Commit 35ab700f authored by jplang's avatar jplang

Fixed: cross-project issue list should not show issues of projects for which...

Fixed: cross-project issue list should not show issues of projects for which the issue tracking module was disabled.

git-svn-id: https://svn.redmine.org/redmine/trunk@1907 e93f8b46-1217-0410-a6f0-8f06a7374b81
parent 0f275a53
......@@ -108,6 +108,12 @@ class Project < ActiveRecord::Base
def self.allowed_to_condition(user, permission, options={})
statements = []
base_statement = "#{Project.table_name}.status=#{Project::STATUS_ACTIVE}"
if perm = Redmine::AccessControl.permission(permission)
unless perm.project_module.nil?
# If the permission belongs to a project module, make sure the module is enabled
base_statement << " AND EXISTS (SELECT em.id FROM #{EnabledModule.table_name} em WHERE em.name='#{perm.project_module}' AND em.project_id=#{Project.table_name}.id)"
end
end
if options[:project]
project_statement = "#{Project.table_name}.id = #{options[:project].id}"
project_statement << " OR #{Project.table_name}.parent_id = #{options[:project].id}" if options[:with_subprojects]
......
......@@ -277,7 +277,7 @@ class Query < ActiveRecord::Base
elsif project
project_clauses << "#{Project.table_name}.id = %d" % project.id
end
project_clauses << Project.visible_by(User.current)
project_clauses << Project.allowed_to_condition(User.current, :view_issues)
project_clauses.join(' AND ')
end
......
......@@ -30,8 +30,15 @@ module Redmine
@permissions
end
# Returns the permission of given name or nil if it wasn't found
# Argument should be a symbol
def permission(name)
permissions.detect {|p| p.name == name}
end
# Returns the actions that are allowed by the permission of given name
def allowed_actions(permission_name)
perm = @permissions.detect {|p| p.name == permission_name}
perm = permission(permission_name)
perm ? perm.actions : []
end
......@@ -94,6 +101,7 @@ module Redmine
@actions << "#{controller}/#{actions}"
end
end
@actions.flatten!
end
def public?
......
......@@ -43,4 +43,16 @@ enabled_modules_011:
name: issue_tracking
project_id: 2
id: 11
enabled_modules_012:
name: time_tracking
project_id: 3
id: 12
enabled_modules_013:
name: issue_tracking
project_id: 3
id: 13
enabled_modules_014:
name: issue_tracking
project_id: 5
id: 14
\ No newline at end of file
......@@ -62,6 +62,17 @@ class IssuesControllerTest < Test::Unit::TestCase
assert_no_tag :tag => 'a', :content => /Issue of a private subproject/
assert_no_tag :tag => 'a', :content => /Issue on project 2/
end
def test_index_should_not_list_issues_when_module_disabled
EnabledModule.delete_all("name = 'issue_tracking' AND project_id = 1")
get :index
assert_response :success
assert_template 'index.rhtml'
assert_not_nil assigns(:issues)
assert_nil assigns(:project)
assert_no_tag :tag => 'a', :content => /Can't print recipes/
assert_tag :tag => 'a', :content => /Subproject issue/
end
def test_index_with_project
Setting.display_subprojects_issues = 0
......
# Redmine - project management software
# Copyright (C) 2006-2008 Jean-Philippe Lang
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
require File.dirname(__FILE__) + '/../../../test_helper'
class Redmine::AccessControlTest < Test::Unit::TestCase
def setup
@access_module = Redmine::AccessControl
end
def test_permissions
perms = @access_module.permissions
assert perms.is_a?(Array)
assert perms.first.is_a?(Redmine::AccessControl::Permission)
end
def test_module_permission
perm = @access_module.permission(:view_issues)
assert perm.is_a?(Redmine::AccessControl::Permission)
assert_equal :view_issues, perm.name
assert_equal :issue_tracking, perm.project_module
assert perm.actions.is_a?(Array)
assert perm.actions.include?('issues/index')
end
def test_no_module_permission
perm = @access_module.permission(:edit_project)
assert perm.is_a?(Redmine::AccessControl::Permission)
assert_equal :edit_project, perm.name
assert_nil perm.project_module
assert perm.actions.is_a?(Array)
assert perm.actions.include?('projects/settings')
end
end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment