Commit 371dc72a authored by jplang's avatar jplang

Global News view should not be allowed without permission (#7068).

git-svn-id: https://svn.redmine.org/redmine/trunk@16721 e93f8b46-1217-0410-a6f0-8f06a7374b81
parent e5c54751
...@@ -98,14 +98,4 @@ class NewsController < ApplicationController ...@@ -98,14 +98,4 @@ class NewsController < ApplicationController
@news.destroy @news.destroy
redirect_to project_news_index_path(@project) redirect_to project_news_index_path(@project)
end end
private
def find_optional_project
return true unless params[:project_id]
@project = Project.find(params[:project_id])
authorize
rescue ActiveRecord::RecordNotFound
render_404
end
end end
...@@ -217,6 +217,7 @@ Redmine::MenuManager.map :application_menu do |menu| ...@@ -217,6 +217,7 @@ Redmine::MenuManager.map :application_menu do |menu|
menu.push :calendar, { :controller => 'calendars', :action => 'show' }, :caption => :label_calendar menu.push :calendar, { :controller => 'calendars', :action => 'show' }, :caption => :label_calendar
menu.push :news, {:controller => 'news', :action => 'index'}, menu.push :news, {:controller => 'news', :action => 'index'},
:if => Proc.new {User.current.allowed_to?(:view_news, nil, :global => true)},
:caption => :label_news_plural :caption => :label_news_plural
end end
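Review bot: The `:if` proc added to the `:news` entry only decides whether the link is drawn, and nothing next to it says that it is not the access check. A direct request to the news index is refused only if the controller's own filter performs the global `:view_news` check. This page shows that indirectly, through the override removed from NewsController and the new 403 test, but the inherited filter itself is not visible here. I would add a comment above the entry, for example `# Display only: the request itself is authorized in NewsController`, so that a later edit does not treat menu visibility as the permission boundary. The `map :application_menu` block starts outside the hunk.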
......
...@@ -47,6 +47,14 @@ class NewsControllerTest < Redmine::ControllerTest ...@@ -47,6 +47,14 @@ class NewsControllerTest < Redmine::ControllerTest
assert_response 404 assert_response 404
end end
def test_index_without_permission_should_fail
Role.all.each {|r| r.remove_permission! :view_news}
@request.session[:user_id] = 2
get :index
assert_response 403
end
def test_show def test_show
get :show, :params => { get :show, :params => {
:id => 1 :id => 1
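Review bot: `test_index_without_permission_should_fail` exercises only a logged-in user (`@request.session[:user_id] = 2`), so the anonymous path through the same global check has no regression coverage. `Role.all.each {|r| r.remove_permission! :view_news}` presumably strips the permission from the built-in roles as well, so a companion test could reuse that line, leave the session unset, call `get :index` and assert that the list is not served. The expected status for an anonymous user is probably a redirect to login rather than 403; confirm before pinning it. A short comment on the existing test, such as `# user 2 is a regular member; no role grants :view_news here`, would also make the fixture assumption explicit. `test_show` continues outside the hunk.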
......