Commit 5624738b authored by jplang

Global and public custom queries are shown as editable to non administrators in projects (#28264).

git-svn-id: https://svn.redmine.org/redmine/trunk@17292 e93f8b46-1217-0410-a6f0-8f06a7374b81
parent 5a1d76ef
......@@ -356,13 +356,13 @@ class Query < ActiveRecord::Base
!is_private?
end
def queried_table_name
@queried_table_name ||= self.class.queried_class.table_name
# Returns true if the query is available for all projects
def is_global?
new_record? ? project_id.nil? : project_id_in_database.nil?
end
def initialize(attributes=nil, *args)
super attributes
@is_for_all = project.nil?
def queried_table_name
@queried_table_name ||= self.class.queried_class.table_name
end
# Builds the query from the given params
......@@ -447,7 +447,7 @@ class Query < ActiveRecord::Base
# Admin can edit them all and regular users can edit their private queries
return true if user.admin? || (is_private? && self.user_id == user.id)
# Members can not edit public queries that are for all project (only admin is allowed to)
is_public? && !@is_for_all && user.allowed_to?(:manage_public_queries, project)
is_public? && !is_global? && user.allowed_to?(:manage_public_queries, project)
end
def trackers
......
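Review bot: In `editable_by?` the global test now reads the stored value through `is_global?`, but the permission on the same line is still resolved against the in-memory `project`, so the two halves of the condition can refer to different projects. For a saved public query that belongs to one project, a caller that reassigns `project` before calling `editable_by?` (the tests in this commit do so with `q.project = Project.find(1)`) would have `:manage_public_queries` evaluated for the assigned project rather than the one the query is stored under. Whether any controller path does this for project-scoped queries is not visible here, so I would at least state the assumption above that line, e.g. `# NOTE: permission is checked on the currently assigned project; callers must not reassign project on a saved project-scoped query`, or resolve the project from `project_id_in_database` for saved records. The body of `editable_by?` starts outside the hunk.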
......@@ -1742,9 +1742,29 @@ class QueryTest < ActiveSupport::TestCase
assert q.editable_by?(admin)
assert !q.editable_by?(manager)
assert q.editable_by?(developer)
end
def test_editable_by_for_global_query
admin = User.find(1)
manager = User.find(2)
developer = User.find(3)
# Public query for all projects
q = IssueQuery.find(4)
q.project = Project.find(1)
assert q.editable_by?(admin)
assert !q.editable_by?(manager)
assert !q.editable_by?(developer)
end
def test_editable_by_for_global_query_with_project_set
admin = User.find(1)
manager = User.find(2)
developer = User.find(3)
q = IssueQuery.find(4)
q.project = Project.find(1)
assert q.editable_by?(admin)
assert !q.editable_by?(manager)
assert !q.editable_by?(developer)
......
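Review bot: Both new tests load a saved record with `IssueQuery.find(4)`, so only the `project_id_in_database` branch of `is_global?` is exercised; the `new_record?` branch that reads `project_id` has no coverage in this hunk. A pair of assertions such as `assert IssueQuery.new.is_global?` and `assert !IssueQuery.new(:project => Project.find(1)).is_global?` would pin it. A case for a public query stored under a project, checked for a user who lacks `:manage_public_queries` there, would also guard the authorization path against regressions; such tests may already exist outside the hunk. The closing `end` of the last test is not among the visible lines.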