GitLab steht wegen Wartungsarbeiten am Montag, den 10. Mai, zwischen 17:00 und 19:00 Uhr nicht zur Verfügung.

Commit bb8a005e authored by jplang's avatar jplang

Adds permission to edit and delete issues by role/tracker (#285).

git-svn-id: https://svn.redmine.org/redmine/trunk@15466 e93f8b46-1217-0410-a6f0-8f06a7374b81
parent 9f9f560f
......@@ -29,11 +29,11 @@ class ContextMenusController < ApplicationController
@allowed_statuses = @issues.map(&:new_statuses_allowed_to).reduce(:&)
@can = {:edit => User.current.allowed_to?(:edit_issues, @projects),
@can = {:edit => @issues.all?(&:attributes_editable?),
:log_time => (@project && User.current.allowed_to?(:log_time, @project)),
:copy => User.current.allowed_to?(:copy_issues, @projects) && Issue.allowed_target_projects.any?,
:add_watchers => User.current.allowed_to?(:add_issue_watchers, @projects),
:delete => User.current.allowed_to?(:delete_issues, @projects)
:delete => @issues.all?(&:deletable?)
}
if @project
if @issue
......
......@@ -211,6 +211,10 @@ class IssuesController < ApplicationController
unless User.current.allowed_to?(:copy_issues, @projects)
raise ::Unauthorized
end
else
unless @issues.all?(&:attributes_editable?)
raise ::Unauthorized
end
end
@allowed_projects = Issue.allowed_target_projects
......@@ -263,6 +267,10 @@ class IssuesController < ApplicationController
unless User.current.allowed_to?(:add_issues, target_projects)
raise ::Unauthorized
end
else
unless @issues.all?(&:attributes_editable?)
raise ::Unauthorized
end
end
unsaved_issues = []
......@@ -316,6 +324,7 @@ class IssuesController < ApplicationController
end
def destroy
raise Unauthorized unless @issues.all?(&:deletable?)
@hours = TimeEntry.where(:issue_id => @issues.map(&:id)).sum(:hours).to_f
if @hours > 0
case params[:todo]
......
......@@ -172,14 +172,24 @@ class Issue < ActiveRecord::Base
end
end
# Returns true if user or current user is allowed to edit or add a note to the issue
# Returns true if user or current user is allowed to edit or add notes to the issue
def editable?(user=User.current)
attributes_editable?(user) || user.allowed_to?(:add_issue_notes, project)
attributes_editable?(user) || notes_addable?(user)
end
# Returns true if user or current user is allowed to edit the issue
def attributes_editable?(user=User.current)
user.allowed_to?(:edit_issues, project)
user_tracker_permission?(user, :edit_issues)
end
# Returns true if user or current user is allowed to add notes to the issue
def notes_addable?(user=User.current)
user_tracker_permission?(user, :add_issue_notes)
end
# Returns true if user or current user is allowed to delete the issue
def deletable?(user=User.current)
user_tracker_permission?(user, :delete_issues)
end
def initialize(attributes=nil, *args)
......@@ -429,10 +439,10 @@ class Issue < ActiveRecord::Base
'custom_fields',
'lock_version',
'notes',
:if => lambda {|issue, user| issue.new_record? || user.allowed_to?(:edit_issues, issue.project) }
:if => lambda {|issue, user| issue.new_record? || issue.attributes_editable?(user) }
safe_attributes 'notes',
:if => lambda {|issue, user| user.allowed_to?(:add_issue_notes, issue.project)}
:if => lambda {|issue, user| issue.notes_addable?(user)}
safe_attributes 'private_notes',
:if => lambda {|issue, user| !issue.new_record? && user.allowed_to?(:set_notes_private, issue.project)}
......@@ -447,7 +457,7 @@ class Issue < ActiveRecord::Base
}
safe_attributes 'parent_issue_id',
:if => lambda {|issue, user| (issue.new_record? || user.allowed_to?(:edit_issues, issue.project)) &&
:if => lambda {|issue, user| (issue.new_record? || issue.attributes_editable?(user)) &&
user.allowed_to?(:manage_subtasks, issue.project)}
def safe_attribute_names(user=nil)
......@@ -1406,6 +1416,11 @@ class Issue < ActiveRecord::Base
private
def user_tracker_permission?(user, permission)
roles = user.roles_for_project(project).select {|r| r.has_permission?(permission)}
roles.any? {|r| r.permissions_all_trackers?(permission) || r.permissions_tracker_ids?(permission, tracker_id)}
end
def after_project_change
# Update project_id on related time entries
TimeEntry.where({:issue_id => id}).update_all(["project_id = ?", project_id])
......
......@@ -3,5 +3,5 @@
<%= link_to l(:button_log_time), new_issue_time_entry_path(@issue), :class => 'icon icon-time-add' if User.current.allowed_to?(:log_time, @project) %>
<%= watcher_link(@issue, User.current) %>
<%= link_to l(:button_copy), project_copy_issue_path(@project, @issue), :class => 'icon icon-copy' if User.current.allowed_to?(:copy_issues, @project) && Issue.allowed_target_projects.any? %>
<%= link_to l(:button_delete), issue_path(@issue), :data => {:confirm => issues_destroy_confirmation_message(@issue)}, :method => :delete, :class => 'icon icon-del' if User.current.allowed_to?(:delete_issues, @project) %>
<%= link_to l(:button_delete), issue_path(@issue), :data => {:confirm => issues_destroy_confirmation_message(@issue)}, :method => :delete, :class => 'icon icon-del' if @issue.deletable? %>
</div>
......@@ -27,21 +27,22 @@
<% end %>
</fieldset>
<% end %>
<fieldset><legend><%= l(:field_notes) %></legend>
<%= f.text_area :notes, :cols => 60, :rows => 10, :class => 'wiki-edit', :no_label => true %>
<%= wikitoolbar_for 'issue_notes' %>
<% if @issue.safe_attribute? 'private_notes' %>
<%= f.check_box :private_notes, :no_label => true %> <label for="issue_private_notes"><%= l(:field_private_notes) %></label>
<% if @issue.notes_addable? %>
<fieldset><legend><%= l(:field_notes) %></legend>
<%= f.text_area :notes, :cols => 60, :rows => 10, :class => 'wiki-edit', :no_label => true %>
<%= wikitoolbar_for 'issue_notes' %>
<% if @issue.safe_attribute? 'private_notes' %>
<%= f.check_box :private_notes, :no_label => true %> <label for="issue_private_notes"><%= l(:field_private_notes) %></label>
<% end %>
<%= call_hook(:view_issues_edit_notes_bottom, { :issue => @issue, :notes => @notes, :form => f }) %>
</fieldset>
<fieldset><legend><%= l(:label_attachment_plural) %></legend>
<p><%= render :partial => 'attachments/form', :locals => {:container => @issue} %></p>
</fieldset>
<% end %>
<%= call_hook(:view_issues_edit_notes_bottom, { :issue => @issue, :notes => @notes, :form => f }) %>
</fieldset>
<fieldset><legend><%= l(:label_attachment_plural) %></legend>
<p><%= render :partial => 'attachments/form', :locals => {:container => @issue} %></p>
</fieldset>
</div>
<%= f.hidden_field :lock_version %>
......
<% reply_links = authorize_for('issues', 'edit') -%>
<% reply_links = issue.notes_addable? -%>
<% for journal in journals %>
<div id="change-<%= journal.id %>" class="<%= journal.css_classes %>">
<div id="note-<%= journal.indice %>">
......
......@@ -77,7 +77,7 @@ end %>
<% if @issue.description? %>
<div class="description">
<div class="contextual">
<%= link_to l(:button_quote), quoted_issue_path(@issue), :remote => true, :method => 'post', :class => 'icon icon-comment' if authorize_for('issues', 'edit') %>
<%= link_to l(:button_quote), quoted_issue_path(@issue), :remote => true, :method => 'post', :class => 'icon icon-comment' if @issue.notes_addable? %>
</div>
<p><strong><%=l(:field_description)%></strong></p>
......
......@@ -64,7 +64,9 @@
<div id="role-permissions-trackers">
<h3><%= l(:label_issue_tracking) %></h3>
<% permissions = %w(view_issues add_issues) %>
<% permissions = %w(view_issues add_issues edit_issues add_issue_notes delete_issues) %>
<div class="autoscroll">
<table class="list">
<thead>
<tr>
......@@ -87,7 +89,7 @@
<% end %>
</tr>
<% Tracker.sorted.all.each do |tracker| %>
<tr>
<tr class="<%= cycle("odd", "even") %>">
<td class="name"><%= tracker.name %></td>
<% permissions.each do |permission| %>
<td><%= check_box_tag "role[permissions_tracker_ids][#{permission}][]",
......@@ -100,6 +102,7 @@
<% end %>
</tbody>
</table>
</div>
<% permissions.each do |permission| %>
<%= hidden_field_tag "role[permissions_tracker_ids][#{permission}][]", '' %>
......
......@@ -152,6 +152,7 @@ table.list td.buttons img, div.buttons img {vertical-align:middle;}
table.list td.reorder {width:15%; white-space:nowrap; text-align:center; }
table.list table.progress td {padding-right:0px;}
table.list caption { text-align: left; padding: 0.5em 0.5em 0.5em 0; }
#role-permissions-trackers table.list th {white-space:normal;}
.table-list-cell {display: table-cell; vertical-align: top; padding:2px; }
......
......@@ -3872,6 +3872,30 @@ class IssuesControllerTest < ActionController::TestCase
assert_redirected_to '/issues/11?issue_count=3&issue_position=2&next_issue_id=12&prev_issue_id=8'
end
def test_update_with_permission_on_tracker_should_be_allowed
role = Role.find(1)
role.set_permission_trackers :edit_issues, [1]
role.save!
issue = Issue.generate!(:project_id => 1, :tracker_id => 1, :subject => 'Original subject')
@request.session[:user_id] = 2
put :update, :id => issue.id, :issue => {:subject => 'Changed subject'}
assert_response 302
assert_equal 'Changed subject', issue.reload.subject
end
def test_update_without_permission_on_tracker_should_be_denied
role = Role.find(1)
role.set_permission_trackers :edit_issues, [1]
role.save!
issue = Issue.generate!(:project_id => 1, :tracker_id => 2, :subject => 'Original subject')
@request.session[:user_id] = 2
put :update, :id => issue.id, :issue => {:subject => 'Changed subject'}
assert_response 302
assert_equal 'Original subject', issue.reload.subject
end
def test_get_bulk_edit
@request.session[:user_id] = 2
get :bulk_edit, :ids => [1, 3]
......@@ -4702,6 +4726,32 @@ class IssuesControllerTest < ActionController::TestCase
assert_response 404
end
def test_destroy_with_permission_on_tracker_should_be_allowed
role = Role.find(1)
role.set_permission_trackers :delete_issues, [1]
role.save!
issue = Issue.generate!(:project_id => 1, :tracker_id => 1)
@request.session[:user_id] = 2
assert_difference 'Issue.count', -1 do
delete :destroy, :id => issue.id
end
assert_response 302
end
def test_destroy_without_permission_on_tracker_should_be_denied
role = Role.find(1)
role.set_permission_trackers :delete_issues, [2]
role.save!
issue = Issue.generate!(:project_id => 1, :tracker_id => 1)
@request.session[:user_id] = 2
assert_no_difference 'Issue.count' do
delete :destroy, :id => issue.id
end
assert_response 403
end
def test_default_search_scope
get :index
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment