
Commit f5238f5b authored by jplang's avatar jplang

Can't bulk edit own time entries with "Edit own time entries" (#18580).

git-svn-id: https://svn.redmine.org/redmine/trunk@14242 e93f8b46-1217-0410-a6f0-8f06a7374b81
parent 4d160c6a
...@@ -76,9 +76,9 @@ class ContextMenusController < ApplicationController ...@@ -76,9 +76,9 @@ class ContextMenusController < ApplicationController
@projects = @time_entries.collect(&:project).compact.uniq @projects = @time_entries.collect(&:project).compact.uniq
@project = @projects.first if @projects.size == 1 @project = @projects.first if @projects.size == 1
@activities = TimeEntryActivity.shared.active @activities = TimeEntryActivity.shared.active
@can = {:edit => User.current.allowed_to?(:edit_time_entries, @projects),
:delete => User.current.allowed_to?(:edit_time_entries, @projects) edit_allowed = @time_entries.all? {|t| t.editable_by?(User.current)}
} @can = {:edit => edit_allowed, :delete => edit_allowed}
@back = back_url @back = back_url
@options_by_custom_field = {} @options_by_custom_field = {}
......
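Review bot: The `edit_allowed` predicate added here is the same expression as the guard added to `find_time_entries` in the next hunk (`@time_entries.all? {|t| t.editable_by?(User.current)}`), so the menu state and the server-side enforcement stay in sync only by copy-paste. Moving the expression into one shared helper that both call would prevent a later rule change from enabling a menu item that the action then refuses, or the reverse. `all?` is also true for an empty array; the line that loads `@time_entries` is outside this hunk, so whether an empty selection is rejected before this point cannot be confirmed from here. A comment such as `# Display hint only; the time entry actions enforce editable_by? themselves` would make clear that `@can` is not the access control.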
...@@ -234,6 +234,7 @@ private ...@@ -234,6 +234,7 @@ private
def find_time_entries def find_time_entries
@time_entries = TimeEntry.where(:id => params[:id] || params[:ids]).to_a @time_entries = TimeEntry.where(:id => params[:id] || params[:ids]).to_a
raise ActiveRecord::RecordNotFound if @time_entries.empty? raise ActiveRecord::RecordNotFound if @time_entries.empty?
raise Unauthorized unless @time_entries.all? {|t| t.editable_by?(User.current)}
@projects = @time_entries.collect(&:project).compact.uniq @projects = @time_entries.collect(&:project).compact.uniq
@project = @projects.first if @projects.size == 1 @project = @projects.first if @projects.size == 1
rescue ActiveRecord::RecordNotFound rescue ActiveRecord::RecordNotFound
......
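Review bot: The added `raise Unauthorized` line denies the whole request when any one selected entry fails `editable_by?`, and nothing in the method states that all-or-nothing rule; a comment such as `# Reject the whole batch if any entry is not editable by the current user` would keep a later refactor from relaxing it into a filter. The only rescue clause visible in the hunk is for `ActiveRecord::RecordNotFound`, so `Unauthorized` is presumably handled higher up; the new test expecting 403 suggests it is, but the handler is not shown here. Because the existence check runs first, a request naming unknown ids presumably gets a different status than one naming ids the user may not edit, which tells the caller whether an entry exists; if that matters, both cases could return the same response. The method body continues outside the hunk.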
...@@ -276,6 +276,18 @@ class ContextMenusControllerTest < ActionController::TestCase ...@@ -276,6 +276,18 @@ class ContextMenusControllerTest < ActionController::TestCase
end end
end end
def test_time_entries_context_menu_with_edit_own_time_entries_permission
@request.session[:user_id] = 2
Role.find_by_name('Manager').remove_permission! :edit_time_entries
Role.find_by_name('Manager').add_permission! :edit_own_time_entries
ids = (0..1).map {TimeEntry.generate!(:user => User.find(2)).id}
get :time_entries, :ids => ids
assert_response :success
assert_template 'context_menus/time_entries'
assert_select 'a:not(.disabled)', :text => 'Edit'
end
def test_time_entries_context_menu_without_edit_permission def test_time_entries_context_menu_without_edit_permission
@request.session[:user_id] = 2 @request.session[:user_id] = 2
Role.find_by_name('Manager').remove_permission! :edit_time_entries Role.find_by_name('Manager').remove_permission! :edit_time_entries
......
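Review bot: The new context-menu test covers only the permitted case and only the Edit link, although the controller change now drives both `:edit` and `:delete` from the same per-entry check. Add a counterpart that selects time entries of another user while the role has only `edit_own_time_entries`, and assert the link is disabled, e.g. `assert_select 'a.disabled', :text => 'Edit'`. The Delete link should be asserted in both tests. Without the negative case, a regression that enables the menu for every holder of the permission would still pass.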
...@@ -425,6 +425,16 @@ class TimelogControllerTest < ActionController::TestCase ...@@ -425,6 +425,16 @@ class TimelogControllerTest < ActionController::TestCase
assert_template 'bulk_edit' assert_template 'bulk_edit'
end end
def test_bulk_edit_with_edit_own_time_entries_permission
@request.session[:user_id] = 2
Role.find_by_name('Manager').remove_permission! :edit_time_entries
Role.find_by_name('Manager').add_permission! :edit_own_time_entries
ids = (0..1).map {TimeEntry.generate!(:user => User.find(2)).id}
get :bulk_edit, :ids => ids
assert_response :success
end
def test_bulk_update def test_bulk_update
@request.session[:user_id] = 2 @request.session[:user_id] = 2
# update time entry activity # update time entry activity
...@@ -466,6 +476,25 @@ class TimelogControllerTest < ActionController::TestCase ...@@ -466,6 +476,25 @@ class TimelogControllerTest < ActionController::TestCase
assert_response 403 assert_response 403
end end
def test_bulk_update_with_edit_own_time_entries_permission
@request.session[:user_id] = 2
Role.find_by_name('Manager').remove_permission! :edit_time_entries
Role.find_by_name('Manager').add_permission! :edit_own_time_entries
ids = (0..1).map {TimeEntry.generate!(:user => User.find(2)).id}
post :bulk_update, :ids => ids, :time_entry => { :activity_id => 9 }
assert_response 302
end
def test_bulk_update_with_edit_own_time_entries_permissions_should_be_denied_for_time_entries_of_other_user
@request.session[:user_id] = 2
Role.find_by_name('Manager').remove_permission! :edit_time_entries
Role.find_by_name('Manager').add_permission! :edit_own_time_entries
post :bulk_update, :ids => [1, 2], :time_entry => { :activity_id => 9 }
assert_response 403
end
def test_bulk_update_custom_field def test_bulk_update_custom_field
@request.session[:user_id] = 2 @request.session[:user_id] = 2
post :bulk_update, :ids => [1, 2], :time_entry => { :custom_field_values => {'10' => '0'} } post :bulk_update, :ids => [1, 2], :time_entry => { :custom_field_values => {'10' => '0'} }
......
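Review bot: The denial test for `bulk_update` posts the fixture ids `[1, 2]`, so it does not clearly exercise a mixed batch of one own entry and one foreign entry, which is the case the `all?` guard exists to reject; who owns those fixtures is not visible on this page. A further test could build one entry with `TimeEntry.generate!(:user => User.find(2))` and one for a different user, then `post :bulk_update, :ids => [own.id, other.id], :time_entry => { :activity_id => 9 }` followed by `assert_response 403`. It should also reload the own entry and assert that its `activity_id` is unchanged, so a partial update that still returns 403 would be caught. `bulk_edit` gets only a success test here; a matching 403 test for the GET would cover the form as well.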