Defect #30731

closed

"View differences" buttons are shown in the repository page even without "Browse repository" permission

Added by Go MAEDA about 5 years ago. Updated about 5 years ago.

Status: Closed
Priority: Normal
Category: SCM
Target version:
Start date:
Due date:
% Done: 0%
Estimated time:
Resolution: Fixed
Affected version:

Description

You are not allowed to see the diff between changesets if you don't have the "Browse repository" permission. However, the "View differences" buttons on the RepositoriesController#show page are always shown even if you don't have the permission. In contrast, the "View differences" tab on the RepositoriesController#revision page is hidden depending on the permission.

I think the buttons should be hidden if the current user does not have a "Browse repository" permission.


Files

view-diff-button@2x.png (39.4 KB) - Go MAEDA, 2019-02-02 03:08
fix-30731.patch (872 Bytes) - Takenori TAKAKI, 2019-03-08 05:23
test-for-30731.diff (916 Bytes) - Go MAEDA, 2019-03-25 09:33

#1

Updated by Takenori TAKAKI about 5 years ago

It seems to be possible to solve this problem by adding the following condition for displaying the button.

  User.current.allowed_to?(:browse_repository, @repository.project)

I made a patch and attached it.

#2

Updated by Go MAEDA about 5 years ago

  • Target version set to Candidate for next minor release

Thank you for the patch. While reviewing the patch, I found that we don't have to show radio buttons to select revisions to show diff when "View differences" is hidden.

IMHO, the following fix is better. It hides the radio boxes as well as the button. In addition, it is simpler.

diff --git a/app/views/repositories/_revisions.html.erb b/app/views/repositories/_revisions.html.erb
index 914999b34..514380791 100644
--- a/app/views/repositories/_revisions.html.erb
+++ b/app/views/repositories/_revisions.html.erb
@@ -20,7 +20,7 @@ end %>
        :repository_id => @repository.identifier_param, :path => to_path_param(path)},
       :method => :get
      ) do %>
-<% show_diff = revisions.size > 1 %>
+<% show_diff = revisions.size > 1 && User.current.allowed_to?(:browse_repository, @repository.project) %>
 <%= submit_tag(l(:label_view_diff), :name => nil) if show_diff %>
 <table class="list changesets">
 <thead><tr>
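Review bot: the changed `show_diff` line only gates the submit button in the visible context; the radio inputs that comment #2 says are hidden as well must be keyed off `show_diff` further down in `_revisions.html.erb`, so confirm that those lines exist, otherwise users without `:browse_repository` still get revision selectors that lead to a form they cannot use. This is a presentation change only: the form can still be submitted without the button, so the authorization check in the controller action that renders the diff remains the actual enforcement point and must stay. The hunk carries no test; a view test that renders the partial for a user lacking `:browse_repository` and asserts that the `View differences` submit button is absent would protect against regression.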

#3

Updated by Takenori TAKAKI about 5 years ago

Right, as you said, the radio button should also be hidden.
I also thought that the proposed patch is simpler and better.
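To check the behaviour that #2 proposes and #3 agrees with, here is an added stand-alone illustration (not Redmine's code): a stdlib ERB template modelled on the patched `_revisions.html.erb`, with constructed stand-ins for Redmine's `User`, `Project` and `Repository` objects, so you can see that a user without `:browse_repository` gets neither the "View differences" button nor the radio inputs.

```ruby
require 'erb'

# Constructed stand-ins for Redmine's Project, Repository, changeset and User
# objects; only the parts the partial touches are modelled.
Project    = Struct.new(:identifier)
Repository = Struct.new(:project, :identifier_param)
Revision   = Struct.new(:identifier, :short_comments)

class User
  def initialize(permissions)
    @permissions = permissions
  end

  # Same call shape as Redmine's User#allowed_to?(action, project).
  def allowed_to?(action, _project)
    @permissions.include?(action)
  end
end

# Template modelled on the patched _revisions.html.erb: one show_diff flag
# gates both the "View differences" submit button and the radio inputs.
REVISIONS_TEMPLATE = <<~ERB
  <% show_diff = revisions.size > 1 && user.allowed_to?(:browse_repository, repository.project) %>
  <form method="get" action="/projects/<%= repository.project.identifier %>/repository/<%= repository.identifier_param %>/diff">
  <% if show_diff %><input type="submit" value="View differences"><% end %>
  <table class="list changesets">
  <% revisions.each do |r| %>
  <tr><td><%= r.identifier %></td>
  <% if show_diff %><td><input type="radio" name="rev" value="<%= r.identifier %>"><input type="radio" name="rev_to" value="<%= r.identifier %>"></td><% end %>
  <td><%= r.short_comments %></td></tr>
  <% end %>
  </table>
  </form>
ERB

def render_revisions(revisions, user, repository)
  ERB.new(REVISIONS_TEMPLATE).result_with_hash(
    revisions: revisions, user: user, repository: repository
  )
end

# Reports which diff controls made it into the rendered HTML.
def diff_controls_shown(html)
  { button: html.include?('type="submit"'), radios: html.include?('type="radio"') }
end

# Constructed sample data: two changesets in a repository of project "demo".
REPO = Repository.new(Project.new('demo'), 'main')
REVS = [Revision.new('r2', 'Second commit'), Revision.new('r1', 'First commit')]
```

With a single revision the controls are hidden regardless of permission, matching the original `revisions.size > 1` condition.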

#4

Updated by Go MAEDA about 5 years ago

Setting the target version to 4.0.3.

#5

Updated by Go MAEDA about 5 years ago

  • Subject changed from "View differences" buttons are shown on the repository page even if the user does not have a "Browse repository" permission to "View differences" buttons are shown in the repository page even without "Browse repository" permission

#6

Updated by Jean-Philippe Lang about 5 years ago

  • Status changed from New to Closed
  • Assignee set to Jean-Philippe Lang
  • Resolution set to Fixed

Committed, thanks.
