Defect #6776

Weird link_to_if_authorized behavior

Added by Felix Schäfer almost 7 years ago. Updated over 5 years ago.

Status: Closed
Start date: 2010-10-30
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: Projects
Target version: -
Resolution: Wont fix
Affected version:

Description

See http://www.redmine.org/issues/4416#note-11 , better description once I've had time to have a better look at it ;-)

Update (EM) 03/16/2011 :
link_to_if_authorized always takes @project as the current context when it calls User#allowed_to?.

As a symptom (defect), e.g., the parent's shared version wiki page link is rendered as a link in the subproject settings even if the parent project is not accessible by the current user.

link_to_if_authorized_overridable_context.patch (5.43 KB) Etienne Massip, 2011-03-28 20:57


Related issues

Related to Redmine - Feature #4416: Link from version details page to edit the wiki. Closed 2009-12-16

History

#1 Updated by Holger Just almost 7 years ago

The issue here might be that link_to_if_authorized checks permission for the project that is @project, which might be wrong here if the version is shared and actually lives in another project.

If this is the case (and otherwise too), link_to_if_authorized and subsequently authorize_for should get an optional project parameter. link_to_if_authorized could conveniently try to get the project_id from the options hash.

#2 Updated by Etienne Massip over 6 years ago

  • Category set to Projects
  • Target version set to Candidate for next minor release

#3 Updated by Etienne Massip over 6 years ago

  • File link_to_if_authorized_overridable_context.patch added

Here's a patch.

It also removes the parameters_for_method_reference argument in #link_to and #url_for, which is no longer supported as of Rails 2.x.

A good location to test is the link to the wiki page of a forbidden project shared version in the project settings versions list, as mentioned in #6435.

#4 Updated by Etienne Massip over 6 years ago

  • File link_to_if_authorized_overridable_context.patch added

Nicer syntax + more complete description.

#5 Updated by Etienne Massip over 6 years ago

  • File deleted (link_to_if_authorized_overridable_context.patch)

#6 Updated by Etienne Massip over 6 years ago

  • File deleted (link_to_if_authorized_overridable_context.patch)

#7 Updated by Etienne Massip over 6 years ago

  • File link_to_if_authorized_overridable_context.patch added

With test.

#8 Updated by Jean-Philippe Lang over 6 years ago

The patch applies cleanly on r5230 but triggers a bunch of errors in functional tests. The new argument for #authorize_for must be made optional.

#9 Updated by Etienne Massip over 6 years ago

My bad.

This time, tests pass.

#10 Updated by Etienne Massip over 6 years ago

  • File deleted (link_to_if_authorized_overridable_context.patch)

#11 Updated by Jean-Philippe Lang over 5 years ago

  • Status changed from New to Closed
  • Target version deleted (Candidate for next minor release)
  • Resolution set to Wont fix

User.allowed_to? should be used instead. #link_to_if_authorized does not work with string paths.
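The context problem discussed in this issue, as an added toy model in Ruby (not Redmine's code and not the attached patch). `VersionsView`, `wiki_link_implicit`, `wiki_link_explicit`, the `:view_wiki_pages` permission name and the sample data are assumptions made for illustration; only the idea of a per-project `allowed_to?` check comes from the thread.

```ruby
# Added illustration only: a toy model, not Redmine's implementation.
Project = Struct.new(:name)
Version = Struct.new(:name, :project)   # a shared version still belongs to its own project

class User
  def initialize(grants)                # grants: { project => [actions] }
    @grants = grants
  end

  # Permission is always asked for one specific project.
  def allowed_to?(action, project)
    @grants.fetch(project, []).include?(action)
  end
end

class VersionsView                      # hypothetical view helper host
  def initialize(user, current_project)
    @user = user
    @project = current_project          # the page being rendered, e.g. subproject settings
  end

  # Context confusion: authorizes against @project, whatever the link target is.
  def wiki_link_implicit(version)
    render(version, @user.allowed_to?(:view_wiki_pages, @project))
  end

  # Explicit context: authorizes against the project that owns the link target.
  def wiki_link_explicit(version)
    render(version, @user.allowed_to?(:view_wiki_pages, version.project))
  end

  private

  def render(version, authorized)
    return nil unless authorized        # this toy helper renders nothing when unauthorized
    "<a href=\"/projects/#{version.project.name}/wiki/#{version.name}\">#{version.name}</a>"
  end
end

# Constructed sample data: the user is a member of the subproject, not of its parent.
PARENT = Project.new("parent")
CHILD  = Project.new("child")
SHARED = Version.new("1.0", PARENT)     # parent's version, shared down to the child
LOCAL  = Version.new("0.9", CHILD)
MEMBER = User.new({ CHILD => [:view_wiki_pages] })
VIEW   = VersionsView.new(MEMBER, CHILD)
```

With the implicit context, the link to the parent's wiki page is rendered for a user who has no access to the parent project; checking against the target's own project suppresses it while leaving the subproject's own links intact.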
