Patch #31954 » 0002-Reject-version-custom-field-values-not-visible-for-t.patch
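--- a/app/models/version.rb
+++ b/app/models/version.rb
@@ -163,11 +163,39 @@
       'custom_field_values',
       'custom_fields'
 
+  def safe_attributes=(attrs, user=User.current)
+    if attrs.respond_to?(:to_unsafe_hash)
+      attrs = attrs.to_unsafe_hash
+    end
+
+    return unless attrs.is_a?(Hash)
+    attrs = attrs.deep_dup
+
+    # Reject custom fields values not visible by the user
+    if attrs['custom_field_values'].present?
+      editable_custom_field_ids = editable_custom_field_values(user).map {|v| v.custom_field_id.to_s}
+      attrs['custom_field_values'].reject! {|k, v| !editable_custom_field_ids.include?(k.to_s)}
+    end
+
+    # Reject custom fields not visible by the user
+    if attrs['custom_fields'].present?
+      editable_custom_field_ids = editable_custom_field_values(user).map {|v| v.custom_field_id.to_s}
+      attrs['custom_fields'].reject! {|c| !editable_custom_field_ids.include?(c['id'].to_s)}
+    end
+
+    super(attrs, user)
+  end
+
   # Returns true if +user+ or current user is allowed to view the version
   def visible?(user=User.current)
     user.allowed_to?(:view_issues, self.project)
   end
 
+  # Returns the custom_field_values that can be edited by the given user
+  def editable_custom_field_values(user=nil)
+    visible_custom_field_values(user)
+  end
+
   def visible_custom_field_values(user = nil)
     user ||= User.current
     custom_field_values.select do |value|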
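--- a/test/unit/version_test.rb
+++ b/test/unit/version_test.rb
@@ -299,6 +299,29 @@
     assert_includes Version.like('like scope'), version
   end
 
+  def test_safe_attributes_should_include_only_custom_fields_visible_to_user
+    cf1 = VersionCustomField.create!(:name => 'Visible field',
+                                     :field_format => 'string',
+                                     :visible => false, :role_ids => [1])
+    cf2 = VersionCustomField.create!(:name => 'Non visible field',
+                                     :field_format => 'string',
+                                     :visible => false, :role_ids => [3])
+    user = User.find(2)
+    version = Version.new(:project_id => 1, :name => 'v4')
+
+    version.send :safe_attributes=, {'custom_field_values' => {
+      cf1.id.to_s => 'value1', cf2.id.to_s => 'value2'
+    }}, user
+    assert_equal 'value1', version.custom_field_value(cf1)
+    assert_nil version.custom_field_value(cf2)
+    version.send :safe_attributes=, {'custom_fields' => [
+      {'id' => cf1.id.to_s, 'value' => 'valuea'},
+      {'id' => cf2.id.to_s, 'value' => 'valueb'}
+    ]}, user
+    assert_equal 'valuea', version.custom_field_value(cf1)
+    assert_nil version.custom_field_value(cf2)
+  end
+
   private
 
   def add_issue(version, attributes={})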
|