0015-Implements-permissions-and-restrictions-to-issue-att-fix2-4.1.patch

For Redmine 4.1 - Frederico Camara, 2020-05-29 04:19

Download (22.6 KB)

View differences:

app/controllers/issues_controller.rb
88 88
    @journals = @issue.visible_journals_with_index
89 89
    @has_changesets = @issue.changesets.visible.preload(:repository, :user).exists?
90 90
    @relations = @issue.relations.select {|r| r.other_issue(@issue) && r.other_issue(@issue).visible? }
91
    @attachments = @issue.attachments_visible?(User.current) ? @issue.attachments : []
91 92
    @journals.reverse! if User.current.wants_comments_in_reverse_order?
......
129 130
      raise ::Unauthorized
130 131
    end
131 132
    call_hook(:controller_issues_new_before_save, { :params => params, :issue => @issue })
132
    @issue.save_attachments(params[:attachments] || (params[:issue] && params[:issue][:uploads]))
133
    if @issue.attachments_addable?(User.current)
134
      @issue.save_attachments(params[:attachments] || (params[:issue] && params[:issue][:uploads]))
135
    end
133 136
    if @issue.save
134 137
      call_hook(:controller_issues_new_after_save, { :params => params, :issue => @issue})
135 138
      respond_to do |format|
......
158 161
  def edit
159 162
    return unless update_issue_from_params
163
    @attachments = @issue.attachments_visible?(User.current) ? @issue.attachments : []
160 164
    respond_to do |format|
161 165
      format.html { }
162 166
      format.js
......
166 170
  def update
167 171
    return unless update_issue_from_params
168
    @issue.save_attachments(params[:attachments] || (params[:issue] && params[:issue][:uploads]))
172
    if @issue.attachments_addable?(User.current)
173
      @issue.save_attachments(params[:attachments] || (params[:issue] && params[:issue][:uploads]))
174
    end
169 175
    saved = false
170 176
    begin
171 177
      saved = save_issue_with_child_records
......
282 288
    @versions = target_projects.map {|p| p.shared_versions.open}.reduce(:&)
283 289
    @categories = target_projects.map {|p| p.issue_categories}.reduce(:&)
284 290
    if @copy
285
      @attachments_present = @issues.detect {|i| i.attachments.any?}.present?
291
      @attachments_present = @issues.detect {|i| i.attachments.any? && i.attachments_visible?(User.current)}.present?
286 292
      @subtasks_present = @issues.detect {|i| !i.leaf?}.present?
287 293
      @watchers_present = User.current.allowed_to?(:add_issue_watchers, @projects) &&
288 294
                            Watcher.where(:watchable_type => 'Issue',
......
348 354
      end
349 355
      journal = issue.init_journal(User.current, params[:notes])
350 356
      issue.safe_attributes = attributes
357
      issue.attachments = [] unless issue.attachments_addable?(User.current) if @copy
351 358
      call_hook(:controller_issues_bulk_edit_before_save, { :params => params, :issue => issue })
352 359
      if issue.save
353 360
        saved_issues << issue
......
568 575
    @priorities = IssuePriority.active
569 576
    @allowed_statuses = @issue.new_statuses_allowed_to(User.current)
577
    @issue.attachments = [] unless @issue.attachments_addable?(User.current)
570 578
  end
571 579
  # Saves @issue and a time_entry from the parameters
app/models/issue.rb
40 40
  has_many :relations_from, :class_name => 'IssueRelation', :foreign_key => 'issue_from_id', :dependent => :delete_all
41 41
  has_many :relations_to, :class_name => 'IssueRelation', :foreign_key => 'issue_to_id', :dependent => :delete_all
42
  acts_as_attachable :after_add => :attachment_added, :after_remove => :attachment_removed
42
  acts_as_attachable :after_add => :attachment_added, :after_remove => :attachment_removed,
43
                     :view_permission => :view_attachments, :edit_permission => :edit_attachments,
44
                     :delete_permission => :delete_attachments
45

  
43 46
  acts_as_customizable
44 47
  acts_as_watchable
45 48
  acts_as_searchable :columns => ['subject', "#{table_name}.description"],
......
186 189
    )
187 190
  end
191
  # Overrides Redmine::Acts::Attachable::InstanceMethods#attachments_editable?
192
  def attachments_visible?(user=User.current)
193
    user_tracker_permission?(user, :view_attachments)
194
  end
195

  
196
  # Returns true if user or current user is allowed to add the attachment to the issue
197
  def attachments_addable?(user=User.current)
198
    user_tracker_permission?(user, :add_attachments)
199
  end
200

  
188 201
  # Overrides Redmine::Acts::Attachable::InstanceMethods#attachments_editable?
189 202
  def attachments_editable?(user=User.current)
190
    attributes_editable?(user)
203
    user_tracker_permission?(user, :edit_attachments)
204
  end
205

  
206
  # Overrides Redmine::Acts::Attachable::InstanceMethods#attachments_editable?
207
  def attachments_deletable?(user=User.current)
208
    user_tracker_permission?(user, :delete_attachments)
191 209
  end
192 210
  # Returns true if user or current user is allowed to add notes to the issue
......
278 296
      self.status = issue.status
279 297
    end
280 298
    self.author = User.current
281
    unless options[:attachments] == false
299
    if options[:attachments] == true && issue.attachments_visible?(user=User.current)
282 300
      self.attachments = issue.attachments.map do |attachement|
283 301
        attachement.copy(:container => self)
284 302
      end
......
1639 1657
        copy.parent_issue_id = copied_issue_ids[child.parent_id]
1640 1658
        copy.fixed_version_id = nil unless child.fixed_version.present? && child.fixed_version.status == 'open'
1641 1659
        copy.assigned_to = nil unless child.assigned_to_id.present? && child.assigned_to.status == User::STATUS_ACTIVE
1660
        copy.attachments = [] unless copy.attachments_addable?(User.current)
1642 1661
        unless copy.save
1643 1662
          logger.error "Could not copy subtask ##{child.id} while copying ##{@copied_from.id} to ##{id} due to validation errors: #{copy.errors.full_messages.join(', ')}" if logger
1644 1663
          next
app/models/journal.rb
92 92
        detail.custom_field && detail.custom_field.visible_by?(project, user)
93 93
      elsif detail.property == 'relation'
94 94
        Issue.find_by_id(detail.value || detail.old_value).try(:visible?, user)
95
      elsif detail.property == 'attachment'
96
        self.issue.attachments_visible?(User.current)
95 97
      else
96 98
        true
97 99
      end
app/models/mailer.rb
99 99
  end
100 100
  # Builds a mail for notifying user about an issue update
101
  def issue_edit(user, journal)
101
  def issue_edit(user, journal, att=false)
102 102
    issue = journal.journalized
103 103
    redmine_headers 'Project' => issue.project.identifier,
104 104
                    'Issue-Tracker' => issue.tracker.name,
......
117 117
    @journal = journal
118 118
    @journal_details = journal.visible_details
119 119
    @issue_url = url_for(:controller => 'issues', :action => 'show', :id => issue, :anchor => "change-#{journal.id}")
120
    @att = att
120 121
    mail :to => user,
121 122
      :subject => s
......
132 133
      journal.notes? || journal.visible_details(user).any?
133 134
    end
134 135
    users.each do |user|
135
      issue_edit(user, journal).deliver_later
136
      issue_edit(user, journal, journal.issue.attachments_visible?(user)).deliver_later
136 137
    end
137 138
  end
app/views/issues/_edit.html.erb
44 44
      <%= call_hook(:view_issues_edit_notes_bottom, { :issue => @issue, :notes => @notes, :form => f }) %>
45 45
      </fieldset>
46
      <fieldset><legend><%= l(:label_attachment_plural) %></legend>
47
        <% if @issue.attachments.any? && @issue.safe_attribute?('deleted_attachment_ids') %>
46
      <fieldset id="attachments_form" style="<%= "display: none;" unless @issue.attachments_addable?(User.current) %>"><legend><%= l(:label_attachment_plural) %></legend>
47
        <% if @attachments.any? && @issue.safe_attribute?('deleted_attachment_ids') %>
48 48
        <div class="contextual"><%= link_to l(:label_edit_attachments), '#', :onclick => "$('#existing-attachments').toggle(); return false;" %></div>
49 49
        <div id="existing-attachments" style="<%= @issue.deleted_attachment_ids.blank? ? 'display:none;' : '' %>">
50
          <% @issue.attachments.each do |attachment| %>
50
          <% @attachments.each do |attachment| %>
51 51
          <span class="existing-attachment">
52 52
            <%= text_field_tag '', attachment.filename, :class => "icon icon-attachment filename", :disabled => true %>
53 53
            <label>
app/views/issues/edit.js.erb
5 5
<% else %>
6 6
  $('#log_time').hide();
7 7
<% end %>
8

  
9
<% if @issue.attachments_addable?(User.current) %>
10
  $('#attachments_form').show();
11
<% else %>
12
  $('#attachments_form').hide();
13
<% end %>
app/views/issues/index.api.rsb
29 29
      api.array :attachments do
30 30
        issue.attachments.each do |attachment|
31 31
          render_api_attachment(attachment, api)
32
        end
32
        end if issue.attachments_visible?
33 33
      end if include_in_api_response?('attachments')
34 34
      api.array :relations do
app/views/issues/new.html.erb
18 18
    </p>
19 19
    <% end %>
20 20
    <% if @copy_from && @copy_from.attachments.any? %>
21
    <p>
21
    <p style="<%= "display: none;" unless @copy_from.attachments_visible?(User.current) && @issue.attachments_addable?(User.current) %>">
22 22
      <label for="copy_attachments"><%= l(:label_copy_attachments) %></label>
23 23
      <%= check_box_tag 'copy_attachments', '1', @copy_attachments %>
24 24
    </p>
......
30 30
    </p>
31 31
    <% end %>
32
    <p id="attachments_form"><label><%= l(:label_attachment_plural) %></label><%= render :partial => 'attachments/form', :locals => {:container => @issue} %></p>
32
    <p id="attachments_form" style="<%= "display: none;" unless @issue.attachments_addable?(User.current) %>"><label><%= l(:label_attachment_plural) %></label><%= render :partial => 'attachments/form', :locals => {:container => @issue} %></p>
33 33
    <div id="watchers_form_container">
34 34
      <%= render :partial => 'issues/watchers_form' %>
app/views/issues/new.js.erb
5 5
<% when "issue_category_id" %>
6 6
  $('#issue_assigned_to_id').find('option').first().html('<%= escape_javascript(@issue.category.try(:assigned_to).try(:name)).presence || '&nbsp;'.html_safe %>');
7 7
<% end %>
8
<% if @issue.attachments_addable?(User.current) %>
9
  <% if @copy_from && @copy_from.attachments_visible?(User.current) %>
10
    $('#copy_attachments').parent().show();
11
  <% else %>
12
    $('#copy_attachments').parent().hide();
13
  <% end %>
14
  $('#attachments_form').show();
15
<% else %>
16
  $('#copy_attachments').parent().hide();
17
  $('#attachments_form').hide();
18
<% end %>
app/views/issues/show.api.rsb
32 32
  render_api_issue_children(@issue, api) if include_in_api_response?('children')
33 33
  api.array :attachments do
34
    @issue.attachments.each do |attachment|
34
    @attachments.each do |attachment|
35 35
      render_api_attachment(attachment, api)
36 36
    end
37 37
  end if include_in_api_response?('attachments')
app/views/issues/show.html.erb
84 84
  <p><strong><%=l(:field_description)%></strong></p>
85 85
  <div class="wiki">
86
  <%= textilizable @issue, :description, :attachments => @issue.attachments %>
86
  <%= textilizable @issue, :description, :attachments => @attachments %>
87 87
  </div>
88 88
</div>
89 89
<% end %>
90
<% if @issue.attachments.any? %>
90
<% if @attachments.any? %>
91 91
  <hr />
92 92
  <p><strong><%=l(:label_attachment_plural)%></strong></p>
93 93
  <%= link_to_attachments @issue, :thumbnails => true %>
app/views/mailer/_issue.html.erb
4 4
<%= textilizable(issue, :description, :only_path => false) %>
5
<% if issue.attachments.any? %>
5
<% if issue.attachments.any? && @att %>
6 6
  <fieldset class="attachments"><legend><%= l(:label_attachment_plural) %></legend>
7 7
  <% issue.attachments.each do |attachment| %>
8 8
    <%= link_to_attachment attachment, :download => true, :only_path => false %>
app/views/mailer/_issue.text.erb
5 5
----------------------------------------
6 6
<%= issue.description %>
7
<% if issue.attachments.any? -%>
7
<% if issue.attachments.any? && @att -%>
8 8
---<%= l(:label_attachment_plural).ljust(37, '-') %>
9 9
<% issue.attachments.each do |attachment| -%>
10 10
<%= attachment.filename %> (<%= number_to_human_size(attachment.filesize) %>)
app/views/roles/_form.html.erb
68 68
<div id="role-permissions-trackers" class="view_issues_shown">
69 69
<h3><%= l(:label_issue_tracking) %></h3>
70
<% permissions = [:view_issues, :add_issues, :edit_issues, :add_issue_notes, :delete_issues] & setable_permissions.collect(&:name) %>
70
<% permissions = [:view_issues, :add_issues, :edit_issues, :add_issue_notes, :delete_issues, :view_attachments, :add_attachments, :edit_attachments, :delete_attachments] & setable_permissions.collect(&:name) %>
71 71
<div class="autoscroll">
72 72
<table class="list">
config/locales/en.yml
509 509
  permission_view_private_notes: View private notes
510 510
  permission_set_notes_private: Set notes as private
511 511
  permission_delete_issues: Delete issues
512
  permission_view_attachments: View attachments
513
  permission_add_attachments: Add attachments
514
  permission_edit_attachments: Edit attachments
515
  permission_delete_attachments: Delete attachments
512 516
  permission_manage_public_queries: Manage public queries
513 517
  permission_save_queries: Save queries
514 518
  permission_view_gantt: View gantt chart
config/locales/pt-BR.yml
785 785
  permission_manage_members: Gerenciar membros
786 786
  permission_edit_messages: Editar mensagens
787 787
  permission_delete_issues: Excluir tarefas
788
  permission_view_attachments: Ver arquivos anexos
789
  permission_add_attachments: Adicionar arquivos anexos
790
  permission_edit_attachments: Editar arquivos anexos
791
  permission_delete_attachments: Apagar arquivos anexos
788 792
  permission_view_issue_watchers: Ver lista de observadores
789 793
  permission_manage_repository: Gerenciar repositório
790 794
  permission_commit_access: Acesso do commit
db/migrate/20161215142110_add_attachments_permissions.rb
1
class AddAttachmentsPermissions < ActiveRecord::Migration[4.2]
2
  def self.up
3
    Role.all.each do |r|
4
      r.add_permission!(:view_attachments) if r.has_permission?(:view_issues)
5
      r.add_permission!(:add_attachments) if r.has_permission?(:add_issues)
6
      r.add_permission!(:edit_attachments) if r.has_permission?(:edit_issues)
7
      r.add_permission!(:delete_attachments) if r.has_permission?(:delete_issues)
8
    end
9
  end
10

  
11
  def self.down
12
    Role.all.each do |r|
13
      r.remove_permission!(:view_attachments)
14
      r.remove_permission!(:add_attachments)
15
      r.remove_permission!(:edit_attachments)
16
      r.remove_permission!(:delete_attachments)
17
    end
18
  end
19
end
lib/plugins/acts_as_searchable/lib/acts_as_searchable.rb
136 136
              r |= fetch_ranks_and_ids(
137 137
                search_scope(user, projects, options).
138 138
                joins(:attachments).
139
                where("#{Project.allowed_to_condition(user, :view_attachments)}", false).
139 140
                where(search_tokens_condition(["#{Attachment.table_name}.filename", "#{Attachment.table_name}.description"], tokens, options[:all_words])),
140 141
                options[:limit]
141 142
              )
lib/redmine.rb
102 102
                                  :queries => :index,
103 103
                                  :reports => [:issue_report, :issue_report_details]},
104 104
                   :read => true
105
    map.permission :add_issues, {:issues => [:new, :create], :attachments => :upload}
106
    map.permission :edit_issues, {:issues => [:edit, :update, :bulk_edit, :bulk_update], :journals => [:new], :attachments => :upload}
107
    map.permission :edit_own_issues, {:issues => [:edit, :update, :bulk_edit, :bulk_update], :journals => [:new], :attachments => :upload}
108
    map.permission :copy_issues, {:issues => [:new, :create, :bulk_edit, :bulk_update], :attachments => :upload}
105
    map.permission :add_issues, {:issues => [:new, :create]}
106
    map.permission :edit_issues, {:issues => [:edit, :update, :bulk_edit, :bulk_update], :journals => [:new]}
107
    map.permission :edit_own_issues, {:issues => [:edit, :update, :bulk_edit, :bulk_update], :journals => [:new]}
108
    map.permission :copy_issues, {:issues => [:new, :create, :bulk_edit, :bulk_update]}
109 109
    map.permission :manage_issue_relations, {:issue_relations => [:index, :show, :create, :destroy]}
110 110
    map.permission :manage_subtasks, {}
111 111
    map.permission :set_issues_private, {}
112 112
    map.permission :set_own_issues_private, {}, :require => :loggedin
113
    map.permission :add_issue_notes, {:issues => [:edit, :update], :journals => [:new], :attachments => :upload}
113
    map.permission :add_issue_notes, {:issues => [:edit, :update], :journals => [:new]}
114 114
    map.permission :edit_issue_notes, {:journals => [:edit, :update]}, :require => :loggedin
115 115
    map.permission :edit_own_issue_notes, {:journals => [:edit, :update]}, :require => :loggedin
116 116
    map.permission :view_private_notes, {}, :read => true, :require => :member
117 117
    map.permission :set_notes_private, {}, :require => :member
118 118
    map.permission :delete_issues, {:issues => :destroy}, :require => :member
119
    # Attachments
120
    map.permission :add_attachments, {:attachments => :upload}
121
    map.permission :view_attachments, {}
122
    map.permission :edit_attachments, {}
123
    map.permission :delete_attachments, {:attachments => :destroy}, :require => :member
119 124
    # Watchers
120 125
    map.permission :view_issue_watchers, {}, :read => true
121 126
    map.permission :add_issue_watchers, {:watchers => [:new, :create, :append, :autocomplete_for_user]}
lib/redmine/export/pdf/issues_pdf_helper.rb
236 236
            end
237 237
          end
238
          if issue.attachments.any?
238
          if issue.attachments.any? && issue.attachments_visible?(User.current)
239 239
            pdf.SetFontStyle('B',9)
240 240
            pdf.RDMCell(190,5, l(:label_attachment_plural), "B")
241 241
            pdf.ln
242
-