allowed_to_condition.patch

Alexander Meindl, 2022-11-24 09:54


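--- a/app/models/issue.rb
+++ b/app/models/issue.rb
@@ -125,6 +125,8 @@
   # Returns a SQL conditions string used to find all issues visible by the specified user
   def self.visible_condition(user, options={})
-    Project.allowed_to_condition(user, :view_issues, options) do |role, user|
+    Project.allowed_to_condition(user,
+                                 :view_issues,
+                                 { pre_condition_project_field: "#{table_name}.project_id" }.merge(options)) do |role, user|
       sql =
         if user.id && user.logged?
           case role.issues_visibility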
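Review bot: The default is merged as `{ pre_condition_project_field: "#{table_name}.project_id" }.merge(options)`, so any `:pre_condition_project_field` a caller passes in `options` replaces the model's own column, and `Project.allowed_to_condition` places that value into the SQL text. If callers are not meant to override it, reverse the merge: `options.merge(pre_condition_project_field: "#{table_name}.project_id")`. The condition also now names `#{table_name}.project_id` literally, so it presumably only works where the outer query exposes the table under its unaliased name; a line in the method comment saying so would help. The same applies to `TimeEntry.visible_condition` in app/models/time_entry.rb. The method body continues outside the hunk.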
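--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -178,6 +178,7 @@
   # * :project => project               limit the condition to project
   # * :with_subprojects => true         limit the condition to project and its subprojects
   # * :member => true                   limit the condition to the user projects
+  # * :pre_condition_project_field      table field for where cause with enabled_modules to project_id
   def self.allowed_to_condition(user, permission, options={})
     perm = Redmine::AccessControl.permission(permission)
     base_statement =
@@ -191,7 +192,9 @@
       base_statement +=
         " AND EXISTS (SELECT 1 AS one FROM #{EnabledModule.table_name} em" \
           " WHERE em.project_id = #{Project.table_name}.id" \
-          " AND em.name='#{perm.project_module}')"
+          " AND em.name='#{perm.project_module}'"
+      base_statement += " AND em.project_id=#{options[:pre_condition_project_field]}" if options[:pre_condition_project_field]
+      base_statement += ')'
     end
     if project = options[:project]
       project_statement = project.project_condition(options[:with_subprojects])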
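Review bot: `options[:pre_condition_project_field]` is interpolated into `base_statement` unquoted and unchecked at `" AND em.project_id=#{options[:pre_condition_project_field]}"`, so the option is a raw SQL fragment rather than a column name. Both callers in this patch pass a constant built from `table_name`, but nothing in the method enforces that. I would reject anything that is not a plain `table.column` identifier before using it, e.g. `raise ArgumentError, 'invalid pre_condition_project_field' unless options[:pre_condition_project_field].to_s.match?(/\A\w+\.\w+\z/)`. The option comment should also state that the value must be a trusted column reference and never request data, and "where cause" should read "WHERE clause". The method starts and ends outside both hunks.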
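--- a/app/models/time_entry.rb
+++ b/app/models/time_entry.rb
@@ -80,6 +80,8 @@
   # Returns a SQL conditions string used to find all time entries visible by the specified user
   def self.visible_condition(user, options={})
-    Project.allowed_to_condition(user, :view_time_entries, options) do |role, user|
+    Project.allowed_to_condition(user,
+                                 :view_time_entries,
+                                 { pre_condition_project_field: "#{table_name}.project_id" }.merge(options)) do |role, user|
       if role.time_entries_visibility == 'all'
         nil
       elsif role.time_entries_visibility == 'own' && user.id && user.logged?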