Defect #37962 » allowed_to_condition.patch
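--- a/app/models/issue.rb
+++ b/app/models/issue.rb
@@ -125,6 +125,8 @@
 # Returns a SQL conditions string used to find all issues visible by the specified user
 def self.visible_condition(user, options={})
-Project.allowed_to_condition(user, :view_issues, options) do |role, user|
+Project.allowed_to_condition(user,
+:view_issues,
+{ pre_condition_project_field: "#{table_name}.project_id" }.merge(options)) do |role, user|
 sql =
 if user.id && user.logged?
 case role.issues_visibility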
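Review bot: In `visible_condition` the default hash is the receiver of `merge`, so a `:pre_condition_project_field` key arriving in `options` replaces the model's own column reference, and that value is later interpolated into SQL by `Project.allowed_to_condition`. If the column is meant to be fixed by the model, reverse the merge: `options.merge(pre_condition_project_field: "#{table_name}.project_id")`. The same call shape is added to `TimeEntry.visible_condition` in app/models/time_entry.rb. The added predicate also presumes the outer query references the table under its real `table_name` rather than an alias, which deserves a comment because the callers are not visible here. The method body continues past the hunk.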
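--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -178,6 +178,7 @@
 # * :project => project limit the condition to project
 # * :with_subprojects => true limit the condition to project and its subprojects
 # * :member => true limit the condition to the user projects
+# * :pre_condition_project_field table field for where cause with enabled_modules to project_id
 def self.allowed_to_condition(user, permission, options={})
 perm = Redmine::AccessControl.permission(permission)
 base_statement =
@@ -191,7 +192,9 @@
 base_statement +=
 " AND EXISTS (SELECT 1 AS one FROM #{EnabledModule.table_name} em" \
 " WHERE em.project_id = #{Project.table_name}.id" \
-" AND em.name='#{perm.project_module}')"
+" AND em.name='#{perm.project_module}'"
+base_statement += " AND em.project_id=#{options[:pre_condition_project_field]}" if options[:pre_condition_project_field]
+base_statement += ')'
 end
 if project = options[:project]
 project_statement = project.project_condition(options[:with_subprojects])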
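Review bot: The added line `base_statement += " AND em.project_id=#{options[:pre_condition_project_field]}"` concatenates an option value into the SQL string unquoted, so the option is effectively a raw SQL fragment. The two callers in this patch pass the constant `"#{table_name}.project_id"`, but nothing in `allowed_to_condition` enforces that; a guard such as `raise ArgumentError unless field.match?(/\A\w+\.\w+\z/)` before the interpolation would restrict it to a plain `table.column` reference. The new doc line should state the same contract, e.g. `# * :pre_condition_project_field => "table.column" trusted column reference (never user input) matched against enabled_modules.project_id`, which also fixes the "where cause" typo. The method starts and ends outside the visible hunks.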
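--- a/app/models/time_entry.rb
+++ b/app/models/time_entry.rb
@@ -80,6 +80,8 @@
 # Returns a SQL conditions string used to find all time entries visible by the specified user
 def self.visible_condition(user, options={})
-Project.allowed_to_condition(user, :view_time_entries, options) do |role, user|
+Project.allowed_to_condition(user,
+:view_time_entries,
+{ pre_condition_project_field: "#{table_name}.project_id" }.merge(options)) do |role, user|
 if role.time_entries_visibility == 'all'
 nil
 elsif role.time_entries_visibility == 'own' && user.id && user.logged?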