redmine_own_v.2.patch

For redmine 1.0.0 - Oleg Volkov, 2010-07-20 08:27

Download (17 KB)

View differences:

redmine/app/controllers/issues_controller.rb 2010-07-19 19:52:43.152810115 +0400
111 111
  end
112 112
  
113 113
  def show
114
    return render_403 if !@issue.visible?
114 115
    @journals = @issue.journals.find(:all, :include => [:user, :details], :order => "#{Journal.table_name}.created_on ASC")
115 116
    @journals.each_with_index {|j,i| j.indice = i+1}
116 117
    @journals.reverse! if User.current.wants_comments_in_reverse_order?
redmine/app/models/issue.rb 2010-07-19 19:52:43.153809953 +0400
74 74
  after_destroy :update_parent_attributes
75 75
  
76 76
  # Returns true if usr or current user is allowed to view the issue
77
  def visible?(usr=nil)
78
    (usr || User.current).allowed_to?(:view_issues, self.project)
77
  def visible?(user=User.current)
78
    user.allowed_to?(:view_issues, self.project) || user.allowed_to?(:add_issues, self.project) && (author == user || assigned_to == user || watched_by?(user))
79 79
  end
80 80
  
81 81
  def after_initialize
redmine/app/models/query.rb 2010-07-19 19:52:43.153809953 +0400
373 373
    group_by_column.groupable
374 374
  end
375 375
  
376
  def project_statement
376
  def project_statement(own=nil)
377 377
    project_clauses = []
378 378
    if project && !@project.descendants.active.empty?
379 379
      ids = [project.id]
......
395 395
    elsif project
396 396
      project_clauses << "#{Project.table_name}.id = %d" % project.id
397 397
    end
398
    project_clauses <<  Project.allowed_to_condition(User.current, :view_issues)
398
    if own
399
      wt = Watcher.table_name
400
      uc = User.current.id.to_s
401
      project_clauses << '('+Project.allowed_to_condition(User.current, :view_issues)+' OR '+Project.allowed_to_condition(User.current, :add_issues)+
402
        " AND (#{Issue.table_name}.author_id=#{uc} OR "+
403
              "#{Issue.table_name}.assigned_to_id=#{uc} OR "+
404
              "#{Issue.table_name}.id IN (SELECT #{wt}.watchable_id FROM #{wt} WHERE #{wt}.watchable_type='Issue' AND user_id=#{uc}))"+")"
405
    else
406
      project_clauses << Project.allowed_to_condition(User.current, :view_issues)
407
    end
399 408
    project_clauses.join(' AND ')
400 409
  end
401 410

  
......
436 445
      
437 446
    end if filters and valid?
438 447
    
439
    (filters_clauses << project_statement).join(' AND ')
448
    (filters_clauses << project_statement(true)).join(' AND ')
440 449
  end
441 450
  
442 451
  # Returns the issue count
redmine/app/models/user.rb 2010-07-19 19:52:43.154809701 +0400
311 311
      
312 312
      roles = roles_for_project(project)
313 313
      return false unless roles
314
      roles.detect {|role| (project.is_public? || role.member?) && role.allowed_to?(action)}
314
      roles.any? {|role| (project.is_public? || role.member?) && role.allowed_to?(action)}
315 315
      
316 316
    elsif options[:global]
317 317
      # Admin users are always authorized
......
319 319
      
320 320
      # authorize if user has at least one role that has this permission
321 321
      roles = memberships.collect {|m| m.roles}.flatten.uniq
322
      roles.detect {|r| r.allowed_to?(action)} || (self.logged? ? Role.non_member.allowed_to?(action) : Role.anonymous.allowed_to?(action))
322
      roles.any? {|r| r.allowed_to?(action)} || (self.logged? ? Role.non_member.allowed_to?(action) : Role.anonymous.allowed_to?(action))
323 323
    else
324 324
      false
325 325
    end
redmine/lib/redmine.rb 2010-07-19 20:02:20.146205829 +0400
44 44

  
45 45
# Permissions
46 46
Redmine::AccessControl.map do |map|
47
  map.permission :view_project, {:projects => [:show, :activity]}, :public => true
47
  map.permission :view_project, {:projects => :show}, :public => true
48 48
  map.permission :search_project, {:search => :index}, :public => true
49 49
  map.permission :add_project, {:projects => :add}, :require => :loggedin
50 50
  map.permission :edit_project, {:projects => [:settings, :edit]}, :require => :member
......
57 57
    # Issue categories
58 58
    map.permission :manage_categories, {:projects => :settings, :issue_categories => [:new, :edit, :destroy]}, :require => :member
59 59
    # Issues
60
    map.permission :view_issues, {:projects => :roadmap, 
60
    map.permission :view_issues, {:projects => [:roadmap, :activity],
61 61
                                  :issues => [:index, :changes, :show, :context_menu, :auto_complete],
62 62
                                  :versions => [:show, :status_by],
63 63
                                  :queries => :index,
64 64
                                  :reports => [:issue_report, :issue_report_details]}
65
    map.permission :add_issues, {:issues => [:new, :create, :update_form]}
65
    map.permission :add_issues, {:issues => [:new, :create, :update_form, :index, :show]}
66 66
    map.permission :edit_issues, {:issues => [:edit, :update, :reply, :bulk_edit, :update_form]}
67 67
    map.permission :manage_issue_relations, {:issue_relations => [:new, :destroy]}
68 68
    map.permission :manage_subtasks, {}
......
94 94
  map.project_module :news do |map|
95 95
    map.permission :manage_news, {:news => [:new, :edit, :destroy, :destroy_comment]}, :require => :member
96 96
    map.permission :view_news, {:news => [:index, :show]}, :public => true
97
    map.permission :comment_news, {:news => :add_comment}
97
    map.permission :comment_news, {:projects => :activity, :news => :add_comment}
98 98
  end
99 99

  
100 100
  map.project_module :documents do |map|
......
121 121
    
122 122
  map.project_module :repository do |map|
123 123
    map.permission :manage_repository, {:repositories => [:edit, :committers, :destroy]}, :require => :member
124
    map.permission :browse_repository, :repositories => [:show, :browse, :entry, :annotate, :changes, :diff, :stats, :graph]
125
    map.permission :view_changesets, :repositories => [:show, :revisions, :revision]
124
    map.permission :browse_repository, :projects => :activity, :repositories => [:show, :browse, :entry, :annotate, :changes, :diff, :stats, :graph]
125
    map.permission :view_changesets, :projects => :activity, :repositories => [:show, :revisions, :revision]
126 126
    map.permission :commit_access, {}
127 127
  end
128 128

  
129 129
  map.project_module :boards do |map|
130 130
    map.permission :manage_boards, {:boards => [:new, :edit, :destroy]}, :require => :member
131 131
    map.permission :view_messages, {:boards => [:index, :show], :messages => [:show]}, :public => true
132
    map.permission :add_messages, {:messages => [:new, :reply, :quote]}
132
    map.permission :add_messages, {:projects => :activity, :messages => [:new, :reply, :quote]}
133 133
    map.permission :edit_messages, {:messages => :edit}, :require => :member
134 134
    map.permission :edit_own_messages, {:messages => :edit}, :require => :loggedin
135 135
    map.permission :delete_messages, {:messages => :destroy}, :require => :member
redmine/test/fixtures/issues.yml 2010-07-20 10:06:05.350916308 +0400
102 102
  category_id: 
103 103
  description: This is an issue of a private subproject of cookbook
104 104
  tracker_id: 1
105
  assigned_to_id: 
105
  assigned_to_id: 12
106 106
  author_id: 2
107 107
  status_id: 1
108 108
  start_date: <%= Date.today.to_s(:db) %>
109
  due_date: <%= 1.days.from_now.to_date.to_s(:db) %>
110 109
  root_id: 6
111 110
  lft: 1
112 111
  rgt: 2
......
243 242
  root_id: 13
244 243
  lft: 1
245 244
  rgt: 2
245
issues_014:
246
  created_on: <%= 5.days.ago.to_date.to_s(:db) %>
247
  project_id: 5
248
  updated_on: <%= 2.days.ago.to_date.to_s(:db) %>
249
  priority_id: 5
250
  subject: Test own message
251
  id: 14
252
  fixed_version_id: 
253
  category_id: 
254
  description: Test own message
255
  tracker_id: 1
256
  assigned_to_id: 
257
  author_id: 12
258
  status_id: 1
259
  root_id: 14
260
  lft: 1
261
  rgt: 2
redmine/test/fixtures/member_roles.yml 2010-07-19 19:52:43.156809242 +0400
47 47
  role_id: 2
48 48
  member_id: 10
49 49
  inherited_from: 10
50
member_roles_012: 
51
  id: 12
52
  role_id: 6
53
  member_id: 11
54
  inherited_from: 11
redmine/test/fixtures/members.yml 2010-07-19 19:52:43.157808960 +0400
60 60
  project_id: 2
61 61
  user_id: 8
62 62
  mail_notification: false
63
members_011: 
64
  id: 11
65
  created_on: 2006-07-19 19:35:33 +02:00
66
  project_id: 5
67
  user_id: 12
68
  mail_notification: false
redmine/test/fixtures/roles.yml 2010-07-19 19:52:43.157808960 +0400
184 184
    - :view_changesets
185 185

  
186 186
  position: 5
187
roles_006: 
188
  name: Reporter2
189
  id: 6
190
  builtin: 0
191
  permissions: |
192
    --- 
193
    - :add_issues
194

  
195
  position: 6
187 196

  
redmine/test/fixtures/users.yml 2010-07-19 19:52:43.157808960 +0400
152 152
  id: 11
153 153
  lastname: B Team
154 154
  type: Group
155
users_012: 
156
  id: 12
157
  created_on: 2006-07-19 19:33:19 +02:00
158
  status: 1
159
  last_login_on: 
160
  language: 'ru'
161
  hashed_password: 1
162
  updated_on: 2006-07-19 19:33:19 +02:00
163
  admin: false
164
  mail: vasia@foo.bar
165
  lastname: Vasia
166
  firstname: Pupkin
167
  auth_source_id: 
168
  mail_notification: false
169
  login: vasia
170
  type: User
155 171

  
156 172
  
redmine/test/fixtures/watchers.yml 2010-07-19 19:52:43.158808811 +0400
11 11
  watchable_type: Issue
12 12
  watchable_id: 2
13 13
  user_id: 1
14
watchers_004: 
15
  watchable_type: Issue
16
  watchable_id: 9
17
  user_id: 12
14 18
  
redmine/test/functional/issues_controller_test.rb 2010-07-19 19:52:43.159808650 +0400
284 284
  
285 285
  def test_show_should_deny_member_access_without_permission
286 286
    Role.find(1).remove_permission!(:view_issues)
287
    Role.find(1).remove_permission!(:add_issues)
287 288
    @request.session[:user_id] = 2
288 289
    get :show, :id => 1
289 290
    assert_response 403
......
320 321
    assert_not_nil assigns(:issue)
321 322
  end
322 323

  
324
  def test_show_own_issue_by_author
325
    @request.session[:user_id] = 12
326
    get :show, :id => 14
327
    assert_response :success
328
  end
329

  
330
  def test_show_own_issue_by_assigned
331
    @request.session[:user_id] = 12
332
    get :show, :id => 6
333
    assert_response :success
334
  end
335

  
336
  def test_show_own_issue_by_watcher
337
    @request.session[:user_id] = 12
338
    get :show, :id => 9
339
    assert_response :success
340
  end
341

  
342
  def test_show_should_deny_access_without_permission
343
    @request.session[:user_id] = 12
344
    get :show, :id => 10
345
    assert_response 403
346
  end
347

  
323 348
  def test_get_new
324 349
    @request.session[:user_id] = 2
325 350
    get :new, :project_id => 1, :tracker_id => 1
redmine/test/unit/attachment_test.rb 2010-07-19 19:52:43.159808650 +0400
20 20
require File.dirname(__FILE__) + '/../test_helper'
21 21

  
22 22
class AttachmentTest < ActiveSupport::TestCase
23
  fixtures :issues, :users
23
  fixtures :issues, :users, :watchers
24 24
  
25 25
  def setup
26 26
  end
......
82 82
      end
83 83
    end
84 84
  end
85
  
86
  def test_visible_file_for_issue
87
    # Set "Add issue", unset "View issue" on default for user #12
88
    # author
89
    a = Attachment.new(:container => Issue.find(14), :file => uploaded_test_file("testfile.txt", ""), :author => User.find(2))
90
    assert a.save
91
    assert_equal true, a.visible?(User.find(12))
92
    # assigned to
93
    a = Attachment.new(:container => Issue.find(6), :file => uploaded_test_file("testfile.txt", ""), :author => User.find(2))
94
    assert a.save
95
    assert_equal true, a.visible?(User.find(12))
96
    # watcher
97
    a = Attachment.new(:container => Issue.find(9), :file => uploaded_test_file("testfile.txt", ""), :author => User.find(2))
98
    assert a.save
99
    assert_equal true, a.visible?(User.find(12))
100
    # other
101
    a = Attachment.new(:container => Issue.find(10), :file => uploaded_test_file("testfile.txt", ""), :author => User.find(2))
102
    assert a.save
103
    assert_equal false, a.visible?(User.find(12))
104
    Role.find(6).add_permission!(:view_issues)
105
    assert_equal true, a.visible?(User.find(12))
106
  end
85 107
end
redmine/test/unit/issue_test.rb 2010-07-20 10:15:46.843804404 +0400
106 106
    assert issues.detect {|issue| !issue.project.is_public?}
107 107
  end
108 108
  
109
  def test_visible
110
    user=User.find(12)
111
    issue = Issue.new(:project_id => 5, :tracker_id => 1, :author_id => 2, :status_id => 1, :priority => IssuePriority.all.first, :subject => 'test_own', :description => 'IssueTest#test_own', :estimated_hours => '5:30')
112
    assert issue.save
113
    issue.reload
114
    # Test for user, with "View_issue"
115
    assert_equal true, issue.visible?(User.find(8))
116
    # Test for user, without "View issue", but with "Add issue"
117
    assert_equal false, issue.visible?(user)
118
    # Test for assinged user
119
    issue.assigned_to=user
120
    assert_equal true, issue.visible?(user)
121
    # Test for watcher
122
    issue.assigned_to=nil
123
    issue.add_watcher(user)
124
    assert_equal true, issue.visible?(user)
125
    # Test for author
126
    issue = Issue.new(:project_id => 5, :tracker_id => 1, :author_id => 12, :status_id => 1, :priority => IssuePriority.all.first, :subject => 'test_own', :description => 'IssueTest#test_own', :estimated_hours => '5:30')
127
    assert issue.save
128
    issue.reload
129
    assert_equal true, issue.visible?(user)
130
  end
131

  
109 132
  def test_errors_full_messages_should_include_custom_fields_errors
110 133
    field = IssueCustomField.find_by_name('Database')
111 134
    
......
665 688
  test "#by_subproject" do
666 689
    groups = Issue.by_subproject(Project.find(1))
667 690
    assert_equal 2, groups.size
668
    assert_equal 5, groups.inject(0) {|sum, group| sum + group['total'].to_i}
691
    assert_equal 6, groups.inject(0) {|sum, group| sum + group['total'].to_i}
669 692
  end
670 693
  
671 694
  
redmine/test/unit/mailer_test.rb 2010-07-19 19:52:43.160809678 +0400
235 235
      user = User.find(9)
236 236
      Watcher.create!(:watchable => @issue, :user => user)
237 237
      Role.non_member.remove_permission!(:view_issues)
238
      Role.non_member.remove_permission!(:add_issues)
238 239
      assert Mailer.deliver_issue_add(@issue)
239 240
      assert !last_email.bcc.include?(user.mail)
240 241
    end
redmine/vendor/plugins/acts_as_attachable/lib/acts_as_attachable.rb 2010-07-19 19:52:43.161808229 +0400
44 44
        end
45 45
        
46 46
        def attachments_visible?(user=User.current)
47
          user.allowed_to?(self.class.attachable_options[:view_permission], self.project)
47
          user.allowed_to?(self.class.attachable_options[:view_permission], self.project) || is_a?(Issue) && self.visible?(user)
48 48
        end
49 49
        
50 50
        def attachments_deletable?(user=User.current)