redmine_own_v.2.patch

Spenser Jones, 2011-02-04 20:26

Download (16.8 KB)

View differences:

redmine/app/controllers/issues_controller.rb 2010-10-08 12:16:20.337725004 +0400
97 97
  end
98 98
  
99 99
  def show
100
    return render_403 if !@issue.visible?
100 101
    @journals = @issue.journals.find(:all, :include => [:user, :details], :order => "#{Journal.table_name}.created_on ASC")
101 102
    @journals.each_with_index {|j,i| j.indice = i+1}
102 103
    @journals.reverse! if User.current.wants_comments_in_reverse_order?
redmine/app/models/issue.rb 2010-10-08 12:16:20.339725020 +0400
74 74
  after_destroy :update_parent_attributes
75 75
  
76 76
  # Returns true if usr or current user is allowed to view the issue
77
  def visible?(usr=nil)
78
    (usr || User.current).allowed_to?(:view_issues, self.project)
77
  def visible?(user=User.current)
78
    user.allowed_to?(:view_issues, self.project) || user.allowed_to?(:add_issues, self.project) && (author == user || assigned_to == user || watched_by?(user))
79 79
  end
80 80
  
81 81
  def after_initialize
redmine/app/models/query.rb 2010-10-08 12:16:20.340724583 +0400
379 379
    group_by_column.groupable
380 380
  end
381 381
  
382
  def project_statement
382
  def project_statement(own=nil)
383 383
    project_clauses = []
384 384
    if project && !@project.descendants.active.empty?
385 385
      ids = [project.id]
......
401 401
    elsif project
402 402
      project_clauses << "#{Project.table_name}.id = %d" % project.id
403 403
    end
404
    project_clauses <<  Project.allowed_to_condition(User.current, :view_issues)
404
    if own
405
      wt = Watcher.table_name
406
      uc = User.current.id.to_s
407
      project_clauses << '('+Project.allowed_to_condition(User.current, :view_issues)+' OR '+Project.allowed_to_condition(User.current, :add_issues)+
408
        " AND (#{Issue.table_name}.author_id=#{uc} OR "+
409
              "#{Issue.table_name}.assigned_to_id=#{uc} OR "+
410
              "#{Issue.table_name}.id IN (SELECT #{wt}.watchable_id FROM #{wt} WHERE #{wt}.watchable_type='Issue' AND user_id=#{uc}))"+")"
411
    else
412
      project_clauses << Project.allowed_to_condition(User.current, :view_issues)
413
    end
405 414
    project_clauses.join(' AND ')
406 415
  end
407 416

  
......
442 451
      
443 452
    end if filters and valid?
444 453
    
445
    (filters_clauses << project_statement).join(' AND ')
454
    (filters_clauses << project_statement(true)).join(' AND ')
446 455
  end
447 456
  
448 457
  # Returns the issue count
redmine/app/models/user.rb 2010-10-08 12:16:20.341724431 +0400
339 339
      
340 340
      roles = roles_for_project(project)
341 341
      return false unless roles
342
      roles.detect {|role| (context.is_public? || role.member?) && role.allowed_to?(action)}
342
      roles.any? {|role| (context.is_public? || role.member?) && role.allowed_to?(action)}
343 343
      
344 344
    elsif options[:global]
345 345
      # Admin users are always authorized
......
347 347
      
348 348
      # authorize if user has at least one role that has this permission
349 349
      roles = memberships.collect {|m| m.roles}.flatten.uniq
350
      roles.detect {|r| r.allowed_to?(action)} || (self.logged? ? Role.non_member.allowed_to?(action) : Role.anonymous.allowed_to?(action))
350
      roles.any? {|r| r.allowed_to?(action)} || (self.logged? ? Role.non_member.allowed_to?(action) : Role.anonymous.allowed_to?(action))
351 351
    else
352 352
      false
353 353
    end
redmine/lib/redmine.rb 2010-10-08 23:39:23.033627739 +0400
44 44

  
45 45
# Permissions
46 46
Redmine::AccessControl.map do |map|
47
  map.permission :view_project, {:projects => [:show], :activities => [:index]}, :public => true
47
  map.permission :view_project, {:projects => [:show]}, :public => true
48 48
  map.permission :search_project, {:search => :index}, :public => true
49 49
  map.permission :add_project, {:projects => [:new, :create]}, :require => :loggedin
50 50
  map.permission :edit_project, {:projects => [:settings, :edit, :update]}, :require => :member
......
58 58
    map.permission :manage_categories, {:projects => :settings, :issue_categories => [:new, :edit, :destroy]}, :require => :member
59 59
    # Issues
60 60
    map.permission :view_issues, {:issues => [:index, :show],
61
                                  :activities => [:index],
61 62
                                  :auto_complete => [:issues],
62 63
                                  :context_menus => [:issues],
63 64
                                  :versions => [:index, :show, :status_by],
64 65
                                  :journals => :index,
65 66
                                  :queries => :index,
66 67
                                  :reports => [:issue_report, :issue_report_details]}
67
    map.permission :add_issues, {:issues => [:new, :create, :update_form]}
68
    map.permission :add_issues, {:issues => [:new, :create, :update_form, :index, :show]}
68 69
    map.permission :edit_issues, {:issues => [:edit, :update, :bulk_edit, :bulk_update, :update_form], :journals => [:new]}
69 70
    map.permission :manage_issue_relations, {:issue_relations => [:new, :destroy]}
70 71
    map.permission :manage_subtasks, {}
......
93 94
  map.project_module :news do |map|
94 95
    map.permission :manage_news, {:news => [:new, :edit, :destroy, :destroy_comment]}, :require => :member
95 96
    map.permission :view_news, {:news => [:index, :show]}, :public => true
96
    map.permission :comment_news, {:comments => :create}
97
    map.permission :comment_news, {:activities => [:index], :comments => :create}
97 98
  end
98 99

  
99 100
  map.project_module :documents do |map|
......
120 121
    
121 122
  map.project_module :repository do |map|
122 123
    map.permission :manage_repository, {:repositories => [:edit, :committers, :destroy]}, :require => :member
123
    map.permission :browse_repository, :repositories => [:show, :browse, :entry, :annotate, :changes, :diff, :stats, :graph]
124
    map.permission :view_changesets, :repositories => [:show, :revisions, :revision]
124
    map.permission :browse_repository, {:activities => [:index], :repositories => [:show, :browse, :entry, :annotate, :changes, :diff, :stats, :graph]}
125
    map.permission :view_changesets, {:activities => [:index], :repositories => [:show, :revisions, :revision]}
125 126
    map.permission :commit_access, {}
126 127
  end
127 128

  
128 129
  map.project_module :boards do |map|
129 130
    map.permission :manage_boards, {:boards => [:new, :edit, :destroy]}, :require => :member
130 131
    map.permission :view_messages, {:boards => [:index, :show], :messages => [:show]}, :public => true
131
    map.permission :add_messages, {:messages => [:new, :reply, :quote]}
132
    map.permission :add_messages, {:activities => [:index], :messages => [:new, :reply, :quote]}
132 133
    map.permission :edit_messages, {:messages => :edit}, :require => :member
133 134
    map.permission :edit_own_messages, {:messages => :edit}, :require => :loggedin
134 135
    map.permission :delete_messages, {:messages => :destroy}, :require => :member
redmine/test/fixtures/issues.yml 2010-10-08 12:16:20.343723937 +0400
103 103
  category_id: 
104 104
  description: This is an issue of a private subproject of cookbook
105 105
  tracker_id: 1
106
  assigned_to_id: 
106
  assigned_to_id: 12
107 107
  author_id: 2
108 108
  status_id: 1
109 109
  start_date: <%= Date.today.to_s(:db) %>
110
  due_date: <%= 1.days.from_now.to_date.to_s(:db) %>
111 110
  root_id: 6
112 111
  lft: 1
113 112
  rgt: 2
......
244 243
  root_id: 13
245 244
  lft: 1
246 245
  rgt: 2
246
issues_014:
247
  created_on: <%= 5.days.ago.to_date.to_s(:db) %>
248
  project_id: 5
249
  updated_on: <%= 2.days.ago.to_date.to_s(:db) %>
250
  priority_id: 5
251
  subject: Test own message
252
  id: 14
253
  fixed_version_id: 
254
  category_id: 
255
  description: Test own message
256
  tracker_id: 1
257
  assigned_to_id: 
258
  author_id: 12
259
  status_id: 1
260
  root_id: 14
261
  lft: 1
262
  rgt: 2
redmine/test/fixtures/member_roles.yml 2010-10-08 12:16:20.343723937 +0400
47 47
  role_id: 2
48 48
  member_id: 10
49 49
  inherited_from: 10
50
member_roles_012: 
51
  id: 12
52
  role_id: 6
53
  member_id: 11
54
  inherited_from: 11
redmine/test/fixtures/members.yml 2010-10-08 12:16:20.344723729 +0400
60 60
  project_id: 2
61 61
  user_id: 8
62 62
  mail_notification: false
63
members_011: 
64
  id: 11
65
  created_on: 2006-07-19 19:35:33 +02:00
66
  project_id: 5
67
  user_id: 12
68
  mail_notification: false
redmine/test/fixtures/roles.yml 2010-10-08 12:16:20.344723729 +0400
184 184
    - :view_changesets
185 185

  
186 186
  position: 5
187
roles_006: 
188
  name: Reporter2
189
  id: 6
190
  builtin: 0
191
  permissions: |
192
    --- 
193
    - :add_issues
194

  
195
  position: 6
187 196

  
redmine/test/fixtures/users.yml 2010-10-08 12:16:20.345723365 +0400
152 152
  id: 11
153 153
  lastname: B Team
154 154
  type: Group
155
users_012: 
156
  id: 12
157
  created_on: 2006-07-19 19:33:19 +02:00
158
  status: 1
159
  last_login_on: 
160
  language: 'ru'
161
  hashed_password: 1
162
  updated_on: 2006-07-19 19:33:19 +02:00
163
  admin: false
164
  mail: vasia@foo.bar
165
  lastname: Vasia
166
  firstname: Pupkin
167
  auth_source_id: 
168
  mail_notification: false
169
  login: vasia
170
  type: User
155 171

  
156 172
  
redmine/test/fixtures/watchers.yml 2010-10-08 12:16:20.345723365 +0400
11 11
  watchable_type: Issue
12 12
  watchable_id: 2
13 13
  user_id: 1
14
watchers_004: 
15
  watchable_type: Issue
16
  watchable_id: 9
17
  user_id: 12
14 18
  
redmine/test/functional/issues_controller_test.rb 2010-10-08 12:16:20.347723839 +0400
277 277
  
278 278
  def test_show_should_deny_member_access_without_permission
279 279
    Role.find(1).remove_permission!(:view_issues)
280
    Role.find(1).remove_permission!(:add_issues)
280 281
    @request.session[:user_id] = 2
281 282
    get :show, :id => 1
282 283
    assert_response 403
......
313 314
    assert_not_nil assigns(:issue)
314 315
  end
315 316

  
317
  def test_show_own_issue_by_author
318
    @request.session[:user_id] = 12
319
    get :show, :id => 14
320
    assert_response :success
321
  end
322

  
323
  def test_show_own_issue_by_assigned
324
    @request.session[:user_id] = 12
325
    get :show, :id => 6
326
    assert_response :success
327
  end
328

  
329
  def test_show_own_issue_by_watcher
330
    @request.session[:user_id] = 12
331
    get :show, :id => 9
332
    assert_response :success
333
  end
334

  
335
  def test_show_should_deny_access_without_permission
336
    @request.session[:user_id] = 12
337
    get :show, :id => 10
338
    assert_response 403
339
  end
340

  
316 341
  def test_get_new
317 342
    @request.session[:user_id] = 2
318 343
    get :new, :project_id => 1, :tracker_id => 1
redmine/test/unit/attachment_test.rb 2010-10-08 12:16:20.348723236 +0400
20 20
require File.dirname(__FILE__) + '/../test_helper'
21 21

  
22 22
class AttachmentTest < ActiveSupport::TestCase
23
  fixtures :issues, :users
23
  fixtures :issues, :users, :watchers
24 24
  
25 25
  def setup
26 26
  end
......
82 82
      end
83 83
    end
84 84
  end
85
  
86
  def test_visible_file_for_issue
87
    # Set "Add issue", unset "View issue" on default for user #12
88
    # author
89
    a = Attachment.new(:container => Issue.find(14), :file => uploaded_test_file("testfile.txt", ""), :author => User.find(2))
90
    assert a.save
91
    assert_equal true, a.visible?(User.find(12))
92
    # assigned to
93
    a = Attachment.new(:container => Issue.find(6), :file => uploaded_test_file("testfile.txt", ""), :author => User.find(2))
94
    assert a.save
95
    assert_equal true, a.visible?(User.find(12))
96
    # watcher
97
    a = Attachment.new(:container => Issue.find(9), :file => uploaded_test_file("testfile.txt", ""), :author => User.find(2))
98
    assert a.save
99
    assert_equal true, a.visible?(User.find(12))
100
    # other
101
    a = Attachment.new(:container => Issue.find(10), :file => uploaded_test_file("testfile.txt", ""), :author => User.find(2))
102
    assert a.save
103
    assert_equal false, a.visible?(User.find(12))
104
    Role.find(6).add_permission!(:view_issues)
105
    assert_equal true, a.visible?(User.find(12))
106
  end
85 107
end
redmine/test/unit/issue_test.rb 2010-10-08 12:16:20.349723183 +0400
106 106
    assert issues.detect {|issue| !issue.project.is_public?}
107 107
  end
108 108
  
109
  def test_visible
110
    user=User.find(12)
111
    issue = Issue.new(:project_id => 5, :tracker_id => 1, :author_id => 2, :status_id => 1, :priority => IssuePriority.all.first, :subject => 'test_own', :description => 'IssueTest#test_own', :estimated_hours => '5:30')
112
    assert issue.save
113
    issue.reload
114
    # Test for user, with "View_issue"
115
    assert_equal true, issue.visible?(User.find(8))
116
    # Test for user, without "View issue", but with "Add issue"
117
    assert_equal false, issue.visible?(user)
118
    # Test for assinged user
119
    issue.assigned_to=user
120
    assert_equal true, issue.visible?(user)
121
    # Test for watcher
122
    issue.assigned_to=nil
123
    issue.add_watcher(user)
124
    assert_equal true, issue.visible?(user)
125
    # Test for author
126
    issue = Issue.new(:project_id => 5, :tracker_id => 1, :author_id => 12, :status_id => 1, :priority => IssuePriority.all.first, :subject => 'test_own', :description => 'IssueTest#test_own', :estimated_hours => '5:30')
127
    assert issue.save
128
    issue.reload
129
    assert_equal true, issue.visible?(user)
130
  end
131

  
109 132
  def test_errors_full_messages_should_include_custom_fields_errors
110 133
    field = IssueCustomField.find_by_name('Database')
111 134
    
......
677 700
  test "#by_subproject" do
678 701
    groups = Issue.by_subproject(Project.find(1))
679 702
    assert_equal 2, groups.size
680
    assert_equal 5, groups.inject(0) {|sum, group| sum + group['total'].to_i}
703
    assert_equal 6, groups.inject(0) {|sum, group| sum + group['total'].to_i}
681 704
  end
682 705
  
683 706
  
redmine/test/unit/mailer_test.rb 2010-10-08 12:16:20.350722465 +0400
235 235
      user = User.find(9)
236 236
      Watcher.create!(:watchable => @issue, :user => user)
237 237
      Role.non_member.remove_permission!(:view_issues)
238
      Role.non_member.remove_permission!(:add_issues)
238 239
      assert Mailer.deliver_issue_add(@issue)
239 240
      assert !last_email.bcc.include?(user.mail)
240 241
    end
redmine/vendor/plugins/acts_as_attachable/lib/acts_as_attachable.rb 2010-10-08 12:16:20.365738902 +0400
44 44
        end
45 45
        
46 46
        def attachments_visible?(user=User.current)
47
          user.allowed_to?(self.class.attachable_options[:view_permission], self.project)
47
          user.allowed_to?(self.class.attachable_options[:view_permission], self.project) || is_a?(Issue) && self.visible?(user)
48 48
        end
49 49
        
50 50
        def attachments_deletable?(user=User.current)