Defect #10148 » private-issues-fix.patch

Fix "private anon issues visible to anon users" bug - Anonymous, 2012-08-30 22:48


app/models/issue.rb
105 105
      when 'all'
106 106
        true
107 107
      when 'default'
108
        !self.is_private? || self.author == user || user.is_or_belongs_to?(assigned_to)
108
        !self.is_private? || (self.author == user && user != User.anonymous) || user.is_or_belongs_to?(assigned_to)
109 109
      when 'own'
110 110
        self.author == user || user.is_or_belongs_to?(assigned_to)
111 111
      else
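Review bot: The `when 'own'` branch (line 110) still grants visibility on `self.author == user` with no anonymous guard, so under a role with 'own' visibility an anonymous visitor would match every issue authored by the anonymous user, which is the same confusion this patch closes for 'default'. Apply the same guard there, e.g. `(self.author == user && user != User.anonymous) || user.is_or_belongs_to?(assigned_to)`, or hoist a single check above the `case` so no branch can omit it. The enclosing method starts and ends outside this section, so it cannot be seen here whether a query-side visibility condition mirrors this logic; that should be checked as well. A regression test covering an anonymous viewer and an anonymous author under each visibility setting would pin the behaviour.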
app/models/user.rb
464 464

  
465 465
      roles = roles_for_project(context)
466 466
      return false unless roles
467
      roles.detect {|role|
467
      roles.any? {|role|
468 468
        (context.is_public? || role.member?) &&
469 469
        role.allowed_to?(action) &&
470 470
        (block_given? ? yield(role, self) : true)
......
483 483
      # authorize if user has at least one role that has this permission
484 484
      roles = memberships.collect {|m| m.roles}.flatten.uniq
485 485
      roles << (self.logged? ? Role.non_member : Role.anonymous)
486
      roles.detect {|role|
486
      roles.any? {|role|
487 487
        role.allowed_to?(action) &&
488 488
        (block_given? ? yield(role, self) : true)
489 489
      }
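Review bot: Switching `roles.detect` to `roles.any?` at lines 467 and 486 changes what these permission checks return, from the matching Role (or nil) to true/false, and the patch description does not say why that belongs in the privacy fix. Truthiness is unchanged, so authorization decisions should stay the same, but any caller that uses the returned role would break, and no callers are visible here. Either move this into a separate change or state the contract in a comment above each block, e.g. `# returns true/false, never the matching Role`. Both enclosing methods extend beyond the lines shown.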