diff --git a/app/controllers/issues_controller.rb b/app/controllers/issues_controller.rb index c23c1b5..ac993ad 100644 --- a/app/controllers/issues_controller.rb +++ b/app/controllers/issues_controller.rb @@ -137,7 +137,7 @@ class IssuesController < ApplicationController raise ::Unauthorized end call_hook(:controller_issues_new_before_save, { :params => params, :issue => @issue }) - @issue.save_attachments(params[:attachments] || (params[:issue] && params[:issue][:uploads])) + @issue.save_attachments(params[:attachments] || (params[:issue] && params[:issue][:uploads])) if User.current.allowed_to?(:edit_attachments, @issue.project) if @issue.save call_hook(:controller_issues_new_after_save, { :params => params, :issue => @issue}) respond_to do |format| @@ -439,6 +439,7 @@ class IssuesController < ApplicationController @issue.safe_attributes = attrs if @issue.project + @issue.attachments = [] unless User.current.allowed_to?(:edit_attachments, @issue.project) @issue.tracker ||= @issue.project.trackers.first if @issue.tracker.nil? render_error l(:error_no_tracker_in_project) diff --git a/app/models/issue.rb b/app/models/issue.rb index c474860..d194daa 100644 --- a/app/models/issue.rb +++ b/app/models/issue.rb @@ -43,7 +43,8 @@ class Issue < ActiveRecord::Base has_many :relations_from, :class_name => 'IssueRelation', :foreign_key => 'issue_from_id', :dependent => :delete_all has_many :relations_to, :class_name => 'IssueRelation', :foreign_key => 'issue_to_id', :dependent => :delete_all - acts_as_attachable :after_add => :attachment_added, :after_remove => :attachment_removed + acts_as_attachable :after_add => :attachment_added, :after_remove => :attachment_removed, + :view_permission => :view_attachments, :edit_permission => :edit_attachments, :delete_permission => :delete_attachments acts_as_customizable acts_as_watchable acts_as_searchable :columns => ['subject', "#{table_name}.description"], 
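Review bot: The guarded `save_attachments` call covers only the create path; `issues#update` and `bulk_update` also take `params[:attachments]` in this controller and neither is touched by the diff, so a user holding `edit_issues` but not `edit_attachments` can presumably still attach files there (moving `attachments#upload` to `edit_attachments` only closes the pre-upload token flow, not direct multipart `attachments[n][file]` fields). If those calls are still unguarded, mirror this line: `@issue.save_attachments(...) if User.current.allowed_to?(:edit_attachments, @issue.project)`. Consider also rejecting rather than silently discarding the files, since the comparable check just above raises `::Unauthorized` and a quiet drop leaves the reporter believing the file was attached. The `create` action starts and ends outside the hunk.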
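Review bot: `@issue.attachments = []` replaces a `has_many` collection, and on a persisted record Rails removes the dropped rows according to the association's `:dependent` option (which for attachable containers is typically `:destroy`), so this line is only safe while the helper runs on an unsaved issue; the surrounding `safe_attributes`/`tracker ||=` context suggests `build_new_issue_from_params`, but the method starts and ends outside the hunk. Guard it explicitly so a future reuse cannot wipe existing files: `@issue.attachments = [] if @issue.new_record? && !User.current.allowed_to?(:edit_attachments, @issue.project)`. Since `copy_from` checks `view_attachments` on the source project and this line checks `edit_attachments` on the target, a comment such as `# copied attachments are dropped unless the user may add attachments to the target project` would make the pair of checks visible.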
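Review bot: This `acts_as_attachable` line is the only change in the diff that can reach the `attachments#show`/`download` path, because every view-level check below merely hides links; whether it does depends on `lib/plugins/acts_as_attachable` actually reading `:view_permission`/`:edit_permission`/`:delete_permission` and using them in `attachments_visible?`/`attachments_editable?`/`attachments_deletable?`, which is not shown here. Please confirm the plugin consumes (and strips) those keys before the remaining options reach `has_many`; otherwise direct downloads of issue attachments stay authorised on `view_issues` alone and the new permission is cosmetic. A short comment would help future readers: `# Attachment#visible?/editable?/deletable? resolve through these permissions; the issue views only hide UI`.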
@@ -237,7 +238,7 @@ class Issue < ActiveRecord::Base self.custom_field_values = issue.custom_field_values.inject({}) {|h,v| h[v.custom_field_id] = v.value; h} self.status = issue.status self.author = User.current - unless options[:attachments] == false + if options[:attachments] == true && User.current.allowed_to?(:view_attachments, issue.project) self.attachments = issue.attachments.map do |attachement| attachement.copy(:container => self) end diff --git a/app/models/journal.rb b/app/models/journal.rb index 927f86f..36f8f22 100644 --- a/app/models/journal.rb +++ b/app/models/journal.rb @@ -74,6 +74,8 @@ class Journal < ActiveRecord::Base detail.custom_field && detail.custom_field.visible_by?(project, user) elsif detail.property == 'relation' Issue.find_by_id(detail.value || detail.old_value).try(:visible?, user) + elsif detail.property == 'attachment' + user.allowed_to?(:view_attachments, project) else true end diff --git a/app/models/mailer.rb b/app/models/mailer.rb index 0e51a09..083213e 100644 --- a/app/models/mailer.rb +++ b/app/models/mailer.rb @@ -66,7 +66,7 @@ class Mailer < ActionMailer::Base end # Builds a mail for notifying to_users and cc_users about an issue update - def issue_edit(journal, to_users, cc_users) + def issue_edit(journal, to_users, cc_users, att=false) issue = journal.journalized redmine_headers 'Project' => issue.project.identifier, 'Issue-Id' => issue.id, @@ -83,6 +83,7 @@ class Mailer < ActionMailer::Base @journal = journal @journal_details = journal.visible_details(@users.first) @issue_url = url_for(:controller => 'issues', :action => 'show', :id => issue, :anchor => "change-#{journal.id}") + @att = att mail :to => to_users, :cc => cc_users, :subject => s 
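Review bot: The condition flips the caller contract from opt-out (`unless options[:attachments] == false`) to strict opt-in (`== true`), so any caller of `Issue#copy`/`copy_from` that omits the option, or passes a truthy non-boolean such as `'1'`, now silently stops copying attachments; that is a broader behaviour change than the permission check. Keep the previous default and add only the permission test: `unless options[:attachments] == false || !User.current.allowed_to?(:view_attachments, issue.project)`. Reading `User.current` in the model is consistent with `self.author = User.current` just above, but note in a comment that this guards the source project while the target project's `edit_attachments` is enforced by the controller. `copy_from` starts and ends outside the hunk.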
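Review bot: `att=false` is a positional boolean on `issue_edit`, so call sites read `Mailer.issue_edit(journal, to, cc, true)` with no hint of what is being switched on; a descriptive name keeps positional callers working and makes the disclosure decision explicit, e.g. `def issue_edit(journal, to_users, cc_users, include_attachments=false)` with `@att = include_attachments`. This flag is the only thing standing between a recipient and the attachment list in the shared `_issue` partial, so document the caller's obligation: `# include_attachments: caller must have verified every recipient holds :view_attachments on issue.project`. The method continues outside the hunk.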
@@ -91,11 +92,18 @@ class Mailer < ActionMailer::Base # Notifies users about an issue update def self.deliver_issue_edit(journal) issue = journal.journalized.reload - to = journal.notified_users - cc = journal.notified_watchers - to + toa = journal.notified_users.select{|user| user.allowed_to?(:view_attachments, issue.project)} + cca = journal.notified_watchers.select{|user| user.allowed_to?(:view_attachments, issue.project)} - toa + to = journal.notified_users - toa + cc = journal.notified_watchers - to - toa - cca journal.each_notification(to + cc) do |users| issue.each_notification(users) do |users2| - Mailer.issue_edit(journal, to & users2, cc & users2).deliver + Mailer.issue_edit(journal, to & users2, cc & users2, false).deliver + end + end + journal.each_notification(toa + cca) do |users| + issue.each_notification(users) do |users2| + Mailer.issue_edit(journal, toa & users2, cca & users2, true).deliver end end end diff --git a/app/views/issues/_edit.html.erb b/app/views/issues/_edit.html.erb index 7415c79..bc9ef45 100644 --- a/app/views/issues/_edit.html.erb +++ b/app/views/issues/_edit.html.erb @@ -39,9 +39,11 @@ <%= call_hook(:view_issues_edit_notes_bottom, { :issue => @issue, :notes => @notes, :form => f }) %> + <% if User.current.allowed_to?(:edit_attachments, @project) %>
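Review bot: Watchers who hold `view_attachments` but are not in `notified_users` land in both `cc` and `cca`: `cc = journal.notified_watchers - to - toa` only subtracts members of `notified_users`, while `cca` re-selects those same watchers, so they receive two mails for one journal (one without and one with the attachment list). Subtract the attachment-capable watchers as well, `cc = journal.notified_watchers - to - toa - cca`, or build each pair with `partition`: `toa, to = journal.notified_users.partition {|u| u.allowed_to?(:view_attachments, issue.project)}` and likewise for the watchers. Running `each_notification` twice is otherwise a sound way to keep attachment names and download links out of mails to users who cannot view them.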
<%= l(:label_attachment_plural) %>

<%= render :partial => 'attachments/form', :locals => {:container => @issue} %>

+ <% end %> <%= f.hidden_field :lock_version %> diff --git a/app/views/issues/new.html.erb b/app/views/issues/new.html.erb index c93a1fc..87f7cf2 100644 --- a/app/views/issues/new.html.erb +++ b/app/views/issues/new.html.erb @@ -17,7 +17,7 @@ <%= check_box_tag 'link_copy', '1', @link_copy %>

<% end %> - <% if @copy_from && @copy_from.attachments.any? %> + <% if @copy_from && @copy_from.attachments.any? && User.current.allowed_to?(:view_attachments, @copy_from.project) %>

<%= check_box_tag 'copy_attachments', '1', @copy_attachments %> @@ -30,7 +30,9 @@

<% end %> + <% if User.current.allowed_to?(:edit_attachments, @project) %>

<%= render :partial => 'attachments/form', :locals => {:container => @issue} %>

+ <% end %> <% if @issue.safe_attribute? 'watcher_user_ids' -%>
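Review bot: `User.current.allowed_to?(:edit_attachments, @project)` is false whenever `@project` is nil, which is presumably the case for the cross-project `/issues/new` form, so the attachment form disappears there even for users who hold the permission in the project they select; the controller-side reset in this same change keys on `@issue.project` instead. Use the same object here: `<% if User.current.allowed_to?(:edit_attachments, @issue.project) %>`. Hiding the form is a usability measure only; the server-side check around `save_attachments` is what enforces the permission.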

diff --git a/app/views/issues/show.api.rsb b/app/views/issues/show.api.rsb index 577a885..f65599e 100644 --- a/app/views/issues/show.api.rsb +++ b/app/views/issues/show.api.rsb @@ -31,7 +31,7 @@ api.issue do @issue.attachments.each do |attachment| render_api_attachment(attachment, api) end - end if include_in_api_response?('attachments') + end if include_in_api_response?('attachments') && User.current.allowed_to?(:view_attachments, @project) api.array :relations do @relations.each do |relation| diff --git a/app/views/issues/show.html.erb b/app/views/issues/show.html.erb index 70a7fe1..f84cef4 100644 --- a/app/views/issues/show.html.erb +++ b/app/views/issues/show.html.erb @@ -72,7 +72,7 @@ end %> <%= call_hook(:view_issues_show_details_bottom, :issue => @issue) %> -<% if @issue.description? || @issue.attachments.any? -%> +<% if @issue.description? || (@issue.attachments.any? && User.current.allowed_to?(:view_attachments, @project)) -%>


<% if @issue.description? %>
@@ -86,7 +86,7 @@ end %>
<% end %> -<%= link_to_attachments @issue, :thumbnails => true %> +<%= link_to_attachments @issue, :thumbnails => true if User.current.allowed_to?(:view_attachments, @project) %> <% end -%> <%= call_hook(:view_issues_show_description_bottom, :issue => @issue) %> diff --git a/app/views/mailer/_issue.html.erb b/app/views/mailer/_issue.html.erb index 9461d84..c74ed8d 100644 --- a/app/views/mailer/_issue.html.erb +++ b/app/views/mailer/_issue.html.erb @@ -4,7 +4,7 @@ <%= textilizable(issue, :description, :only_path => false) %> -<% if issue.attachments.any? %> +<% if issue.attachments.any? && @att %>
<%= l(:label_attachment_plural) %> <% issue.attachments.each do |attachment| %> <%= link_to_attachment attachment, :download => true, :only_path => false %> diff --git a/app/views/mailer/_issue.text.erb b/app/views/mailer/_issue.text.erb index 0034c44..a934333 100644 --- a/app/views/mailer/_issue.text.erb +++ b/app/views/mailer/_issue.text.erb @@ -5,7 +5,7 @@ ---------------------------------------- <%= issue.description %> -<% if issue.attachments.any? -%> +<% if issue.attachments.any? && @att -%> ---<%= l(:label_attachment_plural).ljust(37, '-') %> <% issue.attachments.each do |attachment| -%> <%= attachment.filename %> (<%= number_to_human_size(attachment.filesize) %>) diff --git a/config/locales/en.yml b/config/locales/en.yml index 7d98034..e27c134 100644 --- a/config/locales/en.yml +++ b/config/locales/en.yml @@ -454,6 +454,9 @@ en: permission_set_notes_private: Set notes as private permission_move_issues: Move issues permission_delete_issues: Delete issues + permission_view_attachments: View attachments + permission_edit_attachments: Edit attachments + permission_delete_attachments: Delete attachments permission_manage_public_queries: Manage public queries permission_save_queries: Save queries permission_view_gantt: View gantt chart diff --git a/config/locales/pt-BR.yml b/config/locales/pt-BR.yml index 43f8b32..221fb01 100644 --- a/config/locales/pt-BR.yml +++ b/config/locales/pt-BR.yml @@ -784,6 +784,9 @@ pt-BR: permission_manage_members: Gerenciar membros permission_edit_messages: Editar mensagens permission_delete_issues: Excluir tarefas + permission_view_attachments: Ver arquivos anexos + permission_edit_attachments: Editar arquivos anexos + permission_delete_attachments: Apagar arquivos anexos permission_view_issue_watchers: Ver lista de observadores permission_manage_repository: Gerenciar repositório permission_commit_access: Acesso do commit 
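Review bot: `@att` is set only by `issue_edit` in this diff, but `_issue` (and its text twin) is the partial shared with the new-issue notification, where the variable will be nil and the attachment list will therefore never render, for anyone; unless `issue_add` is updated elsewhere this is a silent regression for new-issue mails. Either set `@att` there too, with the same per-recipient `view_attachments` split used by `deliver_issue_edit`, or make the partial's condition self-contained. Add a comment at the top of the partial so the coupling is visible: `<%# @att: set by the mailer only when every recipient may view attachments on issue.project %>`.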
diff --git a/db/migrate/20161215142110_add_attachments_permissions.rb b/db/migrate/20161215142110_add_attachments_permissions.rb new file mode 100644 index 0000000..d0fbb1f --- /dev/null +++ b/db/migrate/20161215142110_add_attachments_permissions.rb @@ -0,0 +1,17 @@ +class AddAttachmentsPermissions < ActiveRecord::Migration + def self.up + Role.all.each do |r| + r.add_permission!(:view_attachments) if r.has_permission?(:view_issues) + r.add_permission!(:edit_attachments) if r.has_permission?(:edit_issues) + r.add_permission!(:delete_attachments) if r.has_permission?(:edit_issues) + end + end + + def self.down + Role.all.each do |r| + r.remove_permission!(:view_attachments) + r.remove_permission!(:edit_attachments) + r.remove_permission!(:delete_attachments) + end + end +end diff --git a/lib/plugins/acts_as_searchable/lib/acts_as_searchable.rb b/lib/plugins/acts_as_searchable/lib/acts_as_searchable.rb index be89071..d84d946 100644 --- a/lib/plugins/acts_as_searchable/lib/acts_as_searchable.rb +++ b/lib/plugins/acts_as_searchable/lib/acts_as_searchable.rb @@ -135,6 +135,7 @@ module Redmine r |= fetch_ranks_and_ids( search_scope(user, projects, options). joins(:attachments). + where("#{Project.allowed_to_condition(user, :view_attachments)}", false). where(search_tokens_condition(["#{Attachment.table_name}.filename", "#{Attachment.table_name}.description"], tokens, options[:all_words])), options[:limit] ) diff --git a/lib/redmine.rb b/lib/redmine.rb index 2f4dbb5..e949757 100644 --- a/lib/redmine.rb +++ b/lib/redmine.rb 
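Review bot: The migration grants `edit_attachments` only to roles that already have `edit_issues`, but the `lib/redmine.rb` change in this diff removes `:attachments => :upload` from `add_issues` and `add_issue_notes` as well, so a reporter-style role that can create issues or add notes but not edit issues loses the ability to attach files after the upgrade. Grant it to every role that previously had upload access: `r.add_permission!(:edit_attachments) if r.has_permission?(:edit_issues) || r.has_permission?(:add_issues) || r.has_permission?(:add_issue_notes)`. `Role.all` also covers the built-in Anonymous and Non-member roles, so `view_attachments` is granted to them wherever they had `view_issues`; that is presumably intended for public projects, but it deserves a comment because the permission is declared `:require => :member`.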
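Review bot: The second argument to `where` is a stray value: `Project.allowed_to_condition` returns a finished SQL fragment with no `?` placeholders, so `where("...", false)` sends `false` through Rails' `sanitize_sql_array` format-string branch, where it is ignored today and could raise should the condition ever contain a `%`. Pass the condition alone, `where(Project.allowed_to_condition(user, :view_attachments))`, and since `search_scope(user, projects, ...)` already restricts by user, add a one-line comment on why a second permission applies to this branch only: `# filename/description hits must not leak attachments the user cannot view`.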
@@ -97,19 +97,23 @@ Redmine::AccessControl.map do |map| :queries => :index, :reports => [:issue_report, :issue_report_details]}, :read => true - map.permission :add_issues, {:issues => [:new, :create], :attachments => :upload} - map.permission :edit_issues, {:issues => [:edit, :update, :bulk_edit, :bulk_update], :journals => [:new], :attachments => :upload} - map.permission :copy_issues, {:issues => [:new, :create, :bulk_edit, :bulk_update], :attachments => :upload} + map.permission :add_issues, {:issues => [:new, :create]} + map.permission :edit_issues, {:issues => [:edit, :update, :bulk_edit, :bulk_update], :journals => [:new]} + map.permission :copy_issues, {:issues => [:new, :create, :bulk_edit, :bulk_update]} map.permission :manage_issue_relations, {:issue_relations => [:index, :show, :create, :destroy]} map.permission :manage_subtasks, {} map.permission :set_issues_private, {} map.permission :set_own_issues_private, {}, :require => :loggedin - map.permission :add_issue_notes, {:issues => [:edit, :update], :journals => [:new], :attachments => :upload} + map.permission :add_issue_notes, {:issues => [:edit, :update], :journals => [:new]} map.permission :edit_issue_notes, {:journals => :edit}, :require => :loggedin map.permission :edit_own_issue_notes, {:journals => :edit}, :require => :loggedin map.permission :view_private_notes, {}, :read => true, :require => :member map.permission :set_notes_private, {}, :require => :member map.permission :delete_issues, {:issues => :destroy}, :require => :member + # Attachments + map.permission :view_attachments, {}, :require => :member + map.permission :edit_attachments, {:attachments => :upload}, :require => :member + map.permission :delete_attachments, {:attachments => :destroy}, :require => :member # Queries map.permission :manage_public_queries, {:queries => [:new, :create, :edit, :update, :destroy]}, :require => :member map.permission :save_queries, {:queries => [:new, :create, :edit, :update, :destroy]}, :require => 
:loggedin diff --git a/lib/redmine/export/pdf/issues_pdf_helper.rb b/lib/redmine/export/pdf/issues_pdf_helper.rb index a9ee230..968d27b 100644 --- a/lib/redmine/export/pdf/issues_pdf_helper.rb +++ b/lib/redmine/export/pdf/issues_pdf_helper.rb @@ -223,7 +223,7 @@ module Redmine end end - if issue.attachments.any? + if issue.attachments.any? && User.current.allowed_to?(:view_attachments, @project) pdf.SetFontStyle('B',9) pdf.RDMCell(190,5, l(:label_attachment_plural), "B") pdf.ln
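Review bot: `view_attachments` is declared without `:read => true`, unlike the `view_issues` entry in the context above; Redmine treats closed projects as read-only and only honours permissions flagged as read actions there, so after this change attachments on closed projects would presumably become invisible while the issues themselves remain readable. Declare it as a read permission: `map.permission :view_attachments, {}, :read => true, :require => :member`. The `:require => :member` on all three is also at odds with the migration in this same diff, which hands `view_attachments` to every role holding `view_issues` including the built-in Anonymous/Non-member roles; once an admin removes it from those roles the UI will refuse to re-grant it, so either drop `:require` on the view permission or limit the migration to member roles.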
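Review bot: The permission check reads `@project` while the rest of the line operates on the `issue` argument; inside a helper module `@project` is whatever the calling controller happened to set, and when the PDF is produced from another context it can be nil (hiding attachments) or a different project (checking the wrong membership). Use the issue's own project: `if issue.attachments.any? && User.current.allowed_to?(:view_attachments, issue.project)`. The enclosing method starts and ends outside the hunk.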