diff --git a/app/controllers/issues_controller.rb b/app/controllers/issues_controller.rb index c640aad..36e794d 100644 --- a/app/controllers/issues_controller.rb +++ b/app/controllers/issues_controller.rb @@ -125,7 +125,7 @@ class IssuesController < ApplicationController raise ::Unauthorized end call_hook(:controller_issues_new_before_save, { :params => params, :issue => @issue }) - @issue.save_attachments(params[:attachments] || (params[:issue] && params[:issue][:uploads])) + @issue.save_attachments(params[:attachments] || (params[:issue] && params[:issue][:uploads])) if User.current.allowed_to?(:edit_attachments, @issue.project) if @issue.save call_hook(:controller_issues_new_after_save, { :params => params, :issue => @issue}) respond_to do |format| @@ -522,6 +522,7 @@ class IssuesController < ApplicationController @issue.safe_attributes = attrs if @issue.project + @issue.attachments = [] unless User.current.allowed_to?(:edit_attachments, @issue.project) @issue.tracker ||= @issue.allowed_target_trackers.first if @issue.tracker.nil? if @issue.project.trackers.any? diff --git a/app/models/issue.rb b/app/models/issue.rb index 58d51e1..e664f4e 100644 --- a/app/models/issue.rb +++ b/app/models/issue.rb @@ -38,7 +38,8 @@ class Issue < ActiveRecord::Base has_many :relations_from, :class_name => 'IssueRelation', :foreign_key => 'issue_from_id', :dependent => :delete_all has_many :relations_to, :class_name => 'IssueRelation', :foreign_key => 'issue_to_id', :dependent => :delete_all - acts_as_attachable :after_add => :attachment_added, :after_remove => :attachment_removed + acts_as_attachable :after_add => :attachment_added, :after_remove => :attachment_removed, + :view_permission => :view_attachments, :edit_permission => :edit_attachments, :delete_permission => :delete_attachments acts_as_customizable acts_as_watchable acts_as_searchable :columns => ['subject', "#{table_name}.description"], 
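Review bot: The added `if User.current.allowed_to?(:edit_attachments, @issue.project)` on the `save_attachments` call silently discards the files the user just uploaded while the issue is still created and a success response is returned, so the user gets no signal and the already-uploaded attachment records are presumably left orphaned. The `raise ::Unauthorized` two lines above shows the pattern this controller already uses; I would reject rather than drop: `uploads = params[:attachments] || (params[:issue] && params[:issue][:uploads])`, `raise ::Unauthorized if uploads.present? && !User.current.allowed_to?(:edit_attachments, @issue.project)`, `@issue.save_attachments(uploads)`. If the update action has a parallel `save_attachments` call outside this diff it needs the same guard, since the lib/redmine.rb hunk moves the upload route under `edit_attachments` rather than under the target issue's edit right. The enclosing create action continues outside the hunk.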
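Review bot: The new `@issue.attachments = [] unless User.current.allowed_to?(:edit_attachments, @issue.project)` line reads as enforcing the target project's edit right on attachments copied in from another issue (the `copy_from` hunk in this diff), but nothing says so, and a reader may take it for a reset of form uploads, which go through `save_attachments` in the first hunk. I would add above it `# attachments copied from @copy_from (Issue#copy_from) need edit rights on the target project; form uploads are checked where save_attachments is called`. The enclosing method starts and ends outside the hunk.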
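Review bot: The three new `acts_as_attachable` options are the only server-side counterpart of the many view-level `allowed_to?` checks in this diff, and that deserves a comment, because whoever later edits the views will otherwise assume hiding the form is the enforcement. I would add above the macro `# view/edit/delete rights on issue attachments are explicit permissions (see lib/redmine.rb) instead of being derived from view_issues/edit_issues`. Whether `acts_as_attachable` wires these keys into the `attachments_visible?`/`attachments_editable?`/`attachments_deletable?` checks behind attachment download and `deleted_attachment_ids` cannot be seen from this diff; confirm before relying on it.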
@@ -269,7 +269,7 @@ class Issue < ActiveRecord::Base self.status = issue.status end self.author = User.current - unless options[:attachments] == false + if options[:attachments] == true && User.current.allowed_to?(:view_attachments, issue.project) self.attachments = issue.attachments.map do |attachement| attachement.copy(:container => self) end diff --git a/app/models/journal.rb b/app/models/journal.rb index 927f86f..36f8f22 100644 --- a/app/models/journal.rb +++ b/app/models/journal.rb @@ -89,6 +89,8 @@ class Journal < ActiveRecord::Base detail.custom_field && detail.custom_field.visible_by?(project, user) elsif detail.property == 'relation' Issue.find_by_id(detail.value || detail.old_value).try(:visible?, user) + elsif detail.property == 'attachment' + user.allowed_to?(:view_attachments, project) else true end diff --git a/app/models/mailer.rb b/app/models/mailer.rb index fe02792..6261669 100644 --- a/app/models/mailer.rb +++ b/app/models/mailer.rb @@ -66,7 +66,7 @@ class Mailer < ActionMailer::Base end # Builds a mail for notifying to_users and cc_users about an issue update - def issue_edit(journal, to_users, cc_users) + def issue_edit(journal, to_users, cc_users, att=false) issue = journal.journalized redmine_headers 'Project' => issue.project.identifier, 'Issue-Id' => issue.id, @@ -83,6 +83,7 @@ class Mailer < ActionMailer::Base @journal = journal @journal_details = journal.visible_details(@users.first) @issue_url = url_for(:controller => 'issues', :action => 'show', :id => issue, :anchor => "change-#{journal.id}") + @att = att mail :to => to_users, :cc => cc_users, :subject => s 
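Review bot: Besides adding the permission check, the rewritten condition flips the default: the old `unless options[:attachments] == false` copied attachments whenever the caller did not opt out, while the new `if options[:attachments] == true` copies only on an explicit `true`, so any caller that omits the option or passes a truthy non-`true` value now silently gets no attachments. If only the permission check is intended, keep the opt-out default: `if options[:attachments] != false && User.current.allowed_to?(:view_attachments, issue.project)`. The model also now depends on the request-scoped `User.current`; outside a request (rake tasks, mail handler) that is presumably the anonymous user, so copies made there will drop attachments — confirm that is acceptable. The enclosing `copy_from` continues outside the hunk.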
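Review bot: `att=false` is a positional boolean flag on a public mailer method, so call sites read `issue_edit(journal, to, cc, true)` with no hint what `true` means (see the two calls in the `deliver_issue_edit` hunk that follows). A keyword argument is clearer and stays compatible with existing callers: `def issue_edit(journal, to_users, cc_users, attachments: false)`, with the second hunk's `@att = att` becoming `@attachments_visible = attachments` and the two mailer partials reading that name. The method body continues outside the hunk.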
@@ -91,11 +92,18 @@ class Mailer < ActionMailer::Base # Notifies users about an issue update def self.deliver_issue_edit(journal) issue = journal.journalized.reload - to = journal.notified_users - cc = journal.notified_watchers - to + toa = journal.notified_users.select{|user| user.allowed_to?(:view_attachments, issue.project)} + cca = journal.notified_watchers.select{|user| user.allowed_to?(:view_attachments, issue.project)} - toa + to = journal.notified_users - toa + cc = journal.notified_watchers - to - toa - cca journal.each_notification(to + cc) do |users| issue.each_notification(users) do |users2| - issue_edit(journal, to & users2, cc & users2).deliver + issue_edit(journal, to & users2, cc & users2, false).deliver + end + end + journal.each_notification(toa + cca) do |users| + issue.each_notification(users) do |users2| + issue_edit(journal, toa & users2, cca & users2, true).deliver end end end diff --git a/app/views/issues/_edit.html.erb b/app/views/issues/_edit.html.erb index 67e3324..d90657e 100644 --- a/app/views/issues/_edit.html.erb +++ b/app/views/issues/_edit.html.erb @@ -39,6 +39,7 @@ <%= call_hook(:view_issues_edit_notes_bottom, { :issue => @issue, :notes => @notes, :form => f }) %> + <% if User.current.allowed_to?(:edit_attachments, @project) %>
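Review bot: The recipient split in `deliver_issue_edit` writes the same `select{|user| user.allowed_to?(:view_attachments, issue.project)}` twice, derives `cc` through a four-term subtraction that takes a moment to verify (it resolves to watchers who are neither notified users nor allowed to view attachments), and then duplicates the nested `each_notification` loops for the two groups. `partition` on `notified_users` and on `notified_watchers - notified_users` yields the same four sets directly, and one loop over the two groups removes the duplication; the rewrite below keeps the `issue_edit(..., true/false)` calls as the hunk has them. The `_edit.html.erb` hunk that starts on this line is reviewed separately.
```ruby
  def self.deliver_issue_edit(journal)
    issue = journal.journalized.reload
    can_view_attachments = ->(user) { user.allowed_to?(:view_attachments, issue.project) }
    toa, to = journal.notified_users.partition(&can_view_attachments)
    cca, cc = (journal.notified_watchers - journal.notified_users).partition(&can_view_attachments)
    [[to, cc, false], [toa, cca, true]].each do |to_group, cc_group, with_attachments|
      journal.each_notification(to_group + cc_group) do |users|
        issue.each_notification(users) do |users2|
          issue_edit(journal, to_group & users2, cc_group & users2, with_attachments).deliver
        end
      end
    end
  end
```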
<%= l(:label_attachment_plural) %> <% if @issue.attachments.any? && @issue.safe_attribute?('deleted_attachment_ids') %>
<%= link_to l(:label_edit_attachments), '#', :onclick => "$('#existing-attachments').toggle(); return false;" %>
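Review bot: Wrapping the whole attachments section in `<% if User.current.allowed_to?(:edit_attachments, @project) %>` also hides the existing-attachments toggle, whose inner condition `@issue.safe_attribute?('deleted_attachment_ids')` already reflects the delete right, so a role granted `delete_attachments` without `edit_attachments` (they are separate permissions in the lib/redmine.rb hunk) loses the UI for a right it holds. With the rest of the partial not visible here, consider `<% if User.current.allowed_to?(:edit_attachments, @project) || @issue.safe_attribute?('deleted_attachment_ids') %>` for the section and keeping only the upload form under the `edit_attachments` check. The matching `<% end %>` is in the next hunk.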
@@ -62,6 +62,7 @@ <%= render :partial => 'attachments/form', :locals => {:container => @issue} %>
+ <% end %> <% end %> diff --git a/app/views/issues/new.html.erb b/app/views/issues/new.html.erb index c93a1fc..87f7cf2 100644 --- a/app/views/issues/new.html.erb +++ b/app/views/issues/new.html.erb @@ -17,7 +17,7 @@ <%= check_box_tag 'link_copy', '1', @link_copy %>

<% end %> - <% if @copy_from && @copy_from.attachments.any? %> + <% if @copy_from && @copy_from.attachments.any? && User.current.allowed_to?(:view_attachments, @copy_from.project) %>

<%= check_box_tag 'copy_attachments', '1', @copy_attachments %> @@ -30,7 +30,9 @@

<% end %> + <% if User.current.allowed_to?(:edit_attachments, @project) %>

<%= render :partial => 'attachments/form', :locals => {:container => @issue} %>

+ <% end %>
<%= render :partial => 'issues/watchers_form' %> diff --git a/app/views/issues/show.api.rsb b/app/views/issues/show.api.rsb index f474ed9..1fecc10 100644 --- a/app/views/issues/show.api.rsb +++ b/app/views/issues/show.api.rsb @@ -35,7 +35,7 @@ api.issue do @issue.attachments.each do |attachment| render_api_attachment(attachment, api) end - end if include_in_api_response?('attachments') + end if include_in_api_response?('attachments') && User.current.allowed_to?(:view_attachments, @project) api.array :relations do @relations.each do |relation| diff --git a/app/views/issues/show.html.erb b/app/views/issues/show.html.erb index 2cbff32..ff9440a 100644 --- a/app/views/issues/show.html.erb +++ b/app/views/issues/show.html.erb @@ -75,7 +75,7 @@ end %> <%= call_hook(:view_issues_show_details_bottom, :issue => @issue) %>
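Review bot: `User.current.allowed_to?(:edit_attachments, @project)` around the upload form in new.html.erb depends on `@project` being set; if this template is also rendered for the project-less new-issue route where the project is chosen in the form, `allowed_to?` with a `nil` context presumably returns false and the upload widget disappears for everyone. `@issue.project`, the context the controller hunk uses for the same permission, looks like the safer choice; confirm how `@project` is populated on that route. The same question applies to the `edit_attachments` check added in `_edit.html.erb`.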
-<% if @issue.description? || @issue.attachments.any? -%> +<% if @issue.description? || (@issue.attachments.any? && User.current.allowed_to?(:view_attachments, @project)) -%>
<% if @issue.description? %>
@@ -89,7 +89,7 @@ end %>
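Review bot: `User.current.allowed_to?(:view_attachments, @project)` is evaluated in this hunk and again in the `link_to_attachments` hunk right below it, where it sits as a trailing `if` on a multi-argument helper call (`link_to_attachments @issue, :thumbnails => true if ...`) that is easy to misread as applying only to the `:thumbnails` option. Compute it once near the top of the template, `<% attachments_visible = User.current.allowed_to?(:view_attachments, @project) %>`, use `attachments_visible` in both conditions, and wrap the second call in a plain `<% if attachments_visible %> ... <% end %>`.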
<% end %> -<%= link_to_attachments @issue, :thumbnails => true %> +<%= link_to_attachments @issue, :thumbnails => true if User.current.allowed_to?(:view_attachments, @project) %> <% end -%> <%= render_full_width_custom_fields_rows(@issue) %> diff --git a/app/views/mailer/_issue.html.erb b/app/views/mailer/_issue.html.erb index 9461d84..c74ed8d 100644 --- a/app/views/mailer/_issue.html.erb +++ b/app/views/mailer/_issue.html.erb @@ -4,7 +4,7 @@ <%= textilizable(issue, :description, :only_path => false) %> -<% if issue.attachments.any? %> +<% if issue.attachments.any? && @att %>
<%= l(:label_attachment_plural) %> <% issue.attachments.each do |attachment| %> <%= link_to_attachment attachment, :download => true, :only_path => false %> diff --git a/app/views/mailer/_issue.text.erb b/app/views/mailer/_issue.text.erb index 0034c44..a934333 100644 --- a/app/views/mailer/_issue.text.erb +++ b/app/views/mailer/_issue.text.erb @@ -5,7 +5,7 @@ ---------------------------------------- <%= issue.description %> -<% if issue.attachments.any? -%> +<% if issue.attachments.any? && @att -%> ---<%= l(:label_attachment_plural).ljust(37, '-') %> <% issue.attachments.each do |attachment| -%> <%= attachment.filename %> (<%= number_to_human_size(attachment.filesize) %>) diff --git a/config/locales/en.yml b/config/locales/en.yml index a6501c3..bde0912 100644 --- a/config/locales/en.yml +++ b/config/locales/en.yml @@ -486,6 +486,9 @@ en: permission_set_notes_private: Set notes as private permission_move_issues: Move issues permission_delete_issues: Delete issues + permission_view_attachments: View attachments + permission_edit_attachments: Edit attachments + permission_delete_attachments: Delete attachments permission_manage_public_queries: Manage public queries permission_save_queries: Save queries permission_view_gantt: View gantt chart diff --git a/config/locales/pt-BR.yml b/config/locales/pt-BR.yml index 5c9e5bd..f26a301 100644 --- a/config/locales/pt-BR.yml +++ b/config/locales/pt-BR.yml @@ -784,6 +784,9 @@ pt-BR: permission_manage_members: Gerenciar membros permission_edit_messages: Editar mensagens permission_delete_issues: Excluir tarefas + permission_view_attachments: Ver arquivos anexos + permission_edit_attachments: Editar arquivos anexos + permission_delete_attachments: Apagar arquivos anexos permission_view_issue_watchers: Ver lista de observadores permission_manage_repository: Gerenciar repositório permission_commit_access: Acesso do commit 
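Review bot: The partial now lists attachments only when `@att` is truthy, and `@att` is assigned only in `issue_edit` (mailer hunk above); if `_issue.html.erb` and `_issue.text.erb` are also rendered by the new-issue notification, that mail loses its attachment list for every recipient, including those allowed to see it, because the instance variable is simply `nil` there. That fails closed, which is the right direction, but it is a silent functional regression; either set the flag in every mailer action that renders these partials or make the partial decide per recipient. Hedged, since the other mailer actions are outside this diff.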
diff --git a/db/migrate/20161215142110_add_attachments_permissions.rb b/db/migrate/20161215142110_add_attachments_permissions.rb
new file mode 100644
index 0000000..d0fbb1f
--- /dev/null
+++ b/db/migrate/20161215142110_add_attachments_permissions.rb
@@ -0,0 +1,17 @@
+class AddAttachmentsPermissions < ActiveRecord::Migration
+ def self.up
+ Role.all.each do |r|
+ r.add_permission!(:view_attachments) if r.has_permission?(:view_issues)
+ r.add_permission!(:edit_attachments) if r.has_permission?(:edit_issues)
+ r.add_permission!(:delete_attachments) if r.has_permission?(:edit_issues)
+ end
+ end
+
+ def self.down
+ Role.all.each do |r|
+ r.remove_permission!(:view_attachments)
+ r.remove_permission!(:edit_attachments)
+ r.remove_permission!(:delete_attachments)
+ end
+ end
+end
diff --git a/lib/plugins/acts_as_searchable/lib/acts_as_searchable.rb b/lib/plugins/acts_as_searchable/lib/acts_as_searchable.rb
index be89071..d84d946 100644
--- a/lib/plugins/acts_as_searchable/lib/acts_as_searchable.rb
+++ b/lib/plugins/acts_as_searchable/lib/acts_as_searchable.rb
@@ -135,6 +135,7 @@ module Redmine
 r |= fetch_ranks_and_ids(
 search_scope(user, projects, options).
 joins(:attachments).
+ where("#{Project.allowed_to_condition(user, :view_attachments)}", false).
 where(search_tokens_condition(["#{Attachment.table_name}.filename", "#{Attachment.table_name}.description"], tokens, options[:all_words])),
 options[:limit]
 )
diff --git a/lib/redmine.rb b/lib/redmine.rb
index 71722cc..13e5e7d 100644
--- a/lib/redmine.rb
+++ b/lib/redmine.rb
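Review bot: The data migration grants `edit_attachments` only to roles holding `edit_issues`, but the lib/redmine.rb hunk removes `:attachments => :upload` from `add_issues`, `copy_issues` and `add_issue_notes` as well, so a role with only those (a typical reporter role) silently loses the ability to upload once this migration runs. The grant should mirror the rights being removed, e.g. `r.add_permission!(:edit_attachments) if r.has_permission?(:edit_issues) || r.has_permission?(:add_issues) || r.has_permission?(:add_issue_notes) || r.has_permission?(:copy_issues)`. `Role.all` presumably includes the built-in non-member and anonymous roles, and all three new permissions are declared `:require => :member`, so the migration would store on those roles a permission the role form cannot later revoke; consider `next if r.builtin?` inside the loop, to be confirmed against the Role model.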
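Review bot: `where("#{Project.allowed_to_condition(user, :view_attachments)}", false)` hands a bind value to a condition string that contains no placeholder; with no `?` in the statement ActiveRecord's sanitizer presumably falls through to `String#%` formatting, so the `false` is ignored at best and a `%` in the generated SQL would break the query. The string interpolation wrapper is redundant as well. `where(Project.allowed_to_condition(user, :view_attachments))` states the intent and matches the `where(search_tokens_condition(...))` call that follows it.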
@@ -99,19 +99,23 @@ Redmine::AccessControl.map do |map|
 :queries => :index,
 :reports => [:issue_report, :issue_report_details]},
 :read => true
- map.permission :add_issues, {:issues => [:new, :create], :attachments => :upload}
- map.permission :edit_issues, {:issues => [:edit, :update, :bulk_edit, :bulk_update], :journals => [:new], :attachments => :upload}
- map.permission :copy_issues, {:issues => [:new, :create, :bulk_edit, :bulk_update], :attachments => :upload}
+ map.permission :add_issues, {:issues => [:new, :create]}
+ map.permission :edit_issues, {:issues => [:edit, :update, :bulk_edit, :bulk_update], :journals => [:new]}
+ map.permission :copy_issues, {:issues => [:new, :create, :bulk_edit, :bulk_update]}
 map.permission :manage_issue_relations, {:issue_relations => [:index, :show, :create, :destroy]}
 map.permission :manage_subtasks, {}
 map.permission :set_issues_private, {}
 map.permission :set_own_issues_private, {}, :require => :loggedin
- map.permission :add_issue_notes, {:issues => [:edit, :update], :journals => [:new], :attachments => :upload}
+ map.permission :add_issue_notes, {:issues => [:edit, :update], :journals => [:new]}
 map.permission :edit_issue_notes, {:journals => [:edit, :update]}, :require => :loggedin
 map.permission :edit_own_issue_notes, {:journals => [:edit, :update]}, :require => :loggedin
 map.permission :view_private_notes, {}, :read => true, :require => :member
 map.permission :set_notes_private, {}, :require => :member
 map.permission :delete_issues, {:issues => :destroy}, :require => :member
+ # Attachments
+ map.permission :view_attachments, {}, :require => :member
+ map.permission :edit_attachments, {:attachments => :upload}, :require => :member
+ map.permission :delete_attachments, {:attachments => :destroy}, :require => :member
 # Watchers
 map.permission :view_issue_watchers, {}, :read => true
 map.permission :add_issue_watchers, {:watchers => [:new, :create, :append, :autocomplete_for_user]}
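Review bot: `view_attachments` is declared `{}, :require => :member` without `:read => true`, whereas `view_issues` (the `:read => true` context at the top of this hunk) and `view_issue_watchers` are read permissions; in Redmine only read permissions presumably stay usable in closed projects, so issues in a closed project would remain readable while their attachments vanish, and `:require => :member` means the permission cannot be given to the non-member or anonymous role, making attachments on public projects members-only. If that narrowing is intended it should be stated in the `# Attachments` comment; otherwise `map.permission :view_attachments, {}, :read => true` keeps attachment visibility aligned with issue visibility, with `:require => :member` added only if anonymous access is deliberately dropped. The comment could also record that these three permissions replace the upload right previously implied by `add_issues`/`edit_issues`/`copy_issues`/`add_issue_notes`, which is what the removed lines above take away.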
diff --git a/lib/redmine/export/pdf/issues_pdf_helper.rb b/lib/redmine/export/pdf/issues_pdf_helper.rb index 75f63d2..badce57 100644 --- a/lib/redmine/export/pdf/issues_pdf_helper.rb +++ b/lib/redmine/export/pdf/issues_pdf_helper.rb @@ -235,7 +235,7 @@ module Redmine end end - if issue.attachments.any? + if issue.attachments.any? && User.current.allowed_to?(:view_attachments, @project) pdf.SetFontStyle('B',9) pdf.RDMCell(190,5, l(:label_attachment_plural), "B") pdf.ln
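Review bot: The new condition mixes `issue.attachments` with `@project`: this helper receives the issue as an argument, while `@project` is presumably the controller's current project, which on a cross-project export (issue list without a project, or an issue from a subproject) is `nil` or a different project, so the attachment block is either omitted or decided against the wrong project's permissions. Use the object already in hand: `if issue.attachments.any? && User.current.allowed_to?(:view_attachments, issue.project)`. The enclosing method starts and ends outside the hunk.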