"View differences" buttons are shown in the repository page even without "Browse repository" permission
|Assignee:||Jean-Philippe Lang||% Done:|
You are not allowed to see the diff between changesets if you don't have a "Browse repository" permission. However, "View differences" buttons on RepositoriesController#show page are always shown even if you don't have the permission. In contrast, the "View differences" tab on the RepositoriesController#revision is hidden depending on the permission.
I think the buttons should be hidden if the current user does not have a "Browse repository" permission.
"View differences" buttons are shown in the repository page even without "Browse repository" permission (#30731).
Patch by Go MAEDA.
#2 Updated by Go MAEDA about 1 month ago
- Target version set to Candidate for next minor release
Thank you for the patch. While reviewing the patch, I found that we don't have to show radio buttons to select revisions to show diff when "View differences" is hidden.
IMHO, the following fix is better. It hides the radio boxes as well as the button. In addition, it is simpler.
diff --git a/app/views/repositories/_revisions.html.erb b/app/views/repositories/_revisions.html.erb index 914999b34..514380791 100644 --- a/app/views/repositories/_revisions.html.erb +++ b/app/views/repositories/_revisions.html.erb @@ -20,7 +20,7 @@ end %> :repository_id => @repository.identifier_param, :path => to_path_param(path)}, :method => :get ) do %> -<% show_diff = revisions.size > 1 %> +<% show_diff = revisions.size > 1 && User.current.allowed_to?(:browse_repository, @repository.project) %> <%= submit_tag(l(:label_view_diff), :name => nil) if show_diff %> <table class="list changesets"> <thead><tr>