@projects = @time_entries.collect(&:project).compact.uniq
@project = @projects.first if @projects.size == 1
@activities = TimeEntryActivity.shared.active
- @can = {:edit => User.current.allowed_to?(:edit_time_entries, @projects),
- :delete => User.current.allowed_to?(:edit_time_entries, @projects)
- }
+
+ edit_allowed = @time_entries.all? {|t| t.editable_by?(User.current)}
+ @can = {:edit => edit_allowed, :delete => edit_allowed}
@back = back_url
@options_by_custom_field = {}
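Review bot: The `:delete` flag is now derived from the same `editable_by?` result as `:edit`, and nothing in the new lines records that this is deliberate rather than a shortcut; a comment such as `# :delete mirrors :edit — TimeEntry#editable_by? is the single rule for both; the server-side gate is the Unauthorized check in find_time_entries` would stop a later reader re-adding a permission-name check here. `User.current` is re-evaluated inside the block for every entry; hoisting it, `user = User.current` then `edit_allowed = @time_entries.all? {|t| t.editable_by?(user)}`, is cheaper and reads better. Be aware that `all?` on an empty collection is true, so if `@time_entries` can be empty at this point (any guard is above the hunk) both flags read as allowed; harmless for a menu, but it is another reason the menu flags must stay advisory. The enclosing action starts before the hunk.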
def find_time_entries
@time_entries = TimeEntry.where(:id => params[:id] || params[:ids]).to_a
raise ActiveRecord::RecordNotFound if @time_entries.empty?
+ raise Unauthorized unless @time_entries.all? {|t| t.editable_by?(User.current)}
@projects = @time_entries.collect(&:project).compact.uniq
@project = @projects.first if @projects.size == 1
rescue ActiveRecord::RecordNotFound
end
end
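Review bot: The `raise Unauthorized` added to `find_time_entries` is not covered by the `rescue ActiveRecord::RecordNotFound` clause below it, so it depends on a controller-wide handler turning it into a 403 (the new test expecting `assert_response 403` suggests one exists), and nothing here says so. A comment above the raise, `# Every selected entry must be editable by the current user (edit_time_entries, or edit_own_time_entries for own entries); Unauthorized is not rescued here and surfaces as 403 via the global handler`, would make that contract explicit for the next maintainer. Note the ordering the new line creates: only an entirely empty result raises `RecordNotFound`, while a set where at least one id exists proceeds to the authorization check, so a 403 versus a 404 now distinguishes "exists but not yours" from "nothing found" — worth stating in the same comment. As in the context-menu change, `User.current` can be hoisted out of the block.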
+ def test_time_entries_context_menu_with_edit_own_time_entries_permission
+ @request.session[:user_id] = 2
+ Role.find_by_name('Manager').remove_permission! :edit_time_entries
+ Role.find_by_name('Manager').add_permission! :edit_own_time_entries
+ ids = (0..1).map {TimeEntry.generate!(:user => User.find(2)).id}
+
+ get :time_entries, :ids => ids
+ assert_response :success
+ assert_template 'context_menus/time_entries'
+ assert_select 'a:not(.disabled)', :text => 'Edit'
+ end
+
def test_time_entries_context_menu_without_edit_permission
@request.session[:user_id] = 2
Role.find_by_name('Manager').remove_permission! :edit_time_entries
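Review bot: The new context-menu test only covers the positive case (own entries render an enabled Edit link); there is no counterpart showing that, with only `edit_own_time_entries`, entries belonging to another user render Edit disabled, which is exactly the regression the menu flags are meant to prevent. The timelog tests in this commit add a denial case for `bulk_update` using fixture ids 1 and 2, so the same fixtures can be reused here, assuming they belong to a user other than 2 (confirm against the fixture file). The role setup is also repeated verbatim across the new tests and could move into a small helper.
```ruby
def test_time_entries_context_menu_with_edit_own_time_entries_permission_should_disable_edit_for_other_users_entries
  @request.session[:user_id] = 2
  Role.find_by_name('Manager').remove_permission! :edit_time_entries
  Role.find_by_name('Manager').add_permission! :edit_own_time_entries

  # time entries 1 and 2 are assumed to belong to a user other than 2 (same fixtures the timelog denial test relies on)
  get :time_entries, :ids => [1, 2]
  assert_response :success
  assert_template 'context_menus/time_entries'
  assert_select 'a.disabled', :text => 'Edit'
end
```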
assert_template 'bulk_edit'
end
+ def test_bulk_edit_with_edit_own_time_entries_permission
+ @request.session[:user_id] = 2
+ Role.find_by_name('Manager').remove_permission! :edit_time_entries
+ Role.find_by_name('Manager').add_permission! :edit_own_time_entries
+ ids = (0..1).map {TimeEntry.generate!(:user => User.find(2)).id}
+
+ get :bulk_edit, :ids => ids
+ assert_response :success
+ end
+
def test_bulk_update
@request.session[:user_id] = 2
# update time entry activity
assert_response 403
end
+ def test_bulk_update_with_edit_own_time_entries_permission
+ @request.session[:user_id] = 2
+ Role.find_by_name('Manager').remove_permission! :edit_time_entries
+ Role.find_by_name('Manager').add_permission! :edit_own_time_entries
+ ids = (0..1).map {TimeEntry.generate!(:user => User.find(2)).id}
+
+ post :bulk_update, :ids => ids, :time_entry => { :activity_id => 9 }
+ assert_response 302
+ end
+
+ def test_bulk_update_with_edit_own_time_entries_permissions_should_be_denied_for_time_entries_of_other_user
+ @request.session[:user_id] = 2
+ Role.find_by_name('Manager').remove_permission! :edit_time_entries
+ Role.find_by_name('Manager').add_permission! :edit_own_time_entries
+
+ post :bulk_update, :ids => [1, 2], :time_entry => { :activity_id => 9 }
+ assert_response 403
+ end
+
def test_bulk_update_custom_field
@request.session[:user_id] = 2
post :bulk_update, :ids => [1, 2], :time_entry => { :custom_field_values => {'10' => '0'} }
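Review bot: `test_bulk_update_with_edit_own_time_entries_permission` asserts only the 302 redirect and never checks that the update was applied, so it would still pass if the filter let the request through but the write were skipped; adding `assert_equal [9], TimeEntry.where(:id => ids).map(&:activity_id).uniq` after the redirect assertion pins the behaviour. The denial test depends on fixture entries 1 and 2 not belonging to user 2, which is not visible in the test itself; a one-line comment above the `post`, `# time entries 1 and 2 belong to other users (see fixtures)`, would document that assumption — confirm it against the fixture file. The three new tests repeat the same role setup and could share a small private helper, which would also make the intent (grant only edit_own_time_entries) obvious at each call site.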