Merged r20970 from trunk to 4.0-stable (#35045).

git-svn-id: http://svn.redmine.org/redmine/branches/4.0-stable@20973 e93f8b46-1217-0410-a6f0-8f06a7374b81

diff --git a/app/models/mail_handler.rb b/app/models/mail_handler.rb
index d11b6f4ff1a186182e430e977943605eabe63d34..fc80c99e998ba38c0aa011b18ddb92d6dfdededb 100755 (executable)
--- a/app/models/mail_handler.rb
+++ b/app/models/mail_handler.rb
@@ -231,8 +231,7 @@ class MailHandler < ActionMailer::Base
     return unless issue
     # check permission
     unless handler_options[:no_permission_check]
-      unless user.allowed_to?(:add_issue_notes, issue.project) ||
-               user.allowed_to?(:edit_issues, issue.project)
+      unless issue.notes_addable?
         raise UnauthorizedAction
       end
     end

diff --git a/test/unit/mail_handler_test.rb b/test/unit/mail_handler_test.rb
index 940dce5c46abc69adb9b36644b0d9a2613c70aec..15cd438dc1c73541a01fb7c834f9de4d9193899e 100644 (file)
--- a/test/unit/mail_handler_test.rb
+++ b/test/unit/mail_handler_test.rb
@@ -969,6 +969,18 @@ class MailHandlerTest < ActiveSupport::TestCase
     end
   end
 
+  def test_reply_to_an_issue_without_permission
+    set_tmp_attachments_directory
+    # "add_issue_notes" permission is explicit required to allow users to add notes
+    # "edit_issue" permission no longer includes the "add_issue_notes" permission
+    Role.all.each {|r| r.remove_permission! :add_issue_notes}
+    assert_no_difference 'Issue.count' do
+      assert_no_difference 'Journal.count' do
+        assert_not submit_email('ticket_reply_with_status.eml')
+      end
+    end
+  end
+
   def test_reply_to_a_message
     m = submit_email('message_reply.eml')
     assert m.is_a?(Message)