if attrs
attrs = super(attrs)
if issue_id_changed? && issue
- if user.allowed_to?(:log_time, issue.project)
+ if issue.visible?(user) && user.allowed_to?(:log_time, issue.project)
if attrs[:project_id].blank? && issue.project_id != project_id
self.project_id = issue.project_id
end
<% end %>
<p>
<%= f.text_field :issue_id, :size => 6 %>
- <span id="time_entry_issue"><%= h("#{@time_entry.issue.tracker.name} ##{@time_entry.issue.id}: #{@time_entry.issue.subject}") if @time_entry.issue %></span>
+ <% if @time_entry.issue.try(:visible?) %>
+ <span id="time_entry_issue"><%= "#{@time_entry.issue.tracker.name} ##{@time_entry.issue.id}: #{@time_entry.issue.subject}" %></span>
+ <% end %>
</p>
<p><%= f.text_field :spent_on, :size => 10, :required => true %><%= calendar_for('time_entry_spent_on') %></p>
<p><%= f.text_field :hours, :size => 6, :required => true %></p>
end
end
+ def test_create_on_issue_that_is_not_visible_should_not_disclose_subject
+ issue = Issue.generate!(:subject => "issue_that_is_not_visible", :is_private => true)
+ assert !issue.visible?(User.find(3))
+
+ @request.session[:user_id] = 3
+ assert_no_difference 'TimeEntry.count' do
+ post :create, :time_entry => {
+ :project_id => '', :issue_id => issue.id.to_s,
+ :activity_id => '11', :spent_on => '2008-03-14', :hours => '7.3'
+ }
+ end
+ assert_select_error /Issue is invalid/
+ assert_select "input[name=?][value=?]", "time_entry[issue_id]", issue.id.to_s
+ assert_select "#time_entry_issue", 0
+ assert !response.body.include?('issue_that_is_not_visible')
+ end
+
def test_create_and_continue_at_project_level
@request.session[:user_id] = 2
assert_difference 'TimeEntry.count' do
projects / redmine.git / commitdiff