Check permission before retrieving projects.

author Jean-Philippe Lang <jp_lang@yahoo.fr>

Sat, 7 Jan 2012 12:39:26 +0000 (12:39 +0000)

committer Jean-Philippe Lang <jp_lang@yahoo.fr>

Sat, 7 Jan 2012 12:39:26 +0000 (12:39 +0000)
author Jean-Philippe Lang <jp_lang@yahoo.fr>
Sat, 7 Jan 2012 12:39:26 +0000 (12:39 +0000)
committer Jean-Philippe Lang <jp_lang@yahoo.fr>
Sat, 7 Jan 2012 12:39:26 +0000 (12:39 +0000)
diff --git a/app/models/issue.rb b/app/models/issue.rb

index 16707f8ad24fc7497677dd280f9c076e738397ee..c9892c6f1997a55b2995a3cf7b4ffbbbaecfbba0 100644 (file)
--- a/app/models/issue.rb
+++ b/app/models/issue.rb
@@ -246,8 +246,10 @@ class Issue < ActiveRecord::Base
  
    safe_attributes 'project_id',
      :if => lambda {|issue, user|
-      projects = Issue.allowed_target_projects_on_move(user)
-      projects.include?(issue.project) && projects.size > 1
+      if user.allowed_to?(:move_issues, issue.project)
+        projects = Issue.allowed_target_projects_on_move(user)
+        projects.include?(issue.project) && projects.size > 1
+      end
      }
  
    safe_attributes 'tracker_id',
author	Jean-Philippe Lang <jp_lang@yahoo.fr>
	Sat, 7 Jan 2012 12:39:26 +0000 (12:39 +0000)
committer	Jean-Philippe Lang <jp_lang@yahoo.fr>
	Sat, 7 Jan 2012 12:39:26 +0000 (12:39 +0000)