# check permission
unless handler_options[:no_permission_check]
- unless user.allowed_to?(:add_issue_notes, issue.project) ||
- user.allowed_to?(:edit_issues, issue.project)
+ unless issue.notes_addable?
raise UnauthorizedAction, "not allowed to add notes on issues to project [#{issue.project.name}]"
end
end
end
end
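Review bot: The new guard `issue.notes_addable?` no longer names the `user` that the removed `allowed_to?` calls were evaluated for, so the authorization decision now rests on whatever user the model method defaults to (presumably `User.current`). That is only equivalent if the handler has already set the current user to the mail's sender before this point, which cannot be confirmed here because the enclosing method starts outside the hunk. If `notes_addable?` accepts a user argument, as it appears to in this codebase, `unless issue.notes_addable?(user)` keeps the check bound to the sender, so a stale or anonymous current user cannot change the outcome. A short comment above the guard noting that `:edit_issues` alone no longer permits replies by email would also help anyone auditing role changes after the upgrade.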
- def test_reply_to_a_issue_without_permission
+ def test_reply_to_an_issue_without_permission
set_tmp_attachments_directory
- Role.all.each {|r| r.remove_permission! :add_issue_notes, :edit_issues}
+ # "add_issue_notes" permission is explicit required to allow users to add notes
+ # "edit_issue" permission no longer includes the "add_issue_notes" permission
+ Role.all.each {|r| r.remove_permission! :add_issue_notes}
assert_no_difference 'Issue.count' do
assert_no_difference 'Journal.count' do
assert_not submit_email('ticket_reply_with_status.eml')