Merged r16569 (#25791).

author Jean-Philippe Lang <jp_lang@yahoo.fr>

Tue, 6 Jun 2017 20:54:14 +0000 (20:54 +0000)

committer Jean-Philippe Lang <jp_lang@yahoo.fr>

Tue, 6 Jun 2017 20:54:14 +0000 (20:54 +0000)
author Jean-Philippe Lang <jp_lang@yahoo.fr>
Tue, 6 Jun 2017 20:54:14 +0000 (20:54 +0000)
committer Jean-Philippe Lang <jp_lang@yahoo.fr>
Tue, 6 Jun 2017 20:54:14 +0000 (20:54 +0000)
diff --git a/app/models/issue.rb b/app/models/issue.rb

index 40e30e003c9524ad81d7a4acc98047f3e2512fd5..2d72dfbec753c670cc61c48cdf6fbba14df016ac 100644 (file)
--- a/app/models/issue.rb
+++ b/app/models/issue.rb
@@ -72,7 +72,7 @@ class Issue < ActiveRecord::Base
    validates :estimated_hours, :numericality => {:greater_than_or_equal_to => 0, :allow_nil => true, :message => :invalid}
    validates :start_date, :date => true
    validates :due_date, :date => true
-  validate :validate_issue, :validate_required_fields
+  validate :validate_issue, :validate_required_fields, :validate_permissions
    attr_protected :id
  
    scope :visible, lambda {|*args|
@@ -490,6 +490,7 @@ class Issue < ActiveRecord::Base
    # attr_accessible is too rough because we still want things like
    # Issue.new(:project => foo) to work
    def safe_attributes=(attrs, user=User.current)
+    @attributes_set_by = user
      return unless attrs.is_a?(Hash)
  
      attrs = attrs.deep_dup
@@ -745,6 +746,14 @@ class Issue < ActiveRecord::Base
      end
    end
  
+  def validate_permissions
+    if @attributes_set_by && new_record? && copy?
+      unless allowed_target_trackers(@attributes_set_by).include?(tracker)
+        errors.add :tracker, :invalid
+      end
+    end
+  end
+
    # Overrides Redmine::Acts::Customizable::InstanceMethods#validate_custom_field_values
    # so that custom values that are not editable are not validated (eg. a custom field that
    # is marked as required should not trigger a validation error if the user is not allowed
diff --git a/test/functional/issues_controller_test.rb b/test/functional/issues_controller_test.rb

index 181bd86e334c95c59aecb3434ee7daeffd865bce..8efe7e7b6a9b366e2865e447e9c61b61c7dffd65 100644 (file)
--- a/test/functional/issues_controller_test.rb
+++ b/test/functional/issues_controller_test.rb
@@ -3081,6 +3081,22 @@ class IssuesControllerTest < ActionController::TestCase
      assert_equal 1, issue.status_id
    end
  
+  def test_create_as_copy_should_fail_without_add_issue_permission_on_original_tracker
+    role = Role.find(2)
+    role.set_permission_trackers :add_issues, [1, 3]
+    role.save!
+    Role.non_member.remove_permission! :add_issues
+
+    issue = Issue.generate!(:project_id => 1, :tracker_id => 2)
+    @request.session[:user_id] = 3
+
+    assert_no_difference 'Issue.count' do
+      post :create, :project_id => 1, :copy_from => issue.id,
+        :issue => {:project_id => '1'}
+    end
+    assert_select_error 'Tracker is invalid'
+  end
+
    def test_create_as_copy_should_copy_attachments
      @request.session[:user_id] = 2
      issue = Issue.find(3)
author	Jean-Philippe Lang <jp_lang@yahoo.fr>
	Tue, 6 Jun 2017 20:54:14 +0000 (20:54 +0000)
committer	Jean-Philippe Lang <jp_lang@yahoo.fr>
	Tue, 6 Jun 2017 20:54:14 +0000 (20:54 +0000)
app/models/issue.rb		patch \| blob \| history
test/functional/issues_controller_test.rb		patch \| blob \| history