Global News view should not be allowed without permission (#7068).
authorJean-Philippe Lang <jp_lang@yahoo.fr>
Mon, 26 Jun 2017 19:49:02 +0000 (19:49 +0000)
committerJean-Philippe Lang <jp_lang@yahoo.fr>
Mon, 26 Jun 2017 19:49:02 +0000 (19:49 +0000)
git-svn-id: http://svn.redmine.org/redmine/trunk@16721 e93f8b46-1217-0410-a6f0-8f06a7374b81

app/controllers/news_controller.rb
lib/redmine.rb
test/functional/news_controller_test.rb

index 727617cb7627d50907787374f5c37186b262e1e8..3df9e5e44f409fb16c938f9043911a9dd74657fd 100644 (file)
@@ -98,14 +98,4 @@ class NewsController < ApplicationController
     @news.destroy
     redirect_to project_news_index_path(@project)
   end
-
-  private
-
-  def find_optional_project
-    return true unless params[:project_id]
-    @project = Project.find(params[:project_id])
-    authorize
-  rescue ActiveRecord::RecordNotFound
-    render_404
-  end
 end
index 6f4d3e07cac7f0d961e9861ec2aec956abb53f08..5f01787c2dff6a61f49d2ea106906fde71ccc2e1 100644 (file)
@@ -217,6 +217,7 @@ Redmine::MenuManager.map :application_menu do |menu|
   menu.push :calendar, { :controller => 'calendars', :action => 'show' }, :caption => :label_calendar
 
   menu.push :news, {:controller => 'news', :action => 'index'},
+    :if => Proc.new {User.current.allowed_to?(:view_news, nil, :global => true)},
     :caption => :label_news_plural
 end
 
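Review bot: The `:if` condition added to the `:news` entry only decides whether the link appears in the application menu; it does not by itself restrict the global News page. A short comment above `menu.push :news` would keep that distinction visible, for example `# Visibility only: access to news#index is enforced by the controller's before filter, not by this menu condition.` The enforcing filter is not visible in this hunk; it is presumably the inherited `find_optional_project`, now that the controller's own override is removed, so the wording should be confirmed against ApplicationController. The `map :application_menu` block starts before this hunk.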
index 91db40cb0352903dec26398f3317087ebb0bc99f..f62d21bf11703a5320fdffcf2550328c0116cbab 100644 (file)
@@ -47,6 +47,14 @@ class NewsControllerTest < Redmine::ControllerTest
     assert_response 404
   end
 
+  def test_index_without_permission_should_fail
+    Role.all.each {|r| r.remove_permission! :view_news}
+    @request.session[:user_id] = 2
+
+    get :index
+    assert_response 403
+  end
+
   def test_show
     get :show, :params => {
         :id => 1
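Review bot: `test_index_without_permission_should_fail` exercises only a logged-in user (`@request.session[:user_id] = 2`), so the anonymous path to the global index is not pinned by any test here. Since `Role.all.each` already strips `:view_news` from every role, a sibling case that leaves the session unset and asserts the request is refused would cover it; the status for an anonymous user is probably a login redirect rather than 403, which should be confirmed against `deny_access`. It would also help to assert that the News entry is absent from the application menu when the permission is missing, because the `:if` condition added in lib/redmine.rb has no test in this commit. `test_show` continues past the end of the hunk.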