]> source.dussan.org Git - redmine.git/commitdiff
projects / redmine.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 9925a8e)
Fix: "Import issues" and "Import time entries" pages are visible to users without...
authorGo MAEDA <maeda@farend.jp>
Sun, 3 Nov 2024 05:41:19 +0000 (05:41 +0000)
committerGo MAEDA <maeda@farend.jp>
Sun, 3 Nov 2024 05:41:19 +0000 (05:41 +0000)
Patch by Kenta Kumojima (user:kumojima).

git-svn-id: https://svn.redmine.org/redmine/trunk@23178 e93f8b46-1217-0410-a6f0-8f06a7374b81

app/models/issue_import.rb patch | blob | history
app/models/time_entry_import.rb patch | blob | history
app/views/issues/index.html.erb patch | blob | history
app/views/timelog/index.html.erb patch | blob | history
test/functional/imports_controller_test.rb patch | blob | history

diff --git a/app/models/issue_import.rb b/app/models/issue_import.rb
index d7e0919d3749cee3cbb5ef8447c0647cad776519..57305e38f681c811ead1ca2dfb0f02c2eb2fb30c 100644 (file)
--- a/app/models/issue_import.rb
+++ b/app/models/issue_import.rb
@@ -50,7 +50,7 @@ class IssueImport < Import
   end
 
   def self.authorized?(user)
-    user.allowed_to?(:import_issues, nil, :global => true)
+    user.allowed_to?(:import_issues, nil, :global => true) && user.allowed_to?(:add_issues, nil, :global => true)
   end
 
   # Returns the objects that were imported
diff --git a/app/models/time_entry_import.rb b/app/models/time_entry_import.rb
index a6d05f5208560caa196c63ac07292c57d49fdf7c..01fde348840362410dca7a2d260a5a858ebcf091 100644 (file)
--- a/app/models/time_entry_import.rb
+++ b/app/models/time_entry_import.rb
@@ -32,7 +32,7 @@ class TimeEntryImport < Import
   end
 
   def self.authorized?(user)
-    user.allowed_to?(:import_time_entries, nil, :global => true)
+    user.allowed_to?(:import_time_entries, nil, :global => true) && user.allowed_to?(:log_time, nil, :global => true)
   end
 
   # Returns the objects that were imported
diff --git a/app/views/issues/index.html.erb b/app/views/issues/index.html.erb
index 103835def773f4c96a8e28ad07319c2ee4b077ef..af251082773145fd66054e6a06afdaa47ce7ad48 100644 (file)
--- a/app/views/issues/index.html.erb
+++ b/app/views/issues/index.html.erb
@@ -7,7 +7,7 @@
       <%= link_to sprite_icon('summary', l(:field_summary)), project_issues_report_path(@project), :class => 'icon icon-stats' %>
     <% end %>
 
-    <% if User.current.allowed_to?(:import_issues, @project, :global => true) %>
+    <% if User.current.allowed_to?(:import_issues, @project, :global => true) && User.current.allowed_to?(:add_issues, @project, :global => true) %>
       <%= link_to sprite_icon('import', l(:button_import)), new_issues_import_path(:project_id => @project), :class => 'icon icon-import' %>
     <% end %>
 
diff --git a/app/views/timelog/index.html.erb b/app/views/timelog/index.html.erb
index e76a235be20974b508051aac92ac3910224ed3d0..55e2312b35a49ede1b1ab00dcf73e7fb48ad4065 100644 (file)
--- a/app/views/timelog/index.html.erb
+++ b/app/views/timelog/index.html.erb
@@ -3,7 +3,7 @@
             _new_time_entry_path(@project, @query.filtered_issue_id),
             :class => 'icon icon-time-add' if User.current.allowed_to?(:log_time, @project, :global => true) %>
 <%= actions_dropdown do %>
-  <% if User.current.allowed_to?(:import_time_entries, @project, :global => true) %>
+  <% if User.current.allowed_to?(:import_time_entries, @project, :global => true) && User.current.allowed_to?(:log_time, @project, :global => true) %>
     <%= link_to sprite_icon('import', l(:button_import)), new_time_entries_import_path(:project_id => @project), :class => 'icon icon-import' %>
   <% end %>
 
diff --git a/test/functional/imports_controller_test.rb b/test/functional/imports_controller_test.rb
index b4022298a118e4b41f33f626f391a0f7f7be1e9c..ad1e1aade1ac9f7ed8190acbe8c79e25ef26a6dd 100644 (file)
--- a/test/functional/imports_controller_test.rb
+++ b/test/functional/imports_controller_test.rb
@@ -52,6 +52,18 @@ class ImportsControllerTest < Redmine::ControllerTest
     assert_select 'input[name=?][type=?][value=?]', 'project_id', 'hidden', 'subproject1'
   end
 
+  def test_new_issue_import_without_add_issues_permission
+    Role.all.map { |role| role.remove_permission! :add_issues }
+    get(:new, :params => {:type => 'IssueImport', :project_id => 'subproject1'})
+    assert_response :forbidden
+  end
+
+  def test_new_time_entry_import_without_log_time_permission
+    Role.all.map { |role| role.remove_permission! :log_time }
+    get(:new, :params => {:type => 'TimeEntryImport', :project_id => 'subproject1'})
+    assert_response :forbidden
+  end
+
   def test_create_should_save_the_file
     import = new_record(Import) do
       post(
Mirror of redmine code source: https://github.com/redmine/redmine