]> source.dussan.org Git - redmine.git/commitdiff
Fixed attachments deletable by user without edit issue permission on tracker (#35634).
authorMarius Balteanu <marius.balteanu@zitec.com>
Thu, 5 Aug 2021 23:50:11 +0000 (23:50 +0000)
committerMarius Balteanu <marius.balteanu@zitec.com>
Thu, 5 Aug 2021 23:50:11 +0000 (23:50 +0000)
git-svn-id: http://svn.redmine.org/redmine/trunk@21142 e93f8b46-1217-0410-a6f0-8f06a7374b81

app/models/issue.rb
test/functional/attachments_controller_test.rb
test/functional/issues_controller_test.rb

index 09f8400cc74eb26f6c72ebcdf2bde64b97255e09..7ce04ad64b627c21e935817500fe32cbde371154 100644 (file)
@@ -209,6 +209,11 @@ class Issue < ActiveRecord::Base
     user_tracker_permission?(user, :delete_issues)
   end
 
+  # Overrides Redmine::Acts::Attachable::InstanceMethods#attachments_deletable?
+  def attachments_deletable?(user=User.current)
+    attributes_editable?(user)
+  end
+
   def initialize(attributes=nil, *args)
     super
     if new_record?
index e7f6d3a2f542556d9c478153d75851f59eccb20e..08ebe25bf031c39fdcab82686fb91af053198d24 100644 (file)
@@ -744,4 +744,25 @@ class AttachmentsControllerTest < Redmine::ControllerTest
     assert_response 302
     assert Attachment.find_by_id(3)
   end
+
+  def test_destroy_issue_attachment_by_user_without_edit_issue_permission_on_tracker
+    role = Role.find(2)
+    role.set_permission_trackers 'edit_issues', [2, 3]
+    role.save!
+
+    @request.session[:user_id] = 2
+
+    set_tmp_attachments_directory
+    assert_no_difference 'Attachment.count' do
+      delete(
+        :destroy,
+        :params => {
+          :id => 7
+        }
+      )
+    end
+
+    assert_response 403
+    assert Attachment.find_by_id(7)
+  end
 end
index e860486876847f9fc004c00f4a3c1c670c3498ee..b592ee26d03624fb499b41be816be2b47969c551 100644 (file)
@@ -3170,6 +3170,19 @@ class IssuesControllerTest < Redmine::ControllerTest
       assert_select 'div.attachments .icon-edit',  0
   end
 
+  def test_show_should_not_display_delete_attachment_icon_for_user_without_edit_issue_permission_on_tracker
+    role = Role.find(2)
+    role.set_permission_trackers 'edit_issues', [2, 3]
+    role.save!
+
+    @request.session[:user_id] = 2
+
+    get :show, params: {id: 4}
+
+    assert_response :success
+    assert_select 'div.attachments .icon-del', 0
+  end
+
   def test_get_new
     @request.session[:user_id] = 2
     get(