]> source.dussan.org Git - redmine.git/commitdiff
Redmine.pm: deny access if user doesn't have browse_repository permission (#4338).
authorJean-Philippe Lang <jp_lang@yahoo.fr>
Tue, 22 Dec 2009 18:08:19 +0000 (18:08 +0000)
committerJean-Philippe Lang <jp_lang@yahoo.fr>
Tue, 22 Dec 2009 18:08:19 +0000 (18:08 +0000)
git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@3215 e93f8b46-1217-0410-a6f0-8f06a7374b81

extra/svn/Redmine.pm

index 20f79577925a7dd1449cce0135f2b4342540b331..66dc6c03fa3bc751aa56bcf281ac1a07a395cd3d 100644 (file)
@@ -284,7 +284,7 @@ sub is_member {
 
       unless ($auth_source_id) {
          my $method = $r->method;
-          if ($hashed_password eq $pass_digest && (defined $read_only_methods{$method} || $permissions =~ /:commit_access/) ) {
+          if ($hashed_password eq $pass_digest && ((defined $read_only_methods{$method} && $permissions =~ /:browse_repository/) || $permissions =~ /:commit_access/) ) {
               $ret = 1;
               last;
           }