From: Go MAEDA Date: Sun, 25 Apr 2021 13:32:28 +0000 (+0000) Subject: Merged r20970 from trunk to 4.0-stable (#35045). X-Git-Tag: 4.0.9~2 X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=32ff4805e0aaf7e87b15593536a8aa9a725f7e48;p=redmine.git Merged r20970 from trunk to 4.0-stable (#35045). git-svn-id: http://svn.redmine.org/redmine/branches/4.0-stable@20973 e93f8b46-1217-0410-a6f0-8f06a7374b81 --- diff --git a/app/models/mail_handler.rb b/app/models/mail_handler.rb index d11b6f4ff..fc80c99e9 100755 --- a/app/models/mail_handler.rb +++ b/app/models/mail_handler.rb @@ -231,8 +231,7 @@ class MailHandler < ActionMailer::Base return unless issue # check permission unless handler_options[:no_permission_check] - unless user.allowed_to?(:add_issue_notes, issue.project) || - user.allowed_to?(:edit_issues, issue.project) + unless issue.notes_addable? raise UnauthorizedAction end end diff --git a/test/unit/mail_handler_test.rb b/test/unit/mail_handler_test.rb index 940dce5c4..15cd438dc 100644 --- a/test/unit/mail_handler_test.rb +++ b/test/unit/mail_handler_test.rb @@ -969,6 +969,18 @@ class MailHandlerTest < ActiveSupport::TestCase end end + def test_reply_to_an_issue_without_permission + set_tmp_attachments_directory + # "add_issue_notes" permission is explicit required to allow users to add notes + # "edit_issue" permission no longer includes the "add_issue_notes" permission + Role.all.each {|r| r.remove_permission! :add_issue_notes} + assert_no_difference 'Issue.count' do + assert_no_difference 'Journal.count' do + assert_not submit_email('ticket_reply_with_status.eml') + end + end + end + def test_reply_to_a_message m = submit_email('message_reply.eml') assert m.is_a?(Message)