From: Jean-Philippe Lang
Date: Fri, 4 Jan 2013 08:21:33 +0000 (+0000)
Subject: Check permissions before the extra condition for displaying a menu item (#12721).
X-Git-Tag: 2.3.0~357
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=9c698157f44819d224a9be5c13d8b517690e4bed;p=redmine.git

Check permissions before the extra condition for displaying a menu item (#12721).

Patch by Daniel Ritz.

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@11112 e93f8b46-1217-0410-a6f0-8f06a7374b81
---

diff --git a/lib/redmine/menu_manager.rb b/lib/redmine/menu_manager.rb
index 1bb991178..94b92c6b7 100644
--- a/lib/redmine/menu_manager.rb
+++ b/lib/redmine/menu_manager.rb
@@ -190,20 +190,17 @@ module Redmine
 # Checks if a user is allowed to access the menu item by:
 #
- # * Checking the conditions of the item
 # * Checking the url target (project only)
+ # * Checking the conditions of the item
 def allowed_node?(node, user, project)
+ if project && user && !user.allowed_to?(node.url, project)
+ return false
+ end
 if node.condition && !node.condition.call(project)
 # Condition that doesn't pass
 return false
 end
-
- if project
- return user && user.allowed_to?(node.url, project)
- else
- # outside a project, all menu items allowed
- return true
- end
+ return true
 end
 end
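Review bot: The new guard `if project && user && !user.allowed_to?(node.url, project)` skips the permission check entirely when `user` is nil, so inside a project a nil user now falls through to `return true`. The removed branch returned `user && user.allowed_to?(node.url, project)`, which was falsy in that case and kept the item hidden. Whether callers can pass nil is not visible in this hunk, but if they can, the check should fail closed, e.g. `return false if project && !(user && user.allowed_to?(node.url, project))`. Since this method only decides menu visibility, it would also help to add a comment such as `# Display filter only; the target action must enforce its own authorization` above `allowed_node?`.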