From: Jean-Philippe Lang
Date: Sun, 8 Apr 2018 13:23:30 +0000 (+0000)
Subject: Global and public custom queries are shown as editable to non administrators in proje...
X-Git-Tag: 4.0.0~339
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=af2730de5e580d98e31e3372098b757fee5a7810;p=redmine.git

Global and public custom queries are shown as editable to non administrators in projects (#28264).

git-svn-id: http://svn.redmine.org/redmine/trunk@17292 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
diff --git a/app/models/query.rb b/app/models/query.rb
index 319a0b8a8..85de2f1a9 100644
--- a/app/models/query.rb
+++ b/app/models/query.rb
@@ -356,13 +356,13 @@ class Query < ActiveRecord::Base
 !is_private?
 end
 
- def queried_table_name
- @queried_table_name ||= self.class.queried_class.table_name
+ # Returns true if the query is available for all projects
+ def is_global?
+ new_record? ? project_id.nil? : project_id_in_database.nil?
 end
 
- def initialize(attributes=nil, *args)
- super attributes
- @is_for_all = project.nil?
+ def queried_table_name
+ @queried_table_name ||= self.class.queried_class.table_name
 end
 
 # Builds the query from the given params
@@ -447,7 +447,7 @@ class Query < ActiveRecord::Base
 # Admin can edit them all and regular users can edit their private queries
 return true if user.admin? || (is_private? && self.user_id == user.id)
 # Members can not edit public queries that are for all project (only admin is allowed to)
- is_public? && !@is_for_all && user.allowed_to?(:manage_public_queries, project)
+ is_public? && !is_global? && user.allowed_to?(:manage_public_queries, project)
 end
 
 def trackers
diff --git a/test/unit/query_test.rb b/test/unit/query_test.rb
index bb5effdef..4dfc25712 100644
--- a/test/unit/query_test.rb
+++ b/test/unit/query_test.rb
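Review bot: The one-line comment on the new `is_global?` does not say why the persisted value is consulted, and that is exactly the property `editable_by?` in the second hunk of this file relies on: for a saved query the method reads `project_id_in_database`, so a project assigned to the object in memory (as happens when a global query is displayed inside a project) does not turn it into a project-level query that a member holding :manage_public_queries could edit. I would extend the comment to `# Returns true if the query is available for all projects.` / `# For a persisted query this checks the project_id stored in the database, so` / `# setting query.project in memory does not make a global query editable by project members.` `project_id_in_database` is the Rails 5.1+ dirty-tracking accessor, which I assume matches the Rails version this branch runs on; if not, `project_id_was` is the older spelling. The `initialize` override being removed is history and its replacement is the right shape, since the old `@is_for_all` was fixed at construction time and went stale as soon as `project` was assigned.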
@@ -1742,9 +1742,29 @@ class QueryTest < ActiveSupport::TestCase
 assert q.editable_by?(admin)
 assert !q.editable_by?(manager)
 assert q.editable_by?(developer)
+ end
+
+ def test_editable_by_for_global_query
+ admin = User.find(1)
+ manager = User.find(2)
+ developer = User.find(3)
 
- # Public query for all projects
 q = IssueQuery.find(4)
+ q.project = Project.find(1)
+
+ assert q.editable_by?(admin)
+ assert !q.editable_by?(manager)
+ assert !q.editable_by?(developer)
+ end
+
+ def test_editable_by_for_global_query_with_project_set
+ admin = User.find(1)
+ manager = User.find(2)
+ developer = User.find(3)
+
+ q = IssueQuery.find(4)
+ q.project = Project.find(1)
+
 assert q.editable_by?(admin)
 assert !q.editable_by?(manager)
 assert !q.editable_by?(developer)
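Review bot: As the hunk reads, `test_editable_by_for_global_query` assigns `q.project = Project.find(1)` right after `q = IssueQuery.find(4)`, which makes it exercise the same state as `test_editable_by_for_global_query_with_project_set` and leaves the plain global case — query 4 with no project assigned — without a test. I would delete that assignment from the first test so the two tests cover the two states the new `is_global?` distinguishes. Both tests also presume that fixture query 4 is a public query with no project; a precondition such as `assert q.is_global?` before the `editable_by?` assertions would make that explicit and fail loudly if the fixture ever changes. The test method that the added `end` closes starts outside the hunk.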