From: Jean-Baptiste Barth <jeanbaptiste.barth@gmail.com>
Date: Wed, 6 Oct 2010 05:08:31 +0000 (+0000)
Subject: Fixed: User#allowed_to? returning true in any case if array of projects had only... 
X-Git-Tag: 1.1.0~302
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=e59c927ee52d3f40a467e7ca6db7f7fcc2db425f;p=redmine.git

Fixed: User#allowed_to? returning true in any case if array of projects had only one item (#5332)

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@4233 e93f8b46-1217-0410-a6f0-8f06a7374b81
---

diff --git a/app/models/user.rb b/app/models/user.rb
index 4b65b3d11..45ab4b4c2 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -368,8 +368,10 @@ class User < Principal
       
     elsif project && project.is_a?(Array)
       # Authorize if user is authorized on every element of the array
-      project.inject do |memo,p|
-        memo && allowed_to?(action,p,options)
+      project.map do |p|
+        allowed_to?(action,p,options)
+      end.inject do |memo,p|
+        memo && p
       end
     elsif options[:global]
       # Admin users are always authorized
diff --git a/test/unit/user_test.rb b/test/unit/user_test.rb
index b451c1e6b..3f824f9fe 100644
--- a/test/unit/user_test.rb
+++ b/test/unit/user_test.rb
@@ -408,6 +408,10 @@ class UserTest < ActiveSupport::TestCase
         assert @jsmith.allowed_to?(:edit_issues, @jsmith.projects) #Manager or Developer everywhere
         assert ! @jsmith.allowed_to?(:delete_issue_watchers, @jsmith.projects) #Dev cannot delete_issue_watchers
       end
+      
+      should "behave correctly with arrays of 1 project" do
+        assert ! User.anonymous.allowed_to?(:delete_issues, [Project.first])
+      end
     end
     
     context "with options[:global]" do