From: Go MAEDA Date: Sat, 15 Aug 2020 07:49:52 +0000 (+0000) Subject: Merged r19975 from trunk to 4.0-stable (#33689). X-Git-Tag: 4.0.8~22 X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=ee1f94c7f293103d57357285be0e52a8eb915d47;p=redmine.git Merged r19975 from trunk to 4.0-stable (#33689). git-svn-id: http://svn.redmine.org/redmine/branches/4.0-stable@19979 e93f8b46-1217-0410-a6f0-8f06a7374b81 --- diff --git a/app/models/issue.rb b/app/models/issue.rb index dad03e39b..4e0c7a492 100644 --- a/app/models/issue.rb +++ b/app/models/issue.rb @@ -465,7 +465,6 @@ class Issue < ActiveRecord::Base 'custom_field_values', 'custom_fields', 'lock_version', - 'notes', :if => lambda {|issue, user| issue.new_record? || issue.attributes_editable?(user) } safe_attributes 'notes', diff --git a/test/functional/issues_controller_test.rb b/test/functional/issues_controller_test.rb index 81312123c..38bf87ce3 100644 --- a/test/functional/issues_controller_test.rb +++ b/test/functional/issues_controller_test.rb @@ -4917,6 +4917,24 @@ class IssuesControllerTest < Redmine::ControllerTest assert_equal spent_hours_before + 2.5, issue.spent_hours end + def test_put_update_should_check_add_issue_notes_permission + role = Role.find(1) + role.remove_permission! :add_issue_notes + @request.session[:user_id] = 2 + + assert_no_difference 'Journal.count' do + put( + :update, + :params => { + :id => 1, + :issue => { + :notes => 'New note' + } + } + ) + end + end + def test_put_update_should_preserve_parent_issue_even_if_not_visible parent = Issue.generate!(:project_id => 1, :is_private => true) issue = Issue.generate!(:parent_issue_id => parent.id) diff --git a/test/unit/issue_test.rb b/test/unit/issue_test.rb index 432dd8745..f6a945f12 100644 --- a/test/unit/issue_test.rb +++ b/test/unit/issue_test.rb @@ -873,6 +873,23 @@ class IssueTest < ActiveSupport::TestCase assert_equal Date.parse('2012-07-14'), issue.due_date end + def test_safe_attributes_notes_should_check_add_issue_notes_permission + # With add_issue_notes permission + user = User.find(2) + issue = Issue.new(:project => Project.find(1)) + issue.init_journal(user) + issue.send :safe_attributes=, {'notes' => 'note'}, user + assert_equal 'note', issue.notes + + # Without add_issue_notes permission + Role.find(1).remove_permission!(:add_issue_notes) + issue = Issue.new(:project => Project.find(1)) + user.reload + issue.init_journal(user) + issue.send :safe_attributes=, {'notes' => 'note'}, user + assert_equal '', issue.notes + end + def test_safe_attributes_should_accept_target_tracker_enabled_fields source = Tracker.find(1) source.core_fields = []