From 20f56ce0aed9e44a75ddda9086f903dfe2e82035 Mon Sep 17 00:00:00 2001 From: Jean-Philippe Lang Date: Sun, 10 May 2015 07:19:06 +0000 Subject: [PATCH] Merged r14242 (#18580). git-svn-id: http://svn.redmine.org/redmine/branches/3.0-stable@14246 e93f8b46-1217-0410-a6f0-8f06a7374b81 --- app/controllers/context_menus_controller.rb | 6 ++-- app/controllers/timelog_controller.rb | 1 + .../context_menus_controller_test.rb | 12 ++++++++ test/functional/timelog_controller_test.rb | 29 +++++++++++++++++++ 4 files changed, 45 insertions(+), 3 deletions(-) diff --git a/app/controllers/context_menus_controller.rb b/app/controllers/context_menus_controller.rb index 4d22b0af9..7c5e76d1c 100644 --- a/app/controllers/context_menus_controller.rb +++ b/app/controllers/context_menus_controller.rb @@ -76,9 +76,9 @@ class ContextMenusController < ApplicationController @projects = @time_entries.collect(&:project).compact.uniq @project = @projects.first if @projects.size == 1 @activities = TimeEntryActivity.shared.active - @can = {:edit => User.current.allowed_to?(:edit_time_entries, @projects), - :delete => User.current.allowed_to?(:edit_time_entries, @projects) - } + + edit_allowed = @time_entries.all? {|t| t.editable_by?(User.current)} + @can = {:edit => edit_allowed, :delete => edit_allowed} @back = back_url @options_by_custom_field = {} diff --git a/app/controllers/timelog_controller.rb b/app/controllers/timelog_controller.rb index 8a8cfeeea..a8d48a707 100644 --- a/app/controllers/timelog_controller.rb +++ b/app/controllers/timelog_controller.rb @@ -234,6 +234,7 @@ private def find_time_entries @time_entries = TimeEntry.where(:id => params[:id] || params[:ids]).to_a raise ActiveRecord::RecordNotFound if @time_entries.empty? + raise Unauthorized unless @time_entries.all? {|t| t.editable_by?(User.current)} @projects = @time_entries.collect(&:project).compact.uniq @project = @projects.first if @projects.size == 1 rescue ActiveRecord::RecordNotFound diff --git a/test/functional/context_menus_controller_test.rb b/test/functional/context_menus_controller_test.rb index 0ecbf63da..2b5bd7414 100644 --- a/test/functional/context_menus_controller_test.rb +++ b/test/functional/context_menus_controller_test.rb @@ -276,6 +276,18 @@ class ContextMenusControllerTest < ActionController::TestCase end end + def test_time_entries_context_menu_with_edit_own_time_entries_permission + @request.session[:user_id] = 2 + Role.find_by_name('Manager').remove_permission! :edit_time_entries + Role.find_by_name('Manager').add_permission! :edit_own_time_entries + ids = (0..1).map {TimeEntry.generate!(:user => User.find(2)).id} + + get :time_entries, :ids => ids + assert_response :success + assert_template 'context_menus/time_entries' + assert_select 'a:not(.disabled)', :text => 'Edit' + end + def test_time_entries_context_menu_without_edit_permission @request.session[:user_id] = 2 Role.find_by_name('Manager').remove_permission! :edit_time_entries diff --git a/test/functional/timelog_controller_test.rb b/test/functional/timelog_controller_test.rb index 38ffcfa2b..1d925f6bf 100644 --- a/test/functional/timelog_controller_test.rb +++ b/test/functional/timelog_controller_test.rb @@ -425,6 +425,16 @@ class TimelogControllerTest < ActionController::TestCase assert_template 'bulk_edit' end + def test_bulk_edit_with_edit_own_time_entries_permission + @request.session[:user_id] = 2 + Role.find_by_name('Manager').remove_permission! :edit_time_entries + Role.find_by_name('Manager').add_permission! :edit_own_time_entries + ids = (0..1).map {TimeEntry.generate!(:user => User.find(2)).id} + + get :bulk_edit, :ids => ids + assert_response :success + end + def test_bulk_update @request.session[:user_id] = 2 # update time entry activity @@ -466,6 +476,25 @@ class TimelogControllerTest < ActionController::TestCase assert_response 403 end + def test_bulk_update_with_edit_own_time_entries_permission + @request.session[:user_id] = 2 + Role.find_by_name('Manager').remove_permission! :edit_time_entries + Role.find_by_name('Manager').add_permission! :edit_own_time_entries + ids = (0..1).map {TimeEntry.generate!(:user => User.find(2)).id} + + post :bulk_update, :ids => ids, :time_entry => { :activity_id => 9 } + assert_response 302 + end + + def test_bulk_update_with_edit_own_time_entries_permissions_should_be_denied_for_time_entries_of_other_user + @request.session[:user_id] = 2 + Role.find_by_name('Manager').remove_permission! :edit_time_entries + Role.find_by_name('Manager').add_permission! :edit_own_time_entries + + post :bulk_update, :ids => [1, 2], :time_entry => { :activity_id => 9 } + assert_response 403 + end + def test_bulk_update_custom_field @request.session[:user_id] = 2 post :bulk_update, :ids => [1, 2], :time_entry => { :custom_field_values => {'10' => '0'} } -- 2.39.5