From 6b43e9462e978addc28bd38b219dbb7fda0535ef Mon Sep 17 00:00:00 2001
From: Jean-Philippe Lang
Date: Thu, 24 Nov 2011 21:16:44 +0000
Subject: [PATCH] Fixed that :view_time_entries permission allows time entry editing (#9405).

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@7920 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 lib/redmine.rb | 2 +-
 test/functional/timelog_controller_test.rb | 11 +++++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/lib/redmine.rb b/lib/redmine.rb
index 129b39315..be5c8b5a3 100644
--- a/lib/redmine.rb
+++ b/lib/redmine.rb
@@ -88,7 +88,7 @@ Redmine::AccessControl.map do |map|
   end
 
   map.project_module :time_tracking do |map|
-    map.permission :log_time, {:timelog => [:new, :create, :edit, :update, :bulk_edit, :bulk_update]}, :require => :loggedin
+    map.permission :log_time, {:timelog => [:new, :create]}, :require => :loggedin
     map.permission :view_time_entries, :timelog => [:index, :show], :time_entry_reports => [:report]
     map.permission :edit_time_entries, {:timelog => [:new, :create, :edit, :update, :destroy, :bulk_edit, :bulk_update]}, :require => :member
     map.permission :edit_own_time_entries, {:timelog => [:new, :create, :edit, :update, :destroy,:bulk_edit, :bulk_update]}, :require => :loggedin
diff --git a/test/functional/timelog_controller_test.rb b/test/functional/timelog_controller_test.rb
index c455d5496..fb635a72d 100644
--- a/test/functional/timelog_controller_test.rb
+++ b/test/functional/timelog_controller_test.rb
@@ -163,6 +163,9 @@ class TimelogControllerTest < ActionController::TestCase
   def test_bulk_update_on_different_projects
     @request.session[:user_id] = 2
 
+    # makes user a manager on the other project
+    Member.create!(:user_id => 2, :project_id => 3, :role_ids => [1])
+
     # update time entry activity
     post :bulk_update, :ids => [1, 2, 4], :time_entry => { :activity_id => 9 }
 
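Review bot: The permission narrowed in this hunk is `:log_time`, while the subject line attributes the bug to `:view_time_entries`; one of the two looks like a slip and is worth reconciling before this lands. After the change `:new`/`:create` are still listed under all three of `:log_time`, `:edit_time_entries` and `:edit_own_time_entries`, and the difference between the last two (any entry versus the caller's own entries) is not expressed in this map at all, so it presumably rests on a per-entry check elsewhere that a reader of this file cannot see. A short comment above the new `:log_time` line would record that split, e.g. `# :log_time only creates entries; editing and deleting are governed by :edit_time_entries (any entry) and :edit_own_time_entries (own entries only, presumably enforced per entry by the controller)`. The unchanged `:edit_own_time_entries` line also has `:destroy,:bulk_edit` without a space after the comma, if that line is touched again.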
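Review bot: The `Member.create!` added to `test_bulk_update_on_different_projects` is explained only as making user 2 a manager on the other project, not why the test now needs it; since the hunk on lib/redmine.rb drops `:bulk_update` from `:log_time`, the action presumably now requires an edit permission on every project the selected entries belong to, and the comment should say so, e.g. `# bulk_update no longer falls under :log_time, so user 2 needs an edit permission (Manager) on project 3 as well`. The literal `:role_ids => [1]` also silently assumes role 1 is Manager; `Role.find_by_name('Manager').id`, as the test added later in this patch already does, would make that explicit. The body of `test_bulk_update_on_different_projects` continues past the end of the hunk.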
@@ -205,6 +208,14 @@ class TimelogControllerTest < ActionController::TestCase
     assert_redirected_to :controller => 'timelog', :action => 'index', :project_id => Project.find(1).identifier
   end
 
+  def test_post_bulk_update_without_edit_permission_should_be_denied
+    @request.session[:user_id] = 2
+    Role.find_by_name('Manager').remove_permission! :edit_time_entries
+    post :bulk_update, :ids => [1,2]
+
+    assert_response 403
+  end
+
   def test_destroy
     @request.session[:user_id] = 2
     delete :destroy, :id => 1
-- 
2.39.5
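Review bot: `test_post_bulk_update_without_edit_permission_should_be_denied` posts `:ids => [1,2]` with no `:time_entry` payload and asserts only the 403, so it shows the access check runs before any update but not that the permission split is enforced per entry, which is what the `:log_time` change relies on: `:edit_own_time_entries` still lists `:bulk_update` with `:require => :loggedin`, and a user holding it who selects an entry owned by someone else is not covered here. Whether the 403 comes from the Manager role losing `:edit_time_entries` alone, or also from `:edit_own_time_entries` not applying to entries 1 and 2, depends on fixture data not visible in the patch, so a precondition on the entries' owner or a second test where user 2 keeps only `:edit_own_time_entries` and selects one entry that is not their own would pin it down. Naming-wise the sibling tests are `test_bulk_update_*`, so `test_bulk_update_without_edit_permission_should_be_denied` would match, and `:ids => [1, 2]` matches the spacing used in the test above.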