From 7c8df4c29dc0cfcc90175563e74ac96c6c2794df Mon Sep 17 00:00:00 2001 From: Marius Balteanu Date: Fri, 17 Jun 2022 10:25:15 +0000 Subject: [PATCH] Merged r21641 to 5.0-stable (#37187). git-svn-id: https://svn.redmine.org/redmine/branches/5.0-stable@21652 e93f8b46-1217-0410-a6f0-8f06a7374b81 --- app/models/mail_handler.rb | 20 +++++++++++++++++--- test/unit/mail_handler_test.rb | 29 +++++++++++++++++++++++++++++ 2 files changed, 46 insertions(+), 3 deletions(-) diff --git a/app/models/mail_handler.rb b/app/models/mail_handler.rb index 9afe2a170..8f7cef691 100644 --- a/app/models/mail_handler.rb +++ b/app/models/mail_handler.rb @@ -22,6 +22,8 @@ class MailHandler < ActionMailer::Base include Redmine::I18n class UnauthorizedAction < StandardError; end + class NotAllowedInProject < UnauthorizedAction; end + class InsufficientPermissions < UnauthorizedAction; end class MissingInformation < StandardError; end attr_reader :email, :user, :handler_options @@ -182,9 +184,13 @@ class MailHandler < ActionMailer::Base # Creates a new issue def receive_issue project = target_project + + # Never receive emails to projects where adding issues is not possible + raise NotAllowedInProject, "not possible to add issues to project [#{project.name}]" unless project.allows_to?(:add_issues) + # check permission unless handler_options[:no_permission_check] - raise UnauthorizedAction, "not allowed to add issues to project [#{project.name}]" unless user.allowed_to?(:add_issues, project) + raise InsufficientPermissions, "not allowed to add issues to project [#{project.name}]" unless user.allowed_to?(:add_issues, project) end issue = Issue.new(:author => user, :project => project) @@ -223,10 +229,14 @@ class MailHandler < ActionMailer::Base return nil end + # Never receive emails to projects where adding issue notes is not possible + project = issue.project + raise NotAllowedInProject, "not possible to add notes to project [#{project.name}]" unless project.allows_to?(:add_issue_notes) + # check permission unless handler_options[:no_permission_check] unless issue.notes_addable? - raise UnauthorizedAction, "not allowed to add notes on issues to project [#{issue.project.name}]" + raise InsufficientPermissions, "not allowed to add notes on issues to project [#{issue.project.name}]" end end @@ -274,8 +284,12 @@ class MailHandler < ActionMailer::Base return nil end + # Never receive emails to projects where adding messages is not possible + project = message.project + raise NotAllowedInProject, "not possible to add messages to project [#{project.name}]" unless project.allows_to?(:add_messages) + unless handler_options[:no_permission_check] - raise UnauthorizedAction, "not allowed to add messages to project [#{message.project.name}]" unless user.allowed_to?(:add_messages, message.project) + raise InsufficientPermissions, "not allowed to add messages to project [#{message.project.name}]" unless user.allowed_to?(:add_messages, message.project) end if !message.locked? diff --git a/test/unit/mail_handler_test.rb b/test/unit/mail_handler_test.rb index 9d0dad1a7..b36259c14 100644 --- a/test/unit/mail_handler_test.rb +++ b/test/unit/mail_handler_test.rb @@ -403,6 +403,35 @@ class MailHandlerTest < ActiveSupport::TestCase end end + def test_no_issue_on_closed_project_without_permission_check + Project.find(2).close + assert_no_difference 'User.count' do + assert_no_difference 'Issue.count' do + submit_email( + 'ticket_by_unknown_user.eml', + :issue => {:project => 'onlinestore'}, + :no_permission_check => '1', + :unknown_user => 'accept' + ) + end + end + ensure + Project.find(2).reopen + end + + def test_no_issue_on_closed_project_without_issue_tracking_module + assert_no_difference 'User.count' do + assert_no_difference 'Issue.count' do + submit_email( + 'ticket_by_unknown_user.eml', + :issue => {:project => 'subproject2'}, + :no_permission_check => '1', + :unknown_user => 'accept' + ) + end + end + end + def test_add_issue_by_created_user Setting.default_language = 'en' assert_difference 'User.count' do -- 2.39.5