From 9c4df39c7dba5efcdce474f2fa65593fec8fa0dd Mon Sep 17 00:00:00 2001 From: Marius Balteanu Date: Thu, 16 Jun 2022 21:32:02 +0000 Subject: [PATCH] Setting @--no-permission-check@ in the mail receiver should not allow creating issues in closed and archived projects (#37187). MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Patch by Felix Schäfer. git-svn-id: https://svn.redmine.org/redmine/trunk@21641 e93f8b46-1217-0410-a6f0-8f06a7374b81 --- app/models/mail_handler.rb | 20 +++++++++++++++++--- test/unit/mail_handler_test.rb | 29 +++++++++++++++++++++++++++++ 2 files changed, 46 insertions(+), 3 deletions(-) diff --git a/app/models/mail_handler.rb b/app/models/mail_handler.rb index 9afe2a170..8f7cef691 100644 --- a/app/models/mail_handler.rb +++ b/app/models/mail_handler.rb @@ -22,6 +22,8 @@ class MailHandler < ActionMailer::Base include Redmine::I18n class UnauthorizedAction < StandardError; end + class NotAllowedInProject < UnauthorizedAction; end + class InsufficientPermissions < UnauthorizedAction; end class MissingInformation < StandardError; end attr_reader :email, :user, :handler_options @@ -182,9 +184,13 @@ class MailHandler < ActionMailer::Base # Creates a new issue def receive_issue project = target_project + + # Never receive emails to projects where adding issues is not possible + raise NotAllowedInProject, "not possible to add issues to project [#{project.name}]" unless project.allows_to?(:add_issues) + # check permission unless handler_options[:no_permission_check] - raise UnauthorizedAction, "not allowed to add issues to project [#{project.name}]" unless user.allowed_to?(:add_issues, project) + raise InsufficientPermissions, "not allowed to add issues to project [#{project.name}]" unless user.allowed_to?(:add_issues, project) end issue = Issue.new(:author => user, :project => project) @@ -223,10 +229,14 @@ class MailHandler < ActionMailer::Base return nil end + # Never receive emails to projects where adding issue notes is not possible + project = issue.project + raise NotAllowedInProject, "not possible to add notes to project [#{project.name}]" unless project.allows_to?(:add_issue_notes) + # check permission unless handler_options[:no_permission_check] unless issue.notes_addable? - raise UnauthorizedAction, "not allowed to add notes on issues to project [#{issue.project.name}]" + raise InsufficientPermissions, "not allowed to add notes on issues to project [#{issue.project.name}]" end end @@ -274,8 +284,12 @@ class MailHandler < ActionMailer::Base return nil end + # Never receive emails to projects where adding messages is not possible + project = message.project + raise NotAllowedInProject, "not possible to add messages to project [#{project.name}]" unless project.allows_to?(:add_messages) + unless handler_options[:no_permission_check] - raise UnauthorizedAction, "not allowed to add messages to project [#{message.project.name}]" unless user.allowed_to?(:add_messages, message.project) + raise InsufficientPermissions, "not allowed to add messages to project [#{message.project.name}]" unless user.allowed_to?(:add_messages, message.project) end if !message.locked? diff --git a/test/unit/mail_handler_test.rb b/test/unit/mail_handler_test.rb index 9d0dad1a7..b36259c14 100644 --- a/test/unit/mail_handler_test.rb +++ b/test/unit/mail_handler_test.rb @@ -403,6 +403,35 @@ class MailHandlerTest < ActiveSupport::TestCase end end + def test_no_issue_on_closed_project_without_permission_check + Project.find(2).close + assert_no_difference 'User.count' do + assert_no_difference 'Issue.count' do + submit_email( + 'ticket_by_unknown_user.eml', + :issue => {:project => 'onlinestore'}, + :no_permission_check => '1', + :unknown_user => 'accept' + ) + end + end + ensure + Project.find(2).reopen + end + + def test_no_issue_on_closed_project_without_issue_tracking_module + assert_no_difference 'User.count' do + assert_no_difference 'Issue.count' do + submit_email( + 'ticket_by_unknown_user.eml', + :issue => {:project => 'subproject2'}, + :no_permission_check => '1', + :unknown_user => 'accept' + ) + end + end + end + def test_add_issue_by_created_user Setting.default_language = 'en' assert_difference 'User.count' do -- 2.39.5