From b51dfd414bc6756064c642960f230446cf2f6137 Mon Sep 17 00:00:00 2001
From: Jean-Philippe Lang
Date: Sun, 10 May 2015 07:25:38 +0000
Subject: [PATCH] Merged r14242 (#18580).

git-svn-id: http://svn.redmine.org/redmine/branches/2.6-stable@14252 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/controllers/context_menus_controller.rb | 6 ++--
 app/controllers/timelog_controller.rb | 1 +
 .../context_menus_controller_test.rb | 12 ++++++++
 test/functional/timelog_controller_test.rb | 29 +++++++++++++++++++
 4 files changed, 45 insertions(+), 3 deletions(-)

diff --git a/app/controllers/context_menus_controller.rb b/app/controllers/context_menus_controller.rb
index 1dc9a2ef2..27099377d 100644
--- a/app/controllers/context_menus_controller.rb
+++ b/app/controllers/context_menus_controller.rb
@@ -78,9 +78,9 @@ class ContextMenusController < ApplicationController
     @projects = @time_entries.collect(&:project).compact.uniq
     @project = @projects.first if @projects.size == 1
     @activities = TimeEntryActivity.shared.active
-    @can = {:edit => User.current.allowed_to?(:edit_time_entries, @projects),
-            :delete => User.current.allowed_to?(:edit_time_entries, @projects)
-            }
+
+    edit_allowed = @time_entries.all? {|t| t.editable_by?(User.current)}
+    @can = {:edit => edit_allowed, :delete => edit_allowed}
     @back = back_url
 
     @options_by_custom_field = {}
diff --git a/app/controllers/timelog_controller.rb b/app/controllers/timelog_controller.rb
index 6701560f8..88d9650c3 100644
--- a/app/controllers/timelog_controller.rb
+++ b/app/controllers/timelog_controller.rb
@@ -234,6 +234,7 @@ private
   def find_time_entries
     @time_entries = TimeEntry.where(:id => params[:id] || params[:ids]).all
     raise ActiveRecord::RecordNotFound if @time_entries.empty?
+    raise Unauthorized unless @time_entries.all? {|t| t.editable_by?(User.current)}
     @projects = @time_entries.collect(&:project).compact.uniq
     @project = @projects.first if @projects.size == 1
   rescue ActiveRecord::RecordNotFound
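Review bot: `all?` over an empty `@time_entries` is true, so if the filter that loads the entries (outside this hunk) can leave the collection empty, the new `edit_allowed` would enable both the Edit and Delete entries of the menu without a single `editable_by?` check having run. Failing closed costs one token: `edit_allowed = @time_entries.any? && @time_entries.all? {|t| t.editable_by?(User.current)}`. `find_time_entries` in timelog_controller.rb rejects an empty set before its own check, so the two controllers currently disagree on that edge. A why-comment on the new line would also help the next reader, e.g. `# every selected entry must be editable by the current user (TimeEntry#editable_by?)`. The `time_entries` action this belongs to starts before the hunk.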
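Review bot: The new `raise Unauthorized` is now the per-object authorization for every action that goes through `find_time_entries`, but the method's own `rescue` clause handles only `ActiveRecord::RecordNotFound`, so the rejection depends on a handler that is not visible in this hunk; the bulk_update test in this commit expecting a 403 suggests one exists, and a comment should make that dependency explicit: `# Unauthorized is not rescued here; presumably mapped to 403 by ApplicationController — confirm`. The predicate `@time_entries.all? {|t| t.editable_by?(User.current)}` is the same one added to context_menus_controller.rb in this commit, so a single helper would keep the menu's enabled state and the actual bulk authorization from drifting apart. `find_time_entries` continues past the end of the hunk.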
diff --git a/test/functional/context_menus_controller_test.rb b/test/functional/context_menus_controller_test.rb
index 925a60209..7b1e0c5ee 100644
--- a/test/functional/context_menus_controller_test.rb
+++ b/test/functional/context_menus_controller_test.rb
@@ -267,6 +267,18 @@ class ContextMenusControllerTest < ActionController::TestCase
     end
   end
 
+  def test_time_entries_context_menu_with_edit_own_time_entries_permission
+    @request.session[:user_id] = 2
+    Role.find_by_name('Manager').remove_permission! :edit_time_entries
+    Role.find_by_name('Manager').add_permission! :edit_own_time_entries
+    ids = (0..1).map {TimeEntry.generate!(:user => User.find(2)).id}
+
+    get :time_entries, :ids => ids
+    assert_response :success
+    assert_template 'context_menus/time_entries'
+    assert_select 'a:not(.disabled)', :text => 'Edit'
+  end
+
   def test_time_entries_context_menu_without_edit_permission
     @request.session[:user_id] = 2
     Role.find_by_name('Manager').remove_permission! :edit_time_entries
diff --git a/test/functional/timelog_controller_test.rb b/test/functional/timelog_controller_test.rb
index 0e239e59b..44e1a3a34 100644
--- a/test/functional/timelog_controller_test.rb
+++ b/test/functional/timelog_controller_test.rb
@@ -375,6 +375,16 @@ class TimelogControllerTest < ActionController::TestCase
     assert_template 'bulk_edit'
   end
 
+  def test_bulk_edit_with_edit_own_time_entries_permission
+    @request.session[:user_id] = 2
+    Role.find_by_name('Manager').remove_permission! :edit_time_entries
+    Role.find_by_name('Manager').add_permission! :edit_own_time_entries
+    ids = (0..1).map {TimeEntry.generate!(:user => User.find(2)).id}
+
+    get :bulk_edit, :ids => ids
+    assert_response :success
+  end
+
   def test_bulk_update
     @request.session[:user_id] = 2
     # update time entry activity
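Review bot: The new context-menu test only asserts that the Edit link is enabled, while the controller change derives `@can[:delete]` from the same flag, so `assert_select 'a:not(.disabled)', :text => 'Delete'` belongs next to the existing assertion. There is also no negative case for the new path in this file: with `edit_own_time_entries` only, a selection that includes another user's entry should render the links disabled, which is exactly the regression the per-entry `editable_by?` check is meant to catch; the timelog_controller_test hunks add that denied case for `bulk_update`, but not for the menu. The sketch below reuses the `[1, 2]` ids the bulk_update test treats as another user's entries, and its final assertion should mirror whatever `test_time_entries_context_menu_without_edit_permission` (cut off at the end of the hunk) checks for the disabled state.
```ruby
  def test_time_entries_context_menu_with_edit_own_time_entries_permission_should_be_disabled_for_other_users_entries
    @request.session[:user_id] = 2
    Role.find_by_name('Manager').remove_permission! :edit_time_entries
    Role.find_by_name('Manager').add_permission! :edit_own_time_entries

    get :time_entries, :ids => [1, 2]
    assert_response :success
    assert_template 'context_menus/time_entries'
    assert_select 'a.disabled', :text => 'Edit'
    assert_select 'a.disabled', :text => 'Delete'
  end
```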
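Review bot: `test_bulk_edit_with_edit_own_time_entries_permission` stops at `assert_response :success`, whereas the neighbouring bulk_edit test visible at the top of the hunk also pins the view with `assert_template 'bulk_edit'`; add that line so a 200 that renders something else does not pass. The `bulk_edit` action also has no denied counterpart in this commit (own-entries permission, someone else's entries), unlike `bulk_update` in the next hunk; the same `get :bulk_edit, :ids => [1, 2]` followed by `assert_response 403` would cover the `find_time_entries` check on the GET path as well.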
@@ -416,6 +426,25 @@ class TimelogControllerTest < ActionController::TestCase
     assert_response 403
   end
 
+  def test_bulk_update_with_edit_own_time_entries_permission
+    @request.session[:user_id] = 2
+    Role.find_by_name('Manager').remove_permission! :edit_time_entries
+    Role.find_by_name('Manager').add_permission! :edit_own_time_entries
+    ids = (0..1).map {TimeEntry.generate!(:user => User.find(2)).id}
+
+    post :bulk_update, :ids => ids, :time_entry => { :activity_id => 9 }
+    assert_response 302
+  end
+
+  def test_bulk_update_with_edit_own_time_entries_permissions_should_be_denied_for_time_entries_of_other_user
+    @request.session[:user_id] = 2
+    Role.find_by_name('Manager').remove_permission! :edit_time_entries
+    Role.find_by_name('Manager').add_permission! :edit_own_time_entries
+
+    post :bulk_update, :ids => [1, 2], :time_entry => { :activity_id => 9 }
+    assert_response 403
+  end
+
   def test_bulk_update_custom_field
     @request.session[:user_id] = 2
     post :bulk_update, :ids => [1, 2], :time_entry => { :custom_field_values => {'10' => '0'} }
-- 
2.39.5
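Review bot: `test_bulk_update_with_edit_own_time_entries_permission` asserts the 302 but not the effect, so an action that redirects without saving would still pass; add `assert_equal [9], TimeEntry.where(:id => ids).map(&:activity_id).uniq` after the response assertion. The denied test has the mirror-image gap: it checks the 403 but not that entries 1 and 2 were left untouched, which is the property the `raise Unauthorized` in `find_time_entries` is supposed to guarantee before any write happens. Capturing `before = TimeEntry.where(:id => [1, 2]).order(:id).map(&:activity_id)` ahead of the post and asserting `assert_equal before, TimeEntry.where(:id => [1, 2]).order(:id).map(&:activity_id)` after it makes the test fail if the check is ever moved below the update.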