From c54474eccc970b58ef3c40b620387e522a84b478 Mon Sep 17 00:00:00 2001 From: Go MAEDA Date: Sun, 3 Nov 2024 05:41:19 +0000 Subject: [PATCH] Fix: "Import issues" and "Import time entries" pages are visible to users without "Add issues" and "Log spent time" permissions (#41465). Patch by Kenta Kumojima (user:kumojima). git-svn-id: https://svn.redmine.org/redmine/trunk@23178 e93f8b46-1217-0410-a6f0-8f06a7374b81 --- app/models/issue_import.rb | 2 +- app/models/time_entry_import.rb | 2 +- app/views/issues/index.html.erb | 2 +- app/views/timelog/index.html.erb | 2 +- test/functional/imports_controller_test.rb | 12 ++++++++++++ 5 files changed, 16 insertions(+), 4 deletions(-) diff --git a/app/models/issue_import.rb b/app/models/issue_import.rb index d7e0919d3..57305e38f 100644 --- a/app/models/issue_import.rb +++ b/app/models/issue_import.rb @@ -50,7 +50,7 @@ class IssueImport < Import end def self.authorized?(user) - user.allowed_to?(:import_issues, nil, :global => true) + user.allowed_to?(:import_issues, nil, :global => true) && user.allowed_to?(:add_issues, nil, :global => true) end # Returns the objects that were imported diff --git a/app/models/time_entry_import.rb b/app/models/time_entry_import.rb index a6d05f520..01fde3488 100644 --- a/app/models/time_entry_import.rb +++ b/app/models/time_entry_import.rb @@ -32,7 +32,7 @@ class TimeEntryImport < Import end def self.authorized?(user) - user.allowed_to?(:import_time_entries, nil, :global => true) + user.allowed_to?(:import_time_entries, nil, :global => true) && user.allowed_to?(:log_time, nil, :global => true) end # Returns the objects that were imported diff --git a/app/views/issues/index.html.erb b/app/views/issues/index.html.erb index 103835def..af2510827 100644 --- a/app/views/issues/index.html.erb +++ b/app/views/issues/index.html.erb @@ -7,7 +7,7 @@ <%= link_to sprite_icon('summary', l(:field_summary)), project_issues_report_path(@project), :class => 'icon icon-stats' %> <% end %> - <% if User.current.allowed_to?(:import_issues, @project, :global => true) %> + <% if User.current.allowed_to?(:import_issues, @project, :global => true) && User.current.allowed_to?(:add_issues, @project, :global => true) %> <%= link_to sprite_icon('import', l(:button_import)), new_issues_import_path(:project_id => @project), :class => 'icon icon-import' %> <% end %> diff --git a/app/views/timelog/index.html.erb b/app/views/timelog/index.html.erb index e76a235be..55e2312b3 100644 --- a/app/views/timelog/index.html.erb +++ b/app/views/timelog/index.html.erb @@ -3,7 +3,7 @@ _new_time_entry_path(@project, @query.filtered_issue_id), :class => 'icon icon-time-add' if User.current.allowed_to?(:log_time, @project, :global => true) %> <%= actions_dropdown do %> - <% if User.current.allowed_to?(:import_time_entries, @project, :global => true) %> + <% if User.current.allowed_to?(:import_time_entries, @project, :global => true) && User.current.allowed_to?(:log_time, @project, :global => true) %> <%= link_to sprite_icon('import', l(:button_import)), new_time_entries_import_path(:project_id => @project), :class => 'icon icon-import' %> <% end %> diff --git a/test/functional/imports_controller_test.rb b/test/functional/imports_controller_test.rb index b4022298a..ad1e1aade 100644 --- a/test/functional/imports_controller_test.rb +++ b/test/functional/imports_controller_test.rb @@ -52,6 +52,18 @@ class ImportsControllerTest < Redmine::ControllerTest assert_select 'input[name=?][type=?][value=?]', 'project_id', 'hidden', 'subproject1' end + def test_new_issue_import_without_add_issues_permission + Role.all.map { |role| role.remove_permission! :add_issues } + get(:new, :params => {:type => 'IssueImport', :project_id => 'subproject1'}) + assert_response :forbidden + end + + def test_new_time_entry_import_without_log_time_permission + Role.all.map { |role| role.remove_permission! :log_time } + get(:new, :params => {:type => 'TimeEntryImport', :project_id => 'subproject1'}) + assert_response :forbidden + end + def test_create_should_save_the_file import = new_record(Import) do post( -- 2.39.5