From cffc5d70264e0fb2813b63798dfbc523d0631ff2 Mon Sep 17 00:00:00 2001
From: Jean-Philippe Lang
Date: Mon, 8 Jan 2018 17:52:19 +0000
Subject: [PATCH] Merged r17158 to 3.4-stable (#26705).

git-svn-id: http://svn.redmine.org/redmine/branches/3.4-stable@17159 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/models/custom_value.rb | 12 +++-
 .../functional/attachments_visibility_test.rb | 58 ++++++++++++++++++
 .../attachment_format_visibility_test.rb | 59 +++++++++++++++++++
 3 files changed, 126 insertions(+), 3 deletions(-)
 create mode 100644 test/functional/attachments_visibility_test.rb
 create mode 100644 test/unit/lib/redmine/field_format/attachment_format_visibility_test.rb

diff --git a/app/models/custom_value.rb b/app/models/custom_value.rb
index b649ec81d..33da1bd8e 100644
--- a/app/models/custom_value.rb
+++ b/app/models/custom_value.rb
@@ -38,12 +38,18 @@ class CustomValue < ActiveRecord::Base
 custom_field.editable?
 end
 
- def visible?
- custom_field.visible?
+ def visible?(user=User.current)
+ if custom_field.visible?
+ true
+ elsif customized.respond_to?(:project)
+ custom_field.visible_by?(customized.project, user)
+ else
+ false
+ end
 end
 
 def attachments_visible?(user)
- visible? && customized && customized.visible?(user)
+ visible?(user) && customized && customized.visible?(user)
 end
 
 def required?
diff --git a/test/functional/attachments_visibility_test.rb b/test/functional/attachments_visibility_test.rb
new file mode 100644
index 000000000..96230e8b2
--- /dev/null
+++ b/test/functional/attachments_visibility_test.rb
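Review bot: The `else` branch of the new `visible?` returns `false` for every user whenever the field is not globally visible and `customized` does not respond to `project`, so `visible_by?` is never consulted on that path; if `visible_by?` grants access to administrators (its definition is not in this diff), they are refused there as well. That fails closed, which is the safe direction, but the branch should either go through the same check, `custom_field.visible_by?(nil, user)` if that method tolerates a nil project, or state the intent in a comment such as `# no project to resolve roles against: deny`. The `user=User.current` default also means existing no-argument callers of `visible?` now answer for whichever user is current in that context rather than for the field alone, so call sites that render on behalf of someone else (outside this hunk) should pass the user explicitly. The class body continues outside the hunk.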
@@ -0,0 +1,58 @@
+# encoding: utf-8
+#
+# Redmine - project management software
+# Copyright (C) 2006-2017 Jean-Philippe Lang
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+require File.expand_path('../../test_helper', __FILE__)
+
+class AttachmentsVisibilityTest < Redmine::ControllerTest
+ tests AttachmentsController
+ fixtures :users, :email_addresses, :projects, :roles, :members, :member_roles,
+ :enabled_modules, :projects_trackers, :issue_statuses, :enumerations,
+ :issues, :trackers, :versions
+
+ def setup
+ set_tmp_attachments_directory
+
+ @field = IssueCustomField.generate!(:field_format => 'attachment', :visible => true)
+ @attachment = new_record(Attachment) do
+ issue = Issue.generate
+ issue.custom_field_values = {@field.id => {:file => mock_file}}
+ issue.save!
+ end
+ end
+
+ def test_attachment_should_be_visible
+ @request.session[:user_id] = 2 # manager
+ get :show, :params => {:id => @attachment.id}
+ assert_response :success
+
+ @field.update!(:visible => false, :role_ids => [1])
+ get :show, :params => {:id => @attachment.id}
+ assert_response :success
+ end
+
+ def test_attachment_should_be_visible_with_permission
+ @request.session[:user_id] = 3 # developer
+ get :show, :params => {:id => @attachment.id}
+ assert_response :success
+
+ @field.update!(:visible => false, :role_ids => [1])
+ get :show, :params => {:id => @attachment.id}
+ assert_response 403
+ end
+end
diff --git a/test/unit/lib/redmine/field_format/attachment_format_visibility_test.rb b/test/unit/lib/redmine/field_format/attachment_format_visibility_test.rb
new file mode 100644
index 000000000..4ce4062bb
--- /dev/null
+++ b/test/unit/lib/redmine/field_format/attachment_format_visibility_test.rb
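Review bot: `test_attachment_should_be_visible_with_permission` ends with `assert_response 403` for the developer once the field is restricted to `:role_ids => [1]`, so its name says the opposite of what its second half checks; splitting the denial into its own case, e.g. `test_attachment_should_not_be_visible_without_permitted_role`, would make a failure readable. Both tests exercise only `get :show`; if AttachmentsController serves the file through other actions as well (not visible in this diff), the denial should be asserted for each of them, because an access-control fix is only as strong as its least-covered route. A request with no `session[:user_id]` against the restricted field is also not covered at controller level.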
@@ -0,0 +1,59 @@
+# Redmine - project management software
+# Copyright (C) 2006-2017 Jean-Philippe Lang
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+require File.expand_path('../../../../../test_helper', __FILE__)
+require 'redmine/field_format'
+
+class AttachmentFormatVisibilityTest < ActionView::TestCase
+ fixtures :projects, :enabled_modules, :projects_trackers,
+ :roles, :members, :member_roles,
+ :users, :email_addresses,
+ :trackers, :issue_statuses, :enumerations, :issue_categories,
+ :versions, :issues
+
+ def setup
+ set_tmp_attachments_directory
+ end
+
+ def test_attachment_should_be_visible_with_visible_custom_field
+ field = IssueCustomField.generate!(:field_format => 'attachment', :visible => true)
+ attachment = new_record(Attachment) do
+ issue = Issue.generate
+ issue.custom_field_values = {field.id => {:file => mock_file}}
+ issue.save!
+ end
+
+ assert attachment.visible?(manager = User.find(2))
+ assert attachment.visible?(developer = User.find(3))
+ assert attachment.visible?(non_member = User.find(7))
+ assert attachment.visible?(User.anonymous)
+ end
+
+ def test_attachment_should_be_visible_with_limited_visibility_custom_field
+ field = IssueCustomField.generate!(:field_format => 'attachment', :visible => false, :role_ids => [1])
+ attachment = new_record(Attachment) do
+ issue = Issue.generate
+ issue.custom_field_values = {field.id => {:file => mock_file}}
+ issue.save!
+ end
+
+ assert attachment.visible?(manager = User.find(2))
+ assert !attachment.visible?(developer = User.find(3))
+ assert !attachment.visible?(non_member = User.find(7))
+ assert !attachment.visible?(User.anonymous)
+ end
+end
-- 
2.39.5
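Review bot: The assertions assign locals that are never read, e.g. `assert attachment.visible?(manager = User.find(2))`; the names act only as labels and would be clearer, and avoid Ruby's unused-variable warning, as `assert attachment.visible?(User.find(2)) # manager`. `test_attachment_should_be_visible_with_limited_visibility_custom_field` asserts that three of its four users cannot see the attachment, so a name such as `test_attachment_visibility_with_limited_visibility_custom_field` fits better. The restricted case also has no assertion for an administrator account, so these tests do not pin whether administrators bypass the `:role_ids => [1]` restriction.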