mirrors
/
redmine
mirror of https://github.com/redmine/redmine.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 199 Wiki Activity
Browse Source

Check tracker permissions when copying an issue (#25791). 

git-svn-id: http://svn.redmine.org/redmine/trunk@16569 e93f8b46-1217-0410-a6f0-8f06a7374b81
tags/3.4.0
Jean-Philippe Lang 7 years ago
parent
8ba7b6a2b2
commit
86fa4e66c9
2 changed files with 26 additions and 1 deletions
Split View Show Diff Stats
  1. 10
    1
      app/models/issue.rb
  2. 16
    0
      test/functional/issues_controller_test.rb

+ 10
- 1
app/models/issue.rb View File

@@ -68,7 +68,7 @@ class Issue < ActiveRecord::Base
validates :estimated_hours, :numericality => {:greater_than_or_equal_to => 0, :allow_nil => true, :message => :invalid}
validates :start_date, :date => true
validates :due_date, :date => true
validate :validate_issue, :validate_required_fields
validate :validate_issue, :validate_required_fields, :validate_permissions
attr_protected :id

scope :visible, lambda {|*args|
@@ -512,6 +512,7 @@ class Issue < ActiveRecord::Base
# attr_accessible is too rough because we still want things like
# Issue.new(:project => foo) to work
def safe_attributes=(attrs, user=User.current)
@attributes_set_by = user
return unless attrs.is_a?(Hash)

attrs = attrs.deep_dup
@@ -776,6 +777,14 @@ class Issue < ActiveRecord::Base
end
end

def validate_permissions
if @attributes_set_by && new_record? && copy?
unless allowed_target_trackers(@attributes_set_by).include?(tracker)
errors.add :tracker, :invalid
end
end
end

# Overrides Redmine::Acts::Customizable::InstanceMethods#validate_custom_field_values
# so that custom values that are not editable are not validated (eg. a custom field that
# is marked as required should not trigger a validation error if the user is not allowed

+ 16
- 0
test/functional/issues_controller_test.rb View File

@@ -3109,6 +3109,22 @@ class IssuesControllerTest < Redmine::ControllerTest
assert_equal 1, issue.status_id
end

def test_create_as_copy_should_fail_without_add_issue_permission_on_original_tracker
role = Role.find(2)
role.set_permission_trackers :add_issues, [1, 3]
role.save!
Role.non_member.remove_permission! :add_issues

issue = Issue.generate!(:project_id => 1, :tracker_id => 2)
@request.session[:user_id] = 3

assert_no_difference 'Issue.count' do
post :create, :project_id => 1, :copy_from => issue.id,
:issue => {:project_id => '1'}
end
assert_select_error 'Tracker is invalid'
end

def test_create_as_copy_should_copy_attachments
@request.session[:user_id] = 2
issue = Issue.find(3)

Write Preview
Loading…
Cancel
Save