Setting @--no-permission-check@ in the mail receiver should not allow creating issues in closed and archived projects (#37187).

Patch by Felix Schäfer.


git-svn-id: https://svn.redmine.org/redmine/trunk@21641 e93f8b46-1217-0410-a6f0-8f06a7374b81

app/models/mail_handler.rb

@@ -22,6 +22,8 @@ class MailHandler < ActionMailer::Base
   include Redmine::I18n
 
   class UnauthorizedAction < StandardError; end
+  class NotAllowedInProject < UnauthorizedAction; end
+  class InsufficientPermissions < UnauthorizedAction; end
   class MissingInformation < StandardError; end
 
   attr_reader :email, :user, :handler_options
@@ -182,9 +184,13 @@ class MailHandler < ActionMailer::Base
   # Creates a new issue
   def receive_issue
     project = target_project
+
+    # Never receive emails to projects where adding issues is not possible
+    raise NotAllowedInProject, "not possible to add issues to project [#{project.name}]" unless project.allows_to?(:add_issues)
+
     # check permission
     unless handler_options[:no_permission_check]
-      raise UnauthorizedAction, "not allowed to add issues to project [#{project.name}]" unless user.allowed_to?(:add_issues, project)
+      raise InsufficientPermissions, "not allowed to add issues to project [#{project.name}]" unless user.allowed_to?(:add_issues, project)
     end
 
     issue = Issue.new(:author => user, :project => project)
@@ -223,10 +229,14 @@ class MailHandler < ActionMailer::Base
       return nil
     end
 
+    # Never receive emails to projects where adding issue notes is not possible
+    project = issue.project
+    raise NotAllowedInProject, "not possible to add notes to project [#{project.name}]" unless project.allows_to?(:add_issue_notes)
+
     # check permission
     unless handler_options[:no_permission_check]
       unless issue.notes_addable?
-        raise UnauthorizedAction, "not allowed to add notes on issues to project [#{issue.project.name}]"
+        raise InsufficientPermissions, "not allowed to add notes on issues to project [#{issue.project.name}]"
       end
     end
 
@@ -274,8 +284,12 @@ class MailHandler < ActionMailer::Base
       return nil
     end
 
+    # Never receive emails to projects where adding messages is not possible
+    project = message.project
+    raise NotAllowedInProject, "not possible to add messages to project [#{project.name}]" unless project.allows_to?(:add_messages)
+
     unless handler_options[:no_permission_check]
-      raise UnauthorizedAction, "not allowed to add messages to project [#{message.project.name}]" unless user.allowed_to?(:add_messages, message.project)
+      raise InsufficientPermissions, "not allowed to add messages to project [#{message.project.name}]" unless user.allowed_to?(:add_messages, message.project)
     end
 
     if !message.locked?

test/unit/mail_handler_test.rb

@@ -403,6 +403,35 @@ class MailHandlerTest < ActiveSupport::TestCase
     end
   end
 
+  def test_no_issue_on_closed_project_without_permission_check
+    Project.find(2).close
+    assert_no_difference 'User.count' do
+      assert_no_difference 'Issue.count' do
+        submit_email(
+          'ticket_by_unknown_user.eml',
+          :issue => {:project => 'onlinestore'},
+          :no_permission_check => '1',
+          :unknown_user => 'accept'
+        )
+      end
+    end
+  ensure
+    Project.find(2).reopen
+  end
+
+  def test_no_issue_on_closed_project_without_issue_tracking_module
+    assert_no_difference 'User.count' do
+      assert_no_difference 'Issue.count' do
+        submit_email(
+          'ticket_by_unknown_user.eml',
+          :issue => {:project => 'subproject2'},
+          :no_permission_check => '1',
+          :unknown_user => 'accept'
+        )
+      end
+    end
+  end
+
   def test_add_issue_by_created_user
     Setting.default_language = 'en'
     assert_difference 'User.count' do