Display issue form fields according to permissions.

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@8227 e93f8b46-1217-0410-a6f0-8f06a7374b81

app/models/issue.rb

     'assigned_to_id',
     'fixed_version_id',
     'done_ratio',
+    'lock_version',
     :if => lambda {|issue, user| issue.new_statuses_allowed_to(user).any? }
 
   safe_attributes 'watcher_user_ids',

app/views/issues/_attributes.html.erb

 <% labelled_fields_for :issue, @issue do |f| %>
 
 <div class="splitcontentleft">
-<% if @issue.new_record? || @allowed_statuses.any? %>
+<% if @issue.safe_attribute? 'status_id'  %>
 <p><%= f.select :status_id, (@allowed_statuses.collect {|p| [p.name, p.id]}), :required => true %></p>
 <% else %>
 <p><label><%= l(:field_status) %></label> <%= h(@issue.status.name) %></p>
 <% end %>
 
+<% if @issue.safe_attribute? 'priority_id' %>
 <p><%= f.select :priority_id, (@priorities.collect {|p| [p.name, p.id]}), {:required => true}, :disabled => !@issue.leaf? %></p>
+<% end %>
+
+<% if @issue.safe_attribute? 'assigned_to_id' %>
 <p><%= f.select :assigned_to_id, principals_options_for_select(@issue.assignable_users, @issue.assigned_to), :include_blank => true %></p>
-<% unless @project.issue_categories.empty? %>
+<% end %>
+
+<% if @issue.safe_attribute?('category_id') && @project.issue_categories.any? %>
 <p><%= f.select :category_id, (@project.issue_categories.collect {|c| [c.name, c.id]}), :include_blank => true %>
 <%= prompt_to_remote(image_tag('add.png', :style => 'vertical-align: middle;'),
                      l(:label_issue_category_new),
                      :title => l(:label_issue_category_new),
                      :tabindex => 199) if authorize_for('issue_categories', 'new') %></p>
 <% end %>
-<% unless @issue.assignable_versions.empty? %>
+
+<% if @issue.safe_attribute?('fixed_version_id') && @issue.assignable_versions.any? %>
 <p><%= f.select :fixed_version_id, version_options_for_select(@issue.assignable_versions, @issue.fixed_version), :include_blank => true %>
 <%= prompt_to_remote(image_tag('add.png', :style => 'vertical-align: middle;'),
                      l(:label_version_new),
 <div id="parent_issue_candidates" class="autocomplete"></div>
 <%= javascript_tag "observeParentIssueField('#{auto_complete_issues_path(:id => @issue, :project_id => @project) }')" %>
 <% end %>
+
+<% if @issue.safe_attribute? 'start_date' %>
 <p><%= f.text_field :start_date, :size => 10, :disabled => !@issue.leaf? %><%= calendar_for('issue_start_date') if @issue.leaf? %></p>
+<% end %>
+
+<% if @issue.safe_attribute? 'due_date' %>
 <p><%= f.text_field :due_date, :size => 10, :disabled => !@issue.leaf? %><%= calendar_for('issue_due_date') if @issue.leaf? %></p>
+<% end %>
+
+<% if @issue.safe_attribute? 'estimated_hours' %>
 <p><%= f.text_field :estimated_hours, :size => 3, :disabled => !@issue.leaf? %> <%= l(:field_hours) %></p>
-<% if @issue.leaf? && Issue.use_field_for_done_ratio? %>
+<% end %>
+
+<% if @issue.safe_attribute?('done_ratio') && @issue.leaf? && Issue.use_field_for_done_ratio? %>
 <p><%= f.select :done_ratio, ((0..10).to_a.collect {|r| ["#{r*10} %", r*10] }) %></p>
 <% end %>
 </div>
 
 <div style="clear:both;"> </div>
+<% if @issue.safe_attribute? 'custom_field_values' %>
 <%= render :partial => 'issues/form_custom_fields' %>
+<% end %>
 
 <% end %>

app/views/issues/_edit.html.erb

     <div class="box">
     <% if @edit_allowed || !@allowed_statuses.empty? %>
         <fieldset class="tabular"><legend><%= l(:label_change_properties) %></legend>
-        <%= render :partial => (@edit_allowed ? 'form' : 'form_update'), :locals => {:f => f} %>
+        <%= render :partial => 'form', :locals => {:f => f} %>
         </fieldset>
     <% end %>
     <% if User.current.allowed_to?(:log_time, @project) %>

app/views/issues/_form.html.erb

   <label class="inline" for="issue_is_private" id="issue_is_private_label"><%= f.check_box :is_private, :no_label => true %> <%= l(:field_is_private) %></label>
 </p>
 <% end %>
+
+<% if @issue.safe_attribute? 'tracker_id' %>
 <p><%= f.select :tracker_id, @project.trackers.collect {|t| [t.name, t.id]}, :required => true %></p>
 <%= observe_field :issue_tracker_id, :url => project_issue_form_path(@project, :id => @issue),
                                      :update => :attributes,
                                      :with => "Form.serialize('issue-form')" %>
+<% end %>
 
+<% if @issue.safe_attribute? 'subject' %>
 <p><%= f.text_field :subject, :size => 80, :required => true %></p>
+<% end %>
+
+<% if @issue.safe_attribute? 'description' %>
 <p>
   <label><%= l(:field_description) %></label>
   <%= link_to_function image_tag('edit.png'), 
                    :no_label => true %>
   <% end %>
 </p>
+<%= wikitoolbar_for 'issue_description' %>
+<% end %>
 
 <div id="attributes" class="attributes">
   <%= render :partial => 'issues/attributes' %>
 </div>
 
 <%= call_hook(:view_issues_form_details_bottom, { :issue => @issue, :form => f }) %>
-
-<%= wikitoolbar_for 'issue_description' %>

app/views/issues/_form_update.html.erb

-<div class="attributes">
-<div class="splitcontentleft">
-<p><%= f.select :status_id, (@allowed_statuses.collect {|p| [p.name, p.id]}), :required => true %></p>
-<p><%= f.select :assigned_to_id, principals_options_for_select(@issue.assignable_users, @issue.assigned_to), :include_blank => true %></p>
-</div>
-<div class="splitcontentright">
-<% if Issue.use_field_for_done_ratio? %>
-<p><%= f.select :done_ratio, ((0..10).to_a.collect {|r| ["#{r*10} %", r*10] }) %></p>
-<% end %>
-<% unless @issue.assignable_versions.empty? %>
-<p><%= f.select :fixed_version_id, (@issue.assignable_versions.collect {|v| [v.name, v.id]}), :include_blank => true %></p>
-<% end %>
-</div>
-</div>

test/functional/issues_controller_test.rb

                                             :content => /Notes/ } }
   end
 
+  def test_show_should_display_update_form
+    @request.session[:user_id] = 2
+    get :show, :id => 1
+    assert_response :success
+
+    assert_tag 'form', :attributes => {:id => 'issue-form'}
+    assert_tag 'input', :attributes => {:name => 'issue[is_private]'}
+    assert_tag 'select', :attributes => {:name => 'issue[tracker_id]'}
+    assert_tag 'input', :attributes => {:name => 'issue[subject]'}
+    assert_tag 'textarea', :attributes => {:name => 'issue[description]'}
+    assert_tag 'select', :attributes => {:name => 'issue[status_id]'}
+    assert_tag 'select', :attributes => {:name => 'issue[priority_id]'}
+    assert_tag 'select', :attributes => {:name => 'issue[assigned_to_id]'}
+    assert_tag 'select', :attributes => {:name => 'issue[category_id]'}
+    assert_tag 'select', :attributes => {:name => 'issue[fixed_version_id]'}
+    assert_tag 'input', :attributes => {:name => 'issue[parent_issue_id]'}
+    assert_tag 'input', :attributes => {:name => 'issue[start_date]'}
+    assert_tag 'input', :attributes => {:name => 'issue[due_date]'}
+    assert_tag 'select', :attributes => {:name => 'issue[done_ratio]'}
+    assert_tag 'input', :attributes => { :name => 'issue[custom_field_values][2]' }
+    assert_no_tag 'input', :attributes => {:name => 'issue[watcher_user_ids][]'}
+    assert_tag 'textarea', :attributes => {:name => 'notes'}
+  end
+
+  def test_show_should_display_update_form_with_minimal_permissions
+    Role.find(1).update_attribute :permissions, [:view_issues, :add_issue_notes]
+    Workflow.delete_all :role_id => 1
+
+    @request.session[:user_id] = 2
+    get :show, :id => 1
+    assert_response :success
+
+    assert_tag 'form', :attributes => {:id => 'issue-form'}
+    assert_no_tag 'input', :attributes => {:name => 'issue[is_private]'}
+    assert_no_tag 'select', :attributes => {:name => 'issue[tracker_id]'}
+    assert_no_tag 'input', :attributes => {:name => 'issue[subject]'}
+    assert_no_tag 'textarea', :attributes => {:name => 'issue[description]'}
+    assert_no_tag 'select', :attributes => {:name => 'issue[status_id]'}
+    assert_no_tag 'select', :attributes => {:name => 'issue[priority_id]'}
+    assert_no_tag 'select', :attributes => {:name => 'issue[assigned_to_id]'}
+    assert_no_tag 'select', :attributes => {:name => 'issue[category_id]'}
+    assert_no_tag 'select', :attributes => {:name => 'issue[fixed_version_id]'}
+    assert_no_tag 'input', :attributes => {:name => 'issue[parent_issue_id]'}
+    assert_no_tag 'input', :attributes => {:name => 'issue[start_date]'}
+    assert_no_tag 'input', :attributes => {:name => 'issue[due_date]'}
+    assert_no_tag 'select', :attributes => {:name => 'issue[done_ratio]'}
+    assert_no_tag 'input', :attributes => { :name => 'issue[custom_field_values][2]' }
+    assert_no_tag 'input', :attributes => {:name => 'issue[watcher_user_ids][]'}
+    assert_tag 'textarea', :attributes => {:name => 'notes'}
+  end
+
+  def test_show_should_display_update_form_with_workflow_permissions
+    Role.find(1).update_attribute :permissions, [:view_issues, :add_issue_notes]
+
+    @request.session[:user_id] = 2
+    get :show, :id => 1
+    assert_response :success
+
+    assert_tag 'form', :attributes => {:id => 'issue-form'}
+    assert_no_tag 'input', :attributes => {:name => 'issue[is_private]'}
+    assert_no_tag 'select', :attributes => {:name => 'issue[tracker_id]'}
+    assert_no_tag 'input', :attributes => {:name => 'issue[subject]'}
+    assert_no_tag 'textarea', :attributes => {:name => 'issue[description]'}
+    assert_tag 'select', :attributes => {:name => 'issue[status_id]'}
+    assert_no_tag 'select', :attributes => {:name => 'issue[priority_id]'}
+    assert_tag 'select', :attributes => {:name => 'issue[assigned_to_id]'}
+    assert_no_tag 'select', :attributes => {:name => 'issue[category_id]'}
+    assert_tag 'select', :attributes => {:name => 'issue[fixed_version_id]'}
+    assert_no_tag 'input', :attributes => {:name => 'issue[parent_issue_id]'}
+    assert_no_tag 'input', :attributes => {:name => 'issue[start_date]'}
+    assert_no_tag 'input', :attributes => {:name => 'issue[due_date]'}
+    assert_tag 'select', :attributes => {:name => 'issue[done_ratio]'}
+    assert_no_tag 'input', :attributes => { :name => 'issue[custom_field_values][2]' }
+    assert_no_tag 'input', :attributes => {:name => 'issue[watcher_user_ids][]'}
+    assert_tag 'textarea', :attributes => {:name => 'notes'}
+  end
+
+  def test_show_should_not_display_update_form_without_permissions
+    Role.find(1).update_attribute :permissions, [:view_issues]
+
+    @request.session[:user_id] = 2
+    get :show, :id => 1
+    assert_response :success
+
+    assert_no_tag 'form', :attributes => {:id => 'issue-form'}
+  end
+
   def test_update_form_should_not_display_inactive_enumerations
     @request.session[:user_id] = 2
     get :show, :id => 1
     assert_response :success
     assert_template 'new'
 
-    assert_tag :tag => 'input', :attributes => { :name => 'issue[custom_field_values][2]',
-                                                 :value => 'Default string' }
+    assert_tag 'input', :attributes => {:name => 'issue[is_private]'}
+    assert_tag 'select', :attributes => {:name => 'issue[tracker_id]'}
+    assert_tag 'input', :attributes => {:name => 'issue[subject]'}
+    assert_tag 'textarea', :attributes => {:name => 'issue[description]'}
+    assert_tag 'select', :attributes => {:name => 'issue[status_id]'}
+    assert_tag 'select', :attributes => {:name => 'issue[priority_id]'}
+    assert_tag 'select', :attributes => {:name => 'issue[assigned_to_id]'}
+    assert_tag 'select', :attributes => {:name => 'issue[category_id]'}
+    assert_tag 'select', :attributes => {:name => 'issue[fixed_version_id]'}
+    assert_tag 'input', :attributes => {:name => 'issue[parent_issue_id]'}
+    assert_tag 'input', :attributes => {:name => 'issue[start_date]'}
+    assert_tag 'input', :attributes => {:name => 'issue[due_date]'}
+    assert_tag 'select', :attributes => {:name => 'issue[done_ratio]'}
+    assert_tag 'input', :attributes => { :name => 'issue[custom_field_values][2]', :value => 'Default string' }
+    assert_tag 'input', :attributes => {:name => 'issue[watcher_user_ids][]'}
 
     # Be sure we don't display inactive IssuePriorities
     assert ! IssuePriority.find(15).active?
                            :parent => {:tag => 'select', :attributes => {:id => 'issue_priority_id'} }
   end
 
+  def test_get_new_with_minimal_permissions
+    Role.find(1).update_attribute :permissions, [:add_issues]
+    Workflow.delete_all :role_id => 1
+
+    @request.session[:user_id] = 2
+    get :new, :project_id => 1, :tracker_id => 1
+    assert_response :success
+    assert_template 'new'
+
+    assert_no_tag 'input', :attributes => {:name => 'issue[is_private]'}
+    assert_tag 'select', :attributes => {:name => 'issue[tracker_id]'}
+    assert_tag 'input', :attributes => {:name => 'issue[subject]'}
+    assert_tag 'textarea', :attributes => {:name => 'issue[description]'}
+    assert_tag 'select', :attributes => {:name => 'issue[status_id]'}
+    assert_tag 'select', :attributes => {:name => 'issue[priority_id]'}
+    assert_tag 'select', :attributes => {:name => 'issue[assigned_to_id]'}
+    assert_tag 'select', :attributes => {:name => 'issue[category_id]'}
+    assert_tag 'select', :attributes => {:name => 'issue[fixed_version_id]'}
+    assert_no_tag 'input', :attributes => {:name => 'issue[parent_issue_id]'}
+    assert_tag 'input', :attributes => {:name => 'issue[start_date]'}
+    assert_tag 'input', :attributes => {:name => 'issue[due_date]'}
+    assert_tag 'select', :attributes => {:name => 'issue[done_ratio]'}
+    assert_tag 'input', :attributes => { :name => 'issue[custom_field_values][2]', :value => 'Default string' }
+    assert_no_tag 'input', :attributes => {:name => 'issue[watcher_user_ids][]'}
+  end
+
   def test_get_new_without_default_start_date_is_creation_date
     Setting.default_issue_start_date_to_creation_date = 0