git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@5466 e93f8b46-1217-0410-a6f0-8f06a7374b81tags/1.2.0
@@ -61,18 +61,23 @@ module IssuesHelper | |||
def render_issue_subject_with_tree(issue) | |||
s = '' | |||
ancestors = issue.root? ? [] : issue.ancestors.all | |||
ancestors = issue.root? ? [] : issue.ancestors.visible.all | |||
ancestors.each do |ancestor| | |||
s << '<div>' + content_tag('p', link_to_issue(ancestor)) | |||
end | |||
s << '<div>' + content_tag('h3', h(issue.subject)) | |||
s << '<div>' | |||
subject = h(issue.subject) | |||
if issue.is_private? | |||
subject = content_tag('span', l(:field_is_private), :class => 'private') + ' ' + subject | |||
end | |||
s << content_tag('h3', subject) | |||
s << '</div>' * (ancestors.size + 1) | |||
s | |||
end | |||
def render_descendants_tree(issue) | |||
s = '<form><table class="list issues">' | |||
issue_list(issue.descendants.sort_by(&:lft)) do |child, level| | |||
issue_list(issue.descendants.visible.sort_by(&:lft)) do |child, level| | |||
s << content_tag('tr', | |||
content_tag('td', check_box_tag("ids[]", child.id, false, :id => nil), :class => 'checkbox') + | |||
content_tag('td', link_to_issue(child, :truncate => 60), :class => 'subject') + | |||
@@ -159,6 +164,10 @@ module IssuesHelper | |||
label = l(:field_parent_issue) | |||
value = "##{detail.value}" unless detail.value.blank? | |||
old_value = "##{detail.old_value}" unless detail.old_value.blank? | |||
when detail.prop_key == 'is_private' | |||
value = l(detail.value == "0" ? :general_text_No : :general_text_Yes) unless detail.value.blank? | |||
old_value = l(detail.old_value == "0" ? :general_text_No : :general_text_Yes) unless detail.old_value.blank? | |||
end | |||
when 'cf' | |||
custom_field = CustomField.find_by_id(detail.prop_key) |
@@ -90,8 +90,10 @@ class Issue < ActiveRecord::Base | |||
def self.visible_condition(user, options={}) | |||
Project.allowed_to_condition(user, :view_issues, options) do |role, user| | |||
case role.issues_visibility | |||
when 'default' | |||
when 'all' | |||
nil | |||
when 'default' | |||
"(#{table_name}.is_private = #{connection.quoted_false} OR #{table_name}.author_id = #{user.id} OR #{table_name}.assigned_to_id = #{user.id})" | |||
when 'own' | |||
"(#{table_name}.author_id = #{user.id} OR #{table_name}.assigned_to_id = #{user.id})" | |||
else | |||
@@ -104,8 +106,10 @@ class Issue < ActiveRecord::Base | |||
def visible?(usr=nil) | |||
(usr || User.current).allowed_to?(:view_issues, self.project) do |role, user| | |||
case role.issues_visibility | |||
when 'default' | |||
when 'all' | |||
true | |||
when 'default' | |||
!self.is_private? || self.author == user || self.assigned_to == user | |||
when 'own' | |||
self.author == user || self.assigned_to == user | |||
else | |||
@@ -257,6 +261,12 @@ class Issue < ActiveRecord::Base | |||
'done_ratio', | |||
:if => lambda {|issue, user| issue.new_statuses_allowed_to(user).any? } | |||
safe_attributes 'is_private', | |||
:if => lambda {|issue, user| | |||
user.allowed_to?(:set_issues_private, issue.project) || | |||
(issue.author == user && user.allowed_to?(:set_own_issues_private, issue.project)) | |||
} | |||
# Safely sets attributes | |||
# Should be called from controllers instead of #attributes= | |||
# attr_accessible is too rough because we still want things like | |||
@@ -552,6 +562,7 @@ class Issue < ActiveRecord::Base | |||
s << ' overdue' if overdue? | |||
s << ' child' if child? | |||
s << ' parent' unless leaf? | |||
s << ' private' if is_private? | |||
s << ' created-by-me' if User.current.logged? && author_id == User.current.id | |||
s << ' assigned-to-me' if User.current.logged? && assigned_to_id == User.current.id | |||
s |
@@ -17,4 +17,22 @@ | |||
class JournalDetail < ActiveRecord::Base | |||
belongs_to :journal | |||
before_save :normalize_values | |||
private | |||
def normalize_values | |||
self.value = normalize(value) | |||
self.old_value = normalize(old_value) | |||
end | |||
def normalize(v) | |||
if v == true | |||
"1" | |||
elsif v == false | |||
"0" | |||
else | |||
v | |||
end | |||
end | |||
end |
@@ -21,7 +21,8 @@ class Role < ActiveRecord::Base | |||
BUILTIN_ANONYMOUS = 2 | |||
ISSUES_VISIBILITY_OPTIONS = [ | |||
['default', :label_issues_visibility_all], | |||
['all', :label_issues_visibility_all], | |||
['default', :label_issues_visibility_public], | |||
['own', :label_issues_visibility_own] | |||
] | |||
@@ -1,6 +1,11 @@ | |||
<%= call_hook(:view_issues_form_details_top, { :issue => @issue, :form => f }) %> | |||
<div id="issue_descr_fields" <%= 'style="display:none"' unless @issue.new_record? || @issue.errors.any? %>> | |||
<% if @issue.safe_attribute_names.include?('is_private') %> | |||
<p style="float:right; margin-right:1em;"> | |||
<label class="inline" for="issue_is_private"><%= f.check_box :is_private, :no_label => true %> <%= l(:field_is_private) %></label> | |||
</p> | |||
<% end %> | |||
<p><%= f.select :tracker_id, @project.trackers.collect {|t| [t.name, t.id]}, :required => true %></p> | |||
<%= observe_field :issue_tracker_id, :url => { :action => :new, :project_id => @project, :id => @issue }, | |||
:update => :attributes, |
@@ -305,6 +305,7 @@ en: | |||
field_visible: Visible | |||
field_warn_on_leaving_unsaved: "Warn me when leaving a page with unsaved text" | |||
field_issues_visibility: Issues visibility | |||
field_is_private: Private | |||
setting_app_title: Application title | |||
setting_app_subtitle: Application subtitle | |||
@@ -377,6 +378,8 @@ en: | |||
permission_add_issues: Add issues | |||
permission_edit_issues: Edit issues | |||
permission_manage_issue_relations: Manage issue relations | |||
permission_set_issues_private: Set issues public or private | |||
permission_set_own_issues_private: Set own issues public or private | |||
permission_add_issue_notes: Add notes | |||
permission_edit_issue_notes: Edit notes | |||
permission_edit_own_issue_notes: Edit own notes | |||
@@ -806,6 +809,7 @@ en: | |||
label_additional_workflow_transitions_for_author: Additional transitions allowed when the user is the author | |||
label_additional_workflow_transitions_for_assignee: Additional transitions allowed when the user is the assignee | |||
label_issues_visibility_all: All issues | |||
label_issues_visibility_public: All non private issues | |||
label_issues_visibility_own: Issues created by or assigned to the user | |||
button_login: Login |
@@ -309,6 +309,7 @@ fr: | |||
field_visible: Visible | |||
field_warn_on_leaving_unsaved: "M'avertir lorsque je quitte une page contenant du texte non sauvegardé" | |||
field_issues_visibility: Visibilité des demandes | |||
field_is_private: Privée | |||
setting_app_title: Titre de l'application | |||
setting_app_subtitle: Sous-titre de l'application | |||
@@ -378,6 +379,8 @@ fr: | |||
permission_add_issues: Créer des demandes | |||
permission_edit_issues: Modifier les demandes | |||
permission_manage_issue_relations: Gérer les relations | |||
permission_set_issues_private: Rendre les demandes publiques ou privées | |||
permission_set_own_issues_private: Rendre ses propres demandes publiques ou privées | |||
permission_add_issue_notes: Ajouter des notes | |||
permission_edit_issue_notes: Modifier les notes | |||
permission_edit_own_issue_notes: Modifier ses propres notes | |||
@@ -793,6 +796,7 @@ fr: | |||
label_additional_workflow_transitions_for_author: Autorisations supplémentaires lorsque l'utilisateur a créé la demande | |||
label_additional_workflow_transitions_for_assignee: Autorisations supplémentaires lorsque la demande est assignée à l'utilisateur | |||
label_issues_visibility_all: Toutes les demandes | |||
label_issues_visibility_public: Toutes les demandes non privées | |||
label_issues_visibility_own: Demandes créées par ou assignées à l'utilisateur | |||
button_login: Connexion |
@@ -0,0 +1,9 @@ | |||
class AddIssuesIsPrivate < ActiveRecord::Migration | |||
def self.up | |||
add_column :issues, :is_private, :boolean, :default => false, :null => false | |||
end | |||
def self.down | |||
remove_column :issues, :is_private | |||
end | |||
end |
@@ -71,6 +71,8 @@ Redmine::AccessControl.map do |map| | |||
map.permission :edit_issues, {:issues => [:edit, :update, :bulk_edit, :bulk_update, :update_form], :journals => [:new]} | |||
map.permission :manage_issue_relations, {:issue_relations => [:new, :destroy]} | |||
map.permission :manage_subtasks, {} | |||
map.permission :set_issues_private, {} | |||
map.permission :set_own_issues_private, {} | |||
map.permission :add_issue_notes, {:issues => [:edit, :update], :journals => [:new]} | |||
map.permission :edit_issue_notes, {:journals => :edit}, :require => :loggedin | |||
map.permission :edit_own_issue_notes, {:journals => :edit}, :require => :loggedin |
@@ -1,5 +1,5 @@ | |||
# redMine - project management software | |||
# Copyright (C) 2006-2007 Jean-Philippe Lang | |||
# Redmine - project management software | |||
# Copyright (C) 2006-2011 Jean-Philippe Lang | |||
# | |||
# This program is free software; you can redistribute it and/or | |||
# modify it under the terms of the GNU General Public License | |||
@@ -41,6 +41,7 @@ module Redmine | |||
Role.transaction do | |||
# Roles | |||
manager = Role.create! :name => l(:default_role_manager), | |||
:issues_visibility => 'all', | |||
:position => 1 | |||
manager.permissions = manager.setable_permissions.collect {|p| p.name} | |||
manager.save! |
@@ -278,6 +278,7 @@ div.issue div.subject div div { padding-left: 16px; } | |||
div.issue div.subject p {margin: 0; margin-bottom: 0.1em; font-size: 90%; color: #999;} | |||
div.issue div.subject>div>p { margin-top: 0.5em; } | |||
div.issue div.subject h3 {margin: 0; margin-bottom: 0.1em;} | |||
div.issue span.private { position:relative; bottom: 2px; text-transform: uppercase; background: #d22; color: #fff; font-weight:bold; padding: 0px 2px 0px 2px; font-size: 60%; margin-right: 2px; border-radius: 2px; -moz-border-radius: 2px;} | |||
#issue_tree table.issues, #relations table.issues { border: 0; } | |||
#issue_tree td.checkbox, #relations td.checkbox {display:none;} |
@@ -169,3 +169,16 @@ attachments_014: | |||
filename: changeset_utf8.diff | |||
author_id: 2 | |||
content_type: text/x-diff | |||
attachments_015: | |||
id: 15 | |||
created_on: 2010-07-19 21:07:27 +02:00 | |||
container_type: Issue | |||
container_id: 14 | |||
downloads: 0 | |||
disk_filename: 060719210727_changeset_utf8.diff | |||
digest: b91e08d0cf966d5c6ff411bd8c4cc3a2 | |||
filesize: 687 | |||
filename: private.diff | |||
author_id: 2 | |||
content_type: text/x-diff | |||
description: attachement of a private issue |
@@ -244,3 +244,21 @@ issues_013: | |||
root_id: 13 | |||
lft: 1 | |||
rgt: 2 | |||
issues_014: | |||
id: 14 | |||
created_on: <%= 15.days.ago.to_date.to_s(:db) %> | |||
project_id: 3 | |||
updated_on: <%= 15.days.ago.to_date.to_s(:db) %> | |||
priority_id: 5 | |||
subject: Private issue on public project | |||
fixed_version_id: | |||
category_id: | |||
description: This is a private issue | |||
tracker_id: 1 | |||
assigned_to_id: | |||
author_id: 2 | |||
status_id: 1 | |||
is_private: true | |||
root_id: 14 | |||
lft: 1 | |||
rgt: 2 |
@@ -3,7 +3,7 @@ roles_001: | |||
name: Manager | |||
id: 1 | |||
builtin: 0 | |||
issues_visibility: default | |||
issues_visibility: all | |||
permissions: | | |||
--- | |||
- :add_project |
@@ -86,6 +86,18 @@ class AttachmentsControllerTest < ActionController::TestCase | |||
assert_equal 'application/octet-stream', @response.content_type | |||
end | |||
def test_show_file_from_private_issue_without_permission | |||
get :show, :id => 15 | |||
assert_redirected_to '/login?back_url=http%3A%2F%2Ftest.host%2Fattachments%2F15' | |||
end | |||
def test_show_file_from_private_issue_with_permission | |||
@request.session[:user_id] = 2 | |||
get :show, :id => 15 | |||
assert_response :success | |||
assert_tag 'h2', :content => /private.diff/ | |||
end | |||
def test_download_text_file | |||
get :download, :id => 4 | |||
assert_response :success |
@@ -91,6 +91,13 @@ class IssuesControllerTest < ActionController::TestCase | |||
assert_no_tag :tag => 'a', :content => /Can't print recipes/ | |||
assert_tag :tag => 'a', :content => /Subproject issue/ | |||
end | |||
def test_index_should_list_visible_issues_only | |||
get :index, :per_page => 100 | |||
assert_response :success | |||
assert_not_nil assigns(:issues) | |||
assert_nil assigns(:issues).detect {|issue| !issue.visible?} | |||
end | |||
def test_index_with_project | |||
Setting.display_subprojects_issues = 0 | |||
@@ -317,6 +324,12 @@ class IssuesControllerTest < ActionController::TestCase | |||
assert_response :redirect | |||
end | |||
def test_show_should_deny_anonymous_access_to_private_issue | |||
Issue.update_all(["is_private = ?", true], "id = 1") | |||
get :show, :id => 1 | |||
assert_response :redirect | |||
end | |||
def test_show_should_deny_non_member_access_without_permission | |||
Role.non_member.remove_permission!(:view_issues) | |||
@request.session[:user_id] = 9 | |||
@@ -324,6 +337,13 @@ class IssuesControllerTest < ActionController::TestCase | |||
assert_response 403 | |||
end | |||
def test_show_should_deny_non_member_access_to_private_issue | |||
Issue.update_all(["is_private = ?", true], "id = 1") | |||
@request.session[:user_id] = 9 | |||
get :show, :id => 1 | |||
assert_response 403 | |||
end | |||
def test_show_should_deny_member_access_without_permission | |||
Role.find(1).remove_permission!(:view_issues) | |||
@request.session[:user_id] = 2 | |||
@@ -331,6 +351,35 @@ class IssuesControllerTest < ActionController::TestCase | |||
assert_response 403 | |||
end | |||
def test_show_should_deny_member_access_to_private_issue_without_permission | |||
Issue.update_all(["is_private = ?", true], "id = 1") | |||
@request.session[:user_id] = 3 | |||
get :show, :id => 1 | |||
assert_response 403 | |||
end | |||
def test_show_should_allow_author_access_to_private_issue | |||
Issue.update_all(["is_private = ?, author_id = 3", true], "id = 1") | |||
@request.session[:user_id] = 3 | |||
get :show, :id => 1 | |||
assert_response :success | |||
end | |||
def test_show_should_allow_assignee_access_to_private_issue | |||
Issue.update_all(["is_private = ?, assigned_to_id = 3", true], "id = 1") | |||
@request.session[:user_id] = 3 | |||
get :show, :id => 1 | |||
assert_response :success | |||
end | |||
def test_show_should_allow_member_access_to_private_issue_with_permission | |||
Issue.update_all(["is_private = ?", true], "id = 1") | |||
User.find(3).roles_for_project(Project.find(1)).first.update_attribute :issues_visibility, 'all' | |||
@request.session[:user_id] = 3 | |||
get :show, :id => 1 | |||
assert_response :success | |||
end | |||
def test_show_should_not_disclose_relations_to_invisible_issues | |||
Setting.cross_project_issue_relations = '1' | |||
IssueRelation.create!(:issue_from => Issue.find(1), :issue_to => Issue.find(2), :relation_type => 'relates') |
@@ -74,6 +74,7 @@ class IssueTest < ActiveSupport::TestCase | |||
issues = Issue.visible(User.anonymous).all | |||
assert issues.any? | |||
assert_nil issues.detect {|issue| !issue.project.is_public?} | |||
assert_nil issues.detect {|issue| issue.is_private?} | |||
assert_visibility_match User.anonymous, issues | |||
end | |||
@@ -102,6 +103,7 @@ class IssueTest < ActiveSupport::TestCase | |||
issues = Issue.visible(user).all | |||
assert issues.any? | |||
assert_nil issues.detect {|issue| !issue.project.is_public?} | |||
assert_nil issues.detect {|issue| issue.is_private?} | |||
assert_visibility_match user, issues | |||
end | |||
@@ -130,10 +132,11 @@ class IssueTest < ActiveSupport::TestCase | |||
user = User.find(9) | |||
# User should see issues of projects for which he has view_issues permissions only | |||
Role.non_member.remove_permission!(:view_issues) | |||
Member.create!(:principal => user, :project_id => 2, :role_ids => [1]) | |||
Member.create!(:principal => user, :project_id => 3, :role_ids => [2]) | |||
issues = Issue.visible(user).all | |||
assert issues.any? | |||
assert_nil issues.detect {|issue| issue.project_id != 2} | |||
assert_nil issues.detect {|issue| issue.project_id != 3} | |||
assert_nil issues.detect {|issue| issue.is_private?} | |||
assert_visibility_match user, issues | |||
end | |||
@@ -145,6 +148,8 @@ class IssueTest < ActiveSupport::TestCase | |||
assert issues.any? | |||
# Admin should see issues on private projects that he does not belong to | |||
assert issues.detect {|issue| !issue.project.is_public?} | |||
# Admin should see private issues of other users | |||
assert issues.detect {|issue| issue.is_private? && issue.author != user} | |||
assert_visibility_match user, issues | |||
end | |||
@@ -1,5 +1,5 @@ | |||
# Redmine - project management software | |||
# Copyright (C) 2006-2008 Jean-Philippe Lang | |||
# Copyright (C) 2006-2011 Jean-Philippe Lang | |||
# | |||
# This program is free software; you can redistribute it and/or | |||
# modify it under the terms of the GNU General Public License | |||
@@ -44,11 +44,13 @@ module Redmine | |||
end | |||
def attachments_visible?(user=User.current) | |||
user.allowed_to?(self.class.attachable_options[:view_permission], self.project) | |||
(respond_to?(:visible?) ? visible?(user) : true) && | |||
user.allowed_to?(self.class.attachable_options[:view_permission], self.project) | |||
end | |||
def attachments_deletable?(user=User.current) | |||
user.allowed_to?(self.class.attachable_options[:delete_permission], self.project) | |||
(respond_to?(:visible?) ? visible?(user) : true) && | |||
user.allowed_to?(self.class.attachable_options[:delete_permission], self.project) | |||
end | |||
def initialize_unsaved_attachments |