authorJean-Philippe Lang <jp_lang@yahoo.fr>2011-11-24 21:21:15 +0000
committerJean-Philippe Lang <jp_lang@yahoo.fr>2011-11-24 21:21:15 +0000
commitf436918dbee678a66d5228341385ae2c9e462a03 (patch)
treef56169a6cf89328ebcd693b1c3318a9760e769fc
parent6b43e9462e978addc28bd38b219dbb7fda0535ef (diff)
Fixed that :edit_time_entries permission allows creating time entries (#9405).
git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@7921 e93f8b46-1217-0410-a6f0-8f06a7374b81
-rw-r--r--lib/redmine.rb4
-rw-r--r--test/functional/timelog_controller_test.rb12
2 files changed, 14 insertions, 2 deletions
diff --git a/lib/redmine.rb b/lib/redmine.rb
index be5c8b5a3..252c1ca62 100644
--- a/lib/redmine.rb
+++ b/lib/redmine.rb
@@ -90,8 +90,8 @@ Redmine::AccessControl.map do |map|
map.project_module :time_tracking do |map|
map.permission :log_time, {:timelog => [:new, :create]}, :require => :loggedin
map.permission :view_time_entries, :timelog => [:index, :show], :time_entry_reports => [:report]
- map.permission :edit_time_entries, {:timelog => [:new, :create, :edit, :update, :destroy, :bulk_edit, :bulk_update]}, :require => :member
- map.permission :edit_own_time_entries, {:timelog => [:new, :create, :edit, :update, :destroy,:bulk_edit, :bulk_update]}, :require => :loggedin
+ map.permission :edit_time_entries, {:timelog => [:edit, :update, :destroy, :bulk_edit, :bulk_update]}, :require => :member
+ map.permission :edit_own_time_entries, {:timelog => [:edit, :update, :destroy,:bulk_edit, :bulk_update]}, :require => :loggedin
map.permission :manage_project_activities, {:project_enumerations => [:update, :destroy]}, :require => :member
end
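Review bot: Nothing in the `time_tracking` block records that `:new` and `:create` are granted by `:log_time` alone, so the action lists on the two changed `edit_*` lines could be widened again without anyone noticing the privilege overlap. A comment above them would pin the intent, for example `# Creating entries is granted by :log_time only; edit_* permissions must not list :new/:create (#9405)`. Separately, `:edit_own_time_entries` still maps to the same actions as `:edit_time_entries` with only `:require => :loggedin`. The "own" restriction therefore has to be enforced per entry in the controller, which is not visible in this hunk and is worth confirming for `:bulk_edit`/`:bulk_update`. The enclosing `Redmine::AccessControl.map` block starts and ends outside the hunk.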
diff --git a/test/functional/timelog_controller_test.rb b/test/functional/timelog_controller_test.rb
index fb635a72d..ce06852f8 100644
--- a/test/functional/timelog_controller_test.rb
+++ b/test/functional/timelog_controller_test.rb
@@ -117,6 +117,18 @@ class TimelogControllerTest < ActionController::TestCase
assert_equal 3, t.user_id
end
+ def test_create_without_log_time_permission_should_be_denied
+ @request.session[:user_id] = 2
+ Role.find_by_name('Manager').remove_permission! :log_time
+ post :create, :project_id => 1,
+ :time_entry => {:activity_id => '11',
+ :issue_id => '',
+ :spent_on => '2008-03-14',
+ :hours => '7.3'}
+
+ assert_response 403
+ end
+
def test_update
entry = TimeEntry.find(1)
assert_equal 1, entry.issue_id
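Review bot: The new test `test_create_without_log_time_permission_should_be_denied` checks only the 403 status of `post :create`, so it would still pass if the entry were saved before the response was rendered. Wrapping the request in `assert_no_difference 'TimeEntry.count' do ... end` would pin the property that matters. The commit also removes `:new` from both edit permissions, but no test covers it; a companion test issuing `get :new, :project_id => 1` and expecting `assert_response 403` would close that gap. The test presumably relies on the Manager role in the fixtures still holding `:edit_time_entries` after `:log_time` is removed, since otherwise it does not exercise the regression. A one-line comment stating that assumption would help, as the fixtures are not visible here.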