diff options
| author | Jean-Philippe Lang <jp_lang@yahoo.fr> | 2011-11-24 21:16:44 +0000 |
|---|---|---|
| committer | Jean-Philippe Lang <jp_lang@yahoo.fr> | 2011-11-24 21:16:44 +0000 |
| commit | 6b43e9462e978addc28bd38b219dbb7fda0535ef (patch) | |
| tree | 31129666b8f5203bdf44b6ca214ca3978469c0fa | |
| parent | 097b0e7a4d893ef5e6a091ebac72645b1c7ee256 (diff) | |
| download | redmine-6b43e9462e978addc28bd38b219dbb7fda0535ef.tar.gz redmine-6b43e9462e978addc28bd38b219dbb7fda0535ef.zip | |
Fixed that :view_time_entries permission allows time entry editing (#9405).
git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@7920 e93f8b46-1217-0410-a6f0-8f06a7374b81
| -rw-r--r-- | lib/redmine.rb | 2 | ||||
| -rw-r--r-- | test/functional/timelog_controller_test.rb | 11 |
2 files changed, 12 insertions, 1 deletions
diff --git a/lib/redmine.rb b/lib/redmine.rb index 129b39315..be5c8b5a3 100644 --- a/lib/redmine.rb +++ b/lib/redmine.rb @@ -88,7 +88,7 @@ Redmine::AccessControl.map do |map| end map.project_module :time_tracking do |map| - map.permission :log_time, {:timelog => [:new, :create, :edit, :update, :bulk_edit, :bulk_update]}, :require => :loggedin + map.permission :log_time, {:timelog => [:new, :create]}, :require => :loggedin map.permission :view_time_entries, :timelog => [:index, :show], :time_entry_reports => [:report] map.permission :edit_time_entries, {:timelog => [:new, :create, :edit, :update, :destroy, :bulk_edit, :bulk_update]}, :require => :member map.permission :edit_own_time_entries, {:timelog => [:new, :create, :edit, :update, :destroy,:bulk_edit, :bulk_update]}, :require => :loggedin diff --git a/test/functional/timelog_controller_test.rb b/test/functional/timelog_controller_test.rb index c455d5496..fb635a72d 100644 --- a/test/functional/timelog_controller_test.rb +++ b/test/functional/timelog_controller_test.rb @@ -163,6 +163,9 @@ class TimelogControllerTest < ActionController::TestCase def test_bulk_update_on_different_projects @request.session[:user_id] = 2 + # makes user a manager on the other project + Member.create!(:user_id => 2, :project_id => 3, :role_ids => [1]) + # update time entry activity post :bulk_update, :ids => [1, 2, 4], :time_entry => { :activity_id => 9 } @@ -205,6 +208,14 @@ class TimelogControllerTest < ActionController::TestCase assert_redirected_to :controller => 'timelog', :action => 'index', :project_id => Project.find(1).identifier end + def test_post_bulk_update_without_edit_permission_should_be_denied + @request.session[:user_id] = 2 + Role.find_by_name('Manager').remove_permission! :edit_time_entries + post :bulk_update, :ids => [1,2] + + assert_response 403 + end + def test_destroy @request.session[:user_id] = 2 delete :destroy, :id => 1 |