authorJean-Philippe Lang <jp_lang@yahoo.fr>2017-06-26 19:49:02 +0000
committerJean-Philippe Lang <jp_lang@yahoo.fr>2017-06-26 19:49:02 +0000
commitb03e03b7704a50639f143806471386fab4900835 (patch)
tree072426e6ef00d2cfe0a95b27405e149663339a7d
parentd5bec063e7b656974b09f9d5f9bf29326a041b7c (diff)
downloadredmine-b03e03b7704a50639f143806471386fab4900835.tar.gz
redmine-b03e03b7704a50639f143806471386fab4900835.zip
Global News view should not be allowed without permission (#7068).
git-svn-id: http://svn.redmine.org/redmine/trunk@16721 e93f8b46-1217-0410-a6f0-8f06a7374b81
-rw-r--r--app/controllers/news_controller.rb10
-rw-r--r--lib/redmine.rb1
-rw-r--r--test/functional/news_controller_test.rb8
3 files changed, 9 insertions, 10 deletions
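diff --git a/app/controllers/news_controller.rb b/app/controllers/news_controller.rb
index 727617cb7..3df9e5e44 100644
--- a/app/controllers/news_controller.rb
+++ b/app/controllers/news_controller.rb
@@ -98,14 +98,4 @@ class NewsController < ApplicationController
 @news.destroy
 redirect_to project_news_index_path(@project)
 end
-
- private
-
- def find_optional_project
- return true unless params[:project_id]
- @project = Project.find(params[:project_id])
- authorize
- rescue ActiveRecord::RecordNotFound
- render_404
- end
 end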
diff --git a/lib/redmine.rb b/lib/redmine.rb
index 6f4d3e07c..5f01787c2 100644
--- a/lib/redmine.rb
+++ b/lib/redmine.rb
@@ -217,6 +217,7 @@ Redmine::MenuManager.map :application_menu do |menu|
menu.push :calendar, { :controller => 'calendars', :action => 'show' }, :caption => :label_calendar
menu.push :news, {:controller => 'news', :action => 'index'},
+ :if => Proc.new {User.current.allowed_to?(:view_news, nil, :global => true)},
:caption => :label_news_plural
end
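Review bot: The `:if` proc added to the news menu item hard-codes the permission name `:view_news` a second time, separately from wherever the news controller's `index` action is mapped to that permission, so the two can drift apart without any test noticing; the menu condition only hides the link, while the controller remains the enforcement point. If `User#allowed_to?` accepts the controller/action hash form here as the removed `authorize` path did, `:if => Proc.new {User.current.allowed_to?({:controller => 'news', :action => 'index'}, nil, :global => true)}` would keep the menu in step with the access-control map. Either way a one-line comment such as `# visibility only; NewsController still authorizes the request` would make the intent explicit. The enclosing `map :application_menu` block begins outside the hunk.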
diff --git a/test/functional/news_controller_test.rb b/test/functional/news_controller_test.rb
index 91db40cb0..f62d21bf1 100644
--- a/test/functional/news_controller_test.rb
+++ b/test/functional/news_controller_test.rb
@@ -47,6 +47,14 @@ class NewsControllerTest < Redmine::ControllerTest
assert_response 404
end
+ def test_index_without_permission_should_fail
+ Role.all.each {|r| r.remove_permission! :view_news}
+ @request.session[:user_id] = 2
+
+ get :index
+ assert_response 403
+ end
+
def test_show
get :show, :params => {
:id => 1
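Review bot: `test_index_without_permission_should_fail` covers only the global `index` for a logged-in user (session user 2), while the commit also deletes the controller's own `find_optional_project` override, so the project-scoped request and the anonymous request are left unpinned. Adding `get :index, :params => {:project_id => 1}` followed by `assert_response 403` in the same test would cover the project path, and a sibling test without a session would pin whatever response anonymous users are expected to get (presumably a redirect to login rather than 403, which should be confirmed). A name such as `test_index_without_permission_should_respond_with_403` states the expected outcome better than `should_fail`. `test_show` continues past the end of the hunk.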