diff options
| author | Jean-Philippe Lang <jp_lang@yahoo.fr> | 2017-05-27 08:34:41 +0000 |
|---|---|---|
| committer | Jean-Philippe Lang <jp_lang@yahoo.fr> | 2017-05-27 08:34:41 +0000 |
| commit | 86fa4e66c9971dd7f399bba18798792550402706 (patch) | |
| tree | 31918ddb3814474754b92e2c50e0feff766f6f83 | |
| parent | 8ba7b6a2b21cdabf9c629330b4e1919e61e279e2 (diff) | |
| download | redmine-86fa4e66c9971dd7f399bba18798792550402706.tar.gz redmine-86fa4e66c9971dd7f399bba18798792550402706.zip | |
Check tracker permissions when copying an issue (#25791).
git-svn-id: http://svn.redmine.org/redmine/trunk@16569 e93f8b46-1217-0410-a6f0-8f06a7374b81
| -rw-r--r-- | app/models/issue.rb | 11 | ||||
| -rw-r--r-- | test/functional/issues_controller_test.rb | 16 |
2 files changed, 26 insertions, 1 deletions
diff --git a/app/models/issue.rb b/app/models/issue.rb index 3d8df790b..7d411fc94 100644 --- a/app/models/issue.rb +++ b/app/models/issue.rb @@ -68,7 +68,7 @@ class Issue < ActiveRecord::Base validates :estimated_hours, :numericality => {:greater_than_or_equal_to => 0, :allow_nil => true, :message => :invalid} validates :start_date, :date => true validates :due_date, :date => true - validate :validate_issue, :validate_required_fields + validate :validate_issue, :validate_required_fields, :validate_permissions attr_protected :id scope :visible, lambda {|*args| @@ -512,6 +512,7 @@ class Issue < ActiveRecord::Base # attr_accessible is too rough because we still want things like # Issue.new(:project => foo) to work def safe_attributes=(attrs, user=User.current) + @attributes_set_by = user return unless attrs.is_a?(Hash) attrs = attrs.deep_dup @@ -776,6 +777,14 @@ class Issue < ActiveRecord::Base end end + def validate_permissions + if @attributes_set_by && new_record? && copy? + unless allowed_target_trackers(@attributes_set_by).include?(tracker) + errors.add :tracker, :invalid + end + end + end + # Overrides Redmine::Acts::Customizable::InstanceMethods#validate_custom_field_values # so that custom values that are not editable are not validated (eg. a custom field that # is marked as required should not trigger a validation error if the user is not allowed diff --git a/test/functional/issues_controller_test.rb b/test/functional/issues_controller_test.rb index dacbd370e..49aeb08d0 100644 --- a/test/functional/issues_controller_test.rb +++ b/test/functional/issues_controller_test.rb @@ -3109,6 +3109,22 @@ class IssuesControllerTest < Redmine::ControllerTest assert_equal 1, issue.status_id end + def test_create_as_copy_should_fail_without_add_issue_permission_on_original_tracker + role = Role.find(2) + role.set_permission_trackers :add_issues, [1, 3] + role.save! + Role.non_member.remove_permission! :add_issues + + issue = Issue.generate!(:project_id => 1, :tracker_id => 2) + @request.session[:user_id] = 3 + + assert_no_difference 'Issue.count' do + post :create, :project_id => 1, :copy_from => issue.id, + :issue => {:project_id => '1'} + end + assert_select_error 'Tracker is invalid' + end + def test_create_as_copy_should_copy_attachments @request.session[:user_id] = 2 issue = Issue.find(3) |