authorGo MAEDA <maeda@farend.jp>2021-05-29 06:44:54 +0000
committerGo MAEDA <maeda@farend.jp>2021-05-29 06:44:54 +0000
commit19189430200cad7157702cda6718680018e2c64e (patch)
treebfd52177960f8c210013b0567019997975fce5f5
parent5ac8f70d108a4d41e3f5954845bf64946e5caa28 (diff)
downloadredmine-19189430200cad7157702cda6718680018e2c64e.tar.gz
redmine-19189430200cad7157702cda6718680018e2c64e.zip
"Add news" button on global news index is displayed for users without permission (#35308).
Patch by Alexander Meindl and Mizuki ISHIKAWA. git-svn-id: http://svn.redmine.org/redmine/trunk@21014 e93f8b46-1217-0410-a6f0-8f06a7374b81
-rw-r--r--app/views/news/index.html.erb4
-rw-r--r--test/functional/news_controller_test.rb12
2 files changed, 14 insertions, 2 deletions
diff --git a/app/views/news/index.html.erb b/app/views/news/index.html.erb
index 3a8f1ccb2..8ec1d512a 100644
--- a/app/views/news/index.html.erb
+++ b/app/views/news/index.html.erb
@@ -1,8 +1,8 @@
<div class="contextual">
<%= link_to(l(:label_news_new),
(@project ? project_news_index_path(@project) : news_index_path),
- :class => 'icon icon-add',
- :onclick => 'showAndScrollTo("add-news", "news_title"); return false;') if (@project.nil? || (@project && User.current.allowed_to?(:manage_news, @project))) %>
+ :class => 'icon icon-add add-news-link',
+ :onclick => 'showAndScrollTo("add-news", "news_title"); return false;') if User.current.allowed_to?(:manage_news, @project, global: true) %>
<%= watcher_link(@project.enabled_module('news'), User.current) if @project && User.current.logged? %>
</div>
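Review bot: The new `if User.current.allowed_to?(:manage_news, @project, global: true)` guard only hides the button, so it is not the access control for creating news. The `new`/`create` actions still have to require `:manage_news` on the project the news item is posted to, and that code is outside this hunk. The `global: true` option also appears to matter only when `@project` is nil, where it presumably means "allowed in at least one project"; the template does not make this clear. I would add a comment above the link, e.g. `<%# Visibility only: without @project, global: true shows the link if the user has :manage_news in any project; the controller must still authorize the create. %>`.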
diff --git a/test/functional/news_controller_test.rb b/test/functional/news_controller_test.rb
index 4dd46c8a7..212248157 100644
--- a/test/functional/news_controller_test.rb
+++ b/test/functional/news_controller_test.rb
@@ -53,6 +53,18 @@ class NewsControllerTest < Redmine::ControllerTest
assert_response 403
end
+ def test_index_without_manage_news_permission_should_not_display_add_news_link
+ user = User.find(2)
+ @request.session[:user_id] = user.id
+ Role.all.each {|r| r.remove_permission! :manage_news}
+ get :index
+ assert_select '.add-news-link', count: 0
+
+ user.members.first.roles.first.add_permission! :manage_news
+ get :index
+ assert_select '.add-news-link', count: 1
+ end
+
def test_show
get(:show, :params => {:id => 1})
assert_response :success
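Review bot: `test_index_without_manage_news_permission_should_not_display_add_news_link` exercises only a logged-in member (`User.find(2)`), although the old condition showed the link to everyone whenever `@project` was nil, which would include anonymous visitors. Neither `get :index` is followed by a status check, so `assert_select '.add-news-link', count: 0` would also pass on an error or redirect page. I would add `assert_response :success` after each `get :index`, and an anonymous case after the `remove_permission!` loop: `@request.session[:user_id] = nil`, `get :index`, `assert_select '.add-news-link', count: 0`. A companion assertion that the create request is rejected for the same user without the permission would confirm that server-side enforcement matches the hidden link; the surrounding tests are only partly visible here.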