author | Jean-Philippe Lang <jp_lang@yahoo.fr> | 2015-02-08 12:07:00 +0000 |
---|---|---|
committer | Jean-Philippe Lang <jp_lang@yahoo.fr> | 2015-02-08 12:07:00 +0000 |
commit | c3c7d9a4d27b9accac73d55652302f6781371380 (patch) | |
tree | 284fb0eed8f32d47126880249ea5c202874b47fd /app/controllers/issues_controller.rb | |
parent | 01f673be08be68247b72a8954379b3f0c7a9a9d3 (diff) | |
Adds a :copy_issues permission (#18855).
When copy is allowed, target projects are those on which the user has the :add_issues permission.
git-svn-id: http://svn.redmine.org/redmine/trunk@13985 e93f8b46-1217-0410-a6f0-8f06a7374b81
Diffstat (limited to 'app/controllers/issues_controller.rb')
-rw-r--r-- | app/controllers/issues_controller.rb | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/app/controllers/issues_controller.rb b/app/controllers/issues_controller.rb
index de7155481..b95856a19 100644
--- a/app/controllers/issues_controller.rb
+++ b/app/controllers/issues_controller.rb
@@ -143,6 +143,9 @@ class IssuesController < ApplicationController
 end
 def create
+ unless User.current.allowed_to?(:add_issues, @issue.project)
+ raise ::Unauthorized
+ end
 call_hook(:controller_issues_new_before_save, { :params => params, :issue => @issue })
 @issue.save_attachments(params[:attachments] || (params[:issue] && params[:issue][:uploads]))
 if @issue.save
@@ -219,6 +222,12 @@ class IssuesController < ApplicationController
 @copy = params[:copy].present?
 @notes = params[:notes]
+ if @copy
+ unless User.current.allowed_to?(:copy_issues, @projects)
+ raise ::Unauthorized
+ end
+ end
+
 @allowed_projects = Issue.allowed_target_projects
 if params[:issue]
 @target_project = @allowed_projects.detect {|p| p.id.to_s == params[:issue][:project_id].to_s}
@@ -255,6 +264,19 @@ class IssuesController < ApplicationController
 @copy = params[:copy].present?
 attributes = parse_params_for_bulk_issue_attributes(params)
+ if @copy
+ unless User.current.allowed_to?(:copy_issues, @projects)
+ raise ::Unauthorized
+ end
+ target_projects = @projects
+ if attributes['project_id'].present?
+ target_projects = Project.where(:id => attributes['project_id']).to_a
+ end
+ unless User.current.allowed_to?(:add_issues, target_projects)
+ raise ::Unauthorized
+ end
+ end
+
 unsaved_issues = []
 saved_issues = []
@@ -407,6 +429,9 @@ class IssuesController < ApplicationController
 begin
 @issue.init_journal(User.current)
 @copy_from = Issue.visible.find(params[:copy_from])
+ unless User.current.allowed_to?(:copy_issues, @copy_from.project)
+ raise ::Unauthorized
+ end
 @link_copy = link_copy?(params[:link_copy]) || request.get?
 @copy_attachments = params[:copy_attachments].present? || request.get?
 @copy_subtasks = params[:copy_subtasks].present? || request.get? |
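Review bot: The new guard at the top of `create` has no comment saying why it tests `@issue.project` rather than the project taken from the route, and that choice is the security-relevant part of the check. `@issue` is built outside this hunk, so whether the two can differ is not visible here; if they can (for example when a copy targets another project), a comment such as `# Authorize against the issue's resolved project, not the routed one` would keep a later refactor from weakening the check. The body of `create` continues past the end of the hunk.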
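Review bot: The `:copy_issues` guard added to the second hunk (around new line 225) is written as an `unless` nested inside `if @copy`, and the same lines recur in the third hunk and, against `@copy_from.project`, in the fourth. One private helper shared by the three call sites would keep the checks from drifting apart when the permission model changes. The nested form also reads more simply as `raise ::Unauthorized if @copy && !User.current.allowed_to?(:copy_issues, @projects)`. The enclosing method starts and ends outside the hunk.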
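Review bot: In the third hunk, `Project.where(:id => attributes['project_id']).to_a` yields an empty array when the submitted id matches no project, and the `:add_issues` decision then depends on how `allowed_to?` treats an empty list, which is not visible in this file. Making the denial explicit removes that dependency: add `raise ::Unauthorized if target_projects.empty?` before the `allowed_to?(:add_issues, target_projects)` call. The target-project check also sits inside `if @copy`, so a non-copy bulk change of `project_id` is presumably authorized elsewhere; that is worth confirming. The method continues outside the hunk.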
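Review bot: In the last hunk the added `raise ::Unauthorized` sits inside a `begin` block whose `rescue` clause lies outside the hunk. If that clause is broader than the record-not-found case raised by `Issue.visible.find`, it would swallow the authorization failure and replace the permission-denied response with whatever the rescue renders. The rescue should name only the lookup error, or the permission check can move after the `begin`/`rescue` block so that it does not depend on the rescue's scope.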