authorJean-Philippe Lang <jp_lang@yahoo.fr>2015-02-08 12:07:00 +0000
committerJean-Philippe Lang <jp_lang@yahoo.fr>2015-02-08 12:07:00 +0000
commitc3c7d9a4d27b9accac73d55652302f6781371380 (patch)
tree284fb0eed8f32d47126880249ea5c202874b47fd /app/controllers/issues_controller.rb
parent01f673be08be68247b72a8954379b3f0c7a9a9d3 (diff)
Adds a :copy_issues permission (#18855).
When copy is allowed, target projects are those on which the user has the :add_issues permission. git-svn-id: http://svn.redmine.org/redmine/trunk@13985 e93f8b46-1217-0410-a6f0-8f06a7374b81
Diffstat (limited to 'app/controllers/issues_controller.rb')
-rw-r--r--app/controllers/issues_controller.rb25
1 files changed, 25 insertions, 0 deletions
diff --git a/app/controllers/issues_controller.rb b/app/controllers/issues_controller.rb
index de7155481..b95856a19 100644
--- a/app/controllers/issues_controller.rb
+++ b/app/controllers/issues_controller.rb
@@ -143,6 +143,9 @@ class IssuesController < ApplicationController
end
def create
+ unless User.current.allowed_to?(:add_issues, @issue.project)
+ raise ::Unauthorized
+ end
call_hook(:controller_issues_new_before_save, { :params => params, :issue => @issue })
@issue.save_attachments(params[:attachments] || (params[:issue] && params[:issue][:uploads]))
if @issue.save
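Review bot: The three-line `unless User.current.allowed_to?(...)` / `raise ::Unauthorized` / `end` guard is written out here in `create` and repeated in each of the three later hunks (five copies in total), so a later edit can update one copy and miss another. The modifier form is shorter, `raise ::Unauthorized unless User.current.allowed_to?(:add_issues, @issue.project)`, and a small private helper taking the permission and the project(s) would keep the checks uniform. `@issue` is assigned outside this hunk, so it is not visible whether the project comes from the route or from submitted attributes; a one-line comment above the guard saying which project is being checked and why an explicit check is needed here would help. The body of `create` continues past the hunk.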
@@ -219,6 +222,12 @@ class IssuesController < ApplicationController
@copy = params[:copy].present?
@notes = params[:notes]
+ if @copy
+ unless User.current.allowed_to?(:copy_issues, @projects)
+ raise ::Unauthorized
+ end
+ end
+
@allowed_projects = Issue.allowed_target_projects
if params[:issue]
@target_project = @allowed_projects.detect {|p| p.id.to_s == params[:issue][:project_id].to_s}
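Review bot: The unchanged line `@allowed_projects = Issue.allowed_target_projects` just below the new guard is called the same way whether or not `@copy` is set, while the commit message says copy targets are the projects where the user has :add_issues. That method is defined outside this diff and may already handle copy mode. If it does not, the form can list targets that the :add_issues check in the third hunk then rejects, or omit ones it would accept. Separately, the nested `if @copy` / `unless` can be flattened to `raise ::Unauthorized if @copy && !User.current.allowed_to?(:copy_issues, @projects)`. The enclosing method starts and ends outside the hunk.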
@@ -255,6 +264,19 @@ class IssuesController < ApplicationController
@copy = params[:copy].present?
attributes = parse_params_for_bulk_issue_attributes(params)
+ if @copy
+ unless User.current.allowed_to?(:copy_issues, @projects)
+ raise ::Unauthorized
+ end
+ target_projects = @projects
+ if attributes['project_id'].present?
+ target_projects = Project.where(:id => attributes['project_id']).to_a
+ end
+ unless User.current.allowed_to?(:add_issues, target_projects)
+ raise ::Unauthorized
+ end
+ end
+
unsaved_issues = []
saved_issues = []
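Review bot: When `attributes['project_id']` is present but matches no row, `Project.where(:id => attributes['project_id']).to_a` is `[]`, and the outcome then depends on how `allowed_to?` treats an empty array, which is defined outside this diff. Making the denial explicit keeps the check fail-closed regardless: add `raise ::Unauthorized if target_projects.empty?` before the :add_issues check. The lookup is also not scoped to projects the user can see, which is safe only while the permission check that follows remains the sole gate; a short comment saying so would protect it from a later refactor. The enclosing method continues outside the hunk.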
@@ -407,6 +429,9 @@ class IssuesController < ApplicationController
begin
@issue.init_journal(User.current)
@copy_from = Issue.visible.find(params[:copy_from])
+ unless User.current.allowed_to?(:copy_issues, @copy_from.project)
+ raise ::Unauthorized
+ end
@link_copy = link_copy?(params[:link_copy]) || request.get?
@copy_attachments = params[:copy_attachments].present? || request.get?
@copy_subtasks = params[:copy_subtasks].present? || request.get?
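Review bot: The new `raise ::Unauthorized` sits inside a `begin` block whose `rescue` clauses are outside the hunk. If any of them rescues broadly (a bare `rescue` or `StandardError`), the denial would be rendered as whatever that handler produces instead of the unauthorized response, so confirm they name specific exception classes. Placing the check directly after `Issue.visible.find(params[:copy_from])` and before any copy option is read is the right order. A comment such as `# source-side check; the target project is checked in create` would make the split between the two permissions clear.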