Merged 15430, 15464 to 15469, 15475, 15476 (#285, #7839).

git-svn-id: http://svn.redmine.org/redmine/branches/3.3-stable@15478 e93f8b46-1217-0410-a6f0-8f06a7374b81
author: Jean-Philippe Lang <jp_lang@yahoo.fr> 2016-06-06 09:41:50 +0000
committer: Jean-Philippe Lang <jp_lang@yahoo.fr> 2016-06-06 09:41:50 +0000
commit: 6e68d008c4dc50f46585e30aabaa5bc9859bee0f (patch)
tree: dddbcaecd80051789282556982fad7270c2e5b9d /app/controllers
parent: 7a974437e6414682d6b318a3b1130d728f51907a (diff)
download: redmine-6e68d008c4dc50f46585e30aabaa5bc9859bee0f.tar.gz
redmine-6e68d008c4dc50f46585e30aabaa5bc9859bee0f.zip
2 files changed, 21 insertions, 7 deletions
diff --git a/app/controllers/context_menus_controller.rb b/app/controllers/context_menus_controller.rb
index 1e5652d09..66ec35085 100644
--- a/app/controllers/context_menus_controller.rb
+++ b/app/controllers/context_menus_controller.rb
@@ -29,11 +29,11 @@ class ContextMenusController < ApplicationController
 
     @allowed_statuses = @issues.map(&:new_statuses_allowed_to).reduce(:&)
 
-    @can = {:edit => User.current.allowed_to?(:edit_issues, @projects),
+    @can = {:edit => @issues.all?(&:attributes_editable?),
             :log_time => (@project && User.current.allowed_to?(:log_time, @project)),
             :copy => User.current.allowed_to?(:copy_issues, @projects) && Issue.allowed_target_projects.any?,
             :add_watchers => User.current.allowed_to?(:add_issue_watchers, @projects),
-            :delete => User.current.allowed_to?(:delete_issues, @projects)
+            :delete => @issues.all?(&:deletable?)
             }
     if @project
       if @issue
@@ -41,12 +41,11 @@ class ContextMenusController < ApplicationController
       else
         @assignables = @project.assignable_users
       end
-      @trackers = @project.trackers
     else
       #when multiple projects, we only keep the intersection of each set
       @assignables = @projects.map(&:assignable_users).reduce(:&)
-      @trackers = @projects.map(&:trackers).reduce(:&)
     end
+    @trackers = @projects.map {|p| Issue.allowed_target_trackers(p) }.reduce(:&)
     @versions = @projects.map {|p| p.shared_versions.open}.reduce(:&)
 
     @priorities = IssuePriority.active.reverse
diff --git a/app/controllers/issues_controller.rb b/app/controllers/issues_controller.rb
index cf402de22..67956667a 100644
--- a/app/controllers/issues_controller.rb
+++ b/app/controllers/issues_controller.rb
@@ -211,6 +211,10 @@ class IssuesController < ApplicationController
       unless User.current.allowed_to?(:copy_issues, @projects)
         raise ::Unauthorized
       end
+    else
+      unless @issues.all?(&:attributes_editable?)
+        raise ::Unauthorized
+      end
     end
 
     @allowed_projects = Issue.allowed_target_projects
@@ -230,7 +234,7 @@ class IssuesController < ApplicationController
     end
     @custom_fields = @issues.map{|i|i.editable_custom_fields}.reduce(:&)
     @assignables = target_projects.map(&:assignable_users).reduce(:&)
-    @trackers = target_projects.map(&:trackers).reduce(:&)
+    @trackers = target_projects.map {|p| Issue.allowed_target_trackers(p) }.reduce(:&)
     @versions = target_projects.map {|p| p.shared_versions.open}.reduce(:&)
     @categories = target_projects.map {|p| p.issue_categories}.reduce(:&)
     if @copy
@@ -263,6 +267,10 @@ class IssuesController < ApplicationController
       unless User.current.allowed_to?(:add_issues, target_projects)
         raise ::Unauthorized
       end
+    else
+      unless @issues.all?(&:attributes_editable?)
+        raise ::Unauthorized
+      end
     end
 
     unsaved_issues = []
@@ -316,6 +324,7 @@ class IssuesController < ApplicationController
   end
 
   def destroy
+    raise Unauthorized unless @issues.all?(&:deletable?)
     @hours = TimeEntry.where(:issue_id => @issues.map(&:id)).sum(:hours).to_f
     if @hours > 0
       case params[:todo]
@@ -465,9 +474,15 @@ class IssuesController < ApplicationController
     @issue.safe_attributes = attrs
 
     if @issue.project
-      @issue.tracker ||= @issue.project.trackers.first
+      @issue.tracker ||= @issue.allowed_target_trackers.first
       if @issue.tracker.nil?
-        render_error l(:error_no_tracker_in_project)
+        if @issue.project.trackers.any?
+          # None of the project trackers is allowed to the user
+          render_error :message => l(:error_no_tracker_allowed_for_new_issue_in_project), :status => 403
+        else
+          # Project has no trackers
+          render_error l(:error_no_tracker_in_project)
+        end
         return false
       end
       if @issue.status.nil?
author	Jean-Philippe Lang <jp_lang@yahoo.fr>	2016-06-06 09:41:50 +0000
committer	Jean-Philippe Lang <jp_lang@yahoo.fr>	2016-06-06 09:41:50 +0000
commit	6e68d008c4dc50f46585e30aabaa5bc9859bee0f (patch)
tree	dddbcaecd80051789282556982fad7270c2e5b9d /app/controllers
parent	7a974437e6414682d6b318a3b1130d728f51907a (diff)
download	redmine-6e68d008c4dc50f46585e30aabaa5bc9859bee0f.tar.gz redmine-6e68d008c4dc50f46585e30aabaa5bc9859bee0f.zip