summaryrefslogtreecommitdiffstats
path: root/app/controllers
diff options
context:
space:
mode:
authorJean-Philippe Lang <jp_lang@yahoo.fr>2016-06-05 13:45:10 +0000
committerJean-Philippe Lang <jp_lang@yahoo.fr>2016-06-05 13:45:10 +0000
commitc4fd1750f703a7649f0b3b52b25cf32fa532b5b3 (patch)
treef94e5de3b00a6eb8c2b6741f847c2bb8d75625f7 /app/controllers
parenta23450fe08f367a1d4a03e937c3f8e90f83383fe (diff)
downloadredmine-c4fd1750f703a7649f0b3b52b25cf32fa532b5b3.tar.gz
redmine-c4fd1750f703a7649f0b3b52b25cf32fa532b5b3.zip
Adds permission to edit and delete issues by role/tracker (#285).
git-svn-id: http://svn.redmine.org/redmine/trunk@15466 e93f8b46-1217-0410-a6f0-8f06a7374b81
Diffstat (limited to 'app/controllers')
-rw-r--r--app/controllers/context_menus_controller.rb4
-rw-r--r--app/controllers/issues_controller.rb9
2 files changed, 11 insertions, 2 deletions
diff --git a/app/controllers/context_menus_controller.rb b/app/controllers/context_menus_controller.rb
index 59ee3a77a..66ec35085 100644
--- a/app/controllers/context_menus_controller.rb
+++ b/app/controllers/context_menus_controller.rb
@@ -29,11 +29,11 @@ class ContextMenusController < ApplicationController
@allowed_statuses = @issues.map(&:new_statuses_allowed_to).reduce(:&)
- @can = {:edit => User.current.allowed_to?(:edit_issues, @projects),
+ @can = {:edit => @issues.all?(&:attributes_editable?),
:log_time => (@project && User.current.allowed_to?(:log_time, @project)),
:copy => User.current.allowed_to?(:copy_issues, @projects) && Issue.allowed_target_projects.any?,
:add_watchers => User.current.allowed_to?(:add_issue_watchers, @projects),
- :delete => User.current.allowed_to?(:delete_issues, @projects)
+ :delete => @issues.all?(&:deletable?)
}
if @project
if @issue
diff --git a/app/controllers/issues_controller.rb b/app/controllers/issues_controller.rb
index 37825c995..67956667a 100644
--- a/app/controllers/issues_controller.rb
+++ b/app/controllers/issues_controller.rb
@@ -211,6 +211,10 @@ class IssuesController < ApplicationController
unless User.current.allowed_to?(:copy_issues, @projects)
raise ::Unauthorized
end
+ else
+ unless @issues.all?(&:attributes_editable?)
+ raise ::Unauthorized
+ end
end
@allowed_projects = Issue.allowed_target_projects
@@ -263,6 +267,10 @@ class IssuesController < ApplicationController
unless User.current.allowed_to?(:add_issues, target_projects)
raise ::Unauthorized
end
+ else
+ unless @issues.all?(&:attributes_editable?)
+ raise ::Unauthorized
+ end
end
unsaved_issues = []
@@ -316,6 +324,7 @@ class IssuesController < ApplicationController
end
def destroy
+ raise Unauthorized unless @issues.all?(&:deletable?)
@hours = TimeEntry.where(:issue_id => @issues.map(&:id)).sum(:hours).to_f
if @hours > 0
case params[:todo]