author | Marius Balteanu <marius.balteanu@zitec.com> | 2024-07-08 21:32:15 +0000 |
committer | Marius Balteanu <marius.balteanu@zitec.com> | 2024-07-08 21:32:15 +0000 |
commit | 57743c4145eadc4d702b7bd21eafbb30a15b48ca (patch) | |
tree | 641aec6c4e11e6949d095249d1b3a47e03e5ac0b /app/controllers | |
parent | f9f486bdd091fcfdc351b188981688dccffed210 (diff) | |
download | redmine-57743c4145eadc4d702b7bd21eafbb30a15b48ca.tar.gz redmine-57743c4145eadc4d702b7bd21eafbb30a15b48ca.zip |
Permission check based on the type of @watchables@ (#40946).
Patch by Jens Krämer (@jkraemer).
git-svn-id: https://svn.redmine.org/redmine/trunk@22915 e93f8b46-1217-0410-a6f0-8f06a7374b81
Diffstat (limited to 'app/controllers')
-rw-r--r-- | app/controllers/watchers_controller.rb | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/app/controllers/watchers_controller.rb b/app/controllers/watchers_controller.rb
index b4efa10e9..a446d6410 100644
--- a/app/controllers/watchers_controller.rb
+++ b/app/controllers/watchers_controller.rb
@@ -41,6 +41,8 @@ class WatchersController < ApplicationController
 end
 def create
+ return unless authorize_for_watchable_type(:add)
+
 user_ids = []
 if params[:watcher]
 user_ids << (params[:watcher][:user_ids] || params[:watcher][:user_id])
@@ -76,6 +78,8 @@ class WatchersController < ApplicationController
 end
 def destroy
+ return unless authorize_for_watchable_type(:delete)
+
 user = Principal.find(params[:user_id])
 @watchables.each do |watchable|
 watchable.set_watcher(user, false)
@@ -228,4 +232,14 @@ class WatchersController < ApplicationController
 objects
 end
+
+ # Check permission for the watchable type for each watchable involved
+ def authorize_for_watchable_type(action)
+ if @watchables.any?{|watchable| !User.current.allowed_to?(:"#{action}_#{watchable.class.name.underscore}_watchers", watchable.project)}
+ render_403
+ return false
+ else
+ return true
+ end
+ end
 end
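Review bot: The guard added at the top of `create` (and the matching one in `destroy` in the second hunk) is a bare `return` inside the action body, so the action only stays single-render because `render_403` has already rendered by the time the helper returns false; a `before_action ..., only: %i[create destroy]` that calls the helper with `:add` or `:delete` according to `action_name` would halt the filter chain on the 403 and keep the authorization out of the action bodies. Both `create` and `destroy` continue past their hunks. Any other actions of this controller lie outside these hunks and are not touched by the commit; if any of them also change watchers, they would need the same check.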
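Review bot: `authorize_for_watchable_type` spells its result out through an `if`/`else` with explicit `return false`/`return true`, where idiomatic Ruby reads `return true if @watchables.all? { |w| User.current.allowed_to?(:"#{action}_#{w.class.name.underscore}_watchers", w.project) }` followed by `render_403` and `false` (the `any?` over a negated block is the same test inverted). The comment above the method should also state that the check fails closed — every watchable must grant the derived permission in its own project, and a watchable type for which no `<action>_<type>_watchers` permission exists is presumably rejected since `allowed_to?` would grant nothing for an unknown permission name — and that the interpolated symbol is built from the caller's literal `action` and the model class name, not from request parameters. Whether the method ends up private depends on a `private` marker earlier in the file that the hunk does not show; if none precedes it, it joins the controller's public action methods. `render_403` and `User.current.allowed_to?` are defined outside this file, so their behavior on a nil `project` is not visible here and is worth confirming.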