authorMarius Balteanu <marius.balteanu@zitec.com>2024-07-08 21:32:15 +0000
committerMarius Balteanu <marius.balteanu@zitec.com>2024-07-08 21:32:15 +0000
commit57743c4145eadc4d702b7bd21eafbb30a15b48ca (patch)
tree641aec6c4e11e6949d095249d1b3a47e03e5ac0b /app/controllers
parentf9f486bdd091fcfdc351b188981688dccffed210 (diff)
Permission check based on the type of @watchables@ (#40946).
Patch by Jens Krämer (@jkraemer). git-svn-id: https://svn.redmine.org/redmine/trunk@22915 e93f8b46-1217-0410-a6f0-8f06a7374b81
Diffstat (limited to 'app/controllers')
-rw-r--r--app/controllers/watchers_controller.rb14
1 files changed, 14 insertions, 0 deletions
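--- a/app/controllers/watchers_controller.rb
+++ b/app/controllers/watchers_controller.rb
@@ -41,6 +41,8 @@ class WatchersController < ApplicationController
 end
 def create
+ return unless authorize_for_watchable_type(:add)
+
 user_ids = []
 if params[:watcher]
 user_ids << (params[:watcher][:user_ids] || params[:watcher][:user_id])
@@ -76,6 +78,8 @@ class WatchersController < ApplicationController
 end
 def destroy
+ return unless authorize_for_watchable_type(:delete)
+
 user = Principal.find(params[:user_id])
 @watchables.each do |watchable|
 watchable.set_watcher(user, false)
@@ -228,4 +232,14 @@ class WatchersController < ApplicationController
 objects
 end
+
+ # Check permission for the watchable type for each watchable involved
+ def authorize_for_watchable_type(action)
+ if @watchables.any?{|watchable| !User.current.allowed_to?(:"#{action}_#{watchable.class.name.underscore}_watchers", watchable.project)}
+ render_403
+ return false
+ else
+ return true
+ end
+ end
 end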
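Review bot: The permission symbol in `authorize_for_watchable_type` is derived from `watchable.class.name.underscore`, so the guard is only meaningful for watchable classes whose `add_<type>_watchers` / `delete_<type>_watchers` permissions are actually declared; for any other type, or for a watchable whose `project` is nil, the outcome depends on how `User#allowed_to?` treats an undeclared permission name or a nil context, which presumably denies but is not visible in this hunk. A comment making that assumption explicit, e.g. `# Relies on allowed_to? denying undeclared permission names and nil projects (fail closed)`, plus a test covering a watchable type without a declared permission, would pin the fail-closed behaviour. On style, the method uses `if`/`else` with explicit `return true`/`return false` and a brace block on a very long line; extracting the permission name into a local and using a guard clause reads more naturally, as below. The `create` and `destroy` callers in the two earlier hunks return on `false` after `render_403`, which is correct as written.

```ruby
# Check permission for the watchable type for each watchable involved
def authorize_for_watchable_type(action)
  denied = @watchables.any? do |watchable|
    permission = :"#{action}_#{watchable.class.name.underscore}_watchers"
    !User.current.allowed_to?(permission, watchable.project)
  end
  return true unless denied

  render_403
  false
end
```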