summaryrefslogtreecommitdiffstats
path: root/app/models
diff options
context:
space:
mode:
authorJean-Philippe Lang <jp_lang@yahoo.fr>2008-07-10 12:31:49 +0000
committerJean-Philippe Lang <jp_lang@yahoo.fr>2008-07-10 12:31:49 +0000
commitbe4cc2f99e34316be4b8beb2e9040c5ea967a736 (patch)
tree604c1ea827a9b4547fda36501b9044cd71e6a0e4 /app/models
parentde3d5a88e4c70a06501cc51d7c2a1fcace4092a7 (diff)
downloadredmine-be4cc2f99e34316be4b8beb2e9040c5ea967a736.tar.gz
redmine-be4cc2f99e34316be4b8beb2e9040c5ea967a736.zip
Fixed: search engine may reveal private projects (#1613).
git-svn-id: http://redmine.rubyforge.org/svn/trunk@1649 e93f8b46-1217-0410-a6f0-8f06a7374b81
Diffstat (limited to 'app/models')
-rw-r--r--app/models/journal.rb3
-rw-r--r--app/models/project.rb18
2 files changed, 12 insertions, 9 deletions
diff --git a/app/models/journal.rb b/app/models/journal.rb
index 67a3eee3b..8583f63de 100644
--- a/app/models/journal.rb
+++ b/app/models/journal.rb
@@ -28,7 +28,8 @@ class Journal < ActiveRecord::Base
acts_as_searchable :columns => 'notes',
:include => {:issue => :project},
:project_key => "#{Issue.table_name}.project_id",
- :date_column => "#{Issue.table_name}.created_on"
+ :date_column => "#{Issue.table_name}.created_on",
+ :permission => :view_issues
acts_as_event :title => Proc.new {|o| status = ((s = o.new_status) ? " (#{s})" : nil); "#{o.issue.tracker} ##{o.issue.id}#{status}: #{o.issue.subject}" },
:description => :notes,
diff --git a/app/models/project.rb b/app/models/project.rb
index a5ba246b1..67e6c0e39 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -112,16 +112,18 @@ class Project < ActiveRecord::Base
end
if user.admin?
# no restriction
- elsif user.logged?
- statements << "#{Project.table_name}.is_public = #{connection.quoted_true}" if Role.non_member.allowed_to?(permission)
- allowed_project_ids = user.memberships.select {|m| m.role.allowed_to?(permission)}.collect {|m| m.project_id}
- statements << "#{Project.table_name}.id IN (#{allowed_project_ids.join(',')})" if allowed_project_ids.any?
- elsif Role.anonymous.allowed_to?(permission)
- # anonymous user allowed on public project
- statements << "#{Project.table_name}.is_public = #{connection.quoted_true}"
else
- # anonymous user is not authorized
statements << "1=0"
+ if user.logged?
+ statements << "#{Project.table_name}.is_public = #{connection.quoted_true}" if Role.non_member.allowed_to?(permission)
+ allowed_project_ids = user.memberships.select {|m| m.role.allowed_to?(permission)}.collect {|m| m.project_id}
+ statements << "#{Project.table_name}.id IN (#{allowed_project_ids.join(',')})" if allowed_project_ids.any?
+ elsif Role.anonymous.allowed_to?(permission)
+ # anonymous user allowed on public project
+ statements << "#{Project.table_name}.is_public = #{connection.quoted_true}"
+ else
+ # anonymous user is not authorized
+ end
end
statements.empty? ? base_statement : "((#{base_statement}) AND (#{statements.join(' OR ')}))"
end