authorJean-Philippe Lang <jp_lang@yahoo.fr>2015-02-08 12:07:00 +0000
committerJean-Philippe Lang <jp_lang@yahoo.fr>2015-02-08 12:07:00 +0000
commitc3c7d9a4d27b9accac73d55652302f6781371380 (patch)
tree284fb0eed8f32d47126880249ea5c202874b47fd /app
parent01f673be08be68247b72a8954379b3f0c7a9a9d3 (diff)
Adds a :copy_issues permission (#18855).
When copy is allowed, target projects are those on which the user has the :add_issues permission. git-svn-id: http://svn.redmine.org/redmine/trunk@13985 e93f8b46-1217-0410-a6f0-8f06a7374b81
Diffstat (limited to 'app')
-rw-r--r--app/controllers/context_menus_controller.rb2
-rw-r--r--app/controllers/issues_controller.rb25
-rw-r--r--app/helpers/application_helper.rb7
-rw-r--r--app/models/issue.rb3
-rw-r--r--app/views/issues/_action_menu.html.erb2
-rw-r--r--app/views/issues/bulk_edit.html.erb5
6 files changed, 38 insertions, 6 deletions
diff --git a/app/controllers/context_menus_controller.rb b/app/controllers/context_menus_controller.rb
index 99b320d5c..4d22b0af9 100644
--- a/app/controllers/context_menus_controller.rb
+++ b/app/controllers/context_menus_controller.rb
@@ -31,7 +31,7 @@ class ContextMenusController < ApplicationController
@can = {:edit => User.current.allowed_to?(:edit_issues, @projects),
:log_time => (@project && User.current.allowed_to?(:log_time, @project)),
- :copy => User.current.allowed_to?(:add_issues, @projects),
+ :copy => User.current.allowed_to?(:copy_issues, @projects) && Issue.allowed_target_projects.any?,
:delete => User.current.allowed_to?(:delete_issues, @projects)
}
if @project
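Review bot: The `:copy` condition `User.current.allowed_to?(:copy_issues, @projects) && Issue.allowed_target_projects.any?` is written out here and again in `app/views/issues/_action_menu.html.erb` in this same commit, so the two can drift apart when the copy rules change. Moving it into one predicate that both the controller and the view call would keep the menu entries consistent. These two places only decide whether the Copy entry is shown, so a comment such as `# display only; IssuesController enforces :copy_issues and :add_issues` would stop a reader mistaking it for the access check. The enclosing action starts and ends outside the hunk.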
diff --git a/app/controllers/issues_controller.rb b/app/controllers/issues_controller.rb
index de7155481..b95856a19 100644
--- a/app/controllers/issues_controller.rb
+++ b/app/controllers/issues_controller.rb
@@ -143,6 +143,9 @@ class IssuesController < ApplicationController
end
def create
+ unless User.current.allowed_to?(:add_issues, @issue.project)
+ raise ::Unauthorized
+ end
call_hook(:controller_issues_new_before_save, { :params => params, :issue => @issue })
@issue.save_attachments(params[:attachments] || (params[:issue] && params[:issue][:uploads]))
if @issue.save
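Review bot: The new `:add_issues` check at the top of `create` has no comment explaining why it sits in the action body rather than in the controller's filters. Presumably this is because, for a copy, the project the request was authorized against can differ from `@issue.project` once `project_id` has been assigned; the filter chain is not visible here, so that is an inference. A short comment would keep the check from being removed as redundant later, for example `# @issue.project may be a different (target) project when copying, so :add_issues is verified on it explicitly`. The rest of `create` continues outside the hunk.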
@@ -219,6 +222,12 @@ class IssuesController < ApplicationController
@copy = params[:copy].present?
@notes = params[:notes]
+ if @copy
+ unless User.current.allowed_to?(:copy_issues, @projects)
+ raise ::Unauthorized
+ end
+ end
+
@allowed_projects = Issue.allowed_target_projects
if params[:issue]
@target_project = @allowed_projects.detect {|p| p.id.to_s == params[:issue][:project_id].to_s}
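Review bot: The nested `if @copy` / `unless ... allowed_to?(:copy_issues, @projects)` guard added here is repeated verbatim at the start of the `if @copy` block in the next hunk, and in a similar form in the hunk that loads `@copy_from`. A single guard clause reads more directly, `raise ::Unauthorized if @copy && !User.current.allowed_to?(:copy_issues, @projects)`. Extracting it into one private controller method would also ensure a future copy entry point cannot forget the check. The enclosing action begins and ends outside the hunk.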
@@ -255,6 +264,19 @@ class IssuesController < ApplicationController
@copy = params[:copy].present?
attributes = parse_params_for_bulk_issue_attributes(params)
+ if @copy
+ unless User.current.allowed_to?(:copy_issues, @projects)
+ raise ::Unauthorized
+ end
+ target_projects = @projects
+ if attributes['project_id'].present?
+ target_projects = Project.where(:id => attributes['project_id']).to_a
+ end
+ unless User.current.allowed_to?(:add_issues, target_projects)
+ raise ::Unauthorized
+ end
+ end
+
unsaved_issues = []
saved_issues = []
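Review bot: When `attributes['project_id']` names a project that does not exist, `Project.where(...).to_a` yields an empty array. The `:add_issues` check then depends entirely on how `User#allowed_to?` treats an empty context, which is not visible in this diff. Making the denial explicit removes that dependency: `raise ::Unauthorized if target_projects.empty? || !User.current.allowed_to?(:add_issues, target_projects)`. A functional test that posts a bulk copy with an unknown `project_id` and with a project where the user lacks `:add_issues` would pin both cases. The target-project check only runs under `if @copy`; the rest of the action is outside the hunk.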
@@ -407,6 +429,9 @@ class IssuesController < ApplicationController
begin
@issue.init_journal(User.current)
@copy_from = Issue.visible.find(params[:copy_from])
+ unless User.current.allowed_to?(:copy_issues, @copy_from.project)
+ raise ::Unauthorized
+ end
@link_copy = link_copy?(params[:link_copy]) || request.get?
@copy_attachments = params[:copy_attachments].present? || request.get?
@copy_subtasks = params[:copy_subtasks].present? || request.get?
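Review bot: The added `raise ::Unauthorized` sits inside the `begin` block that wraps `Issue.visible.find(params[:copy_from])`, and the matching `rescue` clause is outside the hunk. If that clause rescues anything broader than `ActiveRecord::RecordNotFound`, the authorization failure would be swallowed and handled as a missing record, or ignored. It is worth confirming the rescue is narrow, or moving the permission check after the `begin`/`rescue` so the two failure modes cannot be confused. A test that requests a copy of a visible issue in a project without `:copy_issues` and expects a 403 would cover this.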
diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
index db10ed604..24d033a7e 100644
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -343,8 +343,11 @@ module ApplicationHelper
def project_tree_options_for_select(projects, options = {})
s = ''.html_safe
- if options[:include_blank]
- s << content_tag('option', '&nbsp;'.html_safe, :value => '')
+ if blank_text = options[:include_blank]
+ if blank_text == true
+ blank_text = '&nbsp;'.html_safe
+ end
+ s << content_tag('option', blank_text, :value => '')
end
project_tree(projects) do |project, level|
name_prefix = (level > 0 ? '&nbsp;' * 2 * level + '&#187; ' : '').html_safe
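Review bot: `if blank_text = options[:include_blank]` uses an assignment as the condition, which reads like a mistyped `==` and triggers warnings in most linters. Assigning first is clearer: `blank_text = options[:include_blank]`, then `blank_text = '&nbsp;'.html_safe if blank_text == true` inside `if blank_text`. The method also lacks a comment saying that `:include_blank` now accepts either `true` or a label string. It should add that a caller-supplied label goes to `content_tag` as-is, so it is HTML-escaped only when it is not already marked `html_safe`, and callers must not pass pre-marked untrusted text. The method body continues outside the hunk.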
diff --git a/app/models/issue.rb b/app/models/issue.rb
index 5ea344a4f..dcf844be0 100644
--- a/app/models/issue.rb
+++ b/app/models/issue.rb
@@ -424,6 +424,9 @@ class Issue < ActiveRecord::Base
names = super
names -= disabled_core_fields
names -= read_only_attribute_names(user)
+ if new_record? && copy?
+ names |= %w(project_id)
+ end
names
end
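Review bot: `names |= %w(project_id)` runs after `disabled_core_fields` and `read_only_attribute_names(user)` have been subtracted, so on a new copy `project_id` becomes mass-assignable regardless of those restrictions. That appears intentional, but it means the model no longer limits the target project for copies and relies on callers to authorize it, as the controller hunks in this commit do with `:add_issues`. A comment should record that contract, for example `# project_id is always assignable on a copy; callers must check :add_issues on the target project`. The method starts outside the hunk, so its signature and any earlier filtering are not visible here.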
diff --git a/app/views/issues/_action_menu.html.erb b/app/views/issues/_action_menu.html.erb
index 18c9e59b6..c3304626d 100644
--- a/app/views/issues/_action_menu.html.erb
+++ b/app/views/issues/_action_menu.html.erb
@@ -2,6 +2,6 @@
<%= link_to l(:button_edit), edit_issue_path(@issue), :onclick => 'showAndScrollTo("update", "issue_notes"); return false;', :class => 'icon icon-edit', :accesskey => accesskey(:edit) if @issue.editable? %>
<%= link_to l(:button_log_time), new_issue_time_entry_path(@issue), :class => 'icon icon-time-add' if User.current.allowed_to?(:log_time, @project) %>
<%= watcher_link(@issue, User.current) %>
-<%= link_to l(:button_copy), project_copy_issue_path(@project, @issue), :class => 'icon icon-copy' if User.current.allowed_to?(:add_issues, @project) %>
+<%= link_to l(:button_copy), project_copy_issue_path(@project, @issue), :class => 'icon icon-copy' if User.current.allowed_to?(:copy_issues, @project) && Issue.allowed_target_projects.any? %>
<%= link_to l(:button_delete), issue_path(@issue), :data => {:confirm => issues_destroy_confirmation_message(@issue)}, :method => :delete, :class => 'icon icon-del' if User.current.allowed_to?(:delete_issues, @project) %>
</div>
diff --git a/app/views/issues/bulk_edit.html.erb b/app/views/issues/bulk_edit.html.erb
index bdaaf2114..4cdc257da 100644
--- a/app/views/issues/bulk_edit.html.erb
+++ b/app/views/issues/bulk_edit.html.erb
@@ -33,8 +33,9 @@
<p>
<label for="issue_project_id"><%= l(:field_project) %></label>
<%= select_tag('issue[project_id]',
- content_tag('option', l(:label_no_change_option), :value => '') +
- project_tree_options_for_select(@allowed_projects, :selected => @target_project),
+ project_tree_options_for_select(@allowed_projects,
+ :include_blank => ((!@copy || (@projects & @allowed_projects == @projects)) ? l(:label_no_change_option) : false),
+ :selected => @target_project),
:onchange => "updateBulkEditFrom('#{escape_javascript url_for(:action => 'bulk_edit', :format => 'js')}')") %>
</p>
<% end %>
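Review bot: The `:include_blank` expression `@projects & @allowed_projects == @projects` is hard to read in a template and depends on `&` binding tighter than `==`. It also compares arrays by order and duplicates, so it presumably assumes `@projects` is unique and that `@allowed_projects` converts to an array. `(@projects - @allowed_projects).empty?` states the intent (every source project is an allowed target) without those assumptions. Computing it in the controller as a named instance variable would keep the view to a plain conditional. This only controls whether the "no change" option is offered; the enforcing check is the `:add_issues` test in the bulk update action.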