authorJean-Philippe Lang <jp_lang@yahoo.fr>2012-01-08 11:48:36 +0000
committerJean-Philippe Lang <jp_lang@yahoo.fr>2012-01-08 11:48:36 +0000
commit2a55d37619719cff870f02a9c771963269b45a93 (patch)
tree29045b35d1b9f4ff01114eade380fd72def73ac5 /app
parent121bc44cc504b3086c35d40f984d75d978c59fb0 (diff)
Check project assignment on issue copy/move.
git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@8553 e93f8b46-1217-0410-a6f0-8f06a7374b81
Diffstat (limited to 'app')
-rw-r--r--app/models/issue.rb18
-rw-r--r--app/views/issues/_form.html.erb2
2 files changed, 15 insertions, 5 deletions
diff --git a/app/models/issue.rb b/app/models/issue.rb
index 1259361da..007339130 100644
--- a/app/models/issue.rb
+++ b/app/models/issue.rb
@@ -311,7 +311,6 @@ class Issue < ActiveRecord::Base
# Should be called from controllers instead of #attributes=
# attr_accessible is too rough because we still want things like
# Issue.new(:project => foo) to work
- # TODO: move workflow/permission checks from controllers to here
def safe_attributes=(attrs, user=User.current)
return unless attrs.is_a?(Hash)
@@ -321,9 +320,11 @@ class Issue < ActiveRecord::Base
# Project and Tracker must be set before since new_statuses_allowed_to depends on it.
if p = attrs.delete('project_id')
- self.project_id = p
+ if allowed_target_projects(user).collect(&:id).include?(p.to_i)
+ self.project_id = p
+ end
end
-
+
if t = attrs.delete('tracker_id')
self.tracker_id = t
end
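Review bot: A `project_id` that fails the `allowed_target_projects(user)` check is dropped silently: the inner `if` has no `else`, so no validation error is added and nothing is logged. The tracker and the remaining attributes are then presumably applied against the issue's current project, and a denied cross-project assignment cannot be told apart from a request that never set the field. A comment on the inner `if`, e.g. `# Ignore project_id unless user is allowed to add/move issues to that project`, would make the intent explicit, and a log line or an error on `:project_id` would make rejected attempts visible. The check also loads every permitted Project record only to compare ids via `collect(&:id)`; an id-only lookup would be enough. `safe_attributes=` starts and ends outside this hunk.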
@@ -769,7 +770,16 @@ class Issue < ActiveRecord::Base
end
# End ReportsController extraction
- # Returns an array of projects that current user can move issues to
+ # Returns an array of projects that user can assign the issue to
+ def allowed_target_projects(user=User.current)
+ if new_record?
+ Project.all(:conditions => Project.allowed_to_condition(user, :add_issues))
+ else
+ self.class.allowed_target_projects_on_move(user)
+ end
+ end
+
+ # Returns an array of projects that user can move issues to
def self.allowed_target_projects_on_move(user=User.current)
projects = []
if user.admin?
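Review bot: The comment on `allowed_target_projects` does not say that the permission checked depends on the record's state. A new record (which presumably includes a copy) is checked against `:add_issues`, while a persisted one uses the list from `allowed_target_projects_on_move`. Since `safe_attributes=` now relies on this method as the authorization gate for `project_id`, I would spell that out, e.g. `# New records: projects where user has :add_issues; existing records: projects user may move issues to`. The body of `allowed_target_projects_on_move` continues past the end of the hunk.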
diff --git a/app/views/issues/_form.html.erb b/app/views/issues/_form.html.erb
index 19b5f08eb..6634723f7 100644
--- a/app/views/issues/_form.html.erb
+++ b/app/views/issues/_form.html.erb
@@ -8,7 +8,7 @@
<% end %>
<% if @issue.safe_attribute? 'project_id' %>
-<p><%= f.select :project_id, project_tree_options_for_select(Issue.allowed_target_projects_on_move, :selected => @issue.project), :required => true %></p>
+<p><%= f.select :project_id, project_tree_options_for_select(@issue.allowed_target_projects, :selected => @issue.project), :required => true %></p>
<%= observe_field :issue_project_id, :url => project_issue_form_path(@project, :id => @issue, :project_change => '1'),
:with => "Form.serialize('issue-form')" %>
<% end %>