authorGo MAEDA <maeda@farend.jp>2023-03-02 04:32:34 +0000
committerGo MAEDA <maeda@farend.jp>2023-03-02 04:32:34 +0000
commit555acea7804e6a93b133fe7398f490cb083c05b2 (patch)
treef5a1471e7463a4c77cc99f36656c484e9215a114 /app
parent4dc56cd943b6cb5cfaae8bd21db2c8ef82e7a50c (diff)
Check if the user has the permission to add notes or edit an issue when adding issue attachments (#38297).
Patch by Holger Just. git-svn-id: https://svn.redmine.org/redmine/trunk@22122 e93f8b46-1217-0410-a6f0-8f06a7374b81
Diffstat (limited to 'app')
-rw-r--r--app/controllers/issues_controller.rb12
-rw-r--r--app/models/issue.rb4
-rw-r--r--app/views/issues/_edit.html.erb3
3 files changed, 16 insertions, 3 deletions
diff --git a/app/controllers/issues_controller.rb b/app/controllers/issues_controller.rb
index c3f8ec8d5..07de47c0d 100644
--- a/app/controllers/issues_controller.rb
+++ b/app/controllers/issues_controller.rb
@@ -192,8 +192,16 @@ class IssuesController < ApplicationController
def update
return unless update_issue_from_params
- @issue.save_attachments(params[:attachments] ||
- (params[:issue] && params[:issue][:uploads]))
+ attachments = params[:attachments] || params.dig(:issue, :uploads)
+ if @issue.attachments_addable?
+ @issue.save_attachments(attachments)
+ else
+ attachments = attachments.to_unsafe_hash if attachments.respond_to?(:to_unsafe_hash)
+ if [Hash, Array].any? { |klass| attachments.is_a?(klass) } && attachments.any?
+ flash[:warning] = l(:warning_attachments_not_saved, attachments.size)
+ end
+ end
+
saved = false
begin
saved = save_issue_with_child_records
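Review bot: When `@issue.attachments_addable?` is false the uploads are discarded and the only trace is `flash[:warning]`, which a non-HTML client posting `params[:issue][:uploads]` would presumably never see, and nothing is written to the log. A line such as `logger.info("Attachments discarded: user #{User.current.id} may not add attachments to issue #{@issue.id}")` in that branch would keep refused uploads auditable. The count passed to the message is `attachments.size`, i.e. every submitted entry, so it may overstate the number of files if blank entries are normally skipped by `save_attachments` (not visible here). A comment above the branch, `# No permission: drop the uploads but let the rest of the update proceed`, would make the intent explicit; the body of `update` continues outside the hunk.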
diff --git a/app/models/issue.rb b/app/models/issue.rb
index a0c2006ad..f267f3f48 100644
--- a/app/models/issue.rb
+++ b/app/models/issue.rb
@@ -199,6 +199,10 @@ class Issue < ActiveRecord::Base
)
end
+ def attachments_addable?(user=User.current)
+ attributes_editable?(user) || notes_addable?(user)
+ end
+
# Overrides Redmine::Acts::Attachable::InstanceMethods#attachments_editable?
def attachments_editable?(user=User.current)
attributes_editable?(user)
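Review bot: `attachments_addable?` is the new authorization predicate for uploads but carries no comment, while the neighbouring `attachments_editable?` documents what it overrides. I would add `# Returns true if user may add attachments to the issue, i.e. may edit its attributes or add notes` above the `def`. Adding is now broader than editing, since `attachments_editable?` still requires `attributes_editable?` alone, and stating that asymmetry in the comment would help later callers pick the right predicate. `notes_addable?` is defined outside the hunk, and `attachments_editable?` continues past its end.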
diff --git a/app/views/issues/_edit.html.erb b/app/views/issues/_edit.html.erb
index 226b6f988..d816ff6fc 100644
--- a/app/views/issues/_edit.html.erb
+++ b/app/views/issues/_edit.html.erb
@@ -42,7 +42,8 @@
<%= call_hook(:view_issues_edit_notes_bottom, { :issue => @issue, :notes => @notes, :form => f }) %>
</fieldset>
-
+ <% end %>
+ <% if @issue.attachments_addable? %>
<fieldset id="add_attachments"><legend><%= l(:label_attachment_plural) %></legend>
<% if @issue.attachments.any? && @issue.safe_attribute?('deleted_attachment_ids') %>
<div class="contextual"><%= link_to l(:label_edit_attachments), '#', :onclick => "$('#existing-attachments').toggle(); return false;" %></div>