diff options
author | Go MAEDA <maeda@farend.jp> | 2023-03-02 04:32:34 +0000 |
---|---|---|
committer | Go MAEDA <maeda@farend.jp> | 2023-03-02 04:32:34 +0000 |
commit | 555acea7804e6a93b133fe7398f490cb083c05b2 (patch) | |
tree | f5a1471e7463a4c77cc99f36656c484e9215a114 /app | |
parent | 4dc56cd943b6cb5cfaae8bd21db2c8ef82e7a50c (diff) | |
download | redmine-555acea7804e6a93b133fe7398f490cb083c05b2.tar.gz redmine-555acea7804e6a93b133fe7398f490cb083c05b2.zip |
Check if the user has the permission to add notes or edit an issue when adding an issue attachments (#38297).
Patch by Holger Just.
git-svn-id: https://svn.redmine.org/redmine/trunk@22122 e93f8b46-1217-0410-a6f0-8f06a7374b81
Diffstat (limited to 'app')
-rw-r--r-- | app/controllers/issues_controller.rb | 12 | ||||
-rw-r--r-- | app/models/issue.rb | 4 | ||||
-rw-r--r-- | app/views/issues/_edit.html.erb | 3 |
3 files changed, 16 insertions, 3 deletions
diff --git a/app/controllers/issues_controller.rb b/app/controllers/issues_controller.rb index c3f8ec8d5..07de47c0d 100644 --- a/app/controllers/issues_controller.rb +++ b/app/controllers/issues_controller.rb @@ -192,8 +192,16 @@ class IssuesController < ApplicationController def update return unless update_issue_from_params - @issue.save_attachments(params[:attachments] || - (params[:issue] && params[:issue][:uploads])) + attachments = params[:attachments] || params.dig(:issue, :uploads) + if @issue.attachments_addable? + @issue.save_attachments(attachments) + else + attachments = attachments.to_unsafe_hash if attachments.respond_to?(:to_unsafe_hash) + if [Hash, Array].any? { |klass| attachments.is_a?(klass) } && attachments.any? + flash[:warning] = l(:warning_attachments_not_saved, attachments.size) + end + end + saved = false begin saved = save_issue_with_child_records diff --git a/app/models/issue.rb b/app/models/issue.rb index a0c2006ad..f267f3f48 100644 --- a/app/models/issue.rb +++ b/app/models/issue.rb @@ -199,6 +199,10 @@ class Issue < ActiveRecord::Base ) end + def attachments_addable?(user=User.current) + attributes_editable?(user) || notes_addable?(user) + end + # Overrides Redmine::Acts::Attachable::InstanceMethods#attachments_editable? def attachments_editable?(user=User.current) attributes_editable?(user) diff --git a/app/views/issues/_edit.html.erb b/app/views/issues/_edit.html.erb index 226b6f988..d816ff6fc 100644 --- a/app/views/issues/_edit.html.erb +++ b/app/views/issues/_edit.html.erb @@ -42,7 +42,8 @@ <%= call_hook(:view_issues_edit_notes_bottom, { :issue => @issue, :notes => @notes, :form => f }) %> </fieldset> - + <% end %> + <% if @issue.attachments_addable? %> <fieldset id="add_attachments"><legend><%= l(:label_attachment_plural) %></legend> <% if @issue.attachments.any? && @issue.safe_attribute?('deleted_attachment_ids') %> <div class="contextual"><%= link_to l(:label_edit_attachments), '#', :onclick => "$('#existing-attachments').toggle(); return false;" %></div> |