diff options
| author | Jean-Philippe Lang <jp_lang@yahoo.fr> | 2008-07-10 12:31:49 +0000 |
|---|---|---|
| committer | Jean-Philippe Lang <jp_lang@yahoo.fr> | 2008-07-10 12:31:49 +0000 |
| commit | be4cc2f99e34316be4b8beb2e9040c5ea967a736 (patch) | |
| tree | 604c1ea827a9b4547fda36501b9044cd71e6a0e4 /app | |
| parent | de3d5a88e4c70a06501cc51d7c2a1fcace4092a7 (diff) | |
| download | redmine-be4cc2f99e34316be4b8beb2e9040c5ea967a736.tar.gz redmine-be4cc2f99e34316be4b8beb2e9040c5ea967a736.zip | |
Fixed: search engine may reveal private projects (#1613).
git-svn-id: http://redmine.rubyforge.org/svn/trunk@1649 e93f8b46-1217-0410-a6f0-8f06a7374b81
Diffstat (limited to 'app')
| -rw-r--r-- | app/models/journal.rb | 3 | ||||
| -rw-r--r-- | app/models/project.rb | 18 |
2 files changed, 12 insertions, 9 deletions
diff --git a/app/models/journal.rb b/app/models/journal.rb index 67a3eee3b..8583f63de 100644 --- a/app/models/journal.rb +++ b/app/models/journal.rb @@ -28,7 +28,8 @@ class Journal < ActiveRecord::Base acts_as_searchable :columns => 'notes', :include => {:issue => :project}, :project_key => "#{Issue.table_name}.project_id", - :date_column => "#{Issue.table_name}.created_on" + :date_column => "#{Issue.table_name}.created_on", + :permission => :view_issues acts_as_event :title => Proc.new {|o| status = ((s = o.new_status) ? " (#{s})" : nil); "#{o.issue.tracker} ##{o.issue.id}#{status}: #{o.issue.subject}" }, :description => :notes, diff --git a/app/models/project.rb b/app/models/project.rb index a5ba246b1..67e6c0e39 100644 --- a/app/models/project.rb +++ b/app/models/project.rb @@ -112,16 +112,18 @@ class Project < ActiveRecord::Base end if user.admin? # no restriction - elsif user.logged? - statements << "#{Project.table_name}.is_public = #{connection.quoted_true}" if Role.non_member.allowed_to?(permission) - allowed_project_ids = user.memberships.select {|m| m.role.allowed_to?(permission)}.collect {|m| m.project_id} - statements << "#{Project.table_name}.id IN (#{allowed_project_ids.join(',')})" if allowed_project_ids.any? - elsif Role.anonymous.allowed_to?(permission) - # anonymous user allowed on public project - statements << "#{Project.table_name}.is_public = #{connection.quoted_true}" else - # anonymous user is not authorized statements << "1=0" + if user.logged? + statements << "#{Project.table_name}.is_public = #{connection.quoted_true}" if Role.non_member.allowed_to?(permission) + allowed_project_ids = user.memberships.select {|m| m.role.allowed_to?(permission)}.collect {|m| m.project_id} + statements << "#{Project.table_name}.id IN (#{allowed_project_ids.join(',')})" if allowed_project_ids.any? + elsif Role.anonymous.allowed_to?(permission) + # anonymous user allowed on public project + statements << "#{Project.table_name}.is_public = #{connection.quoted_true}" + else + # anonymous user is not authorized + end end statements.empty? ? base_statement : "((#{base_statement}) AND (#{statements.join(' OR ')}))" end |