authorJean-Philippe Lang <jp_lang@yahoo.fr>2017-05-27 08:34:41 +0000
committerJean-Philippe Lang <jp_lang@yahoo.fr>2017-05-27 08:34:41 +0000
commit86fa4e66c9971dd7f399bba18798792550402706 (patch)
tree31918ddb3814474754b92e2c50e0feff766f6f83 /app
parent8ba7b6a2b21cdabf9c629330b4e1919e61e279e2 (diff)
Check tracker permissions when copying an issue (#25791).
git-svn-id: http://svn.redmine.org/redmine/trunk@16569 e93f8b46-1217-0410-a6f0-8f06a7374b81
Diffstat (limited to 'app')
-rw-r--r--app/models/issue.rb11
1 files changed, 10 insertions, 1 deletions
diff --git a/app/models/issue.rb b/app/models/issue.rb
index 3d8df790b..7d411fc94 100644
--- a/app/models/issue.rb
+++ b/app/models/issue.rb
@@ -68,7 +68,7 @@ class Issue < ActiveRecord::Base
validates :estimated_hours, :numericality => {:greater_than_or_equal_to => 0, :allow_nil => true, :message => :invalid}
validates :start_date, :date => true
validates :due_date, :date => true
- validate :validate_issue, :validate_required_fields
+ validate :validate_issue, :validate_required_fields, :validate_permissions
attr_protected :id
scope :visible, lambda {|*args|
@@ -512,6 +512,7 @@ class Issue < ActiveRecord::Base
# attr_accessible is too rough because we still want things like
# Issue.new(:project => foo) to work
def safe_attributes=(attrs, user=User.current)
+ @attributes_set_by = user
return unless attrs.is_a?(Hash)
attrs = attrs.deep_dup
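Review bot: The new `@attributes_set_by = user` line has no comment, yet the validation added later in this commit depends on it and is skipped whenever it is nil. As far as these hunks show, an issue copy built without going through `safe_attributes=` is therefore not checked against tracker permissions. The variable also keeps only the user from the most recent call. I would document that contract on the assignment, for example `# Remembered for validate_permissions; stays nil (check skipped) when attributes are set by another path`. The body of `safe_attributes=` continues outside the hunk.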
@@ -776,6 +777,14 @@ class Issue < ActiveRecord::Base
end
end
+ def validate_permissions
+ if @attributes_set_by && new_record? && copy?
+ unless allowed_target_trackers(@attributes_set_by).include?(tracker)
+ errors.add :tracker, :invalid
+ end
+ end
+ end
+
# Overrides Redmine::Acts::Customizable::InstanceMethods#validate_custom_field_values
# so that custom values that are not editable are not validated (eg. a custom field that
# is marked as required should not trigger a validation error if the user is not allowed
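Review bot: `validate_permissions` has no header comment, although its name suggests a general permission check and the body only validates the tracker of an unsaved copy. The neighbouring `validate_custom_field_values` override does carry one. A short comment such as `# Rejects a copy whose tracker is not in allowed_target_trackers for the user who set the attributes` would stop later readers assuming that edits or non-copy creation are covered. As a style point, the nested `if`/`unless` reads more directly as a guard, `return unless @attributes_set_by && new_record? && copy?`, followed by `errors.add :tracker, :invalid unless allowed_target_trackers(@attributes_set_by).include?(tracker)`.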