Fix: "Import issues" and "Import time entries" pages are visible to users without "Add issues" and "Log spent time" permissions (#41465).

Patch by Kenta Kumojima (user:kumojima). git-svn-id: https://svn.redmine.org/redmine/trunk@23178 e93f8b46-1217-0410-a6f0-8f06a7374b81
author: Go MAEDA <maeda@farend.jp> 2024-11-03 05:41:19 +0000
committer: Go MAEDA <maeda@farend.jp> 2024-11-03 05:41:19 +0000
commit: c54474eccc970b58ef3c40b620387e522a84b478 (patch)
tree: 36f2156ef7514c0ce2ead82ae16969787bf8fb8c /app
parent: 9925a8ecc0df47cd948f3e025f1303b33df3afbe (diff)
download: redmine-c54474eccc970b58ef3c40b620387e522a84b478.tar.gz
redmine-c54474eccc970b58ef3c40b620387e522a84b478.zip
4 files changed, 4 insertions, 4 deletions
diff --git a/app/models/issue_import.rb b/app/models/issue_import.rb
index d7e0919d3..57305e38f 100644
--- a/app/models/issue_import.rb
+++ b/app/models/issue_import.rb
@@ -50,7 +50,7 @@ class IssueImport < Import
   end
 
   def self.authorized?(user)
-    user.allowed_to?(:import_issues, nil, :global => true)
+    user.allowed_to?(:import_issues, nil, :global => true) && user.allowed_to?(:add_issues, nil, :global => true)
   end
 
   # Returns the objects that were imported
diff --git a/app/models/time_entry_import.rb b/app/models/time_entry_import.rb
index a6d05f520..01fde3488 100644
--- a/app/models/time_entry_import.rb
+++ b/app/models/time_entry_import.rb
@@ -32,7 +32,7 @@ class TimeEntryImport < Import
   end
 
   def self.authorized?(user)
-    user.allowed_to?(:import_time_entries, nil, :global => true)
+    user.allowed_to?(:import_time_entries, nil, :global => true) && user.allowed_to?(:log_time, nil, :global => true)
   end
 
   # Returns the objects that were imported
diff --git a/app/views/issues/index.html.erb b/app/views/issues/index.html.erb
index 103835def..af2510827 100644
--- a/app/views/issues/index.html.erb
+++ b/app/views/issues/index.html.erb
@@ -7,7 +7,7 @@
       <%= link_to sprite_icon('summary', l(:field_summary)), project_issues_report_path(@project), :class => 'icon icon-stats' %>
     <% end %>
 
-    <% if User.current.allowed_to?(:import_issues, @project, :global => true) %>
+    <% if User.current.allowed_to?(:import_issues, @project, :global => true) && User.current.allowed_to?(:add_issues, @project, :global => true) %>
       <%= link_to sprite_icon('import', l(:button_import)), new_issues_import_path(:project_id => @project), :class => 'icon icon-import' %>
     <% end %>
 
diff --git a/app/views/timelog/index.html.erb b/app/views/timelog/index.html.erb
index e76a235be..55e2312b3 100644
--- a/app/views/timelog/index.html.erb
+++ b/app/views/timelog/index.html.erb
@@ -3,7 +3,7 @@
             _new_time_entry_path(@project, @query.filtered_issue_id),
             :class => 'icon icon-time-add' if User.current.allowed_to?(:log_time, @project, :global => true) %>
 <%= actions_dropdown do %>
-  <% if User.current.allowed_to?(:import_time_entries, @project, :global => true) %>
+  <% if User.current.allowed_to?(:import_time_entries, @project, :global => true) && User.current.allowed_to?(:log_time, @project, :global => true) %>
     <%= link_to sprite_icon('import', l(:button_import)), new_time_entries_import_path(:project_id => @project), :class => 'icon icon-import' %>
   <% end %>
author	Go MAEDA <maeda@farend.jp>	2024-11-03 05:41:19 +0000
committer	Go MAEDA <maeda@farend.jp>	2024-11-03 05:41:19 +0000
commit	c54474eccc970b58ef3c40b620387e522a84b478 (patch)
tree	36f2156ef7514c0ce2ead82ae16969787bf8fb8c /app
parent	9925a8ecc0df47cd948f3e025f1303b33df3afbe (diff)
download	redmine-c54474eccc970b58ef3c40b620387e522a84b478.tar.gz redmine-c54474eccc970b58ef3c40b620387e522a84b478.zip