-rw-r--r-- | app/controllers/news_controller.rb | 10 | ||||
-rw-r--r-- | lib/redmine.rb | 1 | ||||
-rw-r--r-- | test/functional/news_controller_test.rb | 8 |
3 files changed, 9 insertions, 10 deletions
diff --git a/app/controllers/news_controller.rb b/app/controllers/news_controller.rb
index 727617cb7..3df9e5e44 100644
--- a/app/controllers/news_controller.rb
+++ b/app/controllers/news_controller.rb
@@ -98,14 +98,4 @@ class NewsController < ApplicationController
 @news.destroy
 redirect_to project_news_index_path(@project)
 end
-
- private
-
- def find_optional_project
- return true unless params[:project_id]
- @project = Project.find(params[:project_id])
- authorize
- rescue ActiveRecord::RecordNotFound
- render_404
- end
 end
diff --git a/lib/redmine.rb b/lib/redmine.rb
index 6f4d3e07c..5f01787c2 100644
--- a/lib/redmine.rb
+++ b/lib/redmine.rb
@@ -217,6 +217,7 @@ Redmine::MenuManager.map :application_menu do |menu|
 menu.push :calendar, { :controller => 'calendars', :action => 'show' }, :caption => :label_calendar
 menu.push :news, {:controller => 'news', :action => 'index'},
+ :if => Proc.new {User.current.allowed_to?(:view_news, nil, :global => true)},
 :caption => :label_news_plural
 end
diff --git a/test/functional/news_controller_test.rb b/test/functional/news_controller_test.rb
index 91db40cb0..f62d21bf1 100644
--- a/test/functional/news_controller_test.rb
+++ b/test/functional/news_controller_test.rb
@@ -47,6 +47,14 @@ class NewsControllerTest < Redmine::ControllerTest
 assert_response 404
 end
+ def test_index_without_permission_should_fail
+ Role.all.each {|r| r.remove_permission! :view_news}
+ @request.session[:user_id] = 2
+
+ get :index
+ assert_response 403
+ end
+
 def test_show
 get :show, :params => { :id => 1 |
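Review bot: The `:if` condition added to the `:news` entry in lib/redmine.rb only decides whether the menu item is rendered; it is not an access check, and nothing at the entry says so. Enforcement for the global news index sits in the controller, where this commit drops the private `find_optional_project` override (which returned `true` without calling `authorize` when `params[:project_id]` was absent) and presumably falls back to an inherited implementation that is not shown in the diff. A comment above the entry such as `# Visibility only; NewsController enforces :view_news on the request itself` would keep later readers from treating the menu condition as the guard. The `Redmine::MenuManager.map` block starts outside the hunk.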
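Review bot: `test_index_without_permission_should_fail` asserts the denial only for a logged-in user (`@request.session[:user_id] = 2`), so an unauthenticated `get :index` on the global news list is left unpinned even though `Role.all.each` strips `:view_news` from every role. A sibling test that omits the session line and asserts the response for the anonymous request would cover that path; the expected status there (possibly a login redirect rather than 403) needs confirming against the deny-access handling, which is not visible in this diff. Renaming the test to `test_index_without_permission_should_return_403` would also state what is actually asserted.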