-rw-r--r--app/models/user.rb16
-rw-r--r--test/unit/user_test.rb13
2 files changed, 26 insertions, 3 deletions
diff --git a/app/models/user.rb b/app/models/user.rb
index 638e5f7bd..4b65b3d11 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -344,12 +344,17 @@ class User < Principal
!roles_for_project(project).detect {|role| role.member?}.nil?
end
- # Return true if the user is allowed to do the specified action on project
- # action can be:
+ # Return true if the user is allowed to do the specified action on a specific context
+ # Action can be:
# * a parameter-like Hash (eg. :controller => 'projects', :action => 'edit')
# * a permission Symbol (eg. :edit_project)
+ # Context can be:
+ # * a project : returns true if user is allowed to do the specified action on this project
+ # * a group of projects : returns true if user is allowed on every project
+ # * nil with options[:global] set : check if user has at least one role allowed for this action,
+ # or falls back to Non Member / Anonymous permissions depending if the user is logged
def allowed_to?(action, project, options={})
- if project
+ if project && project.is_a?(Project)
# No action allowed on archived projects
return false unless project.active?
# No action allowed on disabled modules
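Review bot: Narrowing the first branch to `project && project.is_a?(Project)` means a truthy argument of any other type (a project id, an identifier string, a stray object) no longer fails on `project.active?` but silently drops into the `options[:global]` branch, or into the final `else` that lies outside this hunk, so a mis-typed call with `:global` set gets a global role check instead of a project-scoped one. Authorization code should fail closed on unexpected input; a guard before the `if`, such as `raise ArgumentError, "unexpected context #{project.class}" unless project.nil? || project.is_a?(Project) || project.is_a?(Array)`, would make that visible, though whether any caller relies on the current fall-through cannot be told from this hunk. The `project &&` test is also redundant, since `nil.is_a?(Project)` is already false. The method body continues past the end of this hunk.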
@@ -361,6 +366,11 @@ class User < Principal
return false unless roles
roles.detect {|role| (project.is_public? || role.member?) && role.allowed_to?(action)}
+ elsif project && project.is_a?(Array)
+ # Authorize if user is authorized on every element of the array
+ project.inject do |memo,p|
+ memo && allowed_to?(action,p,options)
+ end
elsif options[:global]
# Admin users are always authorized
return true if admin?
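Review bot: The Array branch folds with `inject` and no initial value, so for a one-element array `allowed_to?` is never called on the element: `inject` simply returns the element, i.e. the Project object, which is truthy, and `user.allowed_to?(:delete_issues, [project])` is therefore granted for any user regardless of role. The empty-array result the new test relies on is only a side effect of `[].inject` returning nil, not of a deliberate check. An explicit form avoids both problems and returns a real boolean: `!project.empty? && project.all? { |p| allowed_to?(action, p, options) }`. A test with a single-project array for a user lacking the permission would catch this; the method's final `else` branch is outside the hunk.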
diff --git a/test/unit/user_test.rb b/test/unit/user_test.rb
index f3e56ddd3..b451c1e6b 100644
--- a/test/unit/user_test.rb
+++ b/test/unit/user_test.rb
@@ -396,6 +396,19 @@ class UserTest < ActiveSupport::TestCase
assert ! @dlopper.allowed_to?(:delete_messages, project) #Developper
end
end
+
+ context "with multiple projects" do
+ should "return false if array is empty" do
+ assert ! @admin.allowed_to?(:view_project, [])
+ end
+
+ should "return true only if user has permission on all these projects" do
+ assert @admin.allowed_to?(:view_project, Project.all)
+ assert ! @dlopper.allowed_to?(:view_project, Project.all) #cannot see Project(2)
+ assert @jsmith.allowed_to?(:edit_issues, @jsmith.projects) #Manager or Developer everywhere
+ assert ! @jsmith.allowed_to?(:delete_issue_watchers, @jsmith.projects) #Dev cannot delete_issue_watchers
+ end
+ end
context "with options[:global]" do
should "authorize if user has at least one role that has this permission" do