Diffstat (limited to 'app')
-rw-r--r--app/controllers/issue_relations_controller.rb25
-rw-r--r--app/models/issue_relation.rb10
-rw-r--r--app/views/issue_relations/show.api.rsb2
-rw-r--r--app/views/issues/_relations.rhtml4
4 files changed, 28 insertions, 13 deletions
diff --git a/app/controllers/issue_relations_controller.rb b/app/controllers/issue_relations_controller.rb
index 36ee8d6d7..9a1754674 100644
--- a/app/controllers/issue_relations_controller.rb
+++ b/app/controllers/issue_relations_controller.rb
@@ -16,7 +16,9 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
class IssueRelationsController < ApplicationController
- before_filter :find_issue, :find_project_from_association, :authorize
+ before_filter :find_issue, :find_project_from_association, :authorize, :only => [:index, :create]
+ before_filter :find_relation, :except => [:index, :create]
+
accept_key_auth :index, :show, :create, :destroy
def index
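Review bot: Restricting `:authorize` to `:only => [:index, :create]` while `find_relation` runs on `:except => [:index, :create]` means any action of this controller other than index and create gets no project-level permission check at all; show and destroy now rely solely on the `visible?`/`deletable?` guards inside their bodies, and an action added later would be reachable with no check unless its author remembers to add one. An explicit list, `before_filter :find_relation, :only => [:show, :destroy]`, keeps the controller fail-closed by default. A one-line comment above the two filters, `# show/destroy are authorized per relation (IssueRelation#visible?/#deletable?), not by :authorize`, would make the new contract visible. The `accept_key_auth` list on the next line should stay in sync with whichever actions are enumerated there.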
@@ -29,7 +31,7 @@ class IssueRelationsController < ApplicationController
end
def show
- @relation = @issue.find_relation(params[:id])
+ raise Unauthorized unless @relation.visible?
respond_to do |format|
format.html { render :nothing => true }
@@ -62,7 +64,7 @@ class IssueRelationsController < ApplicationController
end
format.api {
if saved
- render :action => 'show', :status => :created, :location => issue_relation_url(@issue, @relation)
+ render :action => 'show', :status => :created, :location => relation_url(@relation)
else
render_validation_errors(@relation)
end
@@ -72,16 +74,13 @@ class IssueRelationsController < ApplicationController
verify :method => :delete, :only => :destroy, :render => {:nothing => true, :status => :method_not_allowed }
def destroy
- relation = @issue.find_relation(params[:id])
- relation.destroy
+ raise Unauthorized unless @relation.deletable?
+ @relation.destroy
respond_to do |format|
format.html { redirect_to :controller => 'issues', :action => 'show', :id => @issue }
- format.js {
- @relations = @issue.reload.relations.select {|r| r.other_issue(@issue) && r.other_issue(@issue).visible? }
- render(:update) {|page| page.replace_html "relations", :partial => 'issues/relations'}
- }
- format.api { head :ok }
+ format.js { render(:update) {|page| page.remove "relation-#{@relation.id}"} }
+ format.api { head :ok }
end
rescue ActiveRecord::RecordNotFound
render_404
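Review bot: The html branch still redirects with `:id => @issue`, but `find_issue` no longer runs for destroy (it is now `:only => [:index, :create]` in the first hunk), so `@issue` is nil here and the redirect points at `issues/show` with no id. The relation itself carries the issues, so `format.html { redirect_to :controller => 'issues', :action => 'show', :id => @relation.issue_from }` restores a valid target. The trailing `rescue ActiveRecord::RecordNotFound` in this method also looks unreachable now that the lookup happens in the `find_relation` filter, which has its own rescue.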
@@ -93,4 +92,10 @@ private
rescue ActiveRecord::RecordNotFound
render_404
end
+
+ def find_relation
+ @relation = IssueRelation.find(params[:id])
+ rescue ActiveRecord::RecordNotFound
+ render_404
+ end
end
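Review bot: `find_relation` loads any IssueRelation by id with no scoping or permission check, which is fine only because each action that uses it is expected to call `visible?` or `deletable?` before doing anything; that expectation is not written down anywhere. A comment on the helper, `# Loads the relation by id only. No authorization is performed here; actions using this filter must check @relation.visible? or @relation.deletable?`, would keep a future action from silently skipping the check. The rescue path returns a 404, so an unknown id and an invisible relation are distinguishable to the caller (404 vs the 403 raised in the actions); mentioning that in the same comment would make the choice deliberate.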
diff --git a/app/models/issue_relation.rb b/app/models/issue_relation.rb
index 5b050c9a3..2d5086332 100644
--- a/app/models/issue_relation.rb
+++ b/app/models/issue_relation.rb
@@ -43,6 +43,16 @@ class IssueRelation < ActiveRecord::Base
attr_protected :issue_from_id, :issue_to_id
+ def visible?(user=User.current)
+ (issue_from.nil? || issue_from.visible?(user)) && (issue_to.nil? || issue_to.visible?(user))
+ end
+
+ def deletable?(user=User.current)
+ visible?(user) &&
+ ((issue_from.nil? || user.allowed_to?(:manage_issue_relations, issue_from.project)) ||
+ (issue_to.nil? || user.allowed_to?(:manage_issue_relations, issue_to.project)))
+ end
+
def after_initialize
if new_record?
if relation_type.blank?
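Review bot: In `deletable?` the two per-project checks are joined with `||`, so `:manage_issue_relations` on either side's project is enough to delete a cross-project relation, and because each side's clause starts with `issue_from.nil? ||` / `issue_to.nil? ||`, a relation with a missing issue on one side is deletable by anyone who can see it. If "either side suffices" is the intended policy it deserves a comment, e.g. `# A user may delete a relation if they can manage relations in *either* issue's project`; if both sides were meant to be required, the outer `||` should be `&&`. The same nil handling in `visible?` makes a relation with a dangling side visible to every user, which is probably acceptable but worth stating in a comment as well.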
diff --git a/app/views/issue_relations/show.api.rsb b/app/views/issue_relations/show.api.rsb
index 0a3e2918a..bffad94ab 100644
--- a/app/views/issue_relations/show.api.rsb
+++ b/app/views/issue_relations/show.api.rsb
@@ -2,6 +2,6 @@ api.relation do
api.id @relation.id
api.issue_id @relation.issue_from_id
api.issue_to_id @relation.issue_to_id
- api.relation_type @relation.relation_type_for(@issue)
+ api.relation_type @relation.relation_type
api.delay @relation.delay
end
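Review bot: `api.relation_type @relation.relation_type` reports the type as stored (from issue_from's perspective) rather than the value previously computed relative to the requested issue, so API clients that read this resource for a relation where their issue is `issue_to` will now see the stored, not the per-issue, type. That is a representation change for a public API and should be called out in the API changelog or the REST documentation, since nothing in the payload signals that the orientation changed. Clients can still derive the direction from `issue_id` and `issue_to_id`, which are both emitted above; a comment in this builder stating that `relation_type` is always relative to `issue_id` would make that explicit.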
diff --git a/app/views/issues/_relations.rhtml b/app/views/issues/_relations.rhtml
index 065f8da9b..12a39ddc4 100644
--- a/app/views/issues/_relations.rhtml
+++ b/app/views/issues/_relations.rhtml
@@ -10,7 +10,7 @@
<form>
<table class="list issues">
<% @relations.each do |relation| %>
-<tr class="issue hascontextmenu">
+<tr class="issue hascontextmenu" id="relation-<%= relation.id %>">
<td class="checkbox"><%= check_box_tag("ids[]", relation.other_issue(@issue).id, false, :id => nil) %></td>
<td class="subject"><%= l(relation.label_for(@issue)) %> <%= "(#{l('datetime.distance_in_words.x_days', :count => relation.delay)})" if relation.delay && relation.delay != 0 %>
<%= h(relation.other_issue(@issue).project) + ' - ' if Setting.cross_project_issue_relations? %>
@@ -19,7 +19,7 @@
<td class="status"><%= relation.other_issue(@issue).status.name %></td>
<td class="start_date"><%= format_date(relation.other_issue(@issue).start_date) %></td>
<td class="due_date"><%= format_date(relation.other_issue(@issue).due_date) %></td>
-<td class="buttons"><%= link_to_remote(image_tag('link_break.png'), { :url => {:controller => 'issue_relations', :action => 'destroy', :issue_id => @issue, :id => relation},
+<td class="buttons"><%= link_to_remote(image_tag('link_break.png'), { :url => {:controller => 'issue_relations', :action => 'destroy', :id => relation},
:method => :delete
}, :title => l(:label_relation_delete)) if authorize_for('issue_relations', 'destroy') %></td>
</tr>
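Review bot: The delete button is still gated by `authorize_for('issue_relations', 'destroy')`, which evaluates the permission against the current page's project, but the destroy action no longer uses the `:authorize` filter and instead checks `relation.deletable?` against both issues' projects. The two checks can diverge for cross-project relations, showing a button that returns 403 or hiding one the user could use. Since `deletable?` defaults to `User.current`, gating the link with `if relation.deletable?` keeps the view consistent with the server-side rule. The enclosing `<tr>` opens in the previous hunk.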