summaryrefslogtreecommitdiffstats
path: root/app
diff options
context:
space:
mode:
Diffstat (limited to 'app')
-rw-r--r--app/controllers/application_controller.rb8
-rw-r--r--app/controllers/issues_controller.rb8
-rw-r--r--app/models/issue.rb22
-rw-r--r--app/models/project.rb7
-rw-r--r--app/models/role.rb10
-rw-r--r--app/models/user.rb23
-rw-r--r--app/views/roles/_form.rhtml5
7 files changed, 67 insertions, 16 deletions
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 803eb5f2e..dbdeb9dfb 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -1,5 +1,5 @@
-# redMine - project management software
-# Copyright (C) 2006-2007 Jean-Philippe Lang
+# Redmine - project management software
+# Copyright (C) 2006-2011 Jean-Philippe Lang
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
@@ -221,6 +221,10 @@ class ApplicationController < ActionController::Base
def find_issues
@issues = Issue.find_all_by_id(params[:id] || params[:ids])
raise ActiveRecord::RecordNotFound if @issues.empty?
+ if @issues.detect {|issue| !issue.visible?}
+ deny_access
+ return
+ end
@projects = @issues.collect(&:project).compact.uniq
@project = @projects.first if @projects.size == 1
rescue ActiveRecord::RecordNotFound
diff --git a/app/controllers/issues_controller.rb b/app/controllers/issues_controller.rb
index fdce296c4..4acd728ba 100644
--- a/app/controllers/issues_controller.rb
+++ b/app/controllers/issues_controller.rb
@@ -1,5 +1,5 @@
# Redmine - project management software
-# Copyright (C) 2006-2008 Jean-Philippe Lang
+# Copyright (C) 2006-2011 Jean-Philippe Lang
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
@@ -251,7 +251,13 @@ class IssuesController < ApplicationController
private
def find_issue
+ # Issue.visible.find(...) can not be used to redirect user to the login form
+ # if the issue actually exists but requires authentication
@issue = Issue.find(params[:id], :include => [:project, :tracker, :status, :author, :priority, :category])
+ unless @issue.visible?
+ deny_access
+ return
+ end
@project = @issue.project
rescue ActiveRecord::RecordNotFound
render_404
diff --git a/app/models/issue.rb b/app/models/issue.rb
index aca68b1ae..cbfad6a57 100644
--- a/app/models/issue.rb
+++ b/app/models/issue.rb
@@ -88,12 +88,30 @@ class Issue < ActiveRecord::Base
# Returns a SQL conditions string used to find all issues visible by the specified user
def self.visible_condition(user, options={})
- Project.allowed_to_condition(user, :view_issues, options)
+ Project.allowed_to_condition(user, :view_issues, options) do |role, user|
+ case role.issues_visibility
+ when 'default'
+ nil
+ when 'own'
+ "(#{table_name}.author_id = #{user.id} OR #{table_name}.assigned_to_id = #{user.id})"
+ else
+ '1=0'
+ end
+ end
end
# Returns true if usr or current user is allowed to view the issue
def visible?(usr=nil)
- (usr || User.current).allowed_to?(:view_issues, self.project)
+ (usr || User.current).allowed_to?(:view_issues, self.project) do |role, user|
+ case role.issues_visibility
+ when 'default'
+ true
+ when 'own'
+ self.author == user || self.assigned_to == user
+ else
+ false
+ end
+ end
end
def after_initialize
diff --git a/app/models/project.rb b/app/models/project.rb
index 4724b7465..6d1d8eae6 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -174,6 +174,13 @@ class Project < ActiveRecord::Base
if statement_by_role.empty?
"1=0"
else
+ if block_given?
+ statement_by_role.each do |role, statement|
+ if s = yield(role, user)
+ statement_by_role[role] = "(#{statement} AND (#{s}))"
+ end
+ end
+ end
"((#{base_statement}) AND (#{statement_by_role.values.join(' OR ')}))"
end
end
diff --git a/app/models/role.rb b/app/models/role.rb
index e0b18434e..38edd360d 100644
--- a/app/models/role.rb
+++ b/app/models/role.rb
@@ -19,6 +19,11 @@ class Role < ActiveRecord::Base
# Built-in roles
BUILTIN_NON_MEMBER = 1
BUILTIN_ANONYMOUS = 2
+
+ ISSUES_VISIBILITY_OPTIONS = [
+ ['default', :label_issues_visibility_all],
+ ['own', :label_issues_visibility_own]
+ ]
named_scope :givable, { :conditions => "builtin = 0", :order => 'position' }
named_scope :builtin, lambda { |*args|
@@ -43,7 +48,10 @@ class Role < ActiveRecord::Base
validates_presence_of :name
validates_uniqueness_of :name
validates_length_of :name, :maximum => 30
-
+ validates_inclusion_of :issues_visibility,
+ :in => ISSUES_VISIBILITY_OPTIONS.collect(&:first),
+ :if => lambda {|role| role.respond_to?(:issues_visibility)}
+
def permissions
read_attribute(:permissions) || []
end
diff --git a/app/models/user.rb b/app/models/user.rb
index 1018c33e0..c06a907fe 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -394,10 +394,10 @@ class User < Principal
# * a permission Symbol (eg. :edit_project)
# Context can be:
# * a project : returns true if user is allowed to do the specified action on this project
- # * a group of projects : returns true if user is allowed on every project
+ # * an array of projects : returns true if user is allowed on every project
# * nil with options[:global] set : check if user has at least one role allowed for this action,
# or falls back to Non Member / Anonymous permissions depending if the user is logged
- def allowed_to?(action, context, options={})
+ def allowed_to?(action, context, options={}, &block)
if context && context.is_a?(Project)
# No action allowed on archived projects
return false unless context.active?
@@ -408,12 +408,15 @@ class User < Principal
roles = roles_for_project(context)
return false unless roles
- roles.detect {|role| (context.is_public? || role.member?) && role.allowed_to?(action)}
-
+ roles.detect {|role|
+ (context.is_public? || role.member?) &&
+ role.allowed_to?(action) &&
+ (block_given? ? yield(role, self) : true)
+ }
elsif context && context.is_a?(Array)
# Authorize if user is authorized on every element of the array
context.map do |project|
- allowed_to?(action,project,options)
+ allowed_to?(action, project, options, &block)
end.inject do |memo,allowed|
memo && allowed
end
@@ -423,7 +426,11 @@ class User < Principal
# authorize if user has at least one role that has this permission
roles = memberships.collect {|m| m.roles}.flatten.uniq
- roles.detect {|r| r.allowed_to?(action)} || (self.logged? ? Role.non_member.allowed_to?(action) : Role.anonymous.allowed_to?(action))
+ roles << (self.logged? ? Role.non_member : Role.anonymous)
+ roles.detect {|role|
+ role.allowed_to?(action) &&
+ (block_given? ? yield(role, self) : true)
+ }
else
false
end
@@ -431,8 +438,8 @@ class User < Principal
# Is the user allowed to do the specified action on any project?
# See allowed_to? for the actions and valid options.
- def allowed_to_globally?(action, options)
- allowed_to?(action, nil, options.reverse_merge(:global => true))
+ def allowed_to_globally?(action, options, &block)
+ allowed_to?(action, nil, options.reverse_merge(:global => true), &block)
end
safe_attributes 'login',
diff --git a/app/views/roles/_form.rhtml b/app/views/roles/_form.rhtml
index a167907e8..232a72582 100644
--- a/app/views/roles/_form.rhtml
+++ b/app/views/roles/_form.rhtml
@@ -1,15 +1,16 @@
<%= error_messages_for 'role' %>
-<% unless @role.builtin? %>
<div class="box">
+<% unless @role.builtin? %>
<p><%= f.text_field :name, :required => true %></p>
<p><%= f.check_box :assignable %></p>
+<% end %>
+<p><%= f.select :issues_visibility, Role::ISSUES_VISIBILITY_OPTIONS.collect {|v| [l(v.last), v.first]} %></p>
<% if @role.new_record? && @roles.any? %>
<p><label><%= l(:label_copy_workflow_from) %></label>
<%= select_tag(:copy_workflow_from, content_tag("option") + options_from_collection_for_select(@roles, :id, :name)) %></p>
<% end %>
</div>
-<% end %>
<h3><%= l(:label_permissions) %></h3>
<div class="box" id="permissions">
generated by cgit v1.2.3 (git 2.39.1) at 2025-03-12 19:15:04 +0000