Diffstat (limited to 'app')
-rw-r--r--app/controllers/watchers_controller.rb27
-rw-r--r--app/models/issue.rb4
-rw-r--r--app/views/watchers/_watchers.html.erb4
3 files changed, 27 insertions, 8 deletions
diff --git a/app/controllers/watchers_controller.rb b/app/controllers/watchers_controller.rb
index 8933de96f..28e66a386 100644
--- a/app/controllers/watchers_controller.rb
+++ b/app/controllers/watchers_controller.rb
@@ -41,6 +41,8 @@ class WatchersController < ApplicationController
end
def create
+ return unless authorize_for_watchable_type(:add)
+
user_ids = []
if params[:watcher]
user_ids << (params[:watcher][:user_ids] || params[:watcher][:user_id])
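Review bot: The bare `return unless authorize_for_watchable_type(:add)` is only correct because the helper renders the 403 as a side effect, which a reader of this line cannot see; a comment such as `# authorize_for_watchable_type has already rendered 403 when it returns false` would make the early exit self-explanatory. The identical guard added to `destroy` deserves the same comment. Both guards also assume `@watchables` was populated by an earlier filter that is outside this diff. create's body continues past the end of the hunk.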
@@ -51,7 +53,9 @@ class WatchersController < ApplicationController
users = Principal.assignable_watchers.where(:id => user_ids).to_a
users.each do |user|
@watchables.each do |watchable|
- Watcher.create(:watchable => watchable, :user => user)
+ if watchable.valid_watcher?(user)
+ Watcher.create(:watchable => watchable, :user => user)
+ end
end
end
respond_to do |format|
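Review bot: The new `valid_watcher?` guard drops ineligible users silently, and the `Watcher.create` return value is still discarded, so a request whose every user fails the check adds nothing yet falls through to the success path of the `respond_to` below. Consider recording the skipped users, e.g. `skipped << user unless watchable.valid_watcher?(user)`, and surfacing them in the response, or at minimum a comment stating that users who are not valid watchers for a given watchable are ignored without error. Whether every watchable class reached here defines `valid_watcher?` is not visible in this diff. create starts before this hunk and the `respond_to` block continues after it.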
@@ -76,6 +80,8 @@ class WatchersController < ApplicationController
end
def destroy
+ return unless authorize_for_watchable_type(:delete)
+
user = Principal.find(params[:user_id])
@watchables.each do |watchable|
watchable.set_watcher(user, false)
@@ -156,11 +162,10 @@ class WatchersController < ApplicationController
users = scope.sorted.like(params[:q]).to_a
if @watchables && @watchables.size == 1
watchable_object = @watchables.first
- users -= watchable_object.watcher_users
-
- if watchable_object.respond_to?(:visible?)
- users.reject! {|user| user.is_a?(User) && !watchable_object.visible?(user)}
- end
+ users -= watchable_object.visible_watcher_users
+ end
+ @watchables&.each do |watchable|
+ users.reject!{|user| !watchable.valid_watcher?(user)}
end
users
end
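Review bot: `users.reject!{|user| !watchable.valid_watcher?(user)}` on line 55 is a double negative; `users.select! { |user| watchable.valid_watcher?(user) }` states the intent directly, and its nil-on-no-change return is harmless because the result is not used. Nil handling inside the method is also inconsistent: line 45 keeps the explicit `@watchables && ...` form while the new loop uses `@watchables&.each`; one form should be chosen. Since `valid_watcher?` now runs for every candidate from `like(params[:q])` times every watchable, the cost grows with the size of that result set, which is presumably bounded by the scope but worth confirming. The method's signature is outside the hunk.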
@@ -228,4 +233,14 @@ class WatchersController < ApplicationController
objects
end
+
+ # Check permission for the watchable type for each watchable involved
+ def authorize_for_watchable_type(action)
+ if @watchables.any?{|watchable| !User.current.allowed_to?(:"#{action}_#{watchable.class.name.underscore}_watchers", watchable.project)}
+ render_403
+ return false
+ else
+ return true
+ end
+ end
end
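Review bot: `@watchables.any?` on line 65 is unguarded, whereas the autocomplete hunk in this same file guards with `@watchables&.each`; if any caller can reach this helper with `@watchables` nil, the outcome is a NoMethodError rather than a 403, and when it is empty the check passes vacuously, which is only acceptable if an earlier filter (outside this diff) already rejects empty sets. The if/else with two explicit returns can be flattened to `return true if @watchables.all? { |watchable| User.current.allowed_to?(:"#{action}_#{watchable.class.name.underscore}_watchers", watchable.project) }` followed by `render_403` and `false`. A `# @return [Boolean] false after rendering 403, so callers can simply return on false` line above the definition would document the side effect that the callers' bare `return unless` relies on.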
diff --git a/app/models/issue.rb b/app/models/issue.rb
index 31d2f75dd..823bf90e8 100644
--- a/app/models/issue.rb
+++ b/app/models/issue.rb
@@ -314,9 +314,9 @@ class Issue < ActiveRecord::Base
attachement.copy(:container => self)
end
end
+
unless options[:watchers] == false
- self.watcher_user_ids =
- issue.watcher_users.select{|u| u.status == User::STATUS_ACTIVE}.map(&:id)
+ self.watcher_user_ids = issue.visible_watcher_users.select{|u| u.status == User::STATUS_ACTIVE}.map(&:id)
end
@copied_from = issue
@copy_options = options
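Review bot: Copying from `issue.visible_watcher_users` makes the copied watcher set depend on who performs the copy (presumably the current user, though that scope is defined outside this diff), so the same source issue can yield different watcher lists for different copiers and possibly an empty one when copied outside a request; a comment stating that intent, e.g. `# only watchers the copying user is allowed to see are carried over`, would prevent this being mistaken for a bug later. The joined line is also long; `issue.visible_watcher_users.select { |u| u.status == User::STATUS_ACTIVE }.map(&:id)` with conventional block spacing reads better, and if User exposes `active?` for that status comparison it would be the clearer form. The enclosing method starts and ends outside this hunk.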
diff --git a/app/views/watchers/_watchers.html.erb b/app/views/watchers/_watchers.html.erb
index b53e09d50..25d852c87 100644
--- a/app/views/watchers/_watchers.html.erb
+++ b/app/views/watchers/_watchers.html.erb
@@ -8,6 +8,10 @@
</div>
<% end %>
+<% if User.current.allowed_to?(:"view_#{watched_klass_name}_watchers", watched.project) %>
<h3><%= l(:"label_#{watched_klass_name}_watchers") %> (<%= watched.watcher_users.size %>)</h3>
<%= watchers_list(watched) %>
+<% else %>
+<h3><%= l(:"label_#{watched_klass_name}_watchers") %></h3>
+<% end %>