Diffstat (limited to 'app')
-rw-r--r-- | app/controllers/watchers_controller.rb | 27 | ||||
-rw-r--r-- | app/models/issue.rb | 4 | ||||
-rw-r--r-- | app/views/watchers/_watchers.html.erb | 4 |
3 files changed, 27 insertions, 8 deletions
diff --git a/app/controllers/watchers_controller.rb b/app/controllers/watchers_controller.rb
index 8933de96f..28e66a386 100644
--- a/app/controllers/watchers_controller.rb
+++ b/app/controllers/watchers_controller.rb
@@ -41,6 +41,8 @@ class WatchersController < ApplicationController
   end
 
   def create
+    return unless authorize_for_watchable_type(:add)
+
     user_ids = []
     if params[:watcher]
       user_ids << (params[:watcher][:user_ids] || params[:watcher][:user_id])
@@ -51,7 +53,9 @@ class WatchersController < ApplicationController
     users = Principal.assignable_watchers.where(:id => user_ids).to_a
     users.each do |user|
       @watchables.each do |watchable|
-        Watcher.create(:watchable => watchable, :user => user)
+        if watchable.valid_watcher?(user)
+          Watcher.create(:watchable => watchable, :user => user)
+        end
       end
     end
     respond_to do |format|
@@ -76,6 +80,8 @@ class WatchersController < ApplicationController
   end
 
   def destroy
+    return unless authorize_for_watchable_type(:delete)
+
     user = Principal.find(params[:user_id])
     @watchables.each do |watchable|
       watchable.set_watcher(user, false)
@@ -156,11 +162,10 @@ class WatchersController < ApplicationController
     users = scope.sorted.like(params[:q]).to_a
     if @watchables && @watchables.size == 1
       watchable_object = @watchables.first
-      users -= watchable_object.watcher_users
-
-      if watchable_object.respond_to?(:visible?)
-        users.reject! {|user| user.is_a?(User) && !watchable_object.visible?(user)}
-      end
+      users -= watchable_object.visible_watcher_users
+    end
+    @watchables&.each do |watchable|
+      users.reject!{|user| !watchable.valid_watcher?(user)}
     end
     users
   end
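Review bot: The guard `return unless authorize_for_watchable_type(:add)` added at the top of create, and its `:delete` twin added to destroy further down in this file, re-implement what a Rails filter already gives you: a before_action that renders halts the chain, so `before_action -> { authorize_for_watchable_type(:add) }, :only => :create` (and the :delete equivalent for destroy) would keep the action bodies free of authorization plumbing and place the check next to whatever filter populates @watchables. That ordering matters: the helper calls `@watchables.any?` unguarded, so the guard only works if @watchables is already loaded when create runs, presumably by an existing filter outside this hunk — worth confirming. The body of create continues past the hunk.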
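Review bot: The skip wrapped around `Watcher.create` is silent: a user that `valid_watcher?` rejects is dropped with no feedback, and the `respond_to` that follows still answers as if every requested watcher had been added. If that is the intended behaviour, say so at the spot, e.g. `# users that may not watch this object are skipped silently; the response does not report them`. As a matter of style the single-statement `if` reads better in modifier form, `Watcher.create(:watchable => watchable, :user => user) if watchable.valid_watcher?(user)`. The create method continues outside the hunk.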
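Review bot: `users.reject!{|user| !watchable.valid_watcher?(user)}` negates inside the block; `users.select! { |user| watchable.valid_watcher?(user) }` states the same filter without the double negative (the bang method's return value is not used here, so either form is safe). Removing the `respond_to?(:visible?)` branch means visibility filtering now rests entirely on `visible_watcher_users` and `valid_watcher?` being defined, and covering visibility, on every watchable model — confirm that before relying on it. The new loop also calls `valid_watcher?` once per candidate user per watchable; if that helper runs a permission or visibility query each time, the autocomplete path fed by `like(params[:q])` could slow down noticeably with several watchables, which is worth measuring rather than assuming. The enclosing method begins before this hunk.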
@@ -228,4 +233,14 @@ class WatchersController < ApplicationController
     objects
   end
+
+  # Check permission for the watchable type for each watchable involved
+  def authorize_for_watchable_type(action)
+    if @watchables.any?{|watchable| !User.current.allowed_to?(:"#{action}_#{watchable.class.name.underscore}_watchers", watchable.project)}
+      render_403
+      return false
+    else
+      return true
+    end
+  end
 
 end
diff --git a/app/models/issue.rb b/app/models/issue.rb
index 31d2f75dd..823bf90e8 100644
--- a/app/models/issue.rb
+++ b/app/models/issue.rb
@@ -314,9 +314,9 @@ class Issue < ActiveRecord::Base
         attachement.copy(:container => self)
       end
     end
+
     unless options[:watchers] == false
-      self.watcher_user_ids =
-        issue.watcher_users.select{|u| u.status == User::STATUS_ACTIVE}.map(&:id)
+      self.watcher_user_ids = issue.visible_watcher_users.select{|u| u.status == User::STATUS_ACTIVE}.map(&:id)
     end
     @copied_from = issue
     @copy_options = options
diff --git a/app/views/watchers/_watchers.html.erb b/app/views/watchers/_watchers.html.erb
index b53e09d50..25d852c87 100644
--- a/app/views/watchers/_watchers.html.erb
+++ b/app/views/watchers/_watchers.html.erb
@@ -8,6 +8,10 @@
 </div>
 <% end %>
 
+<% if User.current.allowed_to?(:"view_#{watched_klass_name}_watchers", watched.project) %>
 <h3><%= l(:"label_#{watched_klass_name}_watchers") %> (<%= watched.watcher_users.size %>)</h3>
 <%= watchers_list(watched) %>
+<% else %>
+<h3><%= l(:"label_#{watched_klass_name}_watchers") %></h3>
+<% end %>
 
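Review bot: `authorize_for_watchable_type` spells out `return false`/`return true` in an if/else where the result is just the truth value of the check; `all?` without the inner negation says the same thing more directly and lets the permission name be separated from the call. The permission symbol is built from the watchable's class name and the :add/:delete literal that create and destroy pass in, not from request parameters, so the interpolated symbol is safe only as long as that stays true — a one-line comment stating that `action` must never come from params would protect it from a future caller. A watchable whose `project` is nil ends up in `allowed_to?(..., nil)`; what that returns is decided outside this diff, so confirm it denies rather than permits. Suggested shape:
```ruby
  # Renders 403 and returns false unless the current user holds the
  # "<action>_<watchable type>_watchers" permission in the project of every
  # watchable in @watchables; returns true otherwise. +action+ is a literal
  # (:add / :delete) supplied by the caller and must never come from params.
  def authorize_for_watchable_type(action)
    permitted = @watchables.all? do |watchable|
      permission = :"#{action}_#{watchable.class.name.underscore}_watchers"
      User.current.allowed_to?(permission, watchable.project)
    end
    render_403 unless permitted
    permitted
  end
```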
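Review bot: The rewritten assignment `self.watcher_user_ids = issue.visible_watcher_users.select{|u| u.status == User::STATUS_ACTIVE}.map(&:id)` collapses back onto one long line the chain that the removed version had wrapped; keeping the wrap, or, if `active?` is equivalent to `status == User::STATUS_ACTIVE` on these records, `issue.visible_watcher_users.select(&:active?).map(&:id)`, keeps it readable. Switching to visible_watcher_users means a copy made by a user who cannot see some of the source issue's watchers silently leaves those watchers off the copy; that looks intended, but nothing at the call site says so, and a comment such as `# only watchers visible to the copying user are carried over` would save the next reader a trip to the model. The enclosing method begins before and ends after this hunk.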
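Review bot: The count in the permitted branch, `watched.watcher_users.size`, is the total number of watchers, while the rest of this change moves to visible_watcher_users; if `watchers_list(watched)` renders only the visible ones, the heading can claim more watchers than the list below it shows, and the difference also reveals how many hidden watchers exist. `watched.visible_watcher_users.size` would keep the two consistent, assuming that method exists on every watched type. The `<h3>` label is now emitted in both branches; building the heading text once and appending the count only when permitted would avoid the duplication.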