From 555acea7804e6a93b133fe7398f490cb083c05b2 Mon Sep 17 00:00:00 2001
From: Go MAEDA <maeda@farend.jp>
Date: Thu, 2 Mar 2023 04:32:34 +0000
Subject: Check if the user has the permission to add notes or edit an issue
 when adding an issue attachments (#38297).

Patch by Holger Just.


git-svn-id: https://svn.redmine.org/redmine/trunk@22122 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/controllers/issues_controller.rb | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

(limited to 'app/controllers')

diff --git a/app/controllers/issues_controller.rb b/app/controllers/issues_controller.rb
index c3f8ec8d5..07de47c0d 100644
--- a/app/controllers/issues_controller.rb
+++ b/app/controllers/issues_controller.rb
@@ -192,8 +192,16 @@ class IssuesController < ApplicationController
   def update
     return unless update_issue_from_params
 
-    @issue.save_attachments(params[:attachments] ||
-                             (params[:issue] && params[:issue][:uploads]))
+    attachments = params[:attachments] || params.dig(:issue, :uploads)
+    if @issue.attachments_addable?
+      @issue.save_attachments(attachments)
+    else
+      attachments = attachments.to_unsafe_hash if attachments.respond_to?(:to_unsafe_hash)
+      if [Hash, Array].any? { |klass| attachments.is_a?(klass) } && attachments.any?
+        flash[:warning] = l(:warning_attachments_not_saved, attachments.size)
+      end
+    end
+
     saved = false
     begin
       saved = save_issue_with_child_records
-- 
cgit v1.2.3