From 9c4df39c7dba5efcdce474f2fa65593fec8fa0dd Mon Sep 17 00:00:00 2001 From: Marius Balteanu Date: Thu, 16 Jun 2022 21:32:02 +0000 Subject: Setting @--no-permission-check@ in the mail receiver should not allow creating issues in closed and archived projects (#37187). MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Patch by Felix Schäfer. git-svn-id: https://svn.redmine.org/redmine/trunk@21641 e93f8b46-1217-0410-a6f0-8f06a7374b81 --- app/models/mail_handler.rb | 20 +++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) (limited to 'app') diff --git a/app/models/mail_handler.rb b/app/models/mail_handler.rb index 9afe2a170..8f7cef691 100644 --- a/app/models/mail_handler.rb +++ b/app/models/mail_handler.rb @@ -22,6 +22,8 @@ class MailHandler < ActionMailer::Base include Redmine::I18n class UnauthorizedAction < StandardError; end + class NotAllowedInProject < UnauthorizedAction; end + class InsufficientPermissions < UnauthorizedAction; end class MissingInformation < StandardError; end attr_reader :email, :user, :handler_options @@ -182,9 +184,13 @@ class MailHandler < ActionMailer::Base # Creates a new issue def receive_issue project = target_project + + # Never receive emails to projects where adding issues is not possible + raise NotAllowedInProject, "not possible to add issues to project [#{project.name}]" unless project.allows_to?(:add_issues) + # check permission unless handler_options[:no_permission_check] - raise UnauthorizedAction, "not allowed to add issues to project [#{project.name}]" unless user.allowed_to?(:add_issues, project) + raise InsufficientPermissions, "not allowed to add issues to project [#{project.name}]" unless user.allowed_to?(:add_issues, project) end issue = Issue.new(:author => user, :project => project) @@ -223,10 +229,14 @@ class MailHandler < ActionMailer::Base return nil end + # Never receive emails to projects where adding issue notes is not possible + project = issue.project + raise NotAllowedInProject, "not possible to add notes to project [#{project.name}]" unless project.allows_to?(:add_issue_notes) + # check permission unless handler_options[:no_permission_check] unless issue.notes_addable? - raise UnauthorizedAction, "not allowed to add notes on issues to project [#{issue.project.name}]" + raise InsufficientPermissions, "not allowed to add notes on issues to project [#{issue.project.name}]" end end @@ -274,8 +284,12 @@ class MailHandler < ActionMailer::Base return nil end + # Never receive emails to projects where adding messages is not possible + project = message.project + raise NotAllowedInProject, "not possible to add messages to project [#{project.name}]" unless project.allows_to?(:add_messages) + unless handler_options[:no_permission_check] - raise UnauthorizedAction, "not allowed to add messages to project [#{message.project.name}]" unless user.allowed_to?(:add_messages, message.project) + raise InsufficientPermissions, "not allowed to add messages to project [#{message.project.name}]" unless user.allowed_to?(:add_messages, message.project) end if !message.locked? -- cgit v1.2.3