atta.4.0.patch

patch for 4.0-stable - piano tako, 2019-06-27 06:42


app/controllers/issues_controller.rb
126 126
      raise ::Unauthorized
127 127
    end
128 128
    call_hook(:controller_issues_new_before_save, { :params => params, :issue => @issue })
129
    @issue.save_attachments(params[:attachments] || (params[:issue] && params[:issue][:uploads]))
129
    @issue.save_attachments(params[:attachments] || (params[:issue] && params[:issue][:uploads])) if User.current.allowed_to?(:edit_attachments, @issue.project)
130 130
    if @issue.save
131 131
      call_hook(:controller_issues_new_after_save, { :params => params, :issue => @issue})
132 132
      respond_to do |format|
......
523 523
    @issue.safe_attributes = attrs
524 524

  
525 525
    if @issue.project
526
      @issue.attachments = [] unless User.current.allowed_to?(:edit_attachments, @issue.project)
526 527
      @issue.tracker ||= @issue.allowed_target_trackers.first
527 528
      if @issue.tracker.nil?
528 529
        if @issue.project.trackers.any?
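Review bot: The new `edit_attachments` guard at new line 129 covers attachment saving on the create path only, and no hunk on this page adds the same guard to the update path; the change to app/views/issues/_edit.html.erb merely hides the upload fieldset. If `update` still calls `@issue.save_attachments(...)` unconditionally (not visible here), a request carrying attachment parameters would not be checked server-side, so that call should get the same modifier, `if User.current.allowed_to?(:edit_attachments, @issue.project)`. At new line 526, `@issue.attachments = []` also discards attachments that `copy_from` already copied under its `view_attachments` check, so a comment stating that this is intended would help. Both enclosing methods start and end outside the hunks.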
app/models/issue.rb
38 38
  has_many :relations_from, :class_name => 'IssueRelation', :foreign_key => 'issue_from_id', :dependent => :delete_all
39 39
  has_many :relations_to, :class_name => 'IssueRelation', :foreign_key => 'issue_to_id', :dependent => :delete_all
40 40

  
41
  acts_as_attachable :after_add => :attachment_added, :after_remove => :attachment_removed
41
  acts_as_attachable :after_add => :attachment_added, :after_remove => :attachment_removed,
42
                     :view_permission => :view_attachments, :edit_permission => :edit_attachments, :delete_permission => :delete_attachments
42 43
  acts_as_customizable
43 44
  acts_as_watchable
44 45
  acts_as_searchable :columns => ['subject', "#{table_name}.description"],
......
273 274
      self.status = issue.status
274 275
    end
275 276
    self.author = User.current
276
    unless options[:attachments] == false
277
    if options[:attachments] == true && User.current.allowed_to?(:view_attachments, issue.project)
277 278
      self.attachments = issue.attachments.map do |attachement|
278 279
        attachement.copy(:container => self)
279 280
      end
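Review bot: Replacing `unless options[:attachments] == false` with `if options[:attachments] == true && ...` at new line 277 flips the default: callers that omit `:attachments` used to copy attachments and now silently copy none. If only the permission check is meant to be new, the old default is kept by `unless options[:attachments] == false || !User.current.allowed_to?(:view_attachments, issue.project)`. The check also reads `User.current` inside the model, so copies made outside a request would presumably be evaluated for whatever user is current there; a comment saying so is worth adding. The `if` block closes outside the hunk.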
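--- a/app/models/journal.rb
+++ b/app/models/journal.rb
@@ -88,6 +88,8 @@
         detail.custom_field && detail.custom_field.visible_by?(project, user)
       elsif detail.property == 'relation'
         Issue.find_by_id(detail.value || detail.old_value).try(:visible?, user)
+      elsif detail.property == 'attachment'
+        user.allowed_to?(:view_attachments, project)
       else
         true
       end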
app/models/mailer.rb
93 93
  end
94 94

  
95 95
  # Builds a mail for notifying user about an issue update
96
  def issue_edit(user, journal)
96
  def issue_edit(user, journal, att=false)
97 97
    issue = journal.journalized
98 98
    redmine_headers 'Project' => issue.project.identifier,
99 99
                    'Issue-Id' => issue.id,
......
110 110
    @journal = journal
111 111
    @journal_details = journal.visible_details
112 112
    @issue_url = url_for(:controller => 'issues', :action => 'show', :id => issue, :anchor => "change-#{journal.id}")
113
    @att = att
113 114

  
114 115
    mail :to => user,
115 116
      :subject => s
......
120 121
  # Example:
121 122
  #   Mailer.deliver_issue_edit(journal)
122 123
  def self.deliver_issue_edit(journal)
124
    issue = journal.journalized.reload
123 125
    users  = journal.notified_users | journal.notified_watchers
124 126
    users.select! do |user|
125 127
      journal.notes? || journal.visible_details(user).any?
126 128
    end
127 129
    users.each do |user|
128
      issue_edit(user, journal).deliver_later
130
      issue_edit(user, journal, user.allowed_to?(:view_attachments, issue.project)).deliver_later
129 131
    end
130 132
  end
131 133

  
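--- a/app/views/issues/_edit.html.erb
+++ b/app/views/issues/_edit.html.erb
@@ -39,6 +39,7 @@
       <%= call_hook(:view_issues_edit_notes_bottom, { :issue => @issue, :notes => @notes, :form => f }) %>
       </fieldset>
 
+      <% if User.current.allowed_to?(:edit_attachments, @project) %>
       <fieldset><legend><%= l(:label_attachment_plural) %></legend>
         <% if @issue.attachments.any? && @issue.safe_attribute?('deleted_attachment_ids') %>
         <div class="contextual"><%= link_to l(:label_edit_attachments), '#', :onclick => "$('#existing-attachments').toggle(); return false;" %></div>
@@ -62,6 +63,7 @@
           <%= render :partial => 'attachments/form', :locals => {:container => @issue} %>
         </div>
       </fieldset>
+      <% end %>
     <% end %>
     </div>
 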
app/views/issues/new.html.erb
17 17
      <%= check_box_tag 'link_copy', '1', @link_copy %>
18 18
    </p>
19 19
    <% end %>
20
    <% if @copy_from && @copy_from.attachments.any? %>
20
    <% if @copy_from && @copy_from.attachments.any? && User.current.allowed_to?(:view_attachments, @copy_from.project) %>
21 21
    <p>
22 22
      <label for="copy_attachments"><%= l(:label_copy_attachments) %></label>
23 23
      <%= check_box_tag 'copy_attachments', '1', @copy_attachments %>
......
30 30
    </p>
31 31
    <% end %>
32 32

  
33
    <% if User.current.allowed_to?(:edit_attachments, @project) %>
33 34
    <p id="attachments_form"><label><%= l(:label_attachment_plural) %></label><%= render :partial => 'attachments/form', :locals => {:container => @issue} %></p>
35
    <% end %>
34 36

  
35 37
    <div id="watchers_form_container">
36 38
      <%= render :partial => 'issues/watchers_form' %>
app/views/issues/show.api.rsb
35 35
    @issue.attachments.each do |attachment|
36 36
      render_api_attachment(attachment, api)
37 37
    end
38
  end if include_in_api_response?('attachments')
38
  end if include_in_api_response?('attachments') && User.current.allowed_to?(:view_attachments, @project)
39 39

  
40 40
  api.array :relations do
41 41
    @relations.each do |relation|
app/views/issues/show.html.erb
88 88
  </div>
89 89
</div>
90 90
<% end %>
91
<% if @issue.attachments.any? %>
91
<% if @issue.attachments.any? && (User.current.allowed_to?(:view_attachments, @project)) %>
92 92
  <hr />
93 93
  <p><strong><%=l(:label_attachment_plural)%></strong></p>
94
  <%= link_to_attachments @issue, :thumbnails => true %>
94
  <%= link_to_attachments @issue, :thumbnails => true if User.current.allowed_to?(:view_attachments, @project) %>
95 95
<% end %>
96 96

  
97 97
<%= render_full_width_custom_fields_rows(@issue) %>
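Review bot: The modifier added on line 94, `if User.current.allowed_to?(:view_attachments, @project)`, repeats the test that the enclosing `<% if ... %>` on line 91 has already passed, so it can be dropped. Since app/models/issue.rb now passes `:view_permission => :view_attachments` to `acts_as_attachable`, the outer condition could read `<% if @issue.attachments.any? && @issue.attachments_visible? %>`, assuming the plugin's `attachments_visible?` helper is available in this version. That keeps the rule in one place instead of restating it in each view.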
app/views/mailer/_issue.html.erb
4 4

  
5 5
<%= textilizable(issue, :description, :only_path => false) %>
6 6

  
7
<% if issue.attachments.any? %>
7
<% if issue.attachments.any? && @att %>
8 8
  <fieldset class="attachments"><legend><%= l(:label_attachment_plural) %></legend>
9 9
  <% issue.attachments.each do |attachment| %>
10 10
    <%= link_to_attachment attachment, :download => true, :only_path => false %>
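Review bot: `@att` in the new condition on line 7 is assigned only in `Mailer#issue_edit` on this page, so any other mail that renders this partial sees `nil` and omits the attachment list for every recipient. If the issue-creation mail shares the partial (not visible here), it needs the same per-recipient `user.allowed_to?(:view_attachments, issue.project)` value passed in. The same applies to line 8 of app/views/mailer/_issue.text.erb. A descriptive name such as `@attachments_visible` would also read better than `@att`.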
app/views/mailer/_issue.text.erb
5 5
----------------------------------------
6 6
<%= issue.description %>
7 7

  
8
<% if issue.attachments.any? -%>
8
<% if issue.attachments.any? && @att -%>
9 9
---<%= l(:label_attachment_plural).ljust(37, '-') %>
10 10
<% issue.attachments.each do |attachment| -%>
11 11
<%= attachment.filename %> (<%= number_to_human_size(attachment.filesize) %>)
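--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -492,6 +492,9 @@
   permission_view_private_notes: View private notes
   permission_set_notes_private: Set notes as private
   permission_delete_issues: Delete issues
+  permission_view_attachments: View attachments
+  permission_edit_attachments: Edit attachments
+  permission_delete_attachments: Delete attachments
   permission_manage_public_queries: Manage public queries
   permission_save_queries: Save queries
   permission_view_gantt: View gantt chart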
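--- a/config/locales/pt-BR.yml
+++ b/config/locales/pt-BR.yml
@@ -782,6 +782,9 @@
   permission_manage_members: Gerenciar membros
   permission_edit_messages: Editar mensagens
   permission_delete_issues: Excluir tarefas
+  permission_view_attachments: Ver arquivos anexos
+  permission_edit_attachments: Editar arquivos anexos
+  permission_delete_attachments: Apagar arquivos anexos
   permission_view_issue_watchers: Ver lista de observadores
   permission_manage_repository: Gerenciar repositório
   permission_commit_access: Acesso do commit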
db/migrate/20161215142110_add_attachments_permissions.rb
1
class AddAttachmentsPermissions < ActiveRecord::Migration[5.0]
2
  def self.up
3
    Role.all.each do |r|
4
      r.add_permission!(:view_attachments) if r.has_permission?(:view_issues)
5
      r.add_permission!(:edit_attachments) if r.has_permission?(:edit_issues)
6
      r.add_permission!(:delete_attachments) if r.has_permission?(:edit_issues)
7
    end
8
  end
9

  
10
  def self.down
11
    Role.all.each do |r|
12
      r.remove_permission!(:view_attachments)
13
      r.remove_permission!(:edit_attachments)
14
      r.remove_permission!(:delete_attachments)
15
    end
16
  end
17
end
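Review bot: `Role.all` on lines 3 and 11 presumably also iterates the built-in non-member and anonymous roles, while lib/redmine.rb in this patch declares all three permissions with `:require => :member`. Writing them onto built-in roles leaves stored data that disagrees with the declaration; whether it is honoured at check time is not visible here. Iterating `Role.givable.each do |r|` in `self.up` (assuming that scope exists in this version), or adding a comment that explains why built-in roles are included, would remove the doubt.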
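--- a/lib/plugins/acts_as_searchable/lib/acts_as_searchable.rb
+++ b/lib/plugins/acts_as_searchable/lib/acts_as_searchable.rb
@@ -134,6 +134,7 @@
               r |= fetch_ranks_and_ids(
                 search_scope(user, projects, options).
                 joins(:attachments).
+                where("#{Project.allowed_to_condition(user, :view_attachments)}", false).
                 where(search_tokens_condition(["#{Attachment.table_name}.filename", "#{Attachment.table_name}.description"], tokens, options[:all_words])),
                 options[:limit]
               )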
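Review bot: The `false` passed as second argument to the new `where` on line 137 has no `?` or named placeholder to bind to, and the `"#{...}"` wrapper only re-interpolates a value that is already a string. `where(Project.allowed_to_condition(user, :view_attachments))` states the same filter without the stray argument. The enclosing call chain starts and ends outside the hunk.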
lib/redmine.rb
99 99
                                  :queries => :index,
100 100
                                  :reports => [:issue_report, :issue_report_details]},
101 101
                                  :read => true
102
    map.permission :add_issues, {:issues => [:new, :create], :attachments => :upload}
103
    map.permission :edit_issues, {:issues => [:edit, :update, :bulk_edit, :bulk_update], :journals => [:new], :attachments => :upload}
104
    map.permission :copy_issues, {:issues => [:new, :create, :bulk_edit, :bulk_update], :attachments => :upload}
102
    map.permission :add_issues, {:issues => [:new, :create]}
103
    map.permission :edit_issues, {:issues => [:edit, :update, :bulk_edit, :bulk_update], :journals => [:new]}
104
    map.permission :copy_issues, {:issues => [:new, :create, :bulk_edit, :bulk_update]}
105 105
    map.permission :manage_issue_relations, {:issue_relations => [:index, :show, :create, :destroy]}
106 106
    map.permission :manage_subtasks, {}
107 107
    map.permission :set_issues_private, {}
108 108
    map.permission :set_own_issues_private, {}, :require => :loggedin
109
    map.permission :add_issue_notes, {:issues => [:edit, :update], :journals => [:new], :attachments => :upload}
109
    map.permission :add_issue_notes, {:issues => [:edit, :update], :journals => [:new]}
110 110
    map.permission :edit_issue_notes, {:journals => [:edit, :update]}, :require => :loggedin
111 111
    map.permission :edit_own_issue_notes, {:journals => [:edit, :update]}, :require => :loggedin
112 112
    map.permission :view_private_notes, {}, :read => true, :require => :member
113 113
    map.permission :set_notes_private, {}, :require => :member
114 114
    map.permission :delete_issues, {:issues => :destroy}, :require => :member
115
    # Attachments
116
    map.permission :view_attachments, {}, :require => :member
117
    map.permission :edit_attachments, {:attachments => :upload}, :require => :member
118
    map.permission :delete_attachments, {:attachments => :destroy}, :require => :member
115 119
    # Watchers
116 120
    map.permission :view_issue_watchers, {}, :read => true
117 121
    map.permission :add_issue_watchers, {:watchers => [:new, :create, :append, :autocomplete_for_user]}
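Review bot: `map.permission :view_attachments, {}, :require => :member` on new line 116 lacks the `:read => true` flag that the neighbouring read-only permissions carry (`view_private_notes` on line 113, `view_issue_watchers` on new line 120). Redmine appears to use that flag to decide which permissions stay usable on closed projects, so attachments would probably become invisible there; `map.permission :view_attachments, {}, :read => true, :require => :member` avoids that. `:require => :member` also means non-members and anonymous users of public projects can no longer be granted attachment access, which deserves a comment if intended. Removing `:attachments => :upload` from `add_issues`, `edit_issues`, `copy_issues` and `add_issue_notes` ties issue uploads to `edit_attachments` alone.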
lib/redmine/export/pdf/issues_pdf_helper.rb
235 235
            end
236 236
          end
237 237
  
238
          if issue.attachments.any?
238
          if issue.attachments.any? && User.current.allowed_to?(:view_attachments, @project)
239 239
            pdf.SetFontStyle('B',9)
240 240
            pdf.RDMCell(190,5, l(:label_attachment_plural), "B")
241 241
            pdf.ln