
Patch #31954 » 0001-Reject-project-custom-field-values-not-visible-for-t.patch

Marius BĂLTEANU, 2019-08-27 09:15


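--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -787,6 +787,18 @@
       end
     end
 
+    # Reject custom fields values not visible by the user
+    if attrs['custom_field_values'].present?
+      editable_custom_field_ids = editable_custom_field_values(user).map {|v| v.custom_field_id.to_s}
+      attrs['custom_field_values'].reject! {|k, v| !editable_custom_field_ids.include?(k.to_s)}
+    end
+
+    # Reject custom fields not visible by the user
+    if attrs['custom_fields'].present?
+      editable_custom_field_ids = editable_custom_field_values(user).map {|v| v.custom_field_id.to_s}
+      attrs['custom_fields'].reject! {|c| !editable_custom_field_ids.include?(c['id'].to_s)}
+    end
+
     super(attrs, user)
   end
 
@@ -864,6 +876,11 @@
     end
   end
 
+  # Returns the custom_field_values that can be edited by the given user
+  def editable_custom_field_values(user=nil)
+    visible_custom_field_values(user)
+  end
+
   def visible_custom_field_values(user = nil)
     user ||= User.current
     custom_field_values.select do |value|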
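Review bot: The two new guards in the first hunk each recompute `editable_custom_field_ids` from `editable_custom_field_values(user)`; compute it once before the first `if` (`editable_custom_field_ids = editable_custom_field_values(user).map {|v| v.custom_field_id.to_s}`) and drop the two inner assignments, since both branches filter against the same set. The `custom_fields` branch assumes an Array of Hashes: if that parameter can arrive hash-shaped, `Hash#reject!` yields `[key, value]` pairs to the one-argument block and `c['id']` raises TypeError instead of rejecting the entry, so normalising or refusing non-Array input there is worth considering. Both `reject!` calls mutate the caller's `attrs` in place, which is what `super(attrs, user)` relies on but is a side effect worth a one-line comment. In the second hunk, `def editable_custom_field_values(user=nil)` omits the spaces around `=` that the neighbouring `visible_custom_field_values(user = nil)` uses. The enclosing safe_attributes= method begins outside the hunk.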
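--- a/test/unit/project_test.rb
+++ b/test/unit/project_test.rb
@@ -1043,4 +1043,28 @@
       Project.distinct.visible.to_a
     end
   end
+
+  def test_safe_attributes_should_include_only_custom_fields_visible_to_user
+    cf1 = ProjectCustomField.create!(:name => 'Visible field',
+                                   :field_format => 'string',
+                                   :visible => false, :role_ids => [1])
+    cf2 = ProjectCustomField.create!(:name => 'Non visible field',
+                                   :field_format => 'string',
+                                   :visible => false, :role_ids => [3])
+    user = User.find(2)
+    project = Project.find(1)
+
+    project.send :safe_attributes=, {'custom_field_values' => {
+                                       cf1.id.to_s => 'value1', cf2.id.to_s => 'value2'
+                                     }}, user
+    assert_equal 'value1', project.custom_field_value(cf1)
+    assert_nil project.custom_field_value(cf2)
+
+    project.send :safe_attributes=, {'custom_fields' => [
+                                      {'id' => cf1.id.to_s, 'value' => 'valuea'},
+                                      {'id' => cf2.id.to_s, 'value' => 'valueb'}
+                                    ]}, user
+    assert_equal 'valuea', project.custom_field_value(cf1)
+    assert_nil project.custom_field_value(cf2)
+  end
 end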
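Review bot: The test's outcome hinges on fixture state it never states: `user = User.find(2)` is presumably expected to hold role 1 but not role 3 on `Project.find(1)`, which is what makes cf1 editable and cf2 not, and `:visible => false` on both fields appears to mean "restricted to role_ids", which the name 'Visible field' placed beside `:visible => false` makes easy to misread. A comment above the field setup such as `# both fields are role-restricted; user 2 is expected to hold role 1 (cf1) but not role 3 (cf2) on project 1 -- see fixtures` would make the intent self-contained. It may also be worth a third assertion that a value already stored for cf2 survives the filtered assignment untouched, since the rejection is silent and `assert_nil` only covers the never-set case.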