Project

General

Profile

Patch #24623 » 0015-Implements-permissions-and-restrictions-to-issue-att.patch

for Redmine 4.1 - Frederico Camara, 2020-02-26 19:56

View differences:

app/controllers/issues_controller.rb
88 88
    @journals = @issue.visible_journals_with_index
89 89
    @has_changesets = @issue.changesets.visible.preload(:repository, :user).exists?
90 90
    @relations = @issue.relations.select {|r| r.other_issue(@issue) && r.other_issue(@issue).visible? }
91
    @attachments = @issue.attachments_visible?(User.current) ? @issue.attachments : []
91 92

  
92 93
    @journals.reverse! if User.current.wants_comments_in_reverse_order?
93 94

  
......
129 130
      raise ::Unauthorized
130 131
    end
131 132
    call_hook(:controller_issues_new_before_save, { :params => params, :issue => @issue })
132
    @issue.save_attachments(params[:attachments] || (params[:issue] && params[:issue][:uploads]))
133
    if @issue.attachments_addable?(User.current)
134
      @issue.save_attachments(params[:attachments] || (params[:issue] && params[:issue][:uploads]))
135
    end
133 136
    if @issue.save
134 137
      call_hook(:controller_issues_new_after_save, { :params => params, :issue => @issue})
135 138
      respond_to do |format|
......
166 169

  
167 170
  def update
168 171
    return unless update_issue_from_params
169
    @issue.save_attachments(params[:attachments] || (params[:issue] && params[:issue][:uploads]))
172
    if @issue.attachments_addable?(User.current)
173
      @issue.save_attachments(params[:attachments] || (params[:issue] && params[:issue][:uploads]))
174
    end
170 175
    saved = false
171 176
    begin
172 177
      saved = save_issue_with_child_records
......
282 287
    @versions = target_projects.map {|p| p.shared_versions.open}.reduce(:&)
283 288
    @categories = target_projects.map {|p| p.issue_categories}.reduce(:&)
284 289
    if @copy
285
      @attachments_present = @issues.detect {|i| i.attachments.any?}.present?
290
      @attachments_present = @issues.detect {|i| i.attachments.any? && i.attachments_visible?(User.current)}.present?
286 291
      @subtasks_present = @issues.detect {|i| !i.leaf?}.present?
287 292
      @watchers_present = User.current.allowed_to?(:add_issue_watchers, @projects) &&
288 293
                            Watcher.where(:watchable_type => 'Issue',
......
348 353
      end
349 354
      journal = issue.init_journal(User.current, params[:notes])
350 355
      issue.safe_attributes = attributes
356
      issue.attachments = [] unless issue.attachments_addable?(User.current) if @copy
351 357
      call_hook(:controller_issues_bulk_edit_before_save, { :params => params, :issue => issue })
352 358
      if issue.save
353 359
        saved_issues << issue
......
568 574

  
569 575
    @priorities = IssuePriority.active
570 576
    @allowed_statuses = @issue.new_statuses_allowed_to(User.current)
577
    @issue.attachments = [] unless @issue.attachments_addable?(User.current)
571 578
  end
572 579

  
573 580
  # Saves @issue and a time_entry from the parameters
app/models/issue.rb
40 40
  has_many :relations_from, :class_name => 'IssueRelation', :foreign_key => 'issue_from_id', :dependent => :delete_all
41 41
  has_many :relations_to, :class_name => 'IssueRelation', :foreign_key => 'issue_to_id', :dependent => :delete_all
42 42

  
43
  acts_as_attachable :after_add => :attachment_added, :after_remove => :attachment_removed
43
  acts_as_attachable :after_add => :attachment_added, :after_remove => :attachment_removed,
44
                     :view_permission => :view_attachments, :edit_permission => :edit_attachments,
45
                     :delete_permission => :delete_attachments
46

  
44 47
  acts_as_customizable
45 48
  acts_as_watchable
46 49
  acts_as_searchable :columns => ['subject', "#{table_name}.description"],
......
186 189
    )
187 190
  end
188 191

  
192
  # Overrides Redmine::Acts::Attachable::InstanceMethods#attachments_editable?
193
  def attachments_visible?(user=User.current)
194
    user_tracker_permission?(user, :view_attachments)
195
  end
196

  
197
  # Returns true if user or current user is allowed to add the attachment to the issue
198
  def attachments_addable?(user=User.current)
199
    user_tracker_permission?(user, :add_attachments)
200
  end
201

  
189 202
  # Overrides Redmine::Acts::Attachable::InstanceMethods#attachments_editable?
190 203
  def attachments_editable?(user=User.current)
191
    attributes_editable?(user)
204
    user_tracker_permission?(user, :edit_attachments)
205
  end
206

  
207
  # Overrides Redmine::Acts::Attachable::InstanceMethods#attachments_editable?
208
  def attachments_deletable?(user=User.current)
209
    user_tracker_permission?(user, :delete_attachments)
192 210
  end
193 211

  
194 212
  # Returns true if user or current user is allowed to add notes to the issue
......
278 296
      self.status = issue.status
279 297
    end
280 298
    self.author = User.current
281
    unless options[:attachments] == false
299
    if options[:attachments] == true && issue.attachments_visible?(user=User.current)
282 300
      self.attachments = issue.attachments.map do |attachement|
283 301
        attachement.copy(:container => self)
284 302
      end
......
1639 1657
        copy.parent_issue_id = copied_issue_ids[child.parent_id]
1640 1658
        copy.fixed_version_id = nil unless child.fixed_version.present? && child.fixed_version.status == 'open'
1641 1659
        copy.assigned_to = nil unless child.assigned_to_id.present? && child.assigned_to.status == User::STATUS_ACTIVE
1660
        copy.attachments = [] unless copy.attachments_addable?(User.current)
1642 1661
        unless copy.save
1643 1662
          logger.error "Could not copy subtask ##{child.id} while copying ##{@copied_from.id} to ##{id} due to validation errors: #{copy.errors.full_messages.join(', ')}" if logger
1644 1663
          next
app/models/journal.rb
92 92
        detail.custom_field && detail.custom_field.visible_by?(project, user)
93 93
      elsif detail.property == 'relation'
94 94
        Issue.find_by_id(detail.value || detail.old_value).try(:visible?, user)
95
      elsif detail.property == 'attachment'
96
        self.issue.attachments_visible?(User.current)
95 97
      else
96 98
        true
97 99
      end
app/models/mailer.rb
99 99
  end
100 100

  
101 101
  # Builds a mail for notifying user about an issue update
102
  def issue_edit(user, journal)
102
  def issue_edit(user, journal, att=false)
103 103
    issue = journal.journalized
104 104
    redmine_headers 'Project' => issue.project.identifier,
105 105
                    'Issue-Tracker' => issue.tracker.name,
......
117 117
    @journal = journal
118 118
    @journal_details = journal.visible_details
119 119
    @issue_url = url_for(:controller => 'issues', :action => 'show', :id => issue, :anchor => "change-#{journal.id}")
120
    @att = att
120 121

  
121 122
    mail :to => user,
122 123
      :subject => s
......
132 133
      journal.notes? || journal.visible_details(user).any?
133 134
    end
134 135
    users.each do |user|
135
      issue_edit(user, journal).deliver_later
136
      issue_edit(user, journal, journal.issue.attachments_visible?(user)).deliver_later
136 137
    end
137 138
  end
138 139

  
app/views/issues/_edit.html.erb
45 45
      </fieldset>
46 46

  
47 47
      <fieldset><legend><%= l(:label_attachment_plural) %></legend>
48
        <% if @issue.attachments.any? && @issue.safe_attribute?('deleted_attachment_ids') %>
48
        <% if @attachments.any? && @issue.safe_attribute?('deleted_attachment_ids') %>
49 49
        <div class="contextual"><%= link_to l(:label_edit_attachments), '#', :onclick => "$('#existing-attachments').toggle(); return false;" %></div>
50 50
        <div id="existing-attachments" style="<%= @issue.deleted_attachment_ids.blank? ? 'display:none;' : '' %>">
51
          <% @issue.attachments.each do |attachment| %>
51
          <% @attachments.each do |attachment| %>
52 52
          <span class="existing-attachment">
53 53
            <%= text_field_tag '', attachment.filename, :class => "icon icon-attachment filename", :disabled => true %>
54 54
            <label>
app/views/issues/index.api.rsb
29 29
      api.array :attachments do
30 30
        issue.attachments.each do |attachment|
31 31
          render_api_attachment(attachment, api)
32
        end
32
        end if issue.attachments_visible?
33 33
      end if include_in_api_response?('attachments')
34 34

  
35 35
      api.array :relations do
app/views/issues/new.html.erb
18 18
    </p>
19 19
    <% end %>
20 20
    <% if @copy_from && @copy_from.attachments.any? %>
21
    <p>
21
    <p style="<%= "display: none;" unless @copy_from.attachments_visible?(User.current) && @issue.attachments_addable?(User.current) %>">
22 22
      <label for="copy_attachments"><%= l(:label_copy_attachments) %></label>
23 23
      <%= check_box_tag 'copy_attachments', '1', @copy_attachments %>
24 24
    </p>
......
30 30
    </p>
31 31
    <% end %>
32 32

  
33
    <p id="attachments_form"><label><%= l(:label_attachment_plural) %></label><%= render :partial => 'attachments/form', :locals => {:container => @issue} %></p>
33
    <p id="attachments_form" style="<%= "display: none;" unless @issue.attachments_addable?(User.current) %>"><label><%= l(:label_attachment_plural) %></label><%= render :partial => 'attachments/form', :locals => {:container => @issue} %></p>
34 34

  
35 35
    <div id="watchers_form_container">
36 36
      <%= render :partial => 'issues/watchers_form' %>
app/views/issues/new.js.erb
5 5
<% when "issue_category_id" %>
6 6
  $('#issue_assigned_to_id').find('option').first().html('<%= escape_javascript(@issue.category.try(:assigned_to).try(:name)).presence || '&nbsp;'.html_safe %>');
7 7
<% end %>
8
<% if @issue.attachments_addable?(User.current) %>
9
  <% if @copy_from.attachments_visible?(User.current) %>
10
    $('#copy_attachments').parent().show();
11
  <% else %>
12
    $('#copy_attachments').parent().hide();
13
  <% end %>
14
  $('#attachments_form').show();
15
<% else %>
16
  $('#copy_attachments').parent().hide();
17
  $('#attachments_form').hide();
18
<% end %>
app/views/issues/show.api.rsb
32 32
  render_api_issue_children(@issue, api) if include_in_api_response?('children')
33 33

  
34 34
  api.array :attachments do
35
    @issue.attachments.each do |attachment|
35
    @attachments.each do |attachment|
36 36
      render_api_attachment(attachment, api)
37 37
    end
38 38
  end if include_in_api_response?('attachments')
app/views/issues/show.html.erb
84 84

  
85 85
  <p><strong><%=l(:field_description)%></strong></p>
86 86
  <div class="wiki">
87
  <%= textilizable @issue, :description, :attachments => @issue.attachments %>
87
  <%= textilizable @issue, :description, :attachments => @attachments %>
88 88
  </div>
89 89
</div>
90 90
<% end %>
91
<% if @issue.attachments.any? %>
91
<% if @attachments.any? %>
92 92
  <hr />
93 93
  <p><strong><%=l(:label_attachment_plural)%></strong></p>
94 94
  <%= link_to_attachments @issue, :thumbnails => true %>
app/views/mailer/_issue.html.erb
4 4

  
5 5
<%= textilizable(issue, :description, :only_path => false) %>
6 6

  
7
<% if issue.attachments.any? %>
7
<% if issue.attachments.any? && @att %>
8 8
  <fieldset class="attachments"><legend><%= l(:label_attachment_plural) %></legend>
9 9
  <% issue.attachments.each do |attachment| %>
10 10
    <%= link_to_attachment attachment, :download => true, :only_path => false %>
app/views/mailer/_issue.text.erb
5 5
----------------------------------------
6 6
<%= issue.description %>
7 7

  
8
<% if issue.attachments.any? -%>
8
<% if issue.attachments.any? && @att -%>
9 9
---<%= l(:label_attachment_plural).ljust(37, '-') %>
10 10
<% issue.attachments.each do |attachment| -%>
11 11
<%= attachment.filename %> (<%= number_to_human_size(attachment.filesize) %>)
app/views/roles/_form.html.erb
68 68

  
69 69
<div id="role-permissions-trackers" class="view_issues_shown">
70 70
<h3><%= l(:label_issue_tracking) %></h3>
71
<% permissions = [:view_issues, :add_issues, :edit_issues, :add_issue_notes, :delete_issues] & setable_permissions.collect(&:name) %>
71
<% permissions = [:view_issues, :add_issues, :edit_issues, :add_issue_notes, :delete_issues, :view_attachments, :add_attachments, :edit_attachments, :delete_attachments] & setable_permissions.collect(&:name) %>
72 72

  
73 73
<div class="autoscroll">
74 74
<table class="list">
config/locales/en.yml
509 509
  permission_view_private_notes: View private notes
510 510
  permission_set_notes_private: Set notes as private
511 511
  permission_delete_issues: Delete issues
512
  permission_view_attachments: View attachments
513
  permission_add_attachments: Add attachments
514
  permission_edit_attachments: Edit attachments
515
  permission_delete_attachments: Delete attachments
512 516
  permission_manage_public_queries: Manage public queries
513 517
  permission_save_queries: Save queries
514 518
  permission_view_gantt: View gantt chart
config/locales/pt-BR.yml
785 785
  permission_manage_members: Gerenciar membros
786 786
  permission_edit_messages: Editar mensagens
787 787
  permission_delete_issues: Excluir tarefas
788
  permission_view_attachments: Ver arquivos anexos
789
  permission_add_attachments: Adicionar arquivos anexos
790
  permission_edit_attachments: Editar arquivos anexos
791
  permission_delete_attachments: Apagar arquivos anexos
788 792
  permission_view_issue_watchers: Ver lista de observadores
789 793
  permission_manage_repository: Gerenciar repositório
790 794
  permission_commit_access: Acesso do commit
db/migrate/20161215142110_add_attachments_permissions.rb
1
class AddAttachmentsPermissions < ActiveRecord::Migration[4.2]
2
  def self.up
3
    Role.all.each do |r|
4
      r.add_permission!(:view_attachments) if r.has_permission?(:view_issues)
5
      r.add_permission!(:add_attachments) if r.has_permission?(:add_issues)
6
      r.add_permission!(:edit_attachments) if r.has_permission?(:edit_issues)
7
      r.add_permission!(:delete_attachments) if r.has_permission?(:delete_issues)
8
    end
9
  end
10

  
11
  def self.down
12
    Role.all.each do |r|
13
      r.remove_permission!(:view_attachments)
14
      r.remove_permission!(:add_attachments)
15
      r.remove_permission!(:edit_attachments)
16
      r.remove_permission!(:delete_attachments)
17
    end
18
  end
19
end
lib/plugins/acts_as_searchable/lib/acts_as_searchable.rb
136 136
              r |= fetch_ranks_and_ids(
137 137
                search_scope(user, projects, options).
138 138
                joins(:attachments).
139
                where("#{Project.allowed_to_condition(user, :view_attachments)}", false).
139 140
                where(search_tokens_condition(["#{Attachment.table_name}.filename", "#{Attachment.table_name}.description"], tokens, options[:all_words])),
140 141
                options[:limit]
141 142
              )
lib/redmine.rb
102 102
                                  :queries => :index,
103 103
                                  :reports => [:issue_report, :issue_report_details]},
104 104
                   :read => true
105
    map.permission :add_issues, {:issues => [:new, :create], :attachments => :upload}
106
    map.permission :edit_issues, {:issues => [:edit, :update, :bulk_edit, :bulk_update], :journals => [:new], :attachments => :upload}
107
    map.permission :edit_own_issues, {:issues => [:edit, :update, :bulk_edit, :bulk_update], :journals => [:new], :attachments => :upload}
108
    map.permission :copy_issues, {:issues => [:new, :create, :bulk_edit, :bulk_update], :attachments => :upload}
105
    map.permission :add_issues, {:issues => [:new, :create]}
106
    map.permission :edit_issues, {:issues => [:edit, :update, :bulk_edit, :bulk_update], :journals => [:new]}
107
    map.permission :edit_own_issues, {:issues => [:edit, :update, :bulk_edit, :bulk_update], :journals => [:new]}
108
    map.permission :copy_issues, {:issues => [:new, :create, :bulk_edit, :bulk_update]}
109 109
    map.permission :manage_issue_relations, {:issue_relations => [:index, :show, :create, :destroy]}
110 110
    map.permission :manage_subtasks, {}
111 111
    map.permission :set_issues_private, {}
112 112
    map.permission :set_own_issues_private, {}, :require => :loggedin
113
    map.permission :add_issue_notes, {:issues => [:edit, :update], :journals => [:new], :attachments => :upload}
113
    map.permission :add_issue_notes, {:issues => [:edit, :update], :journals => [:new]}
114 114
    map.permission :edit_issue_notes, {:journals => [:edit, :update]}, :require => :loggedin
115 115
    map.permission :edit_own_issue_notes, {:journals => [:edit, :update]}, :require => :loggedin
116 116
    map.permission :view_private_notes, {}, :read => true, :require => :member
117 117
    map.permission :set_notes_private, {}, :require => :member
118 118
    map.permission :delete_issues, {:issues => :destroy}, :require => :member
119
    # Attachments
120
    map.permission :add_attachments, {:attachments => :upload}
121
    map.permission :view_attachments, {}
122
    map.permission :edit_attachments, {}
123
    map.permission :delete_attachments, {:attachments => :destroy}, :require => :member
119 124
    # Watchers
120 125
    map.permission :view_issue_watchers, {}, :read => true
121 126
    map.permission :add_issue_watchers, {:watchers => [:new, :create, :append, :autocomplete_for_user]}
lib/redmine/export/pdf/issues_pdf_helper.rb
236 236
            end
237 237
          end
238 238

  
239
          if issue.attachments.any?
239
          if issue.attachments.any? && issue.attachments_visible?(User.current)
240 240
            pdf.SetFontStyle('B',9)
241 241
            pdf.RDMCell(190,5, l(:label_attachment_plural), "B")
242 242
            pdf.ln
(13-13/19)