Patch #24623 » 0015-Implements-permissions-and-restrictions-to-issue-att-fix-4.1.patch
| app/controllers/issues_controller.rb | ||
|---|---|---|
| 88 | 88 |
@journals = @issue.visible_journals_with_index |
| 89 | 89 |
@has_changesets = @issue.changesets.visible.preload(:repository, :user).exists? |
| 90 | 90 |
@relations = @issue.relations.select {|r| r.other_issue(@issue) && r.other_issue(@issue).visible? }
|
| 91 |
@attachments = @issue.attachments_visible?(User.current) ? @issue.attachments : [] |
|
| 91 | 92 | |
| 92 | 93 |
@journals.reverse! if User.current.wants_comments_in_reverse_order? |
| 93 | 94 | |
| ... | ... | |
| 129 | 130 |
raise ::Unauthorized |
| 130 | 131 |
end |
| 131 | 132 |
call_hook(:controller_issues_new_before_save, { :params => params, :issue => @issue })
|
| 132 |
@issue.save_attachments(params[:attachments] || (params[:issue] && params[:issue][:uploads])) |
|
| 133 |
if @issue.attachments_addable?(User.current) |
|
| 134 |
@issue.save_attachments(params[:attachments] || (params[:issue] && params[:issue][:uploads])) |
|
| 135 |
end |
|
| 133 | 136 |
if @issue.save |
| 134 | 137 |
call_hook(:controller_issues_new_after_save, { :params => params, :issue => @issue})
|
| 135 | 138 |
respond_to do |format| |
| ... | ... | |
| 166 | 169 | |
| 167 | 170 |
def update |
| 168 | 171 |
return unless update_issue_from_params |
| 169 |
@issue.save_attachments(params[:attachments] || (params[:issue] && params[:issue][:uploads])) |
|
| 172 |
if @issue.attachments_addable?(User.current) |
|
| 173 |
@issue.save_attachments(params[:attachments] || (params[:issue] && params[:issue][:uploads])) |
|
| 174 |
end |
|
| 170 | 175 |
saved = false |
| 171 | 176 |
begin |
| 172 | 177 |
saved = save_issue_with_child_records |
| ... | ... | |
| 282 | 287 |
@versions = target_projects.map {|p| p.shared_versions.open}.reduce(:&)
|
| 283 | 288 |
@categories = target_projects.map {|p| p.issue_categories}.reduce(:&)
|
| 284 | 289 |
if @copy |
| 285 |
@attachments_present = @issues.detect {|i| i.attachments.any?}.present?
|
|
| 290 |
@attachments_present = @issues.detect {|i| i.attachments.any? && i.attachments_visible?(User.current)}.present?
|
|
| 286 | 291 |
@subtasks_present = @issues.detect {|i| !i.leaf?}.present?
|
| 287 | 292 |
@watchers_present = User.current.allowed_to?(:add_issue_watchers, @projects) && |
| 288 | 293 |
Watcher.where(:watchable_type => 'Issue', |
| ... | ... | |
| 348 | 353 |
end |
| 349 | 354 |
journal = issue.init_journal(User.current, params[:notes]) |
| 350 | 355 |
issue.safe_attributes = attributes |
| 356 |
issue.attachments = [] unless issue.attachments_addable?(User.current) if @copy |
|
| 351 | 357 |
call_hook(:controller_issues_bulk_edit_before_save, { :params => params, :issue => issue })
|
| 352 | 358 |
if issue.save |
| 353 | 359 |
saved_issues << issue |
| ... | ... | |
| 568 | 574 | |
| 569 | 575 |
@priorities = IssuePriority.active |
| 570 | 576 |
@allowed_statuses = @issue.new_statuses_allowed_to(User.current) |
| 577 |
@issue.attachments = [] unless @issue.attachments_addable?(User.current) |
|
| 571 | 578 |
end |
| 572 | 579 | |
| 573 | 580 |
# Saves @issue and a time_entry from the parameters |
| app/models/issue.rb | ||
|---|---|---|
| 40 | 40 |
has_many :relations_from, :class_name => 'IssueRelation', :foreign_key => 'issue_from_id', :dependent => :delete_all |
| 41 | 41 |
has_many :relations_to, :class_name => 'IssueRelation', :foreign_key => 'issue_to_id', :dependent => :delete_all |
| 42 | 42 | |
| 43 |
acts_as_attachable :after_add => :attachment_added, :after_remove => :attachment_removed |
|
| 43 |
acts_as_attachable :after_add => :attachment_added, :after_remove => :attachment_removed, |
|
| 44 |
:view_permission => :view_attachments, :edit_permission => :edit_attachments, |
|
| 45 |
:delete_permission => :delete_attachments |
|
| 46 | ||
| 44 | 47 |
acts_as_customizable |
| 45 | 48 |
acts_as_watchable |
| 46 | 49 |
acts_as_searchable :columns => ['subject', "#{table_name}.description"],
|
| ... | ... | |
| 186 | 189 |
) |
| 187 | 190 |
end |
| 188 | 191 | |
| 192 |
# Overrides Redmine::Acts::Attachable::InstanceMethods#attachments_editable? |
|
| 193 |
def attachments_visible?(user=User.current) |
|
| 194 |
user_tracker_permission?(user, :view_attachments) |
|
| 195 |
end |
|
| 196 | ||
| 197 |
# Returns true if user or current user is allowed to add the attachment to the issue |
|
| 198 |
def attachments_addable?(user=User.current) |
|
| 199 |
user_tracker_permission?(user, :add_attachments) |
|
| 200 |
end |
|
| 201 | ||
| 189 | 202 |
# Overrides Redmine::Acts::Attachable::InstanceMethods#attachments_editable? |
| 190 | 203 |
def attachments_editable?(user=User.current) |
| 191 |
attributes_editable?(user) |
|
| 204 |
user_tracker_permission?(user, :edit_attachments) |
|
| 205 |
end |
|
| 206 | ||
| 207 |
# Overrides Redmine::Acts::Attachable::InstanceMethods#attachments_editable? |
|
| 208 |
def attachments_deletable?(user=User.current) |
|
| 209 |
user_tracker_permission?(user, :delete_attachments) |
|
| 192 | 210 |
end |
| 193 | 211 | |
| 194 | 212 |
# Returns true if user or current user is allowed to add notes to the issue |
| ... | ... | |
| 278 | 296 |
self.status = issue.status |
| 279 | 297 |
end |
| 280 | 298 |
self.author = User.current |
| 281 |
unless options[:attachments] == false
|
|
| 299 |
if options[:attachments] == true && issue.attachments_visible?(user=User.current)
|
|
| 282 | 300 |
self.attachments = issue.attachments.map do |attachement| |
| 283 | 301 |
attachement.copy(:container => self) |
| 284 | 302 |
end |
| ... | ... | |
| 1639 | 1657 |
copy.parent_issue_id = copied_issue_ids[child.parent_id] |
| 1640 | 1658 |
copy.fixed_version_id = nil unless child.fixed_version.present? && child.fixed_version.status == 'open' |
| 1641 | 1659 |
copy.assigned_to = nil unless child.assigned_to_id.present? && child.assigned_to.status == User::STATUS_ACTIVE |
| 1660 |
copy.attachments = [] unless copy.attachments_addable?(User.current) |
|
| 1642 | 1661 |
unless copy.save |
| 1643 | 1662 |
logger.error "Could not copy subtask ##{child.id} while copying ##{@copied_from.id} to ##{id} due to validation errors: #{copy.errors.full_messages.join(', ')}" if logger
|
| 1644 | 1663 |
next |
| app/models/journal.rb | ||
|---|---|---|
| 92 | 92 |
detail.custom_field && detail.custom_field.visible_by?(project, user) |
| 93 | 93 |
elsif detail.property == 'relation' |
| 94 | 94 |
Issue.find_by_id(detail.value || detail.old_value).try(:visible?, user) |
| 95 |
elsif detail.property == 'attachment' |
|
| 96 |
self.issue.attachments_visible?(User.current) |
|
| 95 | 97 |
else |
| 96 | 98 |
true |
| 97 | 99 |
end |
| app/models/mailer.rb | ||
|---|---|---|
| 99 | 99 |
end |
| 100 | 100 | |
| 101 | 101 |
# Builds a mail for notifying user about an issue update |
| 102 |
def issue_edit(user, journal) |
|
| 102 |
def issue_edit(user, journal, att=false)
|
|
| 103 | 103 |
issue = journal.journalized |
| 104 | 104 |
redmine_headers 'Project' => issue.project.identifier, |
| 105 | 105 |
'Issue-Tracker' => issue.tracker.name, |
| ... | ... | |
| 117 | 117 |
@journal = journal |
| 118 | 118 |
@journal_details = journal.visible_details |
| 119 | 119 |
@issue_url = url_for(:controller => 'issues', :action => 'show', :id => issue, :anchor => "change-#{journal.id}")
|
| 120 |
@att = att |
|
| 120 | 121 | |
| 121 | 122 |
mail :to => user, |
| 122 | 123 |
:subject => s |
| ... | ... | |
| 132 | 133 |
journal.notes? || journal.visible_details(user).any? |
| 133 | 134 |
end |
| 134 | 135 |
users.each do |user| |
| 135 |
issue_edit(user, journal).deliver_later |
|
| 136 |
issue_edit(user, journal, journal.issue.attachments_visible?(user)).deliver_later
|
|
| 136 | 137 |
end |
| 137 | 138 |
end |
| 138 | 139 | |
| app/views/issues/_edit.html.erb | ||
|---|---|---|
| 44 | 44 |
<%= call_hook(:view_issues_edit_notes_bottom, { :issue => @issue, :notes => @notes, :form => f }) %>
|
| 45 | 45 |
</fieldset> |
| 46 | 46 | |
| 47 |
<% if @issue.attachments_addable?(User.current) %> |
|
| 47 | 48 |
<fieldset><legend><%= l(:label_attachment_plural) %></legend> |
| 48 |
<% if @issue.attachments.any? && @issue.safe_attribute?('deleted_attachment_ids') %>
|
|
| 49 |
<% if @attachments.any? && @issue.safe_attribute?('deleted_attachment_ids') %>
|
|
| 49 | 50 |
<div class="contextual"><%= link_to l(:label_edit_attachments), '#', :onclick => "$('#existing-attachments').toggle(); return false;" %></div>
|
| 50 | 51 |
<div id="existing-attachments" style="<%= @issue.deleted_attachment_ids.blank? ? 'display:none;' : '' %>"> |
| 51 |
<% @issue.attachments.each do |attachment| %>
|
|
| 52 |
<% @attachments.each do |attachment| %> |
|
| 52 | 53 |
<span class="existing-attachment"> |
| 53 | 54 |
<%= text_field_tag '', attachment.filename, :class => "icon icon-attachment filename", :disabled => true %> |
| 54 | 55 |
<label> |
| ... | ... | |
| 67 | 68 |
<%= render :partial => 'attachments/form', :locals => {:container => @issue} %>
|
| 68 | 69 |
</div> |
| 69 | 70 |
</fieldset> |
| 71 |
<% end %> |
|
| 70 | 72 |
<% end %> |
| 71 | 73 |
</div> |
| 72 | 74 | |
| app/views/issues/index.api.rsb | ||
|---|---|---|
| 29 | 29 |
api.array :attachments do |
| 30 | 30 |
issue.attachments.each do |attachment| |
| 31 | 31 |
render_api_attachment(attachment, api) |
| 32 |
end |
|
| 32 |
end if issue.attachments_visible?
|
|
| 33 | 33 |
end if include_in_api_response?('attachments')
|
| 34 | 34 | |
| 35 | 35 |
api.array :relations do |
| app/views/issues/new.html.erb | ||
|---|---|---|
| 18 | 18 |
</p> |
| 19 | 19 |
<% end %> |
| 20 | 20 |
<% if @copy_from && @copy_from.attachments.any? %> |
| 21 |
<p> |
|
| 21 |
<p style="<%= "display: none;" unless @copy_from.attachments_visible?(User.current) && @issue.attachments_addable?(User.current) %>">
|
|
| 22 | 22 |
<label for="copy_attachments"><%= l(:label_copy_attachments) %></label> |
| 23 | 23 |
<%= check_box_tag 'copy_attachments', '1', @copy_attachments %> |
| 24 | 24 |
</p> |
| ... | ... | |
| 30 | 30 |
</p> |
| 31 | 31 |
<% end %> |
| 32 | 32 | |
| 33 |
<p id="attachments_form"><label><%= l(:label_attachment_plural) %></label><%= render :partial => 'attachments/form', :locals => {:container => @issue} %></p>
|
|
| 33 |
<p id="attachments_form" style="<%= "display: none;" unless @issue.attachments_addable?(User.current) %>"><label><%= l(:label_attachment_plural) %></label><%= render :partial => 'attachments/form', :locals => {:container => @issue} %></p>
|
|
| 34 | 34 | |
| 35 | 35 |
<div id="watchers_form_container"> |
| 36 | 36 |
<%= render :partial => 'issues/watchers_form' %> |
| app/views/issues/new.js.erb | ||
|---|---|---|
| 5 | 5 |
<% when "issue_category_id" %> |
| 6 | 6 |
$('#issue_assigned_to_id').find('option').first().html('<%= escape_javascript(@issue.category.try(:assigned_to).try(:name)).presence || ' '.html_safe %>');
|
| 7 | 7 |
<% end %> |
| 8 |
<% if @issue.attachments_addable?(User.current) %> |
|
| 9 |
<% if @copy_from.attachments_visible?(User.current) %> |
|
| 10 |
$('#copy_attachments').parent().show();
|
|
| 11 |
<% else %> |
|
| 12 |
$('#copy_attachments').parent().hide();
|
|
| 13 |
<% end %> |
|
| 14 |
$('#attachments_form').show();
|
|
| 15 |
<% else %> |
|
| 16 |
$('#copy_attachments').parent().hide();
|
|
| 17 |
$('#attachments_form').hide();
|
|
| 18 |
<% end %> |
|
| app/views/issues/show.api.rsb | ||
|---|---|---|
| 32 | 32 |
render_api_issue_children(@issue, api) if include_in_api_response?('children')
|
| 33 | 33 | |
| 34 | 34 |
api.array :attachments do |
| 35 |
@issue.attachments.each do |attachment|
|
|
| 35 |
@attachments.each do |attachment| |
|
| 36 | 36 |
render_api_attachment(attachment, api) |
| 37 | 37 |
end |
| 38 | 38 |
end if include_in_api_response?('attachments')
|
| app/views/issues/show.html.erb | ||
|---|---|---|
| 84 | 84 | |
| 85 | 85 |
<p><strong><%=l(:field_description)%></strong></p> |
| 86 | 86 |
<div class="wiki"> |
| 87 |
<%= textilizable @issue, :description, :attachments => @issue.attachments %>
|
|
| 87 |
<%= textilizable @issue, :description, :attachments => @attachments %> |
|
| 88 | 88 |
</div> |
| 89 | 89 |
</div> |
| 90 | 90 |
<% end %> |
| 91 |
<% if @issue.attachments.any? %>
|
|
| 91 |
<% if @attachments.any? %> |
|
| 92 | 92 |
<hr /> |
| 93 | 93 |
<p><strong><%=l(:label_attachment_plural)%></strong></p> |
| 94 | 94 |
<%= link_to_attachments @issue, :thumbnails => true %> |
| app/views/mailer/_issue.html.erb | ||
|---|---|---|
| 4 | 4 | |
| 5 | 5 |
<%= textilizable(issue, :description, :only_path => false) %> |
| 6 | 6 | |
| 7 |
<% if issue.attachments.any? %> |
|
| 7 |
<% if issue.attachments.any? && @att %>
|
|
| 8 | 8 |
<fieldset class="attachments"><legend><%= l(:label_attachment_plural) %></legend> |
| 9 | 9 |
<% issue.attachments.each do |attachment| %> |
| 10 | 10 |
<%= link_to_attachment attachment, :download => true, :only_path => false %> |
| app/views/mailer/_issue.text.erb | ||
|---|---|---|
| 5 | 5 |
---------------------------------------- |
| 6 | 6 |
<%= issue.description %> |
| 7 | 7 | |
| 8 |
<% if issue.attachments.any? -%> |
|
| 8 |
<% if issue.attachments.any? && @att -%>
|
|
| 9 | 9 |
---<%= l(:label_attachment_plural).ljust(37, '-') %> |
| 10 | 10 |
<% issue.attachments.each do |attachment| -%> |
| 11 | 11 |
<%= attachment.filename %> (<%= number_to_human_size(attachment.filesize) %>) |
| app/views/roles/_form.html.erb | ||
|---|---|---|
| 68 | 68 | |
| 69 | 69 |
<div id="role-permissions-trackers" class="view_issues_shown"> |
| 70 | 70 |
<h3><%= l(:label_issue_tracking) %></h3> |
| 71 |
<% permissions = [:view_issues, :add_issues, :edit_issues, :add_issue_notes, :delete_issues] & setable_permissions.collect(&:name) %> |
|
| 71 |
<% permissions = [:view_issues, :add_issues, :edit_issues, :add_issue_notes, :delete_issues, :view_attachments, :add_attachments, :edit_attachments, :delete_attachments] & setable_permissions.collect(&:name) %>
|
|
| 72 | 72 | |
| 73 | 73 |
<div class="autoscroll"> |
| 74 | 74 |
<table class="list"> |
| config/locales/en.yml | ||
|---|---|---|
| 509 | 509 |
permission_view_private_notes: View private notes |
| 510 | 510 |
permission_set_notes_private: Set notes as private |
| 511 | 511 |
permission_delete_issues: Delete issues |
| 512 |
permission_view_attachments: View attachments |
|
| 513 |
permission_add_attachments: Add attachments |
|
| 514 |
permission_edit_attachments: Edit attachments |
|
| 515 |
permission_delete_attachments: Delete attachments |
|
| 512 | 516 |
permission_manage_public_queries: Manage public queries |
| 513 | 517 |
permission_save_queries: Save queries |
| 514 | 518 |
permission_view_gantt: View gantt chart |
| config/locales/pt-BR.yml | ||
|---|---|---|
| 785 | 785 |
permission_manage_members: Gerenciar membros |
| 786 | 786 |
permission_edit_messages: Editar mensagens |
| 787 | 787 |
permission_delete_issues: Excluir tarefas |
| 788 |
permission_view_attachments: Ver arquivos anexos |
|
| 789 |
permission_add_attachments: Adicionar arquivos anexos |
|
| 790 |
permission_edit_attachments: Editar arquivos anexos |
|
| 791 |
permission_delete_attachments: Apagar arquivos anexos |
|
| 788 | 792 |
permission_view_issue_watchers: Ver lista de observadores |
| 789 | 793 |
permission_manage_repository: Gerenciar repositório |
| 790 | 794 |
permission_commit_access: Acesso do commit |
| db/migrate/20161215142110_add_attachments_permissions.rb | ||
|---|---|---|
| 1 |
class AddAttachmentsPermissions < ActiveRecord::Migration[4.2] |
|
| 2 |
def self.up |
|
| 3 |
Role.all.each do |r| |
|
| 4 |
r.add_permission!(:view_attachments) if r.has_permission?(:view_issues) |
|
| 5 |
r.add_permission!(:add_attachments) if r.has_permission?(:add_issues) |
|
| 6 |
r.add_permission!(:edit_attachments) if r.has_permission?(:edit_issues) |
|
| 7 |
r.add_permission!(:delete_attachments) if r.has_permission?(:delete_issues) |
|
| 8 |
end |
|
| 9 |
end |
|
| 10 | ||
| 11 |
def self.down |
|
| 12 |
Role.all.each do |r| |
|
| 13 |
r.remove_permission!(:view_attachments) |
|
| 14 |
r.remove_permission!(:add_attachments) |
|
| 15 |
r.remove_permission!(:edit_attachments) |
|
| 16 |
r.remove_permission!(:delete_attachments) |
|
| 17 |
end |
|
| 18 |
end |
|
| 19 |
end |
|
| lib/plugins/acts_as_searchable/lib/acts_as_searchable.rb | ||
|---|---|---|
| 136 | 136 |
r |= fetch_ranks_and_ids( |
| 137 | 137 |
search_scope(user, projects, options). |
| 138 | 138 |
joins(:attachments). |
| 139 |
where("#{Project.allowed_to_condition(user, :view_attachments)}", false).
|
|
| 139 | 140 |
where(search_tokens_condition(["#{Attachment.table_name}.filename", "#{Attachment.table_name}.description"], tokens, options[:all_words])),
|
| 140 | 141 |
options[:limit] |
| 141 | 142 |
) |
| lib/redmine.rb | ||
|---|---|---|
| 102 | 102 |
:queries => :index, |
| 103 | 103 |
:reports => [:issue_report, :issue_report_details]}, |
| 104 | 104 |
:read => true |
| 105 |
map.permission :add_issues, {:issues => [:new, :create], :attachments => :upload}
|
|
| 106 |
map.permission :edit_issues, {:issues => [:edit, :update, :bulk_edit, :bulk_update], :journals => [:new], :attachments => :upload}
|
|
| 107 |
map.permission :edit_own_issues, {:issues => [:edit, :update, :bulk_edit, :bulk_update], :journals => [:new], :attachments => :upload}
|
|
| 108 |
map.permission :copy_issues, {:issues => [:new, :create, :bulk_edit, :bulk_update], :attachments => :upload}
|
|
| 105 |
map.permission :add_issues, {:issues => [:new, :create]}
|
|
| 106 |
map.permission :edit_issues, {:issues => [:edit, :update, :bulk_edit, :bulk_update], :journals => [:new]}
|
|
| 107 |
map.permission :edit_own_issues, {:issues => [:edit, :update, :bulk_edit, :bulk_update], :journals => [:new]}
|
|
| 108 |
map.permission :copy_issues, {:issues => [:new, :create, :bulk_edit, :bulk_update]}
|
|
| 109 | 109 |
map.permission :manage_issue_relations, {:issue_relations => [:index, :show, :create, :destroy]}
|
| 110 | 110 |
map.permission :manage_subtasks, {}
|
| 111 | 111 |
map.permission :set_issues_private, {}
|
| 112 | 112 |
map.permission :set_own_issues_private, {}, :require => :loggedin
|
| 113 |
map.permission :add_issue_notes, {:issues => [:edit, :update], :journals => [:new], :attachments => :upload}
|
|
| 113 |
map.permission :add_issue_notes, {:issues => [:edit, :update], :journals => [:new]}
|
|
| 114 | 114 |
map.permission :edit_issue_notes, {:journals => [:edit, :update]}, :require => :loggedin
|
| 115 | 115 |
map.permission :edit_own_issue_notes, {:journals => [:edit, :update]}, :require => :loggedin
|
| 116 | 116 |
map.permission :view_private_notes, {}, :read => true, :require => :member
|
| 117 | 117 |
map.permission :set_notes_private, {}, :require => :member
|
| 118 | 118 |
map.permission :delete_issues, {:issues => :destroy}, :require => :member
|
| 119 |
# Attachments |
|
| 120 |
map.permission :add_attachments, {:attachments => :upload}
|
|
| 121 |
map.permission :view_attachments, {}
|
|
| 122 |
map.permission :edit_attachments, {}
|
|
| 123 |
map.permission :delete_attachments, {:attachments => :destroy}, :require => :member
|
|
| 119 | 124 |
# Watchers |
| 120 | 125 |
map.permission :view_issue_watchers, {}, :read => true
|
| 121 | 126 |
map.permission :add_issue_watchers, {:watchers => [:new, :create, :append, :autocomplete_for_user]}
|
| lib/redmine/export/pdf/issues_pdf_helper.rb | ||
|---|---|---|
| 236 | 236 |
end |
| 237 | 237 |
end |
| 238 | 238 | |
| 239 |
if issue.attachments.any? |
|
| 239 |
if issue.attachments.any? && issue.attachments_visible?(User.current)
|
|
| 240 | 240 |
pdf.SetFontStyle('B',9)
|
| 241 | 241 |
pdf.RDMCell(190,5, l(:label_attachment_plural), "B") |
| 242 | 242 |
pdf.ln |