0002-Fixed-attachments-deletable-by-user-without-edit-per.patch

Marius BALTEANU, 2021-08-01 13:32

Download (2.62 KB)

View differences:

app/models/issue.rb
209 209
    user_tracker_permission?(user, :delete_issues)
210 210
  end
211 211

  
212
  # Overrides Redmine::Acts::Attachable::InstanceMethods#attachments_deletable?
213
  def attachments_deletable?(user=User.current)
214
    attributes_editable?(user)
215
  end
216

  
212 217
  def initialize(attributes=nil, *args)
213 218
    super
214 219
    if new_record?
test/functional/attachments_controller_test.rb
744 744
    assert_response 302
745 745
    assert Attachment.find_by_id(3)
746 746
  end
747

  
748
  def test_destroy_issue_attachment_by_user_without_edit_issue_permission_on_tracker
749
    role = Role.find(2)
750
    role.set_permission_trackers 'edit_issues', [2, 3]
751
    role.save!
752

  
753
    @request.session[:user_id] = 2
754

  
755
    set_tmp_attachments_directory
756
    assert_no_difference 'Attachment.count' do
757
      delete(
758
        :destroy,
759
        :params => {
760
          :id => 7
761
        }
762
      )
763
    end
764

  
765
    assert_response 403
766
    assert Attachment.find_by_id(7)
767
  end
747 768
end
test/functional/issues_controller_test.rb
3170 3170
      assert_select 'div.attachments .icon-edit',  0
3171 3171
  end
3172 3172

  
3173
  def test_show_should_not_display_delete_attachment_icon_for_user_without_edit_issue_permission_on_tracker
3174
    role = Role.find(2)
3175
    role.set_permission_trackers 'edit_issues', [2, 3]
3176
    role.save!
3177

  
3178
    @request.session[:user_id] = 2
3179

  
3180
    get :show, params: {id: 4}
3181

  
3182
    assert_response :success
3183
    assert_select 'div.attachments .icon-del', 0
3184
  end
3185

  
3173 3186
  def test_get_new
3174 3187
    @request.session[:user_id] = 2
3175 3188
    get(
3176
-