Feature #2653 » redmine_own_v.2.patch
| redmine/app/controllers/issues_controller.rb 2010-07-19 19:52:43.152810115 +0400 | ||
|---|---|---|
| 111 | 111 |
end |
| 112 | 112 |
|
| 113 | 113 |
def show |
| 114 |
return render_403 if !@issue.visible? |
|
| 114 | 115 |
@journals = @issue.journals.find(:all, :include => [:user, :details], :order => "#{Journal.table_name}.created_on ASC")
|
| 115 | 116 |
@journals.each_with_index {|j,i| j.indice = i+1}
|
| 116 | 117 |
@journals.reverse! if User.current.wants_comments_in_reverse_order? |
| redmine/app/models/issue.rb 2010-07-19 19:52:43.153809953 +0400 | ||
|---|---|---|
| 74 | 74 |
after_destroy :update_parent_attributes |
| 75 | 75 |
|
| 76 | 76 |
# Returns true if usr or current user is allowed to view the issue |
| 77 |
def visible?(usr=nil)
|
|
| 78 |
(usr || User.current).allowed_to?(:view_issues, self.project)
|
|
| 77 |
def visible?(user=User.current)
|
|
| 78 |
user.allowed_to?(:view_issues, self.project) || user.allowed_to?(:add_issues, self.project) && (author == user || assigned_to == user || watched_by?(user))
|
|
| 79 | 79 |
end |
| 80 | 80 |
|
| 81 | 81 |
def after_initialize |
| redmine/app/models/query.rb 2010-07-19 19:52:43.153809953 +0400 | ||
|---|---|---|
| 373 | 373 |
group_by_column.groupable |
| 374 | 374 |
end |
| 375 | 375 |
|
| 376 |
def project_statement |
|
| 376 |
def project_statement(own=nil)
|
|
| 377 | 377 |
project_clauses = [] |
| 378 | 378 |
if project && !@project.descendants.active.empty? |
| 379 | 379 |
ids = [project.id] |
| ... | ... | |
| 395 | 395 |
elsif project |
| 396 | 396 |
project_clauses << "#{Project.table_name}.id = %d" % project.id
|
| 397 | 397 |
end |
| 398 |
project_clauses << Project.allowed_to_condition(User.current, :view_issues) |
|
| 398 |
if own |
|
| 399 |
wt = Watcher.table_name |
|
| 400 |
uc = User.current.id.to_s |
|
| 401 |
project_clauses << '('+Project.allowed_to_condition(User.current, :view_issues)+' OR '+Project.allowed_to_condition(User.current, :add_issues)+
|
|
| 402 |
" AND (#{Issue.table_name}.author_id=#{uc} OR "+
|
|
| 403 |
"#{Issue.table_name}.assigned_to_id=#{uc} OR "+
|
|
| 404 |
"#{Issue.table_name}.id IN (SELECT #{wt}.watchable_id FROM #{wt} WHERE #{wt}.watchable_type='Issue' AND user_id=#{uc}))"+")"
|
|
| 405 |
else |
|
| 406 |
project_clauses << Project.allowed_to_condition(User.current, :view_issues) |
|
| 407 |
end |
|
| 399 | 408 |
project_clauses.join(' AND ')
|
| 400 | 409 |
end |
| 401 | 410 | |
| ... | ... | |
| 436 | 445 |
|
| 437 | 446 |
end if filters and valid? |
| 438 | 447 |
|
| 439 |
(filters_clauses << project_statement).join(' AND ')
|
|
| 448 |
(filters_clauses << project_statement(true)).join(' AND ')
|
|
| 440 | 449 |
end |
| 441 | 450 |
|
| 442 | 451 |
# Returns the issue count |
| redmine/app/models/user.rb 2010-07-19 19:52:43.154809701 +0400 | ||
|---|---|---|
| 311 | 311 |
|
| 312 | 312 |
roles = roles_for_project(project) |
| 313 | 313 |
return false unless roles |
| 314 |
roles.detect {|role| (project.is_public? || role.member?) && role.allowed_to?(action)}
|
|
| 314 |
roles.any? {|role| (project.is_public? || role.member?) && role.allowed_to?(action)}
|
|
| 315 | 315 |
|
| 316 | 316 |
elsif options[:global] |
| 317 | 317 |
# Admin users are always authorized |
| ... | ... | |
| 319 | 319 |
|
| 320 | 320 |
# authorize if user has at least one role that has this permission |
| 321 | 321 |
roles = memberships.collect {|m| m.roles}.flatten.uniq
|
| 322 |
roles.detect {|r| r.allowed_to?(action)} || (self.logged? ? Role.non_member.allowed_to?(action) : Role.anonymous.allowed_to?(action))
|
|
| 322 |
roles.any? {|r| r.allowed_to?(action)} || (self.logged? ? Role.non_member.allowed_to?(action) : Role.anonymous.allowed_to?(action))
|
|
| 323 | 323 |
else |
| 324 | 324 |
false |
| 325 | 325 |
end |
| redmine/lib/redmine.rb 2010-07-19 20:02:20.146205829 +0400 | ||
|---|---|---|
| 44 | 44 | |
| 45 | 45 |
# Permissions |
| 46 | 46 |
Redmine::AccessControl.map do |map| |
| 47 |
map.permission :view_project, {:projects => [:show, :activity]}, :public => true
|
|
| 47 |
map.permission :view_project, {:projects => :show}, :public => true
|
|
| 48 | 48 |
map.permission :search_project, {:search => :index}, :public => true
|
| 49 | 49 |
map.permission :add_project, {:projects => :add}, :require => :loggedin
|
| 50 | 50 |
map.permission :edit_project, {:projects => [:settings, :edit]}, :require => :member
|
| ... | ... | |
| 57 | 57 |
# Issue categories |
| 58 | 58 |
map.permission :manage_categories, {:projects => :settings, :issue_categories => [:new, :edit, :destroy]}, :require => :member
|
| 59 | 59 |
# Issues |
| 60 |
map.permission :view_issues, {:projects => :roadmap,
|
|
| 60 |
map.permission :view_issues, {:projects => [:roadmap, :activity],
|
|
| 61 | 61 |
:issues => [:index, :changes, :show, :context_menu, :auto_complete], |
| 62 | 62 |
:versions => [:show, :status_by], |
| 63 | 63 |
:queries => :index, |
| 64 | 64 |
:reports => [:issue_report, :issue_report_details]} |
| 65 |
map.permission :add_issues, {:issues => [:new, :create, :update_form]}
|
|
| 65 |
map.permission :add_issues, {:issues => [:new, :create, :update_form, :index, :show]}
|
|
| 66 | 66 |
map.permission :edit_issues, {:issues => [:edit, :update, :reply, :bulk_edit, :update_form]}
|
| 67 | 67 |
map.permission :manage_issue_relations, {:issue_relations => [:new, :destroy]}
|
| 68 | 68 |
map.permission :manage_subtasks, {}
|
| ... | ... | |
| 94 | 94 |
map.project_module :news do |map| |
| 95 | 95 |
map.permission :manage_news, {:news => [:new, :edit, :destroy, :destroy_comment]}, :require => :member
|
| 96 | 96 |
map.permission :view_news, {:news => [:index, :show]}, :public => true
|
| 97 |
map.permission :comment_news, {:news => :add_comment}
|
|
| 97 |
map.permission :comment_news, {:projects => :activity, :news => :add_comment}
|
|
| 98 | 98 |
end |
| 99 | 99 | |
| 100 | 100 |
map.project_module :documents do |map| |
| ... | ... | |
| 121 | 121 |
|
| 122 | 122 |
map.project_module :repository do |map| |
| 123 | 123 |
map.permission :manage_repository, {:repositories => [:edit, :committers, :destroy]}, :require => :member
|
| 124 |
map.permission :browse_repository, :repositories => [:show, :browse, :entry, :annotate, :changes, :diff, :stats, :graph] |
|
| 125 |
map.permission :view_changesets, :repositories => [:show, :revisions, :revision] |
|
| 124 |
map.permission :browse_repository, :projects => :activity, :repositories => [:show, :browse, :entry, :annotate, :changes, :diff, :stats, :graph]
|
|
| 125 |
map.permission :view_changesets, :projects => :activity, :repositories => [:show, :revisions, :revision]
|
|
| 126 | 126 |
map.permission :commit_access, {}
|
| 127 | 127 |
end |
| 128 | 128 | |
| 129 | 129 |
map.project_module :boards do |map| |
| 130 | 130 |
map.permission :manage_boards, {:boards => [:new, :edit, :destroy]}, :require => :member
|
| 131 | 131 |
map.permission :view_messages, {:boards => [:index, :show], :messages => [:show]}, :public => true
|
| 132 |
map.permission :add_messages, {:messages => [:new, :reply, :quote]}
|
|
| 132 |
map.permission :add_messages, {:projects => :activity, :messages => [:new, :reply, :quote]}
|
|
| 133 | 133 |
map.permission :edit_messages, {:messages => :edit}, :require => :member
|
| 134 | 134 |
map.permission :edit_own_messages, {:messages => :edit}, :require => :loggedin
|
| 135 | 135 |
map.permission :delete_messages, {:messages => :destroy}, :require => :member
|
| redmine/test/fixtures/issues.yml 2010-07-20 10:06:05.350916308 +0400 | ||
|---|---|---|
| 102 | 102 |
category_id: |
| 103 | 103 |
description: This is an issue of a private subproject of cookbook |
| 104 | 104 |
tracker_id: 1 |
| 105 |
assigned_to_id: |
|
| 105 |
assigned_to_id: 12
|
|
| 106 | 106 |
author_id: 2 |
| 107 | 107 |
status_id: 1 |
| 108 | 108 |
start_date: <%= Date.today.to_s(:db) %> |
| 109 |
due_date: <%= 1.days.from_now.to_date.to_s(:db) %> |
|
| 110 | 109 |
root_id: 6 |
| 111 | 110 |
lft: 1 |
| 112 | 111 |
rgt: 2 |
| ... | ... | |
| 243 | 242 |
root_id: 13 |
| 244 | 243 |
lft: 1 |
| 245 | 244 |
rgt: 2 |
| 245 |
issues_014: |
|
| 246 |
created_on: <%= 5.days.ago.to_date.to_s(:db) %> |
|
| 247 |
project_id: 5 |
|
| 248 |
updated_on: <%= 2.days.ago.to_date.to_s(:db) %> |
|
| 249 |
priority_id: 5 |
|
| 250 |
subject: Test own message |
|
| 251 |
id: 14 |
|
| 252 |
fixed_version_id: |
|
| 253 |
category_id: |
|
| 254 |
description: Test own message |
|
| 255 |
tracker_id: 1 |
|
| 256 |
assigned_to_id: |
|
| 257 |
author_id: 12 |
|
| 258 |
status_id: 1 |
|
| 259 |
root_id: 14 |
|
| 260 |
lft: 1 |
|
| 261 |
rgt: 2 |
|
| redmine/test/fixtures/member_roles.yml 2010-07-19 19:52:43.156809242 +0400 | ||
|---|---|---|
| 47 | 47 |
role_id: 2 |
| 48 | 48 |
member_id: 10 |
| 49 | 49 |
inherited_from: 10 |
| 50 |
member_roles_012: |
|
| 51 |
id: 12 |
|
| 52 |
role_id: 6 |
|
| 53 |
member_id: 11 |
|
| 54 |
inherited_from: 11 |
|
| redmine/test/fixtures/members.yml 2010-07-19 19:52:43.157808960 +0400 | ||
|---|---|---|
| 60 | 60 |
project_id: 2 |
| 61 | 61 |
user_id: 8 |
| 62 | 62 |
mail_notification: false |
| 63 |
members_011: |
|
| 64 |
id: 11 |
|
| 65 |
created_on: 2006-07-19 19:35:33 +02:00 |
|
| 66 |
project_id: 5 |
|
| 67 |
user_id: 12 |
|
| 68 |
mail_notification: false |
|
| redmine/test/fixtures/roles.yml 2010-07-19 19:52:43.157808960 +0400 | ||
|---|---|---|
| 184 | 184 |
- :view_changesets |
| 185 | 185 | |
| 186 | 186 |
position: 5 |
| 187 |
roles_006: |
|
| 188 |
name: Reporter2 |
|
| 189 |
id: 6 |
|
| 190 |
builtin: 0 |
|
| 191 |
permissions: | |
|
| 192 |
--- |
|
| 193 |
- :add_issues |
|
| 194 | ||
| 195 |
position: 6 |
|
| 187 | 196 | |
| redmine/test/fixtures/users.yml 2010-07-19 19:52:43.157808960 +0400 | ||
|---|---|---|
| 152 | 152 |
id: 11 |
| 153 | 153 |
lastname: B Team |
| 154 | 154 |
type: Group |
| 155 |
users_012: |
|
| 156 |
id: 12 |
|
| 157 |
created_on: 2006-07-19 19:33:19 +02:00 |
|
| 158 |
status: 1 |
|
| 159 |
last_login_on: |
|
| 160 |
language: 'ru' |
|
| 161 |
hashed_password: 1 |
|
| 162 |
updated_on: 2006-07-19 19:33:19 +02:00 |
|
| 163 |
admin: false |
|
| 164 |
mail: vasia@foo.bar |
|
| 165 |
lastname: Vasia |
|
| 166 |
firstname: Pupkin |
|
| 167 |
auth_source_id: |
|
| 168 |
mail_notification: false |
|
| 169 |
login: vasia |
|
| 170 |
type: User |
|
| 155 | 171 | |
| 156 | 172 |
|
| redmine/test/fixtures/watchers.yml 2010-07-19 19:52:43.158808811 +0400 | ||
|---|---|---|
| 11 | 11 |
watchable_type: Issue |
| 12 | 12 |
watchable_id: 2 |
| 13 | 13 |
user_id: 1 |
| 14 |
watchers_004: |
|
| 15 |
watchable_type: Issue |
|
| 16 |
watchable_id: 9 |
|
| 17 |
user_id: 12 |
|
| 14 | 18 |
|
| redmine/test/functional/issues_controller_test.rb 2010-07-19 19:52:43.159808650 +0400 | ||
|---|---|---|
| 284 | 284 |
|
| 285 | 285 |
def test_show_should_deny_member_access_without_permission |
| 286 | 286 |
Role.find(1).remove_permission!(:view_issues) |
| 287 |
Role.find(1).remove_permission!(:add_issues) |
|
| 287 | 288 |
@request.session[:user_id] = 2 |
| 288 | 289 |
get :show, :id => 1 |
| 289 | 290 |
assert_response 403 |
| ... | ... | |
| 320 | 321 |
assert_not_nil assigns(:issue) |
| 321 | 322 |
end |
| 322 | 323 | |
| 324 |
def test_show_own_issue_by_author |
|
| 325 |
@request.session[:user_id] = 12 |
|
| 326 |
get :show, :id => 14 |
|
| 327 |
assert_response :success |
|
| 328 |
end |
|
| 329 | ||
| 330 |
def test_show_own_issue_by_assigned |
|
| 331 |
@request.session[:user_id] = 12 |
|
| 332 |
get :show, :id => 6 |
|
| 333 |
assert_response :success |
|
| 334 |
end |
|
| 335 | ||
| 336 |
def test_show_own_issue_by_watcher |
|
| 337 |
@request.session[:user_id] = 12 |
|
| 338 |
get :show, :id => 9 |
|
| 339 |
assert_response :success |
|
| 340 |
end |
|
| 341 | ||
| 342 |
def test_show_should_deny_access_without_permission |
|
| 343 |
@request.session[:user_id] = 12 |
|
| 344 |
get :show, :id => 10 |
|
| 345 |
assert_response 403 |
|
| 346 |
end |
|
| 347 | ||
| 323 | 348 |
def test_get_new |
| 324 | 349 |
@request.session[:user_id] = 2 |
| 325 | 350 |
get :new, :project_id => 1, :tracker_id => 1 |
| redmine/test/unit/attachment_test.rb 2010-07-19 19:52:43.159808650 +0400 | ||
|---|---|---|
| 20 | 20 |
require File.dirname(__FILE__) + '/../test_helper' |
| 21 | 21 | |
| 22 | 22 |
class AttachmentTest < ActiveSupport::TestCase |
| 23 |
fixtures :issues, :users |
|
| 23 |
fixtures :issues, :users, :watchers
|
|
| 24 | 24 |
|
| 25 | 25 |
def setup |
| 26 | 26 |
end |
| ... | ... | |
| 82 | 82 |
end |
| 83 | 83 |
end |
| 84 | 84 |
end |
| 85 |
|
|
| 86 |
def test_visible_file_for_issue |
|
| 87 |
# Set "Add issue", unset "View issue" on default for user #12 |
|
| 88 |
# author |
|
| 89 |
a = Attachment.new(:container => Issue.find(14), :file => uploaded_test_file("testfile.txt", ""), :author => User.find(2))
|
|
| 90 |
assert a.save |
|
| 91 |
assert_equal true, a.visible?(User.find(12)) |
|
| 92 |
# assigned to |
|
| 93 |
a = Attachment.new(:container => Issue.find(6), :file => uploaded_test_file("testfile.txt", ""), :author => User.find(2))
|
|
| 94 |
assert a.save |
|
| 95 |
assert_equal true, a.visible?(User.find(12)) |
|
| 96 |
# watcher |
|
| 97 |
a = Attachment.new(:container => Issue.find(9), :file => uploaded_test_file("testfile.txt", ""), :author => User.find(2))
|
|
| 98 |
assert a.save |
|
| 99 |
assert_equal true, a.visible?(User.find(12)) |
|
| 100 |
# other |
|
| 101 |
a = Attachment.new(:container => Issue.find(10), :file => uploaded_test_file("testfile.txt", ""), :author => User.find(2))
|
|
| 102 |
assert a.save |
|
| 103 |
assert_equal false, a.visible?(User.find(12)) |
|
| 104 |
Role.find(6).add_permission!(:view_issues) |
|
| 105 |
assert_equal true, a.visible?(User.find(12)) |
|
| 106 |
end |
|
| 85 | 107 |
end |
| redmine/test/unit/issue_test.rb 2010-07-20 10:15:46.843804404 +0400 | ||
|---|---|---|
| 106 | 106 |
assert issues.detect {|issue| !issue.project.is_public?}
|
| 107 | 107 |
end |
| 108 | 108 |
|
| 109 |
def test_visible |
|
| 110 |
user=User.find(12) |
|
| 111 |
issue = Issue.new(:project_id => 5, :tracker_id => 1, :author_id => 2, :status_id => 1, :priority => IssuePriority.all.first, :subject => 'test_own', :description => 'IssueTest#test_own', :estimated_hours => '5:30') |
|
| 112 |
assert issue.save |
|
| 113 |
issue.reload |
|
| 114 |
# Test for user, with "View_issue" |
|
| 115 |
assert_equal true, issue.visible?(User.find(8)) |
|
| 116 |
# Test for user, without "View issue", but with "Add issue" |
|
| 117 |
assert_equal false, issue.visible?(user) |
|
| 118 |
# Test for assinged user |
|
| 119 |
issue.assigned_to=user |
|
| 120 |
assert_equal true, issue.visible?(user) |
|
| 121 |
# Test for watcher |
|
| 122 |
issue.assigned_to=nil |
|
| 123 |
issue.add_watcher(user) |
|
| 124 |
assert_equal true, issue.visible?(user) |
|
| 125 |
# Test for author |
|
| 126 |
issue = Issue.new(:project_id => 5, :tracker_id => 1, :author_id => 12, :status_id => 1, :priority => IssuePriority.all.first, :subject => 'test_own', :description => 'IssueTest#test_own', :estimated_hours => '5:30') |
|
| 127 |
assert issue.save |
|
| 128 |
issue.reload |
|
| 129 |
assert_equal true, issue.visible?(user) |
|
| 130 |
end |
|
| 131 | ||
| 109 | 132 |
def test_errors_full_messages_should_include_custom_fields_errors |
| 110 | 133 |
field = IssueCustomField.find_by_name('Database')
|
| 111 | 134 |
|
| ... | ... | |
| 665 | 688 |
test "#by_subproject" do |
| 666 | 689 |
groups = Issue.by_subproject(Project.find(1)) |
| 667 | 690 |
assert_equal 2, groups.size |
| 668 |
assert_equal 5, groups.inject(0) {|sum, group| sum + group['total'].to_i}
|
|
| 691 |
assert_equal 6, groups.inject(0) {|sum, group| sum + group['total'].to_i}
|
|
| 669 | 692 |
end |
| 670 | 693 |
|
| 671 | 694 |
|
| redmine/test/unit/mailer_test.rb 2010-07-19 19:52:43.160809678 +0400 | ||
|---|---|---|
| 235 | 235 |
user = User.find(9) |
| 236 | 236 |
Watcher.create!(:watchable => @issue, :user => user) |
| 237 | 237 |
Role.non_member.remove_permission!(:view_issues) |
| 238 |
Role.non_member.remove_permission!(:add_issues) |
|
| 238 | 239 |
assert Mailer.deliver_issue_add(@issue) |
| 239 | 240 |
assert !last_email.bcc.include?(user.mail) |
| 240 | 241 |
end |
| redmine/vendor/plugins/acts_as_attachable/lib/acts_as_attachable.rb 2010-07-19 19:52:43.161808229 +0400 | ||
|---|---|---|
| 44 | 44 |
end |
| 45 | 45 |
|
| 46 | 46 |
def attachments_visible?(user=User.current) |
| 47 |
user.allowed_to?(self.class.attachable_options[:view_permission], self.project) |
|
| 47 |
user.allowed_to?(self.class.attachable_options[:view_permission], self.project) || is_a?(Issue) && self.visible?(user)
|
|
| 48 | 48 |
end |
| 49 | 49 |
|
| 50 | 50 |
def attachments_deletable?(user=User.current) |