diff --git a/app/controllers/issues_controller.rb b/app/controllers/issues_controller.rb
index c640aad..36e794d 100644
--- a/app/controllers/issues_controller.rb
+++ b/app/controllers/issues_controller.rb
@@ -136,7 +136,7 @@ class IssuesController < ApplicationController
raise ::Unauthorized
end
call_hook(:controller_issues_new_before_save, { :params => params, :issue => @issue })
- @issue.save_attachments(params[:attachments] || (params[:issue] && params[:issue][:uploads]))
+ @issue.save_attachments(params[:attachments] || (params[:issue] && params[:issue][:uploads])) if User.current.allowed_to?(:edit_attachments, @issue.project)
if @issue.save
call_hook(:controller_issues_new_after_save, { :params => params, :issue => @issue})
respond_to do |format|
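Review bot: The new guard on the `save_attachments` line silently discards any files the client submitted when `User.current` lacks `:edit_attachments`, so the request still succeeds and the uploader never learns the files were dropped. The method already rejects unauthorized requests with `raise ::Unauthorized` a few lines above, and the consistent choice is to do the same here when uploads were actually sent: `uploads = params[:attachments] || (params[:issue] && params[:issue][:uploads])`, `raise ::Unauthorized if uploads.present? && !User.current.allowed_to?(:edit_attachments, @issue.project)`, `@issue.save_attachments(uploads)`. This also removes the duplicated params expression. The enclosing action starts and ends outside the hunk.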
@@ -474,6 +474,7 @@ class IssuesController < ApplicationController
@issue.safe_attributes = attrs
if @issue.project
+ @issue.attachments = [] unless User.current.allowed_to?(:edit_attachments, @issue.project)
@issue.tracker ||= @issue.allowed_target_trackers.first
if @issue.tracker.nil?
if @issue.project.trackers.any?
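Review bot: Assigning `@issue.attachments = []` is safe only while `@issue` is unsaved; on a persisted issue a `has_many` replacement with `[]` removes the existing attachment records (destroying or orphaning them depending on the association's `:dependent` option), which would turn a missing permission into data loss. The enclosing method starts and ends outside the hunk, so I cannot tell from here whether it is ever reached with a persisted record; guarding explicitly costs nothing: `@issue.attachments = [] if @issue.new_record? && !User.current.allowed_to?(:edit_attachments, @issue.project)`. A one-line comment saying the intent is to drop attachments copied from another issue would also help the next reader.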
diff --git a/app/models/issue.rb b/app/models/issue.rb
index 58d51e1..e664f4e 100644
--- a/app/models/issue.rb
+++ b/app/models/issue.rb
@@ -43,7 +43,8 @@ class Issue < ActiveRecord::Base
has_many :relations_from, :class_name => 'IssueRelation', :foreign_key => 'issue_from_id', :dependent => :delete_all
has_many :relations_to, :class_name => 'IssueRelation', :foreign_key => 'issue_to_id', :dependent => :delete_all
- acts_as_attachable :after_add => :attachment_added, :after_remove => :attachment_removed
+ acts_as_attachable :after_add => :attachment_added, :after_remove => :attachment_removed,
+ :view_permission => :view_attachments, :edit_permission => :edit_attachments, :delete_permission => :delete_attachments
acts_as_customizable
acts_as_watchable
acts_as_searchable :columns => ['subject', "#{table_name}.description"],
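Review bot: The permission symbols introduced here (`:view_attachments`, `:edit_attachments`, `:delete_attachments`) are not declared anywhere in this diff; in Redmine a permission that is not registered in the project module definition is not grantable to any role, so `allowed_to?` will evaluate false for every non-admin and the rest of this change would hide attachments from all regular users. If the declarations live in a file not shown here, fine, but the commit description should say so. The continuation line at L30 should also be indented under `acts_as_attachable` so the option list reads as one call.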
@@ -265,7 +266,7 @@ class Issue < ActiveRecord::Base
self.custom_field_values = issue.custom_field_values.inject({}) {|h,v| h[v.custom_field_id] = v.value; h}
self.status = issue.status
self.author = User.current
- unless options[:attachments] == false
+ if options[:attachments] == true && User.current.allowed_to?(:view_attachments, issue.project)
self.attachments = issue.attachments.map do |attachement|
attachement.copy(:container => self)
end
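Review bot: Replacing `unless options[:attachments] == false` with `if options[:attachments] == true` flips the default: callers that do not pass `:attachments` at all previously got the attachments copied and now silently get none, and a truthy-but-not-`true` value (for example `"1"` from a checkbox param) is also rejected. If the goal is only to add the permission check, keep the old default with `if options[:attachments] != false && User.current.allowed_to?(:view_attachments, issue.project)`; if opt-in is intended, document it in the method's comment so callers outside this diff are updated. The enclosing `copy_from` method starts and ends outside the hunk.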
diff --git a/app/models/journal.rb b/app/models/journal.rb
index 927f86f..36f8f22 100644
--- a/app/models/journal.rb
+++ b/app/models/journal.rb
@@ -74,6 +74,8 @@ class Journal < ActiveRecord::Base
detail.custom_field && detail.custom_field.visible_by?(project, user)
elsif detail.property == 'relation'
Issue.find_by_id(detail.value || detail.old_value).try(:visible?, user)
+ elsif detail.property == 'attachment'
+ user.allowed_to?(:view_attachments, project)
else
true
end
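Review bot: The new `'attachment'` branch calls `user.allowed_to?` directly, whereas the neighbouring `'relation'` branch goes through `try`/`visible?`, which in Redmine tolerates a nil user by falling back to `User.current`; if `visible_details` can be called with `nil` here, the new branch raises `NoMethodError` instead of hiding the detail. A defensive form is `(user || User.current).allowed_to?(:view_attachments, project)` — hedged, since the method signature is outside the hunk. A short comment such as `# attachment details expose file names; require view permission on the project` would explain why this property is special-cased.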
diff --git a/app/models/mailer.rb b/app/models/mailer.rb
index fe02792..6261669 100644
--- a/app/models/mailer.rb
+++ b/app/models/mailer.rb
@@ -66,7 +66,7 @@ class Mailer < ActionMailer::Base
end
# Builds a mail for notifying to_users and cc_users about an issue update
- def issue_edit(journal, to_users, cc_users)
+ def issue_edit(journal, to_users, cc_users, att=false)
issue = journal.journalized
redmine_headers 'Project' => issue.project.identifier,
'Issue-Id' => issue.id,
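Review bot: The new positional boolean `att=false` is unreadable at the call site (`Mailer.issue_edit(journal, a, b, true)` says nothing about what `true` does) and the name `att` does not say whether it means "include attachments" or "has attachments". A descriptive name, `def issue_edit(journal, to_users, cc_users, include_attachments = false)`, with the two call sites in `deliver_issue_edit` updated accordingly, fixes that without changing behaviour; a keyword argument would be better still if the supported Ruby version allows it. The comment above the method should also mention the flag, e.g. `# include_attachments selects whether attachment links are rendered; recipients must be pre-filtered by :view_attachments`.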
@@ -83,6 +83,7 @@ class Mailer < ActionMailer::Base
@journal = journal
@journal_details = journal.visible_details(@users.first)
@issue_url = url_for(:controller => 'issues', :action => 'show', :id => issue, :anchor => "change-#{journal.id}")
+ @att = att
mail :to => to_users,
:cc => cc_users,
:subject => s
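Review bot: `@journal_details = journal.visible_details(@users.first)` now decides, via the new attachment branch in `Journal`, whether attachment details appear for every recipient of this mail based on the first recipient alone, and `@att` is likewise one flag for the whole recipient list. That is only correct because `deliver_issue_edit` splits recipients by `:view_attachments` before calling this method, which is an invariant a future caller can easily break. Please record it next to the assignment: `# @att and visible_details(@users.first) assume all recipients share the same :view_attachments permission; see deliver_issue_edit`. The method starts outside the hunk.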
@@ -91,11 +92,18 @@ class Mailer < ActionMailer::Base
# Notifies users about an issue update
def self.deliver_issue_edit(journal)
issue = journal.journalized.reload
- to = journal.notified_users
- cc = journal.notified_watchers - to
+ toa = journal.notified_users.select{|user| user.allowed_to?(:view_attachments, issue.project)}
+ cca = journal.notified_watchers.select{|user| user.allowed_to?(:view_attachments, issue.project)} - toa
+ to = journal.notified_users - toa
+ cc = journal.notified_watchers - to - toa - cca
journal.each_notification(to + cc) do |users|
issue.each_notification(users) do |users2|
- Mailer.issue_edit(journal, to & users2, cc & users2).deliver
+ Mailer.issue_edit(journal, to & users2, cc & users2, false).deliver
+ end
+ end
+ journal.each_notification(toa + cca) do |users|
+ issue.each_notification(users) do |users2|
+ Mailer.issue_edit(journal, toa & users2, cca & users2, true).deliver
end
end
end
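Review bot: The four set expressions at L82–L85 run the same `allowed_to?` block twice over overlapping lists and then recover the complements with chained subtractions, which makes it hard to see that every user lands in exactly one of `to`, `toa`, `cc`, `cca`. `Enumerable#partition` expresses the split directly and yields the same four sets (watchers that are also notified users are removed before partitioning, exactly as `- to - toa` did). The duplicated loop pair could then call a small helper, but the rewrite below keeps the loops as they are.
```ruby
    issue = journal.journalized.reload
    can_view = ->(user) { user.allowed_to?(:view_attachments, issue.project) }
    toa, to = journal.notified_users.partition(&can_view)
    cca, cc = (journal.notified_watchers - journal.notified_users).partition(&can_view)
    # … unchanged: the two each_notification loops delivering with false and true …
```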
diff --git a/app/views/issues/_edit.html.erb b/app/views/issues/_edit.html.erb
index 67e3324..d90657e 100644
--- a/app/views/issues/_edit.html.erb
+++ b/app/views/issues/_edit.html.erb
@@ -35,13 +35,15 @@
<% if @issue.safe_attribute? 'private_notes' %>
<%= f.check_box :private_notes, :no_label => true %>
<% end %>
-
+
<%= call_hook(:view_issues_edit_notes_bottom, { :issue => @issue, :notes => @notes, :form => f }) %>
-
+
+ <% if User.current.allowed_to?(:edit_attachments, @project) %>
+ <% end %>
<% end %>
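Review bot: Hiding the attachments form behind `User.current.allowed_to?(:edit_attachments, @project)` is a presentation change only; the controller hunks in this diff gate `save_attachments` on the create path alone, so unless the update path is covered elsewhere a request that still carries `attachments[]` or `issue[uploads]` will be accepted for an issue edit regardless of the permission. The server-side check should be applied wherever `save_attachments` is called for updates, with the view guard as a convenience on top. As shown, the new `<% if %>` at L111 also encloses nothing before its `<% end %>`; if the `attachments/form` render was dropped by extraction that is fine, otherwise the guard gates no content.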
diff --git a/app/views/issues/new.html.erb b/app/views/issues/new.html.erb
index c93a1fc..87f7cf2 100644
--- a/app/views/issues/new.html.erb
+++ b/app/views/issues/new.html.erb
@@ -17,7 +17,7 @@
<%= check_box_tag 'link_copy', '1', @link_copy %>
<% end %>
- <% if @copy_from && @copy_from.attachments.any? %>
+ <% if @copy_from && @copy_from.attachments.any? && User.current.allowed_to?(:view_attachments, @copy_from.project) %>
<%= check_box_tag 'copy_attachments', '1', @copy_attachments %>
@@ -30,7 +30,9 @@
<% end %>
+ <% if User.current.allowed_to?(:edit_attachments, @project) %>
<%= render :partial => 'attachments/form', :locals => {:container => @issue} %>
+ <% end %>
<% if @issue.safe_attribute? 'watcher_user_ids' -%>
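Review bot: The view checks `:edit_attachments` against `@project`, while the controller checks it against `@issue.project`; on the new-issue form the project can be changed through the form itself, so the two can differ and the form would be shown for a project where the upload is then refused (or hidden where it would be allowed). Using the same object in both places, `<% if User.current.allowed_to?(:edit_attachments, @issue.project) %>`, keeps the decision consistent; the same applies to the `@project` checks added in `show.html.erb` and `show.api.rsb`. The surrounding form block starts and ends outside the hunk.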
diff --git a/app/views/issues/show.api.rsb b/app/views/issues/show.api.rsb
index f474ed9..1fecc10 100644
--- a/app/views/issues/show.api.rsb
+++ b/app/views/issues/show.api.rsb
@@ -35,7 +35,7 @@ api.issue do
@issue.attachments.each do |attachment|
render_api_attachment(attachment, api)
end
- end if include_in_api_response?('attachments')
+ end if include_in_api_response?('attachments') && User.current.allowed_to?(:view_attachments, @project)
api.array :relations do
@relations.each do |relation|
diff --git a/app/views/issues/show.html.erb b/app/views/issues/show.html.erb
index 2cbff32..ff9440a 100644
--- a/app/views/issues/show.html.erb
+++ b/app/views/issues/show.html.erb
@@ -72,7 +72,7 @@ end %>
<%= call_hook(:view_issues_show_details_bottom, :issue => @issue) %>
-<% if @issue.description? || @issue.attachments.any? -%>
+<% if @issue.description? || (@issue.attachments.any? && User.current.allowed_to?(:view_attachments, @project)) -%>
<% if @issue.description? %>
@@ -86,7 +86,7 @@ end %>
<% end %>
-<%= link_to_attachments @issue, :thumbnails => true %>
+<%= link_to_attachments @issue, :thumbnails => true if User.current.allowed_to?(:view_attachments, @project) %>
<% end -%>
<%= call_hook(:view_issues_show_description_bottom, :issue => @issue) %>
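Review bot: `<%= link_to_attachments @issue, :thumbnails => true if User.current.allowed_to?(...) %>` relies on the modifier `if` binding to the whole unparenthesised call with a trailing hash argument, which parses correctly but reads as if the condition applied to `:thumbnails => true`. The same permission is now evaluated twice in this template (here and at L149); compute it once near the top of the view, `<% can_view_attachments = User.current.allowed_to?(:view_attachments, @project) %>`, and write this line as `<%= link_to_attachments(@issue, :thumbnails => true) if can_view_attachments %>`. That also makes the two branches visibly use the same decision.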
diff --git a/app/views/mailer/_issue.html.erb b/app/views/mailer/_issue.html.erb
index 9461d84..c74ed8d 100644
--- a/app/views/mailer/_issue.html.erb
+++ b/app/views/mailer/_issue.html.erb
@@ -4,7 +4,7 @@
<%= textilizable(issue, :description, :only_path => false) %>
-<% if issue.attachments.any? %>
+<% if issue.attachments.any? && @att %>