diff --git a/app/controllers/issues_controller.rb b/app/controllers/issues_controller.rb
index 69a947b03..6fec51944 100644
--- a/app/controllers/issues_controller.rb
+++ b/app/controllers/issues_controller.rb
@@ -126,7 +126,7 @@ class IssuesController < ApplicationController
raise ::Unauthorized
end
call_hook(:controller_issues_new_before_save, { :params => params, :issue => @issue })
- @issue.save_attachments(params[:attachments] || (params[:issue] && params[:issue][:uploads]))
+ @issue.save_attachments(params[:attachments] || (params[:issue] && params[:issue][:uploads])) if User.current.allowed_to?(:edit_attachments, @issue.project)
if @issue.save
call_hook(:controller_issues_new_after_save, { :params => params, :issue => @issue})
respond_to do |format|
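Review bot: The new guard on the `save_attachments` line silently discards uploads when the user lacks `:edit_attachments`; a direct POST or an API client sending `uploads` gets a successful create with no attachments and no error. The lines just above already answer a missing permission with `raise ::Unauthorized`, so the same response fits here: `uploads = params[:attachments] || (params[:issue] && params[:issue][:uploads])`, `raise ::Unauthorized if uploads.present? && !User.current.allowed_to?(:edit_attachments, @issue.project)`, `@issue.save_attachments(uploads)`. If `allowed_to?` returns false for a nil project (as it does for non-global permissions in stock Redmine), an issue without a project also drops its uploads, which may be intended but deserves a comment. The enclosing `create` action begins and ends outside this hunk.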
@@ -523,6 +523,7 @@ class IssuesController < ApplicationController
@issue.safe_attributes = attrs
if @issue.project
+ @issue.attachments = [] unless User.current.allowed_to?(:edit_attachments, @issue.project)
@issue.tracker ||= @issue.allowed_target_trackers.first
if @issue.tracker.nil?
if @issue.project.trackers.any?
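Review bot: The added `@issue.attachments = []` line needs a comment explaining why it exists alongside the check this diff adds to `Issue#copy_from`: the model gates copying on `:view_attachments` in the source project, this line on `:edit_attachments` in the target project, and a reader seeing only one of them will assume it is redundant. Suggested: `# Attachments copied from the source issue are dropped when the user cannot add attachments to the target project`. As far as the hunk shows this method builds an unsaved issue, so the assignment only clears in-memory copies; on a persisted record `attachments = []` would delete rows, so the comment should state that assumption. The enclosing method starts and ends outside this hunk.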
diff --git a/app/models/issue.rb b/app/models/issue.rb
index b20da8d91..4f8bd521f 100644
--- a/app/models/issue.rb
+++ b/app/models/issue.rb
@@ -38,7 +38,8 @@ class Issue < ActiveRecord::Base
has_many :relations_from, :class_name => 'IssueRelation', :foreign_key => 'issue_from_id', :dependent => :delete_all
has_many :relations_to, :class_name => 'IssueRelation', :foreign_key => 'issue_to_id', :dependent => :delete_all
- acts_as_attachable :after_add => :attachment_added, :after_remove => :attachment_removed
+ acts_as_attachable :after_add => :attachment_added, :after_remove => :attachment_removed,
+ :view_permission => :view_attachments, :edit_permission => :edit_attachments, :delete_permission => :delete_attachments
acts_as_customizable
acts_as_watchable
acts_as_searchable :columns => ['subject', "#{table_name}.description"],
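Review bot: The three permission symbols added to the `acts_as_attachable` line are not declared anywhere in this diff; if `:view_attachments`, `:edit_attachments` and `:delete_attachments` are not registered in `Redmine::AccessControl` and granted to existing roles, `Role#allowed_to?` returns false for every non-admin user and all issue attachments become invisible and uneditable after deploy. Please add the declarations (and the default-role update or migration) to the same change, and indent the continuation line under the `acts_as_attachable` arguments. Once these options are set, acts_as_attachable's `attachments_visible?` / `attachments_editable?` helpers encode exactly these checks, so the repeated `User.current.allowed_to?(:view_attachments, @project)` literals in show.html.erb, show.api.rsb and new.html.erb, and the `:edit_attachments` checks in the controller, could become `@issue.attachments_visible?` / `@issue.attachments_editable?`, keeping the permission name in one place.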
@@ -273,7 +274,7 @@ class Issue < ActiveRecord::Base
self.status = issue.status
end
self.author = User.current
- unless options[:attachments] == false
+ if options[:attachments] == true && User.current.allowed_to?(:view_attachments, issue.project)
self.attachments = issue.attachments.map do |attachement|
attachement.copy(:container => self)
end
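Review bot: The new condition flips the default: `unless options[:attachments] == false` copied attachments when the option was omitted, while `if options[:attachments] == true && …` copies them only when a caller passes `true` explicitly, so any caller relying on the old default (for example `Issue#copy` with empty options, if it still delegates here) silently loses attachments. If only the permission check was intended, keep the default: `if options[:attachments] != false && User.current.allowed_to?(:view_attachments, issue.project)`. Consider `issue.attachments_visible?` in place of the literal permission so the source issue's visibility is honored as well. `copy_from` starts and ends outside this hunk.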
diff --git a/app/models/journal.rb b/app/models/journal.rb
index ce3f9d0b3..e19e667dc 100644
--- a/app/models/journal.rb
+++ b/app/models/journal.rb
@@ -88,6 +88,8 @@ class Journal < ActiveRecord::Base
detail.custom_field && detail.custom_field.visible_by?(project, user)
elsif detail.property == 'relation'
Issue.find_by_id(detail.value || detail.old_value).try(:visible?, user)
+ elsif detail.property == 'attachment'
+ user.allowed_to?(:view_attachments, project)
else
true
end
diff --git a/app/models/mailer.rb b/app/models/mailer.rb
index 58fe1d5f7..71cd0d93d 100644
--- a/app/models/mailer.rb
+++ b/app/models/mailer.rb
@@ -93,7 +93,7 @@ class Mailer < ActionMailer::Base
end
# Builds a mail for notifying user about an issue update
- def issue_edit(user, journal)
+ def issue_edit(user, journal, att=false)
issue = journal.journalized
redmine_headers 'Project' => issue.project.identifier,
'Issue-Id' => issue.id,
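Review bot: The new third parameter `att=false` is a positional boolean with an opaque name, and it looks redundant: `issue_edit` already has `user` and `issue`, so it can compute `@att = user.allowed_to?(:view_attachments, issue.project)` (or `issue.attachments_visible?(user)`) itself, which removes this parameter, the `@att = att` assignment in the next hunk, and the `reload` plus extended call in `deliver_issue_edit`. If the parameter must stay, give it a descriptive keyword form, `def issue_edit(user, journal, attachments_visible: false)`. The method body continues beyond this hunk.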
@@ -110,6 +110,7 @@ class Mailer < ActionMailer::Base
@journal = journal
@journal_details = journal.visible_details
@issue_url = url_for(:controller => 'issues', :action => 'show', :id => issue, :anchor => "change-#{journal.id}")
+ @att = att
mail :to => user,
:subject => s
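Review bot: `@att = att` feeds the `@att` check this diff adds to `app/views/mailer/_issue.html.erb`, but that is a partial; in stock Redmine `issue_add` renders the same partial and does not set `@att`, so new-issue notifications would stop listing attachments for every recipient because `nil` is falsy. Either set the variable in every mail that renders the partial, or have the partial derive the check from locals it already receives, e.g. `issue.attachments_visible?(user)` if the recipient is available there. Please confirm which mails render `_issue` before merging.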
@@ -120,12 +121,13 @@ class Mailer < ActionMailer::Base
# Example:
# Mailer.deliver_issue_edit(journal)
def self.deliver_issue_edit(journal)
+ issue = journal.journalized.reload
users = journal.notified_users | journal.notified_watchers
users.select! do |user|
journal.notes? || journal.visible_details(user).any?
end
users.each do |user|
- issue_edit(user, journal).deliver_later
+ issue_edit(user, journal, user.allowed_to?(:view_attachments, issue.project)).deliver_later
end
end
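Review bot: `issue = journal.journalized.reload` adds a database round-trip to every notification and discards any in-memory state on the journalized issue, and nothing in the hunk shows why a fresh load is needed just to read `issue.project`. If staleness is not a real concern, `issue = journal.journalized` is enough; if it is, a comment should say which attribute can be stale. Note also that `deliver_later` serializes the new boolean with `user` and `journal`, so the permission is evaluated at enqueue time rather than at delivery.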
diff --git a/app/views/issues/_edit.html.erb b/app/views/issues/_edit.html.erb
index 3afaee4ca..218e7d173 100644
--- a/app/views/issues/_edit.html.erb
+++ b/app/views/issues/_edit.html.erb
@@ -39,6 +39,7 @@
<%= call_hook(:view_issues_edit_notes_bottom, { :issue => @issue, :notes => @notes, :form => f }) %>
+ <% if User.current.allowed_to?(:edit_attachments, @project) %>
+ <% end %>
<% end %>
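Review bot: As shown, the new `<% if User.current.allowed_to?(:edit_attachments, @project) %>` / `<% end %>` pair in `_edit.html.erb` wraps nothing; the hunk header counts seven new lines but only four are visible, so the attachments form line was probably lost in extraction — please confirm the `attachments/form` render sits inside the conditional, as it does in `new.html.erb` in this diff. For consistency with the model options, `@issue.attachments_editable?` would express the same check without repeating the permission name in the view.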
diff --git a/app/views/issues/new.html.erb b/app/views/issues/new.html.erb
index 22a174a11..9bb5bee04 100644
--- a/app/views/issues/new.html.erb
+++ b/app/views/issues/new.html.erb
@@ -17,7 +17,7 @@
<%= check_box_tag 'link_copy', '1', @link_copy %>
<% end %>
- <% if @copy_from && @copy_from.attachments.any? %>
+ <% if @copy_from && @copy_from.attachments.any? && User.current.allowed_to?(:view_attachments, @copy_from.project) %>
<%= check_box_tag 'copy_attachments', '1', @copy_attachments %>
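Review bot: On the copy-attachments condition, `@copy_from.attachments.any?` runs the attachments query before the permission check; placing `User.current.allowed_to?(:view_attachments, @copy_from.project)` first short-circuits for users who cannot see them and reads in the order a reviewer reasons about it. This check also duplicates the one this diff adds to `Issue#copy_from`, which is fine for hiding the checkbox but should be noted in a comment so no one removes one believing the other covers it.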
@@ -30,7 +30,9 @@
<% end %>
+ <% if User.current.allowed_to?(:edit_attachments, @project) %>
<%= render :partial => 'attachments/form', :locals => {:container => @issue} %>
+ <% end %>
<%= render :partial => 'issues/watchers_form' %>
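Review bot: The view gates the upload form on `@project`, while the `create` action in this diff gates `save_attachments` on `@issue.project`; on the new-issue form the project can be changed through the form, so the two can differ and a user may be shown the form only to have the uploads dropped on submit (or the reverse). Use the same object in both places, `User.current.allowed_to?(:edit_attachments, @issue.project)` here, or `@issue.attachments_editable?` once the acts_as_attachable options land.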
diff --git a/app/views/issues/show.api.rsb b/app/views/issues/show.api.rsb
index f474ed9c6..1fecc10d1 100644
--- a/app/views/issues/show.api.rsb
+++ b/app/views/issues/show.api.rsb
@@ -35,7 +35,7 @@ api.issue do
@issue.attachments.each do |attachment|
render_api_attachment(attachment, api)
end
- end if include_in_api_response?('attachments')
+ end if include_in_api_response?('attachments') && User.current.allowed_to?(:view_attachments, @project)
api.array :relations do
@relations.each do |relation|
diff --git a/app/views/issues/show.html.erb b/app/views/issues/show.html.erb
index a11a24df6..c6885641d 100644
--- a/app/views/issues/show.html.erb
+++ b/app/views/issues/show.html.erb
@@ -88,10 +88,10 @@ end %>
<% end %>
-<% if @issue.attachments.any? %>
+<% if @issue.attachments.any? && (User.current.allowed_to?(:view_attachments, @project)) %>
<%=l(:label_attachment_plural)%>
- <%= link_to_attachments @issue, :thumbnails => true %>
+ <%= link_to_attachments @issue, :thumbnails => true if User.current.allowed_to?(:view_attachments, @project) %>
<% end %>
<%= render_full_width_custom_fields_rows(@issue) %>
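Review bot: The `if User.current.allowed_to?(:view_attachments, @project)` modifier on the `link_to_attachments` line is dead: that line is already inside the `<% if … && (User.current.allowed_to?(:view_attachments, @project)) %>` block two lines above, so the second check can never be false there. Drop the modifier and the redundant parentheses: `<% if @issue.attachments.any? && User.current.allowed_to?(:view_attachments, @project) %>` and `<%= link_to_attachments @issue, :thumbnails => true %>`.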
diff --git a/app/views/mailer/_issue.html.erb b/app/views/mailer/_issue.html.erb
index 58287c658..7a5dd515a 100644
--- a/app/views/mailer/_issue.html.erb
+++ b/app/views/mailer/_issue.html.erb
@@ -4,7 +4,7 @@
<%= textilizable(issue, :description, :only_path => false) %>
-<% if issue.attachments.any? %>
+<% if issue.attachments.any? && @att %>