From 293cfbcfe42eae9ed790569f6ded455d3dab02e1 Mon Sep 17 00:00:00 2001 From: kumojima Date: Thu, 10 Oct 2024 17:34:03 +0900 Subject: prevent user without log_time permission accessing to time_entry import --- app/models/time_entry_import.rb | 2 +- app/views/timelog/index.html.erb | 2 +- test/functional/imports_controller_test.rb | 6 ++++++ 3 files changed, 8 insertions(+), 2 deletions(-) diff --git a/app/models/time_entry_import.rb b/app/models/time_entry_import.rb index a6d05f520..01fde3488 100644 --- a/app/models/time_entry_import.rb +++ b/app/models/time_entry_import.rb @@ -32,7 +32,7 @@ class TimeEntryImport < Import end def self.authorized?(user) - user.allowed_to?(:import_time_entries, nil, :global => true) + user.allowed_to?(:import_time_entries, nil, :global => true) && user.allowed_to?(:log_time, nil, :global => true) end # Returns the objects that were imported diff --git a/app/views/timelog/index.html.erb b/app/views/timelog/index.html.erb index ee7752a70..aa36ac058 100644 --- a/app/views/timelog/index.html.erb +++ b/app/views/timelog/index.html.erb @@ -3,7 +3,7 @@ _new_time_entry_path(@project, @query.filtered_issue_id), :class => 'icon icon-time-add' if User.current.allowed_to?(:log_time, @project, :global => true) %> <%= actions_dropdown do %> - <% if User.current.allowed_to?(:import_time_entries, @project, :global => true) %> + <% if User.current.allowed_to?(:import_time_entries, @project, :global => true) && User.current.allowed_to?(:log_time, @project, :global => true) %> <%= link_to icon_with_label('import', l(:button_import)), new_time_entries_import_path(:project_id => @project), :class => 'icon icon-import' %> <% end %> diff --git a/test/functional/imports_controller_test.rb b/test/functional/imports_controller_test.rb index b4022298a..4b94bfa7f 100644 --- a/test/functional/imports_controller_test.rb +++ b/test/functional/imports_controller_test.rb @@ -52,6 +52,12 @@ class ImportsControllerTest < Redmine::ControllerTest assert_select 'input[name=?][type=?][value=?]', 'project_id', 'hidden', 'subproject1' end + def test_new_time_entry_import_without_log_time_permission + Role.all.map { |role| role.remove_permission! :log_time } + get(:new, :params => {:type => 'TimeEntryImport', :project_id => 'subproject1'}) + assert_response :forbidden + end + def test_create_should_save_the_file import = new_record(Import) do post( -- 2.34.1