From 293cfbcfe42eae9ed790569f6ded455d3dab02e1 Mon Sep 17 00:00:00 2001
From: kumojima
Date: Thu, 10 Oct 2024 17:34:03 +0900
Subject: prevent user without log_time permission accessing to time_entry import
---
 app/models/time_entry_import.rb | 2 +-
 app/views/timelog/index.html.erb | 2 +-
 test/functional/imports_controller_test.rb | 6 ++++++
 3 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/app/models/time_entry_import.rb b/app/models/time_entry_import.rb
index a6d05f520..01fde3488 100644
--- a/app/models/time_entry_import.rb
+++ b/app/models/time_entry_import.rb
@@ -32,7 +32,7 @@ class TimeEntryImport < Import
 end
 def self.authorized?(user)
- user.allowed_to?(:import_time_entries, nil, :global => true)
+ user.allowed_to?(:import_time_entries, nil, :global => true) && user.allowed_to?(:log_time, nil, :global => true)
 end
 # Returns the objects that were imported
diff --git a/app/views/timelog/index.html.erb b/app/views/timelog/index.html.erb
index ee7752a70..aa36ac058 100644
--- a/app/views/timelog/index.html.erb
+++ b/app/views/timelog/index.html.erb
@@ -3,7 +3,7 @@ _new_time_entry_path(@project, @query.filtered_issue_id), :class => 'icon icon-time-add' if User.current.allowed_to?(:log_time, @project, :global => true) %>
 <%= actions_dropdown do %>
- <% if User.current.allowed_to?(:import_time_entries, @project, :global => true) %>
+ <% if User.current.allowed_to?(:import_time_entries, @project, :global => true) && User.current.allowed_to?(:log_time, @project, :global => true) %>
 <%= link_to icon_with_label('import', l(:button_import)), new_time_entries_import_path(:project_id => @project), :class => 'icon icon-import' %>
 <% end %>
diff --git a/test/functional/imports_controller_test.rb b/test/functional/imports_controller_test.rb
index b4022298a..4b94bfa7f 100644
--- a/test/functional/imports_controller_test.rb
+++ b/test/functional/imports_controller_test.rb
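Review bot: Both `allowed_to?` calls in the new `authorized?` body are scoped with `nil, :global => true`, so each is satisfied by any project in which the user holds that permission — not necessarily the same project for both, and not necessarily the project the import will write into — and the method should say so; I would add above the `def`: `# Entry gate only: both permissions are checked globally, so this does not prove the user may log time in the project the import targets — confirm the per-entry save path enforces that.` Whether the row-creation step later re-checks `log_time` against the target project is outside this hunk, so treat it as something to verify rather than assume. The `IssueImport.authorized?` hunk in the second patch has the same shape with `add_issues` and would take the same comment.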
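Review bot: The dropdown condition on the `+` line now restates, project-scoped, the permission pair that `TimeEntryImport.authorized?` checks globally, so the two lists will drift the next time either changes and the user would be shown a link that ends in a 403. A one-line ERB comment above the `if` keeps the pairing discoverable: `<%# mirrors TimeEntryImport.authorized?; keep both permission lists in sync %>`. The condition is also long enough to wrap, e.g. `<% if User.current.allowed_to?(:import_time_entries, @project, :global => true) &&` on one line and `User.current.allowed_to?(:log_time, @project, :global => true) %>` on the next. The `issues/index.html.erb` hunk in the second patch mirrors `IssueImport.authorized?` the same way and would take the same comment.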
@@ -52,6 +52,12 @@ class ImportsControllerTest < Redmine::ControllerTest
 assert_select 'input[name=?][type=?][value=?]', 'project_id', 'hidden', 'subproject1'
 end
+ def test_new_time_entry_import_without_log_time_permission
+ Role.all.map { |role| role.remove_permission! :log_time }
+ get(:new, :params => {:type => 'TimeEntryImport', :project_id => 'subproject1'})
+ assert_response :forbidden
+ end
+
 def test_create_should_save_the_file
 import = new_record(Import) do
 post(
-- 
2.34.1
From bccd7a9a6d1f191dbbcce413ebdc0ef9f702af05 Mon Sep 17 00:00:00 2001
From: kumojima
Date: Fri, 11 Oct 2024 23:44:56 +0900
Subject: prevent user without add_issues permission accessing to issue import
---
 app/models/issue_import.rb | 2 +-
 app/views/issues/index.html.erb | 2 +-
 test/functional/imports_controller_test.rb | 6 ++++++
 3 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/app/models/issue_import.rb b/app/models/issue_import.rb
index d7e0919d3..57305e38f 100644
--- a/app/models/issue_import.rb
+++ b/app/models/issue_import.rb
@@ -50,7 +50,7 @@ class IssueImport < Import
 end
 def self.authorized?(user)
- user.allowed_to?(:import_issues, nil, :global => true)
+ user.allowed_to?(:import_issues, nil, :global => true) && user.allowed_to?(:add_issues, nil, :global => true)
 end
 # Returns the objects that were imported
diff --git a/app/views/issues/index.html.erb b/app/views/issues/index.html.erb
index 9a8d63fac..f137160bc 100644
--- a/app/views/issues/index.html.erb
+++ b/app/views/issues/index.html.erb
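Review bot: `Role.all.map { |role| role.remove_permission! :log_time }` in the new test discards the mapped array, so `each` states the intent: `Role.all.each { |role| role.remove_permission! :log_time }`. The test also exercises only `:new`; a forbidden response there does not by itself show that later steps of the import flow are gated by the same `authorized?` rule, so a sibling assertion against the next action, or a direct assertion that `TimeEntryImport.authorized?` returns false for the logged-in user once `log_time` is removed, would pin the model-level check. Which user is logged in comes from the class setup, which is outside this hunk. The `test_new_issue_import_without_add_issues_permission` hunk in the second patch has the same `map`-for-`each` use and the same coverage gap.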
@@ -7,7 +7,7 @@
 <%= link_to icon_with_label('summary', l(:field_summary)), project_issues_report_path(@project), :class => 'icon icon-stats' %>
 <% end %>
- <% if User.current.allowed_to?(:import_issues, @project, :global => true) %>
+ <% if User.current.allowed_to?(:import_issues, @project, :global => true) && User.current.allowed_to?(:add_issues, @project, :global => true) %>
 <%= link_to icon_with_label('import', l(:button_import)), new_issues_import_path(:project_id => @project), :class => 'icon icon-import' %>
 <% end %>
diff --git a/test/functional/imports_controller_test.rb b/test/functional/imports_controller_test.rb
index 4b94bfa7f..ad1e1aade 100644
--- a/test/functional/imports_controller_test.rb
+++ b/test/functional/imports_controller_test.rb
@@ -52,6 +52,12 @@ class ImportsControllerTest < Redmine::ControllerTest
 assert_select 'input[name=?][type=?][value=?]', 'project_id', 'hidden', 'subproject1'
 end
+ def test_new_issue_import_without_add_issues_permission
+ Role.all.map { |role| role.remove_permission! :add_issues }
+ get(:new, :params => {:type => 'IssueImport', :project_id => 'subproject1'})
+ assert_response :forbidden
+ end
+
 def test_new_time_entry_import_without_log_time_permission
 Role.all.map { |role| role.remove_permission! :log_time }
 get(:new, :params => {:type => 'TimeEntryImport', :project_id => 'subproject1'})
-- 
2.34.1