Check project assignment on issue copy/move.
git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@8553 e93f8b46-1217-0410-a6f0-8f06a7374b81
parent
121bc44cc5
commit
2a55d37619
|
@ -311,7 +311,6 @@ class Issue < ActiveRecord::Base
|
||||||
# Should be called from controllers instead of #attributes=
|
# Should be called from controllers instead of #attributes=
|
||||||
# attr_accessible is too rough because we still want things like
|
# attr_accessible is too rough because we still want things like
|
||||||
# Issue.new(:project => foo) to work
|
# Issue.new(:project => foo) to work
|
||||||
# TODO: move workflow/permission checks from controllers to here
|
|
||||||
def safe_attributes=(attrs, user=User.current)
|
def safe_attributes=(attrs, user=User.current)
|
||||||
return unless attrs.is_a?(Hash)
|
return unless attrs.is_a?(Hash)
|
||||||
|
|
||||||
|
@ -321,9 +320,11 @@ class Issue < ActiveRecord::Base
|
||||||
|
|
||||||
# Project and Tracker must be set before since new_statuses_allowed_to depends on it.
|
# Project and Tracker must be set before since new_statuses_allowed_to depends on it.
|
||||||
if p = attrs.delete('project_id')
|
if p = attrs.delete('project_id')
|
||||||
self.project_id = p
|
if allowed_target_projects(user).collect(&:id).include?(p.to_i)
|
||||||
|
self.project_id = p
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
if t = attrs.delete('tracker_id')
|
if t = attrs.delete('tracker_id')
|
||||||
self.tracker_id = t
|
self.tracker_id = t
|
||||||
end
|
end
|
||||||
|
@ -769,7 +770,16 @@ class Issue < ActiveRecord::Base
|
||||||
end
|
end
|
||||||
# End ReportsController extraction
|
# End ReportsController extraction
|
||||||
|
|
||||||
# Returns an array of projects that current user can move issues to
|
# Returns an array of projects that user can assign the issue to
|
||||||
|
def allowed_target_projects(user=User.current)
|
||||||
|
if new_record?
|
||||||
|
Project.all(:conditions => Project.allowed_to_condition(user, :add_issues))
|
||||||
|
else
|
||||||
|
self.class.allowed_target_projects_on_move(user)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
# Returns an array of projects that user can move issues to
|
||||||
def self.allowed_target_projects_on_move(user=User.current)
|
def self.allowed_target_projects_on_move(user=User.current)
|
||||||
projects = []
|
projects = []
|
||||||
if user.admin?
|
if user.admin?
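Review bot: In `safe_attributes=`, the new guard calls `p.to_i` on the raw request value, so a non-scalar `project_id` (an array or hash parameter) would raise NoMethodError instead of being ignored like any other disallowed target. Guarding the conversion, e.g. `if p.respond_to?(:to_i) && allowed_target_projects(user).collect(&:id).include?(p.to_i)`, keeps the rejection path uniform. A rejected target is also dropped silently; a log line at that point would let operators notice requests that name a project the user may not assign issues to. The `tracker_id` assignment right below is still taken without a comparable check, which may be covered by validations outside this hunk. Both `safe_attributes=` and `allowed_target_projects_on_move` continue outside the hunks shown.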
|
||||||
|
|
|
@ -8,7 +8,7 @@
|
||||||
<% end %>
|
<% end %>
|
||||||
|
|
||||||
<% if @issue.safe_attribute? 'project_id' %>
|
<% if @issue.safe_attribute? 'project_id' %>
|
||||||
<p><%= f.select :project_id, project_tree_options_for_select(Issue.allowed_target_projects_on_move, :selected => @issue.project), :required => true %></p>
|
<p><%= f.select :project_id, project_tree_options_for_select(@issue.allowed_target_projects, :selected => @issue.project), :required => true %></p>
|
||||||
<%= observe_field :issue_project_id, :url => project_issue_form_path(@project, :id => @issue, :project_change => '1'),
|
<%= observe_field :issue_project_id, :url => project_issue_form_path(@project, :id => @issue, :project_change => '1'),
|
||||||
:with => "Form.serialize('issue-form')" %>
|
:with => "Form.serialize('issue-form')" %>
|
||||||
<% end %>
|
<% end %>
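Review bot: The select is now built from `@issue.allowed_target_projects` but keeps `:selected => @issue.project`, and nothing in this hunk guarantees that the issue's current project is in that list. If it is not (whether `safe_attribute? 'project_id'` rules that case out cannot be verified from here), the browser would preselect the first option and a plain save would submit a different project than the one the issue is in. A short comment above the select stating that precondition, or making sure the current project is always among the options, would make the assumption explicit.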
|
||||||
|
|
|
@ -1630,6 +1630,18 @@ class IssuesControllerTest < ActionController::TestCase
|
||||||
assert_tag 'input', :attributes => {:name => 'copy_from', :value => '1'}
|
assert_tag 'input', :attributes => {:name => 'copy_from', :value => '1'}
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def test_create_as_copy_on_project_without_permission_should_ignore_target_project
|
||||||
|
@request.session[:user_id] = 2
|
||||||
|
assert !User.find(2).member_of?(Project.find(4))
|
||||||
|
|
||||||
|
assert_difference 'Issue.count' do
|
||||||
|
post :create, :project_id => 1, :copy_from => 1,
|
||||||
|
:issue => {:project_id => '4', :tracker_id => '3', :status_id => '1', :subject => 'Copy'}
|
||||||
|
end
|
||||||
|
issue = Issue.first(:order => 'id DESC')
|
||||||
|
assert_equal 1, issue.project_id
|
||||||
|
end
|
||||||
|
|
||||||
def test_get_edit
|
def test_get_edit
|
||||||
@request.session[:user_id] = 2
|
@request.session[:user_id] = 2
|
||||||
get :edit, :id => 1
|
get :edit, :id => 1
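Review bot: The precondition in `test_create_as_copy_on_project_without_permission_should_ignore_target_project` asserts non-membership, while the model check it exercises filters on the `:add_issues` permission; if the fixtures ever let a non-member add issues to project 4, the test would fail for a reason the precondition does not explain. Asserting the permission directly, e.g. `assert !User.find(2).allowed_to?(:add_issues, Project.find(4))`, pins what the guard actually depends on. Only the create-as-copy path is covered; a companion test that updates an existing issue with a disallowed `project_id` would exercise the `else` branch of `allowed_target_projects`. `test_get_edit` continues outside the hunk.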
|
||||||
|
|