Anonymous users should always see public issues only (#11872).

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@10437 e93f8b46-1217-0410-a6f0-8f06a7374b81
2012-09-20 19:26:58 +00:00 · 2012-09-20 19:26:58 +00:00 · 5328c4adcb
commit 5328c4adcb
parent 30b3e796ff
4 changed files with 34 additions and 19 deletions
--- a/app/models/issue.rb
+++ b/app/models/issue.rb
@ -84,25 +84,21 @@ class Issue < ActiveRecord::Base
  # Returns a SQL conditions string used to find all issues visible by the specified user
  def self.visible_condition(user, options={})
    Project.allowed_to_condition(user, :view_issues, options) do |role, user|
-      case role.issues_visibility
+      if user.logged?
-      when 'all'
+        case role.issues_visibility
-        nil
+        when 'all'
-      when 'default'
+          nil
-        if user.logged?
+        when 'default'
          user_ids = [user.id] + user.groups.map(&:id)
          "(#{table_name}.is_private = #{connection.quoted_false} OR #{table_name}.author_id = #{user.id} OR #{table_name}.assigned_to_id IN (#{user_ids.join(',')}))"
-        else
+        when 'own'
          "(#{table_name}.is_private = #{connection.quoted_false})"
        end
      when 'own'
        if user.logged?
          user_ids = [user.id] + user.groups.map(&:id)
          "(#{table_name}.author_id = #{user.id} OR #{table_name}.assigned_to_id IN (#{user_ids.join(',')}))"
        else
          '1=0'
        end
      else
-        '1=0'
+        "(#{table_name}.is_private = #{connection.quoted_false})"
      end
    end
  end
@ -110,15 +106,19 @@ class Issue < ActiveRecord::Base
  # Returns true if usr or current user is allowed to view the issue
  def visible?(usr=nil)
    (usr || User.current).allowed_to?(:view_issues, self.project) do |role, user|
-      case role.issues_visibility
+      if user.logged?
-      when 'all'
+        case role.issues_visibility
-        true
+        when 'all'
-      when 'default'
+          true
-        !self.is_private? || (user.logged? && (self.author == user || user.is_or_belongs_to?(assigned_to)))
+        when 'default'
-      when 'own'
+          !self.is_private? || (self.author == user || user.is_or_belongs_to?(assigned_to))
-        user.logged? && (self.author == user || user.is_or_belongs_to?(assigned_to))
+        when 'own'
          self.author == user || user.is_or_belongs_to?(assigned_to)
        else
          false
        end
      else
-        false
+        !self.is_private?
      end
    end
  end
--- a/app/models/role.rb
+++ b/app/models/role.rb
@ -133,6 +133,11 @@ class Role < ActiveRecord::Base
    self.builtin != 0
  end
  # Return true if the role is the anonymous role
  def anonymous?
    builtin == 2
  end
  # Return true if the role is a project member role
  def member?
    !self.builtin?
--- a/app/views/roles/_form.html.erb
+++ b/app/views/roles/_form.html.erb
@ -1,5 +1,6 @@
 <%= error_messages_for 'role' %>
 <% unless @role.anonymous? %>
 <div class="box tabular">
 <% unless @role.builtin? %>
 <p><%= f.text_field :name, :required => true %></p>
@ -11,6 +12,7 @@
 <%= select_tag(:copy_workflow_from, content_tag("option") + options_from_collection_for_select(@roles, :id, :name, params[:copy_workflow_from] || @copy_from.try(:id))) %></p>
 <% end %>
 </div>
 <% end %>
 <h3><%= l(:label_permissions) %></h3>
 <div class="box tabular" id="permissions">
--- a/test/functional/roles_controller_test.rb
+++ b/test/functional/roles_controller_test.rb
@ -110,6 +110,14 @@ class RolesControllerTest < ActionController::TestCase
    assert_response :success
    assert_template 'edit'
    assert_equal Role.find(1), assigns(:role)
    assert_select 'select[name=?]', 'role[issues_visibility]'
  end
  def test_edit_anonymous
    get :edit, :id => Role.anonymous.id
    assert_response :success
    assert_template 'edit'
    assert_select 'select[name=?]', 'role[issues_visibility]', 0
  end
  def test_edit_invalid_should_respond_with_404