Anonymous users should not see private issues with anonymous author (#11872).
git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@10433 e93f8b46-1217-0410-a6f0-8f06a7374b81
parent
fa2fe3e1e8
commit
59d8ae61ef
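--- a/<path-not-shown-on-page>
+++ b/<path-not-shown-on-page>
@@ -88,11 +88,19 @@ class Issue < ActiveRecord::Base
 when 'all'
 nil
 when 'default'
-user_ids = [user.id] + user.groups.map(&:id)
-"(#{table_name}.is_private = #{connection.quoted_false} OR #{table_name}.author_id = #{user.id} OR #{table_name}.assigned_to_id IN (#{user_ids.join(',')}))"
+if user.logged?
+user_ids = [user.id] + user.groups.map(&:id)
+"(#{table_name}.is_private = #{connection.quoted_false} OR #{table_name}.author_id = #{user.id} OR #{table_name}.assigned_to_id IN (#{user_ids.join(',')}))"
+else
+"(#{table_name}.is_private = #{connection.quoted_false})"
+end
 when 'own'
-user_ids = [user.id] + user.groups.map(&:id)
-"(#{table_name}.author_id = #{user.id} OR #{table_name}.assigned_to_id IN (#{user_ids.join(',')}))"
+if user.logged?
+user_ids = [user.id] + user.groups.map(&:id)
+"(#{table_name}.author_id = #{user.id} OR #{table_name}.assigned_to_id IN (#{user_ids.join(',')}))"
+else
+'1=0'
+end
 else
 '1=0'
 end
@@ -106,9 +114,9 @@ class Issue < ActiveRecord::Base
 when 'all'
 true
 when 'default'
-!self.is_private? || self.author == user || user.is_or_belongs_to?(assigned_to)
+!self.is_private? || (user.logged? && (self.author == user || user.is_or_belongs_to?(assigned_to)))
 when 'own'
-self.author == user || user.is_or_belongs_to?(assigned_to)
+user.logged? && (self.author == user || user.is_or_belongs_to?(assigned_to))
 else
 false
 end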
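Review bot: The new `if user.logged?` guards in the 'default' and 'own' branches of the scope, and the matching `user.logged? &&` conjunctions in visible?, carry no comment saying why an author_id or assigned_to_id match must not grant access to an anonymous user, which is the whole point of the change. The fix presumably exists because every anonymous visitor resolves to the same user record (the commit title and the new tests build issues authored by User.anonymous), so a one-line comment such as `# anonymous visitors presumably share one user record, so author/assignee matches only count for logged-in users` above each guard would stop a later maintainer from "simplifying" the condition away. The same rule is now encoded twice, once as SQL in the scope and once in Ruby in visible?, so the comment belongs at both places to keep them in sync. The interpolated `user.id` and group ids are record ids rather than request input, so the string-built SQL is not an injection point here, but passing them through `connection.quote` would make that explicit. Both case expressions and their enclosing methods begin outside the hunks.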
@ -25,7 +25,7 @@ class IssueTest < ActiveSupport::TestCase
|
||||||
:versions,
|
:versions,
|
||||||
:issue_statuses, :issue_categories, :issue_relations, :workflows,
|
:issue_statuses, :issue_categories, :issue_relations, :workflows,
|
||||||
:enumerations,
|
:enumerations,
|
||||||
:issues,
|
:issues, :journals, :journal_details,
|
||||||
:custom_fields, :custom_fields_projects, :custom_fields_trackers, :custom_values,
|
:custom_fields, :custom_fields_projects, :custom_fields_trackers, :custom_values,
|
||||||
:time_entries
|
:time_entries
|
||||||
|
|
||||||
|
@ -105,18 +105,6 @@ class IssueTest < ActiveSupport::TestCase
|
||||||
assert_visibility_match User.anonymous, issues
|
assert_visibility_match User.anonymous, issues
|
||||||
end
|
end
|
||||||
|
|
||||||
def test_visible_scope_for_anonymous_with_own_issues_visibility
|
|
||||||
Role.anonymous.update_attribute :issues_visibility, 'own'
|
|
||||||
Issue.create!(:project_id => 1, :tracker_id => 1,
|
|
||||||
:author_id => User.anonymous.id,
|
|
||||||
:subject => 'Issue by anonymous')
|
|
||||||
|
|
||||||
issues = Issue.visible(User.anonymous).all
|
|
||||||
assert issues.any?
|
|
||||||
assert_nil issues.detect {|issue| issue.author != User.anonymous}
|
|
||||||
assert_visibility_match User.anonymous, issues
|
|
||||||
end
|
|
||||||
|
|
||||||
def test_visible_scope_for_anonymous_without_view_issues_permissions
|
def test_visible_scope_for_anonymous_without_view_issues_permissions
|
||||||
# Anonymous user should not see issues without permission
|
# Anonymous user should not see issues without permission
|
||||||
Role.anonymous.remove_permission!(:view_issues)
|
Role.anonymous.remove_permission!(:view_issues)
|
||||||
|
@ -125,6 +113,20 @@ class IssueTest < ActiveSupport::TestCase
|
||||||
assert_visibility_match User.anonymous, issues
|
assert_visibility_match User.anonymous, issues
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def test_anonymous_should_not_see_private_issues_with_issues_visibility_set_to_default
|
||||||
|
assert Role.anonymous.update_attribute(:issues_visibility, 'default')
|
||||||
|
issue = Issue.generate_for_project!(Project.find(1), :author => User.anonymous, :assigned_to => User.anonymous, :is_private => true)
|
||||||
|
assert_nil Issue.where(:id => issue.id).visible(User.anonymous).first
|
||||||
|
assert !issue.visible?(User.anonymous)
|
||||||
|
end
|
||||||
|
|
||||||
|
def test_anonymous_should_not_see_private_issues_with_issues_visibility_set_to_own
|
||||||
|
assert Role.anonymous.update_attribute(:issues_visibility, 'own')
|
||||||
|
issue = Issue.generate_for_project!(Project.find(1), :author => User.anonymous, :assigned_to => User.anonymous, :is_private => true)
|
||||||
|
assert_nil Issue.where(:id => issue.id).visible(User.anonymous).first
|
||||||
|
assert !issue.visible?(User.anonymous)
|
||||||
|
end
|
||||||
|
|
||||||
def test_visible_scope_for_non_member
|
def test_visible_scope_for_non_member
|
||||||
user = User.find(9)
|
user = User.find(9)
|
||||||
assert user.projects.empty?
|
assert user.projects.empty?
|
||||||
|
|
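Review bot: The two new tests in the last hunk only pin the private-issue case, while the deleted test_visible_scope_for_anonymous_with_own_issues_visibility earlier in this file was the only coverage of what anonymous sees under 'own' visibility, which after this commit is nothing at all (the scope returns '1=0'). One assertion after `assert Role.anonymous.update_attribute(:issues_visibility, 'own')`, e.g. `assert Issue.visible(User.anonymous).all.empty?`, would document that intended behaviour and catch a regression that re-opened anonymous-authored public issues. Both new tests also share the same issue setup line; a small helper or a `setup`-style local would keep the fixture in one place. The enclosing IssueTest class continues outside these hunks.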