Check permission before retrieving projects.

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@8532 e93f8b46-1217-0410-a6f0-8f06a7374b81
2012-01-07 12:39:26 +00:00 · 2012-01-07 12:39:26 +00:00 · 6539d04622
parent 81cf6b2343
commit 6539d04622
1 changed files with 4 additions and 2 deletions
--- a/app/models/issue.rb
+++ b/app/models/issue.rb
@ -246,8 +246,10 @@ class Issue < ActiveRecord::Base

  safe_attributes 'project_id',
    :if => lambda {|issue, user|
-      projects = Issue.allowed_target_projects_on_move(user)
-      projects.include?(issue.project) && projects.size > 1
+      if user.allowed_to?(:move_issues, issue.project)
+        projects = Issue.allowed_target_projects_on_move(user)
+        projects.include?(issue.project) && projects.size > 1
+      end
    }

  safe_attributes 'tracker_id',