From 6539d04622fb66f1fd895cdf2a5200eec861d43c Mon Sep 17 00:00:00 2001 From: Jean-Philippe Lang Date: Sat, 7 Jan 2012 12:39:26 +0000 Subject: [PATCH] Check permission before retrieving projects. git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@8532 e93f8b46-1217-0410-a6f0-8f06a7374b81 --- app/models/issue.rb | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/app/models/issue.rb b/app/models/issue.rb index 16707f8ad..c9892c6f1 100644 --- a/app/models/issue.rb +++ b/app/models/issue.rb @@ -246,8 +246,10 @@ class Issue < ActiveRecord::Base safe_attributes 'project_id', :if => lambda {|issue, user| - projects = Issue.allowed_target_projects_on_move(user) - projects.include?(issue.project) && projects.size > 1 + if user.allowed_to?(:move_issues, issue.project) + projects = Issue.allowed_target_projects_on_move(user) + projects.include?(issue.project) && projects.size > 1 + end } safe_attributes 'tracker_id',