Fixed that :view_time_entries permission allows time entry editing (#9405).

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@7920 e93f8b46-1217-0410-a6f0-8f06a7374b81

lib/redmine.rb

@@ -88,7 +88,7 @@ Redmine::AccessControl.map do |map|
   end
 
   map.project_module :time_tracking do |map|
-    map.permission :log_time, {:timelog => [:new, :create, :edit, :update, :bulk_edit, :bulk_update]}, :require => :loggedin
+    map.permission :log_time, {:timelog => [:new, :create]}, :require => :loggedin
     map.permission :view_time_entries, :timelog => [:index, :show], :time_entry_reports => [:report]
     map.permission :edit_time_entries, {:timelog => [:new, :create, :edit, :update, :destroy, :bulk_edit, :bulk_update]}, :require => :member
     map.permission :edit_own_time_entries, {:timelog => [:new, :create, :edit, :update, :destroy,:bulk_edit, :bulk_update]}, :require => :loggedin

test/functional/timelog_controller_test.rb

@@ -163,6 +163,9 @@ class TimelogControllerTest < ActionController::TestCase
 
   def test_bulk_update_on_different_projects
     @request.session[:user_id] = 2
+    # makes user a manager on the other project
+    Member.create!(:user_id => 2, :project_id => 3, :role_ids => [1])
+    
     # update time entry activity
     post :bulk_update, :ids => [1, 2, 4], :time_entry => { :activity_id => 9 }
 
@@ -205,6 +208,14 @@ class TimelogControllerTest < ActionController::TestCase
     assert_redirected_to :controller => 'timelog', :action => 'index', :project_id => Project.find(1).identifier
   end
 
+  def test_post_bulk_update_without_edit_permission_should_be_denied
+    @request.session[:user_id] = 2
+    Role.find_by_name('Manager').remove_permission! :edit_time_entries
+    post :bulk_update, :ids => [1,2]
+
+    assert_response 403
+  end
+
   def test_destroy
     @request.session[:user_id] = 2
     delete :destroy, :id => 1