Adds 2 permissions (closes #859):

* edit_time_entries: lets a user edit/delete any time entry
* edit_own_time_entries: lets a user edit/delete its own time entries only

git-svn-id: http://redmine.rubyforge.org/svn/trunk@1249 e93f8b46-1217-0410-a6f0-8f06a7374b81
This commit is contained in:
Jean-Philippe Lang 2008-03-14 21:17:09 +00:00
parent 4957752d12
commit 993b60d61e
8 changed files with 76 additions and 8 deletions

View File

@ -20,6 +20,8 @@ class TimelogController < ApplicationController
menu_item :issues
before_filter :find_project, :authorize
verify :method => :post, :only => :destroy, :redirect_to => { :action => :details }
helper :sort
include SortHelper
helper :issues
@ -198,16 +200,24 @@ class TimelogController < ApplicationController
end
def edit
render_404 and return if @time_entry && @time_entry.user != User.current
render_403 and return if @time_entry && !@time_entry.editable_by?(User.current)
@time_entry ||= TimeEntry.new(:project => @project, :issue => @issue, :user => User.current, :spent_on => Date.today)
@time_entry.attributes = params[:time_entry]
if request.post? and @time_entry.save
flash[:notice] = l(:notice_successful_update)
redirect_to :action => 'details', :project_id => @time_entry.project, :issue_id => @time_entry.issue
redirect_to :action => 'details', :project_id => @time_entry.project
return
end
@activities = Enumeration::get_values('ACTI')
end
def destroy
render_404 and return unless @time_entry
render_403 and return unless @time_entry.editable_by?(User.current)
@time_entry.destroy
flash[:notice] = l(:notice_successful_delete)
redirect_to :action => 'details', :project_id => @time_entry.project
end
private
def find_project
@ -223,5 +233,7 @@ private
render_404
return false
end
rescue ActiveRecord::RecordNotFound
render_404
end
end

View File

@ -50,7 +50,7 @@ class TimeEntry < ActiveRecord::Base
# Returns true if the time entry can be edited by usr, otherwise false
def editable_by?(usr)
usr == self.user
(usr == user && usr.allowed_to?(:edit_own_time_entries, project)) || usr.allowed_to?(:edit_time_entries, project)
end
def self.visible_by(usr)

View File

@ -33,7 +33,7 @@
<td><b><%=l(:field_category)%> :</b></td><td><%=h @issue.category ? @issue.category.name : "-" %></td>
<% if User.current.allowed_to?(:view_time_entries, @project) %>
<td><b><%=l(:label_spent_time)%> :</b></td>
<td><%= @issue.spent_hours > 0 ? (link_to lwr(:label_f_hour, @issue.spent_hours), {:controller => 'timelog', :action => 'details', :issue_id => @issue}, :class => 'icon icon-time') : "-" %></td>
<td><%= @issue.spent_hours > 0 ? (link_to lwr(:label_f_hour, @issue.spent_hours), {:controller => 'timelog', :action => 'details', :project_id => @project, :issue_id => @issue}, :class => 'icon icon-time') : "-" %></td>
<% end %>
</tr>
<tr>

View File

@ -23,9 +23,16 @@
</td>
<td class="comments"><%=h entry.comments %></td>
<td class="hours"><%= html_hours("%.2f" % entry.hours) %></td>
<td align="center"><%= link_to_if_authorized(l(:button_edit),
{:controller => 'timelog', :action => 'edit', :id => entry},
:class => 'icon icon-edit') if entry.editable_by?(User.current) %></td>
<td align="center">
<% if entry.editable_by?(User.current) -%>
<%= link_to image_tag('edit.png'), {:controller => 'timelog', :action => 'edit', :id => entry},
:title => l(:button_edit) %>
<%= link_to image_tag('delete.png'), {:controller => 'timelog', :action => 'destroy', :id => entry},
:confirm => l(:text_are_you_sure),
:method => :post,
:title => l(:button_delete) %>
<% end -%>
</td>
</tr>
<% end -%>
</tbdoy>

View File

@ -20,6 +20,7 @@ ActionController::Routing::Routes.draw do |map|
map.connect 'projects/:project_id/news/:action', :controller => 'news'
map.connect 'projects/:project_id/documents/:action', :controller => 'documents'
map.connect 'projects/:project_id/boards/:action/:id', :controller => 'boards'
map.connect 'projects/:project_id/timelog/:action/:id', :controller => 'timelog'
map.connect 'boards/:board_id/topics/:action/:id', :controller => 'messages'
map.with_options :controller => 'repositories' do |omap|

View File

@ -49,6 +49,8 @@ Redmine::AccessControl.map do |map|
map.project_module :time_tracking do |map|
map.permission :log_time, {:timelog => :edit}, :require => :loggedin
map.permission :view_time_entries, :timelog => [:details, :report]
map.permission :edit_time_entries, {:timelog => [:edit, :destroy]}, :require => :member
map.permission :edit_own_time_entries, {:timelog => [:edit, :destroy]}, :require => :loggedin
end
map.project_module :news do |map|

View File

@ -66,6 +66,8 @@ roles_001:
- :view_calendar
- :log_time
- :view_time_entries
- :edit_time_entries
- :delete_time_entries
- :manage_news
- :comment_news
- :view_documents
@ -106,6 +108,7 @@ roles_002:
- :view_calendar
- :log_time
- :view_time_entries
- :edit_own_time_entries
- :manage_news
- :comment_news
- :view_documents

View File

@ -22,13 +22,56 @@ require 'timelog_controller'
class TimelogController; def rescue_action(e) raise e end; end
class TimelogControllerTest < Test::Unit::TestCase
fixtures :projects, :issues, :time_entries, :users, :trackers, :enumerations, :issue_statuses
fixtures :projects, :roles, :members, :issues, :time_entries, :users, :trackers, :enumerations, :issue_statuses
def setup
@controller = TimelogController.new
@request = ActionController::TestRequest.new
@response = ActionController::TestResponse.new
end
def test_create
@request.session[:user_id] = 3
post :edit, :project_id => 1,
:time_entry => {:comments => 'Some work on TimelogControllerTest',
:activity_id => '10',
:spent_on => '2008-03-14',
:issue_id => '1',
:hours => '7.3'}
assert_redirected_to 'projects/ecookbook/timelog/details'
i = Issue.find(1)
t = TimeEntry.find_by_comments('Some work on TimelogControllerTest')
assert_not_nil t
assert_equal 7.3, t.hours
assert_equal 3, t.user_id
assert_equal i, t.issue
assert_equal i.project, t.project
end
def test_update
entry = TimeEntry.find(1)
assert_equal 1, entry.issue_id
assert_equal 2, entry.user_id
@request.session[:user_id] = 1
post :edit, :id => 1,
:time_entry => {:issue_id => '2',
:hours => '8'}
assert_redirected_to 'projects/ecookbook/timelog/details'
entry.reload
assert_equal 8, entry.hours
assert_equal 2, entry.issue_id
assert_equal 2, entry.user_id
end
def destroy
@request.session[:user_id] = 2
post :destroy, :id => 1
assert_redirected_to 'projects/ecookbook/timelog/details'
assert_nil TimeEntry.find_by_id(1)
end
def test_report_no_criteria
get :report, :project_id => 1