From 9c698157f44819d224a9be5c13d8b517690e4bed Mon Sep 17 00:00:00 2001 From: Jean-Philippe Lang Date: Fri, 4 Jan 2013 08:21:33 +0000 Subject: [PATCH] Check permissions before the extra condition for displaying a menu item (#12721). Patch by Daniel Ritz. git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@11112 e93f8b46-1217-0410-a6f0-8f06a7374b81 --- lib/redmine/menu_manager.rb | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/lib/redmine/menu_manager.rb b/lib/redmine/menu_manager.rb index 1bb991178..94b92c6b7 100644 --- a/lib/redmine/menu_manager.rb +++ b/lib/redmine/menu_manager.rb @@ -190,20 +190,17 @@ module Redmine # Checks if a user is allowed to access the menu item by: # - # * Checking the conditions of the item # * Checking the url target (project only) + # * Checking the conditions of the item def allowed_node?(node, user, project) + if project && user && !user.allowed_to?(node.url, project) + return false + end if node.condition && !node.condition.call(project) # Condition that doesn't pass return false end - - if project - return user && user.allowed_to?(node.url, project) - else - # outside a project, all menu items allowed - return true - end + return true end end