Fixed: issue details view discloses relations to issues that the user is not allowed to view (#2589).

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@2343 e93f8b46-1217-0410-a6f0-8f06a7374b81
This commit is contained in:
Jean-Philippe Lang 2009-01-31 13:22:29 +00:00
parent 2679150ed4
commit f021c856c1
3 changed files with 21 additions and 1 deletions

View File

@ -54,6 +54,11 @@ class Issue < ActiveRecord::Base
named_scope :visible, lambda {|*args| { :include => :project, named_scope :visible, lambda {|*args| { :include => :project,
:conditions => Project.allowed_to_condition(args.first || User.current, :view_issues) } } :conditions => Project.allowed_to_condition(args.first || User.current, :view_issues) } }
# Returns true if usr or current user is allowed to view the issue
def visible?(usr=nil)
(usr || User.current).allowed_to?(:view_issues, self.project)
end
def after_initialize def after_initialize
if new_record? if new_record?
# set default values for new records only # set default values for new records only

View File

@ -8,7 +8,7 @@
<% if @issue.relations.any? %> <% if @issue.relations.any? %>
<table style="width:100%"> <table style="width:100%">
<% @issue.relations.each do |relation| %> <% @issue.relations.select {|r| r.other_issue(@issue).visible? }.each do |relation| %>
<tr> <tr>
<td><%= l(relation.label_for(@issue)) %> <%= "(#{lwr(:actionview_datehelper_time_in_words_day, relation.delay)})" if relation.delay && relation.delay != 0 %> <td><%= l(relation.label_for(@issue)) %> <%= "(#{lwr(:actionview_datehelper_time_in_words_day, relation.delay)})" if relation.delay && relation.delay != 0 %>
<%= h(relation.other_issue(@issue).project) + ' - ' if Setting.cross_project_issue_relations? %> <%= link_to_issue relation.other_issue(@issue) %></td> <%= h(relation.other_issue(@issue).project) + ' - ' if Setting.cross_project_issue_relations? %> <%= link_to_issue relation.other_issue(@issue) %></td>

View File

@ -324,6 +324,21 @@ class IssuesControllerTest < Test::Unit::TestCase
:content => /Notes/ } } :content => /Notes/ } }
end end
def test_show_should_not_disclose_relations_to_invisible_issues
Setting.cross_project_issue_relations = '1'
IssueRelation.create!(:issue_from => Issue.find(1), :issue_to => Issue.find(2), :relation_type => 'relates')
# Relation to a private project issue
IssueRelation.create!(:issue_from => Issue.find(1), :issue_to => Issue.find(4), :relation_type => 'relates')
get :show, :id => 1
assert_response :success
assert_tag :div, :attributes => { :id => 'relations' },
:descendant => { :tag => 'a', :content => /#2$/ }
assert_no_tag :div, :attributes => { :id => 'relations' },
:descendant => { :tag => 'a', :content => /#4$/ }
end
def test_new_routing def test_new_routing
assert_routing( assert_routing(
{:method => :get, :path => '/projects/1/issues/new'}, {:method => :get, :path => '/projects/1/issues/new'},