Fixed: issue details view discloses relations to issues that the user is not allowed to view (#2589).
git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@2343 e93f8b46-1217-0410-a6f0-8f06a7374b81
parent
2679150ed4
commit
f021c856c1
|
@ -54,6 +54,11 @@ class Issue < ActiveRecord::Base
|
||||||
named_scope :visible, lambda {|*args| { :include => :project,
|
named_scope :visible, lambda {|*args| { :include => :project,
|
||||||
:conditions => Project.allowed_to_condition(args.first || User.current, :view_issues) } }
|
:conditions => Project.allowed_to_condition(args.first || User.current, :view_issues) } }
|
||||||
|
|
||||||
|
# Returns true if usr or current user is allowed to view the issue
|
||||||
|
def visible?(usr=nil)
|
||||||
|
(usr || User.current).allowed_to?(:view_issues, self.project)
|
||||||
|
end
|
||||||
|
|
||||||
def after_initialize
|
def after_initialize
|
||||||
if new_record?
|
if new_record?
|
||||||
# set default values for new records only
|
# set default values for new records only
|
||||||
|
|
|
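Review bot: The new `visible?` and the `:visible` named_scope directly above it encode the same rule — the `:view_issues` permission on the issue's project — in two separate places, and nothing ties them together, so a later change to `allowed_to_condition` would silently diverge from the per-record check the view now depends on. I would extend the comment to `# Returns true if usr or current user is allowed to view the issue. Must agree with the :visible named_scope above: both rely on the :view_issues permission on the issue's project.` In the body, `self.project` can be written as `project`, matching the surrounding class. Whether `allowed_to?` returns false for an issue without a project (a new record before the project is assigned) is not visible from this hunk and should be confirmed before `visible?` is called on unsaved issues. The enclosing `class Issue` continues outside the hunk.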
@ -8,7 +8,7 @@
|
||||||
|
|
||||||
<% if @issue.relations.any? %>
|
<% if @issue.relations.any? %>
|
||||||
<table style="width:100%">
|
<table style="width:100%">
|
||||||
<% @issue.relations.each do |relation| %>
|
<% @issue.relations.select {|r| r.other_issue(@issue).visible? }.each do |relation| %>
|
||||||
<tr>
|
<tr>
|
||||||
<td><%= l(relation.label_for(@issue)) %> <%= "(#{lwr(:actionview_datehelper_time_in_words_day, relation.delay)})" if relation.delay && relation.delay != 0 %>
|
<td><%= l(relation.label_for(@issue)) %> <%= "(#{lwr(:actionview_datehelper_time_in_words_day, relation.delay)})" if relation.delay && relation.delay != 0 %>
|
||||||
<%= h(relation.other_issue(@issue).project) + ' - ' if Setting.cross_project_issue_relations? %> <%= link_to_issue relation.other_issue(@issue) %></td>
|
<%= h(relation.other_issue(@issue).project) + ' - ' if Setting.cross_project_issue_relations? %> <%= link_to_issue relation.other_issue(@issue) %></td>
|
||||||
|
|
|
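Review bot: The outer guard at the top of the hunk still tests the unfiltered `@issue.relations.any?`, so when every relation points to an issue the user may not view, the partial emits an empty `<table>` — a rendering glitch, and also a hint that hidden relations exist, which is exactly what the commit sets out to stop. Filter once and reuse the result: `<% relations = @issue.relations.select {|r| r.other_issue(@issue).visible? } %>`, `<% if relations.any? %>`, `<% relations.each do |relation| %>`. Filtering in the template also leaves any other consumer of `@issue.relations` (other templates, exports) with the unfiltered list; moving the visible-only selection into the model would cover those too, though those callers are not visible from this hunk. The `<% end %>` lines closing the `if` and `each` blocks lie outside the hunk.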
@ -324,6 +324,21 @@ class IssuesControllerTest < Test::Unit::TestCase
|
||||||
:content => /Notes/ } }
|
:content => /Notes/ } }
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def test_show_should_not_disclose_relations_to_invisible_issues
|
||||||
|
Setting.cross_project_issue_relations = '1'
|
||||||
|
IssueRelation.create!(:issue_from => Issue.find(1), :issue_to => Issue.find(2), :relation_type => 'relates')
|
||||||
|
# Relation to a private project issue
|
||||||
|
IssueRelation.create!(:issue_from => Issue.find(1), :issue_to => Issue.find(4), :relation_type => 'relates')
|
||||||
|
|
||||||
|
get :show, :id => 1
|
||||||
|
assert_response :success
|
||||||
|
|
||||||
|
assert_tag :div, :attributes => { :id => 'relations' },
|
||||||
|
:descendant => { :tag => 'a', :content => /#2$/ }
|
||||||
|
assert_no_tag :div, :attributes => { :id => 'relations' },
|
||||||
|
:descendant => { :tag => 'a', :content => /#4$/ }
|
||||||
|
end
|
||||||
|
|
||||||
def test_new_routing
|
def test_new_routing
|
||||||
assert_routing(
|
assert_routing(
|
||||||
{:method => :get, :path => '/projects/1/issues/new'},
|
{:method => :get, :path => '/projects/1/issues/new'},
|
||||||
|
|
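Review bot: `Setting.cross_project_issue_relations = '1'` at the start of the new test is never restored, and nothing in the hunk resets it, so unless a teardown elsewhere does, the value carries over into tests that run afterwards and can make unrelated tests order-dependent. Save and restore it: `saved = Setting.cross_project_issue_relations` before the assignment and an `ensure` clause ending in `Setting.cross_project_issue_relations = saved`. The request appears to run without a logged-in session (none is set in the hunk), so only the anonymous case is covered; a second case with a logged-in user lacking `:view_issues` on the private project would exercise the same path with a real user. The enclosing test class continues outside the hunk.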