From 04ae25f6b0ce4c9a0d453864bef1cac27aa5b70a Mon Sep 17 00:00:00 2001
From: Jean-Philippe Lang <jp_lang@yahoo.fr>
Date: Thu, 22 Oct 2009 17:42:17 +0000
Subject: [PATCH] Do not render hidden news edit form if user is not allowed to
 edit (closes #4068).

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@2954 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/views/news/show.rhtml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/app/views/news/show.rhtml b/app/views/news/show.rhtml
index 89649273..019a14df 100644
--- a/app/views/news/show.rhtml
+++ b/app/views/news/show.rhtml
@@ -9,6 +9,7 @@
 
 <h2><%=h @news.title %></h2>
 
+<% if authorize_for('news', 'edit') %>
 <div id="edit-news" style="display:none;">
 <% labelled_tabular_form_for :news, @news, :url => { :action => "edit", :id => @news },
                                            :html => { :id => 'news-form' } do |f| %>
@@ -20,10 +21,11 @@
                      :update => 'preview',
                      :with => "Form.serialize('news-form')"
                    }, :accesskey => accesskey(:preview) %> |
-<%= link_to l(:button_cancel), "#", :onclick => 'Element.hide("edit-news")' %>
+<%= link_to l(:button_cancel), "#", :onclick => 'Element.hide("edit-news"); return false;' %>
 <% end %>
 <div id="preview" class="wiki"></div>
 </div>
+<% end %>
 
 <p><em><% unless @news.summary.blank? %><%=h @news.summary %><br /><% end %>
 <span class="author"><%= authoring @news.created_on, @news.author %></span></em></p>