Do not render hidden news edit form if user is not allowed to edit (closes #4068).

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@2954 e93f8b46-1217-0410-a6f0-8f06a7374b81
2009-10-22 17:42:17 +00:00 · 2009-10-22 17:42:17 +00:00 · 04ae25f6b0
parent e5c4cfc688
commit 04ae25f6b0
1 changed files with 3 additions and 1 deletions
--- a/app/views/news/show.rhtml
+++ b/app/views/news/show.rhtml
@ -9,6 +9,7 @@

 <h2><%=h @news.title %></h2>

+<% if authorize_for('news', 'edit') %>
 <div id="edit-news" style="display:none;">
 <% labelled_tabular_form_for :news, @news, :url => { :action => "edit", :id => @news },
                                           :html => { :id => 'news-form' } do |f| %>
@ -20,10 +21,11 @@
                     :update => 'preview',
                     :with => "Form.serialize('news-form')"
                   }, :accesskey => accesskey(:preview) %> |
-<%= link_to l(:button_cancel), "#", :onclick => 'Element.hide("edit-news")' %>
+<%= link_to l(:button_cancel), "#", :onclick => 'Element.hide("edit-news"); return false;' %>
 <% end %>
 <div id="preview" class="wiki"></div>
 </div>
+<% end %>

 <p><em><% unless @news.summary.blank? %><%=h @news.summary %><br /><% end %>
 <span class="author"><%= authoring @news.created_on, @news.author %></span></em></p>