From e8f3dd07dd8462d8d80948d5c8f094bdcc966d9a Mon Sep 17 00:00:00 2001
From: Jean-Baptiste Barth
Date: Wed, 29 Sep 2010 05:22:45 +0000
Subject: [PATCH] Added ability to specify multiple projects in User#allowed_to? (#5332)

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@4227 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/models/user.rb | 16 +++++++++++++---
 test/unit/user_test.rb | 13 +++++++++++++
 2 files changed, 26 insertions(+), 3 deletions(-)

diff --git a/app/models/user.rb b/app/models/user.rb
index 638e5f7b..4b65b3d1 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -344,12 +344,17 @@ class User < Principal
 !roles_for_project(project).detect {|role| role.member?}.nil?
 end
 
- # Return true if the user is allowed to do the specified action on project
- # action can be:
+ # Return true if the user is allowed to do the specified action on a specific context
+ # Action can be:
 # * a parameter-like Hash (eg. :controller => 'projects', :action => 'edit')
 # * a permission Symbol (eg. :edit_project)
+ # Context can be:
+ # * a project : returns true if user is allowed to do the specified action on this project
+ # * a group of projects : returns true if user is allowed on every project
+ # * nil with options[:global] set : check if user has at least one role allowed for this action,
+ # or falls back to Non Member / Anonymous permissions depending if the user is logged
 def allowed_to?(action, project, options={})
- if project
+ if project && project.is_a?(Project)
 # No action allowed on archived projects
 return false unless project.active?
 # No action allowed on disabled modules
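Review bot: The new guard `if project && project.is_a?(Project)` carries a redundant nil check, since `nil.is_a?(Project)` is already false; `if project.is_a?(Project)` reads the same and lines up with the Array branch added in the next hunk. The new doc comment says a group of projects "returns true if user is allowed on every project" but does not state what an empty group yields, and test/unit/user_test.rb pins that to false, so extend that bullet with `(an empty group is never authorized)`. Any other non-nil context (an id, a name) now appears to fall through silently to the `options[:global]` path rather than failing loudly; a one-line comment on the guard saying that unrecognised contexts are denied would make that intent explicit. allowed_to?'s body continues outside the hunk.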
@@ -361,6 +366,11 @@ class User < Principal
 return false unless roles
 roles.detect {|role| (project.is_public? || role.member?) && role.allowed_to?(action)}
 
+ elsif project && project.is_a?(Array)
+ # Authorize if user is authorized on every element of the array
+ project.inject do |memo,p|
+ memo && allowed_to?(action,p,options)
+ end
 elsif options[:global]
 # Admin users are always authorized
 return true if admin?
diff --git a/test/unit/user_test.rb b/test/unit/user_test.rb
index f3e56ddd..b451c1e6 100644
--- a/test/unit/user_test.rb
+++ b/test/unit/user_test.rb
@@ -396,6 +396,19 @@ class UserTest < ActiveSupport::TestCase
 assert ! @dlopper.allowed_to?(:delete_messages, project) #Developper
 end
 end
+
+ context "with multiple projects" do
+ should "return false if array is empty" do
+ assert ! @admin.allowed_to?(:view_project, [])
+ end
+
+ should "return true only if user has permission on all these projects" do
+ assert @admin.allowed_to?(:view_project, Project.all)
+ assert ! @dlopper.allowed_to?(:view_project, Project.all) #cannot see Project(2)
+ assert @jsmith.allowed_to?(:edit_issues, @jsmith.projects) #Manager or Developer everywhere
+ assert ! @jsmith.allowed_to?(:delete_issue_watchers, @jsmith.projects) #Dev cannot delete_issue_watchers
+ end
+ end
 
 context "with options[:global]" do
 should "authorize if user has at least one role that has this permission" do
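Review bot: The Array branch never authorizes the first project: `project.inject do |memo,p| ... end` is called with no initial value, so `memo` is seeded with `project.first` (a truthy Project) and the block only runs from the second element onward, meaning a one-element array returns that Project itself without any permission check and `[p1, p2]` is decided by p2 alone. Replace the three-line inject with `!project.empty? && project.all? {|p| allowed_to?(action, p, options)}`, which keeps the empty array false as the new test expects, denies as soon as any project fails, and checks every element. allowed_to?'s body continues outside the hunk on both sides.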
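Review bot: The new "with multiple projects" tests cannot detect an implementation that skips the first element of the array, because in each denial case the first project of `Project.all` or `@jsmith.projects` appears to be one the user is allowed on (the @dlopper denial is attributed to Project(2) in the comment). Add a single-element case that must be denied, e.g. `assert ! @dlopper.allowed_to?(:view_project, [Project.find(2)])`, and one with the denied project placed first in the array, so the result cannot depend on element order. `Project.find(2)` is taken from the `#cannot see Project(2)` comment; adjust if that refers to a different fixture.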