Nemcio/Redmine
1
0
Fork 0
mirror of https://github.com/redmine/redmine.git synced 2025-11-07 22:05:56 +01:00
Code Issues Packages Projects Releases Activity

Droped legacy behaviour that allows a user to edit a few attributes of an issue without the edit_issues permission if a status transition is allowed (#15988).

Browse Source 
Now that we can control permission on each field, this behaviour is no longer needed. The edit_issues permission is now required, which is consistent with the current requirements for bulk edition.

git-svn-id: http://svn.redmine.org/redmine/trunk@13746 e93f8b46-1217-0410-a6f0-8f06a7374b81
This commit is contained in:
Jean-Philippe Lang
2014-12-13 14:01:56 +00:00
parent 95f58c69d2
commit 07b44a4662
3 changed files with 1 additions and 71 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
app/models/issue.rb
View File

@@ -405,14 +405,6 @@ class Issue < ActiveRecord::Base
'notes', 'notes',
:if => lambda {|issue, user| issue.new_record? || user.allowed_to?(:edit_issues, issue.project) } :if => lambda {|issue, user| issue.new_record? || user.allowed_to?(:edit_issues, issue.project) }
safe_attributes 'status_id',
'assigned_to_id',
'fixed_version_id',
'done_ratio',
'lock_version',
'notes',
:if => lambda {|issue, user| issue.new_statuses_allowed_to(user).any? }
safe_attributes 'notes', safe_attributes 'notes',
:if => lambda {|issue, user| user.allowed_to?(:add_issue_notes, issue.project)} :if => lambda {|issue, user| user.allowed_to?(:add_issue_notes, issue.project)}

2
app/views/issues/_edit.html.erb
View File

@@ -2,7 +2,7 @@
<%= error_messages_for 'issue', 'time_entry' %> <%= error_messages_for 'issue', 'time_entry' %>
<%= render :partial => 'conflict' if @conflict %> <%= render :partial => 'conflict' if @conflict %>
<div class="box"> <div class="box">
<% if @edit_allowed || !@allowed_statuses.empty? %> <% if @edit_allowed %>
<fieldset class="tabular"><legend><%= l(:label_change_properties) %></legend> <fieldset class="tabular"><legend><%= l(:label_change_properties) %></legend>
<div id="all_attributes"> <div id="all_attributes">
<%= render :partial => 'form', :locals => {:f => f} %> <%= render :partial => 'form', :locals => {:f => f} %>

62
test/functional/issues_controller_test.rb
View File

@@ -979,34 +979,6 @@ class IssuesControllerTest < ActionController::TestCase
end end
end end
def test_show_should_display_update_form_with_workflow_permissions
Role.find(1).update_attribute :permissions, [:view_issues, :add_issue_notes]
@request.session[:user_id] = 2
get :show, :id => 1
assert_response :success
assert_select 'form#issue-form' do
assert_select 'input[name=?]', 'issue[is_private]', 0
assert_select 'select[name=?]', 'issue[project_id]', 0
assert_select 'select[name=?]', 'issue[tracker_id]', 0
assert_select 'input[name=?]', 'issue[subject]', 0
assert_select 'textarea[name=?]', 'issue[description]', 0
assert_select 'select[name=?]', 'issue[status_id]'
assert_select 'select[name=?]', 'issue[priority_id]', 0
assert_select 'select[name=?]', 'issue[assigned_to_id]'
assert_select 'select[name=?]', 'issue[category_id]', 0
assert_select 'select[name=?]', 'issue[fixed_version_id]'
assert_select 'input[name=?]', 'issue[parent_issue_id]', 0
assert_select 'input[name=?]', 'issue[start_date]', 0
assert_select 'input[name=?]', 'issue[due_date]', 0
assert_select 'select[name=?]', 'issue[done_ratio]'
assert_select 'input[name=?]', 'issue[custom_field_values][2]', 0
assert_select 'input[name=?]', 'issue[watcher_user_ids][]', 0
assert_select 'textarea[name=?]', 'issue[notes]'
end
end
def test_show_should_not_display_update_form_without_permissions def test_show_should_not_display_update_form_without_permissions
Role.find(1).update_attribute :permissions, [:view_issues] Role.find(1).update_attribute :permissions, [:view_issues]
@@ -2405,40 +2377,6 @@ class IssuesControllerTest < ActionController::TestCase
end end
private :setup_with_workflow_privilege private :setup_with_workflow_privilege
test "with workflow privilege #update should accept authorized status" do
setup_with_workflow_privilege
assert_difference 'Journal.count' do
put :update, :id => 1, :issue => {:status_id => 3, :notes => 'just trying'}
end
assert_equal 3, Issue.find(1).status_id
end
test "with workflow privilege #update should ignore unauthorized status" do
setup_with_workflow_privilege
assert_difference 'Journal.count' do
put :update, :id => 1, :issue => {:status_id => 2, :notes => 'just trying'}
end
assert_equal 1, Issue.find(1).status_id
end
test "with workflow privilege #update should accept authorized attributes changes" do
setup_with_workflow_privilege
assert_difference 'Journal.count' do
put :update, :id => 1, :issue => {:assigned_to_id => 2, :notes => 'just trying'}
end
issue = Issue.find(1)
assert_equal 2, issue.assigned_to_id
end
test "with workflow privilege #update should ignore unauthorized attributes changes" do
setup_with_workflow_privilege
assert_difference 'Journal.count' do
put :update, :id => 1, :issue => {:subject => 'changed', :notes => 'just trying'}
end
issue = Issue.find(1)
assert_equal "Can't print recipes", issue.subject
end
def setup_with_workflow_privilege_and_edit_issues_permission def setup_with_workflow_privilege_and_edit_issues_permission
setup_with_workflow_privilege setup_with_workflow_privilege
Role.anonymous.add_permission! :add_issues, :edit_issues Role.anonymous.add_permission! :add_issues, :edit_issues