Merged 15430, 15464 to 15469, 15475, 15476 (#285, #7839).

git-svn-id: http://svn.redmine.org/redmine/branches/3.3-stable@15478 e93f8b46-1217-0410-a6f0-8f06a7374b81
2025-11-10 23:36:01 +01:00 · 2016-06-06 09:41:50 +00:00
parent 7a974437e6
commit 6e68d008c4
23 changed files with 525 additions and 83 deletions
--- a/app/controllers/issues_controller.rb
+++ b/app/controllers/issues_controller.rb
@@ -211,6 +211,10 @@ class IssuesController < ApplicationController
      unless User.current.allowed_to?(:copy_issues, @projects)
        raise ::Unauthorized
      end
+    else
+      unless @issues.all?(&:attributes_editable?)
+        raise ::Unauthorized
+      end
    end

    @allowed_projects = Issue.allowed_target_projects
@@ -230,7 +234,7 @@ class IssuesController < ApplicationController
    end
    @custom_fields = @issues.map{|i|i.editable_custom_fields}.reduce(:&)
    @assignables = target_projects.map(&:assignable_users).reduce(:&)
-    @trackers = target_projects.map(&:trackers).reduce(:&)
+    @trackers = target_projects.map {|p| Issue.allowed_target_trackers(p) }.reduce(:&)
    @versions = target_projects.map {|p| p.shared_versions.open}.reduce(:&)
    @categories = target_projects.map {|p| p.issue_categories}.reduce(:&)
    if @copy
@@ -263,6 +267,10 @@ class IssuesController < ApplicationController
      unless User.current.allowed_to?(:add_issues, target_projects)
        raise ::Unauthorized
      end
+    else
+      unless @issues.all?(&:attributes_editable?)
+        raise ::Unauthorized
+      end
    end

    unsaved_issues = []
@@ -316,6 +324,7 @@ class IssuesController < ApplicationController
  end

  def destroy
+    raise Unauthorized unless @issues.all?(&:deletable?)
    @hours = TimeEntry.where(:issue_id => @issues.map(&:id)).sum(:hours).to_f
    if @hours > 0
      case params[:todo]
@@ -465,9 +474,15 @@ class IssuesController < ApplicationController
    @issue.safe_attributes = attrs

    if @issue.project
-      @issue.tracker ||= @issue.project.trackers.first
+      @issue.tracker ||= @issue.allowed_target_trackers.first
      if @issue.tracker.nil?
-        render_error l(:error_no_tracker_in_project)
+        if @issue.project.trackers.any?
+          # None of the project trackers is allowed to the user
+          render_error :message => l(:error_no_tracker_allowed_for_new_issue_in_project), :status => 403
+        else
+          # Project has no trackers
+          render_error l(:error_no_tracker_in_project)
+        end
        return false
      end
      if @issue.status.nil?