Nemcio/Redmine
1
0
Fork 0
mirror of https://github.com/redmine/redmine.git synced 2025-11-15 09:46:02 +01:00
Code Issues Packages Projects Releases Activity

Adds visibility checks on version views (#27676).

Browse Source 
Previously not all data on the roadmap and version view where properly
checked against the issue visibility setting. Unprivileged users were
able to see the total number of issues, their estimations and the
open/close status - even if the user was only allowed to see their own issues.

Patch by Gregor Schmidt.

git-svn-id: http://svn.redmine.org/redmine/trunk@17051 e93f8b46-1217-0410-a6f0-8f06a7374b81
This commit is contained in:
Jean-Philippe Lang
2017-11-29 19:37:20 +00:00
parent 96a854a4b3
commit cd75ba33e9
3 changed files with 14 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
app/helpers/versions_helper.rb
View File

@@ -57,9 +57,9 @@ module VersionsHelper
h = Hash.new {|k,v| k[v] = [0, 0]} h = Hash.new {|k,v| k[v] = [0, 0]}
begin begin
# Total issue count # Total issue count
version.fixed_issues.group(criteria).count.each {|c,s| h[c][0] = s} version.fixed_issues.visible.group(criteria).count.each {|c,s| h[c][0] = s}
# Open issues count # Open issues count
version.fixed_issues.open.group(criteria).count.each {|c,s| h[c][1] = s} version.fixed_issues.visible.open.group(criteria).count.each {|c,s| h[c][1] = s}
rescue ActiveRecord::RecordNotFound rescue ActiveRecord::RecordNotFound
# When grouping by an association, Rails throws this exception if there's no result (bug) # When grouping by an association, Rails throws this exception if there's no result (bug)
end end

20
app/views/versions/_overview.html.erb
View File

@@ -14,22 +14,22 @@
</ul> </ul>
<% end %> <% end %>
<% if version.issues_count > 0 %> <% if version.fixed_issues.visible.count > 0 %>
<%= progress_bar([version.closed_percent, version.completed_percent], <%= progress_bar([version.fixed_issues.visible.closed_percent, version.fixed_issues.visible.completed_percent],
:titles => :titles =>
["%s: %0.0f%%" % [l(:label_closed_issues_plural), version.closed_percent], ["%s: %0.0f%%" % [l(:label_closed_issues_plural), version.fixed_issues.visible.closed_percent],
"%s: %0.0f%%" % [l(:field_done_ratio), version.completed_percent]], "%s: %0.0f%%" % [l(:field_done_ratio), version.fixed_issues.visible.completed_percent]],
:legend => ('%0.0f%%' % version.completed_percent)) %> :legend => ('%0.0f%%' % version.fixed_issues.visible.completed_percent)) %>
<p class="progress-info"> <p class="progress-info">
<%= link_to(l(:label_x_issues, :count => version.issues_count), <%= link_to(l(:label_x_issues, :count => version.fixed_issues.visible.count),
version_filtered_issues_path(version, :status_id => '*')) %> version_filtered_issues_path(version, :status_id => '*')) %>
&nbsp; &nbsp;
(<%= link_to_if(version.closed_issues_count > 0, (<%= link_to_if(version.fixed_issues.visible.closed_count > 0,
l(:label_x_closed_issues_abbr, :count => version.closed_issues_count), l(:label_x_closed_issues_abbr, :count => version.fixed_issues.visible.closed_count),
version_filtered_issues_path(version, :status_id => 'c')) %> version_filtered_issues_path(version, :status_id => 'c')) %>
&#8212; &#8212;
<%= link_to_if(version.open_issues_count > 0, <%= link_to_if(version.fixed_issues.visible.open_count > 0,
l(:label_x_open_issues_abbr, :count => version.open_issues_count), l(:label_x_open_issues_abbr, :count => version.fixed_issues.visible.open_count),
version_filtered_issues_path(version, :status_id => 'o')) %>) version_filtered_issues_path(version, :status_id => 'o')) %>)
</p> </p>
<% else %> <% else %>

4
app/views/versions/show.html.erb
View File

@@ -12,12 +12,12 @@
<%= render(:partial => "wiki/content", :locals => {:content => @version.wiki_page.content}) if @version.wiki_page %> <%= render(:partial => "wiki/content", :locals => {:content => @version.wiki_page.content}) if @version.wiki_page %>
<div id="version-summary"> <div id="version-summary">
<% if @version.estimated_hours > 0 || User.current.allowed_to?(:view_time_entries, @project) %> <% if @version.fixed_issues.visible.estimated_hours > 0 || User.current.allowed_to?(:view_time_entries, @project) %>
<fieldset class="time-tracking"><legend><%= l(:label_time_tracking) %></legend> <fieldset class="time-tracking"><legend><%= l(:label_time_tracking) %></legend>
<table> <table>
<tr> <tr>
<th><%= l(:field_estimated_hours) %></th> <th><%= l(:field_estimated_hours) %></th>
<td class="total-hours"><%= link_to html_hours(l_hours(@version.estimated_hours)), <td class="total-hours"><%= link_to html_hours(l_hours(@version.fixed_issues.visible.estimated_hours)),
project_issues_path(@version.project, :set_filter => 1, :status_id => '*', :fixed_version_id => @version.id, :c => [:tracker, :status, :subject, :estimated_hours], :t => [:estimated_hours]) %></td> project_issues_path(@version.project, :set_filter => 1, :status_id => '*', :fixed_version_id => @version.id, :c => [:tracker, :status, :subject, :estimated_hours], :t => [:estimated_hours]) %></td>
</tr> </tr>
<% if User.current.allowed_to_view_all_time_entries?(@project) %> <% if User.current.allowed_to_view_all_time_entries?(@project) %>