meineerde/redmine
1
0
Fork 0
mirror of https://github.com/meineerde/redmine.git synced 2025-12-30 20:29:37 +00:00
Code Issues Releases Wiki Activity

Child nodes should only be rendered if the user is actually authorized to see them (#15880).

Browse Source 
Patch by Jan Schulz-Hofen.

git-svn-id: http://svn.redmine.org/redmine/trunk@15393 e93f8b46-1217-0410-a6f0-8f06a7374b81
This commit is contained in:
Jean-Philippe Lang 2016-05-08 06:48:36 +00:00
parent 9cfb319c43
commit 8cbfeddeb0
2 changed files with 51 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
lib/redmine/menu_manager.rb
View File

@ -114,7 +114,7 @@ module Redmine
# Standard children
standard_children_list = "".html_safe.tap do |child_html|
node.children.each do |child|
child_html << render_menu_node(child, project)
child_html << render_menu_node(child, project) if allowed_node?(child, User.current, project)
end
end
@ -138,7 +138,7 @@ module Redmine
# Tree nodes support #each so we need to do object detection
if unattached_children.is_a? Array
unattached_children.each do |child|
child_html << content_tag(:li, render_unattached_menu_item(child, project))
child_html << content_tag(:li, render_unattached_menu_item(child, project)) if allowed_node?(child, User.current, project)
end
else
raise MenuError, ":child_menus must be an array of MenuItems"
@ -192,6 +192,7 @@ module Redmine
# See MenuItem#allowed?
def allowed_node?(node, user, project)
raise MenuError, ":child_menus must be an array of MenuItems" unless node.is_a? MenuItem
node.allowed?(user, project)
end
end

50
test/unit/lib/redmine/menu_manager/menu_helper_test.rb
View File

@ -119,7 +119,7 @@ class Redmine::MenuManager::MenuHelperTest < ActionView::TestCase
User.current = User.find(2)
parent_node = Redmine::MenuManager::MenuItem.new(:parent_node,
'/test',
{:controller => 'issues', :action => 'index'},
{
:children => Proc.new {|p|
children = []
@ -131,7 +131,7 @@ class Redmine::MenuManager::MenuHelperTest < ActionView::TestCase
})
parent_node << Redmine::MenuManager::MenuItem.new(:child_node,
'/test',
{:controller => 'issues', :action => 'index'},
{
:children => Proc.new {|p|
children = []
@ -163,6 +163,52 @@ class Redmine::MenuManager::MenuHelperTest < ActionView::TestCase
end
end
def test_render_menu_node_with_allowed_and_unallowed_unattached_children
User.current = User.find(2)
parent_node = Redmine::MenuManager::MenuItem.new(:parent_node,
{:controller => 'issues', :action => 'index'},
{
:children => Proc.new {|p|
[
Redmine::MenuManager::MenuItem.new("test_child_allowed", {:controller => 'issues', :action => 'index'}, {}),
Redmine::MenuManager::MenuItem.new("test_child_unallowed", {:controller => 'issues', :action => 'unallowed'}, {}),
]
}
})
@output_buffer = render_menu_node(parent_node, Project.find(1))
assert_select("li") do
assert_select("a.parent-node", "Parent node")
assert_select("ul.menu-children.unattached") do
assert_select("li a.test-child-allowed", "Test child allowed")
assert_select("li a.test-child-unallowed", false)
end
end
end
def test_render_menu_node_with_allowed_and_unallowed_standard_children
User.current = User.find(6)
Redmine::MenuManager.map :some_menu do |menu|
menu.push(:parent_node, {:controller => 'issues', :action => 'index'}, { })
menu.push(:test_child_allowed, {:controller => 'issues', :action => 'index'}, {:parent => :parent_node})
menu.push(:test_child_unallowed, {:controller => 'issues', :action => 'new'}, {:parent => :parent_node})
end
@output_buffer = render_menu(:some_menu, Project.find(1))
assert_select("li") do
assert_select("a.parent-node", "Parent node")
assert_select("ul.menu-children.unattached", false)
assert_select("ul.menu-children") do
assert_select("li a.test-child-allowed", "Test child allowed")
assert_select("li a.test-child-unallowed", false)
end
end
end
def test_render_menu_node_with_children_without_an_array
parent_node = Redmine::MenuManager::MenuItem.new(:parent_node,
'/test',