meineerde/redmine
1
0
Fork 0
mirror of https://github.com/meineerde/redmine.git synced 2026-01-08 16:41:31 +00:00
Code Issues Releases Wiki Activity

Global and public custom queries are shown as editable to non administrators in projects (#28264).

Browse Source 
git-svn-id: http://svn.redmine.org/redmine/trunk@17292 e93f8b46-1217-0410-a6f0-8f06a7374b81
This commit is contained in:
Jean-Philippe Lang 2018-04-08 13:23:30 +00:00
parent 6cafb957b6
commit af2730de5e
2 changed files with 27 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
app/models/query.rb
View File

@ -356,13 +356,13 @@ class Query < ActiveRecord::Base
!is_private?
end
def queried_table_name
@queried_table_name ||= self.class.queried_class.table_name
# Returns true if the query is available for all projects
def is_global?
new_record? ? project_id.nil? : project_id_in_database.nil?
end
def initialize(attributes=nil, *args)
super attributes
@is_for_all = project.nil?
def queried_table_name
@queried_table_name ||= self.class.queried_class.table_name
end
# Builds the query from the given params
@ -447,7 +447,7 @@ class Query < ActiveRecord::Base
# Admin can edit them all and regular users can edit their private queries
return true if user.admin? || (is_private? && self.user_id == user.id)
# Members can not edit public queries that are for all project (only admin is allowed to)
is_public? && !@is_for_all && user.allowed_to?(:manage_public_queries, project)
is_public? && !is_global? && user.allowed_to?(:manage_public_queries, project)
end
def trackers

22
test/unit/query_test.rb
View File

@ -1742,9 +1742,29 @@ class QueryTest < ActiveSupport::TestCase
assert q.editable_by?(admin)
assert !q.editable_by?(manager)
assert q.editable_by?(developer)
end
def test_editable_by_for_global_query
admin = User.find(1)
manager = User.find(2)
developer = User.find(3)
# Public query for all projects
q = IssueQuery.find(4)
q.project = Project.find(1)
assert q.editable_by?(admin)
assert !q.editable_by?(manager)
assert !q.editable_by?(developer)
end
def test_editable_by_for_global_query_with_project_set
admin = User.find(1)
manager = User.find(2)
developer = User.find(3)
q = IssueQuery.find(4)
q.project = Project.find(1)
assert q.editable_by?(admin)
assert !q.editable_by?(manager)
assert !q.editable_by?(developer)