Global News view should not be allowed without permission (#7068).

git-svn-id: http://svn.redmine.org/redmine/trunk@16721 e93f8b46-1217-0410-a6f0-8f06a7374b81

app/controllers/news_controller.rb

@@ -98,14 +98,4 @@ class NewsController < ApplicationController
     @news.destroy
     redirect_to project_news_index_path(@project)
   end
-
-  private
-
-  def find_optional_project
-    return true unless params[:project_id]
-    @project = Project.find(params[:project_id])
-    authorize
-  rescue ActiveRecord::RecordNotFound
-    render_404
-  end
 end

lib/redmine.rb

@@ -217,6 +217,7 @@ Redmine::MenuManager.map :application_menu do |menu|
   menu.push :calendar, { :controller => 'calendars', :action => 'show' }, :caption => :label_calendar
 
   menu.push :news, {:controller => 'news', :action => 'index'},
+    :if => Proc.new {User.current.allowed_to?(:view_news, nil, :global => true)},
     :caption => :label_news_plural
 end
 

test/functional/news_controller_test.rb

@@ -47,6 +47,14 @@ class NewsControllerTest < Redmine::ControllerTest
     assert_response 404
   end
 
+  def test_index_without_permission_should_fail
+    Role.all.each {|r| r.remove_permission! :view_news}
+    @request.session[:user_id] = 2
+
+    get :index
+    assert_response 403
+  end
+
   def test_show
     get :show, :params => {
         :id => 1