From b03e03b7704a50639f143806471386fab4900835 Mon Sep 17 00:00:00 2001
From: Jean-Philippe Lang
Date: Mon, 26 Jun 2017 19:49:02 +0000
Subject: [PATCH] Global News view should not be allowed without permission (#7068).

git-svn-id: http://svn.redmine.org/redmine/trunk@16721 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/controllers/news_controller.rb | 10 ----------
 lib/redmine.rb | 1 +
 test/functional/news_controller_test.rb | 8 ++++++++
 3 files changed, 9 insertions(+), 10 deletions(-)

diff --git a/app/controllers/news_controller.rb b/app/controllers/news_controller.rb
index 727617cb7..3df9e5e44 100644
--- a/app/controllers/news_controller.rb
+++ b/app/controllers/news_controller.rb
@@ -98,14 +98,4 @@ class NewsController < ApplicationController
     @news.destroy
     redirect_to project_news_index_path(@project)
   end
-
-  private
-
-  def find_optional_project
-    return true unless params[:project_id]
-    @project = Project.find(params[:project_id])
-    authorize
-  rescue ActiveRecord::RecordNotFound
-    render_404
-  end
 end
diff --git a/lib/redmine.rb b/lib/redmine.rb
index 6f4d3e07c..5f01787c2 100644
--- a/lib/redmine.rb
+++ b/lib/redmine.rb
@@ -217,6 +217,7 @@ Redmine::MenuManager.map :application_menu do |menu|
   menu.push :calendar, { :controller => 'calendars', :action => 'show' },
             :caption => :label_calendar
   menu.push :news, {:controller => 'news', :action => 'index'},
+            :if => Proc.new {User.current.allowed_to?(:view_news, nil, :global => true)},
             :caption => :label_news_plural
 end
diff --git a/test/functional/news_controller_test.rb b/test/functional/news_controller_test.rb
index 91db40cb0..f62d21bf1 100644
--- a/test/functional/news_controller_test.rb
+++ b/test/functional/news_controller_test.rb
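Review bot: The `:if` proc added to the `:news` menu entry in lib/redmine.rb only decides whether the link is rendered; it is not the authorization for `GET /news` itself, so the server-side control in this commit is the removal of NewsController's private `find_optional_project`, which presumably lets ApplicationController's implementation (and its handling of the project-less, global case) apply instead — a one-line comment on the controller such as `# find_optional_project is inherited from ApplicationController so the global index is authorized too` would make that dependency explicit for the next reader. The proc is re-evaluated per request against `User.current`, which is what you want here, but as a matter of style the community guide prefers a lambda with spaced braces, `:if => lambda { User.current.allowed_to?(:view_news, nil, :global => true) },`, unless the rest of the menu map already uses `Proc.new` consistently. The `Redmine::MenuManager.map :application_menu` block opens before this hunk.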
@@ -47,6 +47,14 @@ class NewsControllerTest < Redmine::ControllerTest assert_response 404 end + def test_index_without_permission_should_fail + Role.all.each {|r| r.remove_permission! :view_news} + @request.session[:user_id] = 2 + + get :index + assert_response 403 + end + def test_show get :show, :params => { :id => 1
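Review bot: `test_index_without_permission_should_fail` only covers a logged-in user (`@request.session[:user_id] = 2`); the anonymous request, which is exactly the case the global `view_news` check in the menu proc also guards, is not exercised. A sibling test that strips `:view_news` the same way, leaves the session empty, calls `get :index` and asserts the response `deny_access` produces for an anonymous user (a login redirect rather than 403, if I read ApplicationController correctly — confirm before pinning the status) would close that gap. `Role.all.each {|r| r.remove_permission! :view_news}` persists changes to the role fixtures; that is fine if the suite runs with transactional fixtures, otherwise it needs a teardown to restore them. The enclosing `NewsControllerTest` class opens before this hunk.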