meineerde/redmine
1
0
Fork 0
mirror of https://github.com/meineerde/redmine.git synced 2025-12-19 15:01:14 +00:00
Code Issues Releases Wiki Activity

Reject version custom field values not visible for the user (#31954, #23997).

Browse Source 
Patch by Marius BALTEANU.


git-svn-id: http://svn.redmine.org/redmine/trunk@18402 e93f8b46-1217-0410-a6f0-8f06a7374b81
This commit is contained in:
Go MAEDA 2019-08-27 10:44:39 +00:00
parent ce831ae5e4
commit c37d1b43a4
2 changed files with 51 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
app/models/version.rb
View File

@ -163,11 +163,39 @@ class Version < ActiveRecord::Base
'custom_field_values', 'custom_field_values',
'custom_fields' 'custom_fields'
def safe_attributes=(attrs, user=User.current)
if attrs.respond_to?(:to_unsafe_hash)
attrs = attrs.to_unsafe_hash
end
return unless attrs.is_a?(Hash)
attrs = attrs.deep_dup
# Reject custom fields values not visible by the user
if attrs['custom_field_values'].present?
editable_custom_field_ids = editable_custom_field_values(user).map {|v| v.custom_field_id.to_s}
attrs['custom_field_values'].reject! {|k, v| !editable_custom_field_ids.include?(k.to_s)}
end
# Reject custom fields not visible by the user
if attrs['custom_fields'].present?
editable_custom_field_ids = editable_custom_field_values(user).map {|v| v.custom_field_id.to_s}
attrs['custom_fields'].reject! {|c| !editable_custom_field_ids.include?(c['id'].to_s)}
end
super(attrs, user)
end
# Returns true if +user+ or current user is allowed to view the version # Returns true if +user+ or current user is allowed to view the version
def visible?(user=User.current) def visible?(user=User.current)
user.allowed_to?(:view_issues, self.project) user.allowed_to?(:view_issues, self.project)
end end
# Returns the custom_field_values that can be edited by the given user
def editable_custom_field_values(user=nil)
visible_custom_field_values(user)
end
def visible_custom_field_values(user = nil) def visible_custom_field_values(user = nil)
user ||= User.current user ||= User.current
custom_field_values.select do |value| custom_field_values.select do |value|

23
test/unit/version_test.rb
View File

@ -299,6 +299,29 @@ class VersionTest < ActiveSupport::TestCase
assert_includes Version.like('like scope'), version assert_includes Version.like('like scope'), version
end end
def test_safe_attributes_should_include_only_custom_fields_visible_to_user
cf1 = VersionCustomField.create!(:name => 'Visible field',
:field_format => 'string',
:visible => false, :role_ids => [1])
cf2 = VersionCustomField.create!(:name => 'Non visible field',
:field_format => 'string',
:visible => false, :role_ids => [3])
user = User.find(2)
version = Version.new(:project_id => 1, :name => 'v4')
version.send :safe_attributes=, {'custom_field_values' => {
cf1.id.to_s => 'value1', cf2.id.to_s => 'value2'
}}, user
assert_equal 'value1', version.custom_field_value(cf1)
assert_nil version.custom_field_value(cf2)
version.send :safe_attributes=, {'custom_fields' => [
{'id' => cf1.id.to_s, 'value' => 'valuea'},
{'id' => cf2.id.to_s, 'value' => 'valueb'}
]}, user
assert_equal 'valuea', version.custom_field_value(cf1)
assert_nil version.custom_field_value(cf2)
end
private private
def add_issue(version, attributes={}) def add_issue(version, attributes={})