Fix: "Import issues" and "Import time entries" pages are visible to users without "Add issues" and "Log spent time" permissions (#41465).

Patch by Kenta Kumojima (user:kumojima).


git-svn-id: https://svn.redmine.org/redmine/trunk@23178 e93f8b46-1217-0410-a6f0-8f06a7374b81

app/models/issue_import.rb

@@ -50,7 +50,7 @@ class IssueImport < Import
   end
 
   def self.authorized?(user)
-    user.allowed_to?(:import_issues, nil, :global => true)
+    user.allowed_to?(:import_issues, nil, :global => true) && user.allowed_to?(:add_issues, nil, :global => true)
   end
 
   # Returns the objects that were imported

app/models/time_entry_import.rb

@@ -32,7 +32,7 @@ class TimeEntryImport < Import
   end
 
   def self.authorized?(user)
-    user.allowed_to?(:import_time_entries, nil, :global => true)
+    user.allowed_to?(:import_time_entries, nil, :global => true) && user.allowed_to?(:log_time, nil, :global => true)
   end
 
   # Returns the objects that were imported

app/views/issues/index.html.erb

@@ -7,7 +7,7 @@
       <%= link_to sprite_icon('summary', l(:field_summary)), project_issues_report_path(@project), :class => 'icon icon-stats' %>
     <% end %>
 
-    <% if User.current.allowed_to?(:import_issues, @project, :global => true) %>
+    <% if User.current.allowed_to?(:import_issues, @project, :global => true) && User.current.allowed_to?(:add_issues, @project, :global => true) %>
       <%= link_to sprite_icon('import', l(:button_import)), new_issues_import_path(:project_id => @project), :class => 'icon icon-import' %>
     <% end %>
 

app/views/timelog/index.html.erb

@@ -3,7 +3,7 @@
             _new_time_entry_path(@project, @query.filtered_issue_id),
             :class => 'icon icon-time-add' if User.current.allowed_to?(:log_time, @project, :global => true) %>
 <%= actions_dropdown do %>
-  <% if User.current.allowed_to?(:import_time_entries, @project, :global => true) %>
+  <% if User.current.allowed_to?(:import_time_entries, @project, :global => true) && User.current.allowed_to?(:log_time, @project, :global => true) %>
     <%= link_to sprite_icon('import', l(:button_import)), new_time_entries_import_path(:project_id => @project), :class => 'icon icon-import' %>
   <% end %>
 

test/functional/imports_controller_test.rb

@@ -52,6 +52,18 @@ class ImportsControllerTest < Redmine::ControllerTest
     assert_select 'input[name=?][type=?][value=?]', 'project_id', 'hidden', 'subproject1'
   end
 
+  def test_new_issue_import_without_add_issues_permission
+    Role.all.map { |role| role.remove_permission! :add_issues }
+    get(:new, :params => {:type => 'IssueImport', :project_id => 'subproject1'})
+    assert_response :forbidden
+  end
+
+  def test_new_time_entry_import_without_log_time_permission
+    Role.all.map { |role| role.remove_permission! :log_time }
+    get(:new, :params => {:type => 'TimeEntryImport', :project_id => 'subproject1'})
+    assert_response :forbidden
+  end
+
   def test_create_should_save_the_file
     import = new_record(Import) do
       post(