mirror of
https://github.com/redmine/redmine.git
synced 2026-07-11 20:51:28 +02:00
Add view_issues permission (#3187).
A migration adds this permission to all existing roles to preserve current behaviour. This permission controls access to issues, roadmap and changelog. git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@3039 e93f8b46-1217-0410-a6f0-8f06a7374b81
This commit is contained in:
5
test/fixtures/roles.yml
vendored
5
test/fixtures/roles.yml
vendored
@@ -10,6 +10,7 @@ roles_001:
|
||||
- :manage_members
|
||||
- :manage_versions
|
||||
- :manage_categories
|
||||
- :view_issues
|
||||
- :add_issues
|
||||
- :edit_issues
|
||||
- :manage_issue_relations
|
||||
@@ -60,6 +61,7 @@ roles_002:
|
||||
- :manage_members
|
||||
- :manage_versions
|
||||
- :manage_categories
|
||||
- :view_issues
|
||||
- :add_issues
|
||||
- :edit_issues
|
||||
- :manage_issue_relations
|
||||
@@ -102,6 +104,7 @@ roles_003:
|
||||
- :manage_members
|
||||
- :manage_versions
|
||||
- :manage_categories
|
||||
- :view_issues
|
||||
- :add_issues
|
||||
- :edit_issues
|
||||
- :manage_issue_relations
|
||||
@@ -135,6 +138,7 @@ roles_004:
|
||||
builtin: 1
|
||||
permissions: |
|
||||
---
|
||||
- :view_issues
|
||||
- :add_issues
|
||||
- :edit_issues
|
||||
- :manage_issue_relations
|
||||
@@ -164,6 +168,7 @@ roles_005:
|
||||
builtin: 2
|
||||
permissions: |
|
||||
---
|
||||
- :view_issues
|
||||
- :add_issue_notes
|
||||
- :view_gantt
|
||||
- :view_calendar
|
||||
|
||||
@@ -358,6 +358,26 @@ class IssuesControllerTest < ActionController::TestCase
|
||||
:content => /Notes/ } }
|
||||
end
|
||||
|
||||
def test_show_should_deny_anonymous_access_without_permission
|
||||
Role.anonymous.remove_permission!(:view_issues)
|
||||
get :show, :id => 1
|
||||
assert_response :redirect
|
||||
end
|
||||
|
||||
def test_show_should_deny_non_member_access_without_permission
|
||||
Role.non_member.remove_permission!(:view_issues)
|
||||
@request.session[:user_id] = 9
|
||||
get :show, :id => 1
|
||||
assert_response 403
|
||||
end
|
||||
|
||||
def test_show_should_deny_member_access_without_permission
|
||||
Role.find(1).remove_permission!(:view_issues)
|
||||
@request.session[:user_id] = 2
|
||||
get :show, :id => 1
|
||||
assert_response 403
|
||||
end
|
||||
|
||||
def test_show_should_not_disclose_relations_to_invisible_issues
|
||||
Setting.cross_project_issue_relations = '1'
|
||||
IssueRelation.create!(:issue_from => Issue.find(1), :issue_to => Issue.find(2), :relation_type => 'relates')
|
||||
|
||||
@@ -18,7 +18,7 @@
|
||||
require File.dirname(__FILE__) + '/../test_helper'
|
||||
|
||||
class IssueTest < ActiveSupport::TestCase
|
||||
fixtures :projects, :users, :members, :member_roles,
|
||||
fixtures :projects, :users, :members, :member_roles, :roles,
|
||||
:trackers, :projects_trackers,
|
||||
:versions,
|
||||
:issue_statuses, :issue_categories, :issue_relations, :workflows,
|
||||
@@ -64,6 +64,47 @@ class IssueTest < ActiveSupport::TestCase
|
||||
assert_equal 'PostgreSQL', issue.custom_value_for(field).value
|
||||
end
|
||||
|
||||
def test_visible_scope_for_anonymous
|
||||
# Anonymous user should see issues of public projects only
|
||||
issues = Issue.visible(User.anonymous).all
|
||||
assert issues.any?
|
||||
assert_nil issues.detect {|issue| !issue.project.is_public?}
|
||||
# Anonymous user should not see issues without permission
|
||||
Role.anonymous.remove_permission!(:view_issues)
|
||||
issues = Issue.visible(User.anonymous).all
|
||||
assert issues.empty?
|
||||
end
|
||||
|
||||
def test_visible_scope_for_user
|
||||
user = User.find(9)
|
||||
assert user.projects.empty?
|
||||
# Non member user should see issues of public projects only
|
||||
issues = Issue.visible(user).all
|
||||
assert issues.any?
|
||||
assert_nil issues.detect {|issue| !issue.project.is_public?}
|
||||
# Non member user should not see issues without permission
|
||||
Role.non_member.remove_permission!(:view_issues)
|
||||
user.reload
|
||||
issues = Issue.visible(user).all
|
||||
assert issues.empty?
|
||||
# User should see issues of projects for which he has view_issues permissions only
|
||||
Member.create!(:principal => user, :project_id => 2, :role_ids => [1])
|
||||
user.reload
|
||||
issues = Issue.visible(user).all
|
||||
assert issues.any?
|
||||
assert_nil issues.detect {|issue| issue.project_id != 2}
|
||||
end
|
||||
|
||||
def test_visible_scope_for_admin
|
||||
user = User.find(1)
|
||||
user.members.each(&:destroy)
|
||||
assert user.projects.empty?
|
||||
issues = Issue.visible(user).all
|
||||
assert issues.any?
|
||||
# Admin should see issues on private projects that he does not belong to
|
||||
assert issues.detect {|issue| !issue.project.is_public?}
|
||||
end
|
||||
|
||||
def test_errors_full_messages_should_include_custom_fields_errors
|
||||
field = IssueCustomField.find_by_name('Database')
|
||||
|
||||
|
||||
Reference in New Issue
Block a user