Fixed: users should not be able to add relations with issues they're not allowed to view (#2589)....
Jean-Philippe Lang -
r2321:10994e902779
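--- a/issue_relations_controller.rb
+++ b/issue_relations_controller.rb
@@ -1,58 +1,61 @@
 # redMine - project management software
 # Copyright (C) 2006-2007 Jean-Philippe Lang
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
 # as published by the Free Software Foundation; either version 2
 # of the License, or (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 
 class IssueRelationsController < ApplicationController
   before_filter :find_project, :authorize
 
   def new
     @relation = IssueRelation.new(params[:relation])
     @relation.issue_from = @issue
+    if params[:relation] && !params[:relation][:issue_to_id].blank?
+      @relation.issue_to = Issue.visible.find_by_id(params[:relation][:issue_to_id])
+    end
     @relation.save if request.post?
     respond_to do |format|
       format.html { redirect_to :controller => 'issues', :action => 'show', :id => @issue }
       format.js do
         render :update do |page|
           page.replace_html "relations", :partial => 'issues/relations'
           if @relation.errors.empty?
             page << "$('relation_delay').value = ''"
             page << "$('relation_issue_to_id').value = ''"
           end
         end
       end
     end
   end
 
   def destroy
     relation = IssueRelation.find(params[:id])
     if request.post? && @issue.relations.include?(relation)
       relation.destroy
       @issue.reload
     end
     respond_to do |format|
       format.html { redirect_to :controller => 'issues', :action => 'show', :id => @issue }
       format.js { render(:update) {|page| page.replace_html "relations", :partial => 'issues/relations'} }
     end
   end
 
 private
   def find_project
     @issue = Issue.find(params[:issue_id])
     @project = @issue.project
   rescue ActiveRecord::RecordNotFound
     render_404
   end
 end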
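Review bot: The visibility check is enforced only here in `new`, so any other path that builds an IssueRelation (the model itself, a future API or mail-handler entry point) gets no protection, and that deserves a comment above the added `if`: `# issue_to is resolved through Issue.visible so a user cannot link an issue they may not see; the model does not enforce this`. `Issue.visible` is called with no argument, while the new test calls `Issue.visible(User.find(3))`, which suggests the scope defaults to `User.current`; worth confirming that the current user is set by the time `new` runs. When the lookup returns nil the relation fails the presence validation on `issue_to`, which gives the same result for an invisible and a nonexistent id and so does not disclose existence — a one-line comment saying that is intentional would keep a later maintainer from "improving" it.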
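--- a/issue_relation.rb
+++ b/issue_relation.rb
@@ -1,79 +1,81 @@
 # redMine - project management software
 # Copyright (C) 2006-2007 Jean-Philippe Lang
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
 # as published by the Free Software Foundation; either version 2
 # of the License, or (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 
 class IssueRelation < ActiveRecord::Base
   belongs_to :issue_from, :class_name => 'Issue', :foreign_key => 'issue_from_id'
   belongs_to :issue_to, :class_name => 'Issue', :foreign_key => 'issue_to_id'
 
   TYPE_RELATES = "relates"
   TYPE_DUPLICATES = "duplicates"
   TYPE_BLOCKS = "blocks"
   TYPE_PRECEDES = "precedes"
 
   TYPES = { TYPE_RELATES => { :name => :label_relates_to, :sym_name => :label_relates_to, :order => 1 },
             TYPE_DUPLICATES => { :name => :label_duplicates, :sym_name => :label_duplicated_by, :order => 2 },
             TYPE_BLOCKS => { :name => :label_blocks, :sym_name => :label_blocked_by, :order => 3 },
             TYPE_PRECEDES => { :name => :label_precedes, :sym_name => :label_follows, :order => 4 },
           }.freeze
 
   validates_presence_of :issue_from, :issue_to, :relation_type
   validates_inclusion_of :relation_type, :in => TYPES.keys
   validates_numericality_of :delay, :allow_nil => true
   validates_uniqueness_of :issue_to_id, :scope => :issue_from_id
 
+  attr_protected :issue_from_id, :issue_to_id
+
   def validate
     if issue_from && issue_to
       errors.add :issue_to_id, :activerecord_error_invalid if issue_from_id == issue_to_id
       errors.add :issue_to_id, :activerecord_error_not_same_project unless issue_from.project_id == issue_to.project_id || Setting.cross_project_issue_relations?
       errors.add_to_base :activerecord_error_circular_dependency if issue_to.all_dependent_issues.include? issue_from
     end
   end
 
   def other_issue(issue)
     (self.issue_from_id == issue.id) ? issue_to : issue_from
   end
 
   def label_for(issue)
     TYPES[relation_type] ? TYPES[relation_type][(self.issue_from_id == issue.id) ? :name : :sym_name] : :unknow
   end
 
   def before_save
     if TYPE_PRECEDES == relation_type
       self.delay ||= 0
     else
       self.delay = nil
     end
     set_issue_to_dates
   end
 
   def set_issue_to_dates
     soonest_start = self.successor_soonest_start
     if soonest_start && (!issue_to.start_date || issue_to.start_date < soonest_start)
       issue_to.start_date, issue_to.due_date = successor_soonest_start, successor_soonest_start + issue_to.duration
       issue_to.save
     end
   end
 
   def successor_soonest_start
     return nil unless (TYPE_PRECEDES == self.relation_type) && (issue_from.start_date || issue_from.due_date)
     (issue_from.due_date || issue_from.start_date) + 1 + delay
   end
 
   def <=>(relation)
     TYPES[self.relation_type][:order] <=> TYPES[relation.relation_type][:order]
   end
 end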
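Review bot: `attr_protected :issue_from_id, :issue_to_id` is a denylist, so `relation_type` and `delay` remain mass-assignable today (intended) and any column added later is mass-assignable by default; the allowlist form `attr_accessible :relation_type, :delay` gives the same behaviour now and fails safe for future columns. The new line also deserves a why-comment, e.g. `# issue_from/issue_to are set by the controller after a visibility check, never from params`, since nothing in the model otherwise explains the restriction. Outside the changed lines, `set_issue_to_dates` writes `issue_to.start_date`/`due_date` and saves that issue, so with cross-project relations enabled a user who can only view the target issue can still move its dates through a `precedes` relation; the visibility check in this commit does not cover that and it may merit a follow-up.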
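--- a/issue_relations_controller_test.rb
+++ b/issue_relations_controller_test.rb
@@ -1,22 +1,58 @@
 require File.dirname(__FILE__) + '/../test_helper'
 require 'issue_relations_controller'
 
 # Re-raise errors caught by the controller.
 class IssueRelationsController; def rescue_action(e) raise e end; end
 
 
 class IssueRelationsControllerTest < Test::Unit::TestCase
+  fixtures :projects,
+           :users,
+           :roles,
+           :members,
+           :issues,
+           :issue_statuses,
+           :enabled_modules,
+           :enumerations,
+           :trackers
+
+  def setup
+    @controller = IssueRelationsController.new
+    @request = ActionController::TestRequest.new
+    @response = ActionController::TestResponse.new
+    User.current = nil
+  end
+
   def test_new_routing
     assert_routing(
       {:method => :post, :path => '/issues/1/relations'},
       {:controller => 'issue_relations', :action => 'new', :issue_id => '1'}
     )
   end
 
   def test_destroy_routing
     assert_recognizes( #TODO: use DELETE on issue URI
       {:controller => 'issue_relations', :action => 'destroy', :issue_id => '1', :id => '23'},
       {:method => :post, :path => '/issues/1/relations/23/destroy'}
     )
   end
+
+  def test_new
+    assert_difference 'IssueRelation.count' do
+      @request.session[:user_id] = 3
+      post :new, :issue_id => 1,
+                 :relation => {:issue_to_id => '2', :relation_type => 'relates', :delay => ''}
+    end
+  end
+
+  def test_should_create_relations_with_visible_issues_only
+    Setting.cross_project_issue_relations = '1'
+    assert_nil Issue.visible(User.find(3)).find_by_id(4)
+
+    assert_no_difference 'IssueRelation.count' do
+      @request.session[:user_id] = 3
+      post :new, :issue_id => 1,
+                 :relation => {:issue_to_id => '4', :relation_type => 'relates', :delay => ''}
+    end
+  end
 end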
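Review bot: `test_should_create_relations_with_visible_issues_only` sets `Setting.cross_project_issue_relations = '1'` and never restores it, so the setting leaks into every later test in the same process and can mask or cause failures elsewhere; capture it in `setup` with `@cross_project = Setting.cross_project_issue_relations` and restore it in `def teardown; Setting.cross_project_issue_relations = @cross_project; end`. The negative test proves no row was written but not why, so it would also pass if the POST were rejected for an unrelated reason; asserting the validation error, presumably `assert assigns(:relation).errors.on(:issue_to)`, pins the intended behaviour. Likewise `test_new` could check that the created relation points at issue 2 rather than only that the count grew.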