Fixed: users should not be able to add relations with issues they're not allowed to view (#2589)....
Jean-Philippe Lang -
r2321:10994e902779
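--- a/[dir-not-shown]/issue_relations_controller.rb
+++ b/[dir-not-shown]/issue_relations_controller.rb
@@ -1,58 +1,61 @@
 # redMine - project management software
 # Copyright (C) 2006-2007 Jean-Philippe Lang
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
 # as published by the Free Software Foundation; either version 2
 # of the License, or (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 
 class IssueRelationsController < ApplicationController
 before_filter :find_project, :authorize
 
 def new
 @relation = IssueRelation.new(params[:relation])
 @relation.issue_from = @issue
+if params[:relation] && !params[:relation][:issue_to_id].blank?
+@relation.issue_to = Issue.visible.find_by_id(params[:relation][:issue_to_id])
+end
 @relation.save if request.post?
 respond_to do |format|
 format.html { redirect_to :controller => 'issues', :action => 'show', :id => @issue }
 format.js do
 render :update do |page|
 page.replace_html "relations", :partial => 'issues/relations'
 if @relation.errors.empty?
 page << "$('relation_delay').value = ''"
 page << "$('relation_issue_to_id').value = ''"
 end
 end
 end
 end
 end
 
 def destroy
 relation = IssueRelation.find(params[:id])
 if request.post? && @issue.relations.include?(relation)
 relation.destroy
 @issue.reload
 end
 respond_to do |format|
 format.html { redirect_to :controller => 'issues', :action => 'show', :id => @issue }
 format.js { render(:update) {|page| page.replace_html "relations", :partial => 'issues/relations'} }
 end
 end
 
 private
 def find_project
 @issue = Issue.find(params[:issue_id])
 @project = @issue.project
 rescue ActiveRecord::RecordNotFound
 render_404
 end
 end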
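Review bot: The new lookup in `new` leaves `@relation.issue_to` nil whenever the posted id is unknown or not visible, so the rejection surfaces only as the model's presence validation on `issue_to`, and nothing on the line says why `Issue.visible` is used instead of a plain find. A comment above the added `if params[:relation] && ...` line such as `# Only issues visible to the current user may be targeted (#2589); an invisible or unknown id leaves issue_to nil and fails presence validation` would keep the intent readable. Note that the visibility check lives only in this controller — `IssueRelation#validate` does not re-check it — so any other code path that builds a relation has to repeat it; it also appears that `Issue.visible` defaults to the current user, since the test calls it with an explicit user, which is worth confirming.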
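--- a/[dir-not-shown]/issue_relation.rb
+++ b/[dir-not-shown]/issue_relation.rb
@@ -1,79 +1,81 @@
 # redMine - project management software
 # Copyright (C) 2006-2007 Jean-Philippe Lang
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
 # as published by the Free Software Foundation; either version 2
 # of the License, or (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 
 class IssueRelation < ActiveRecord::Base
 belongs_to :issue_from, :class_name => 'Issue', :foreign_key => 'issue_from_id'
 belongs_to :issue_to, :class_name => 'Issue', :foreign_key => 'issue_to_id'
 
 TYPE_RELATES = "relates"
 TYPE_DUPLICATES = "duplicates"
 TYPE_BLOCKS = "blocks"
 TYPE_PRECEDES = "precedes"
 
 TYPES = { TYPE_RELATES => { :name => :label_relates_to, :sym_name => :label_relates_to, :order => 1 },
 TYPE_DUPLICATES => { :name => :label_duplicates, :sym_name => :label_duplicated_by, :order => 2 },
 TYPE_BLOCKS => { :name => :label_blocks, :sym_name => :label_blocked_by, :order => 3 },
 TYPE_PRECEDES => { :name => :label_precedes, :sym_name => :label_follows, :order => 4 },
 }.freeze
 
 validates_presence_of :issue_from, :issue_to, :relation_type
 validates_inclusion_of :relation_type, :in => TYPES.keys
 validates_numericality_of :delay, :allow_nil => true
 validates_uniqueness_of :issue_to_id, :scope => :issue_from_id
 
+attr_protected :issue_from_id, :issue_to_id
+
 def validate
 if issue_from && issue_to
 errors.add :issue_to_id, :activerecord_error_invalid if issue_from_id == issue_to_id
 errors.add :issue_to_id, :activerecord_error_not_same_project unless issue_from.project_id == issue_to.project_id || Setting.cross_project_issue_relations?
 errors.add_to_base :activerecord_error_circular_dependency if issue_to.all_dependent_issues.include? issue_from
 end
 end
 
 def other_issue(issue)
 (self.issue_from_id == issue.id) ? issue_to : issue_from
 end
 
 def label_for(issue)
 TYPES[relation_type] ? TYPES[relation_type][(self.issue_from_id == issue.id) ? :name : :sym_name] : :unknow
 end
 
 def before_save
 if TYPE_PRECEDES == relation_type
 self.delay ||= 0
 else
 self.delay = nil
 end
 set_issue_to_dates
 end
 
 def set_issue_to_dates
 soonest_start = self.successor_soonest_start
 if soonest_start && (!issue_to.start_date || issue_to.start_date < soonest_start)
 issue_to.start_date, issue_to.due_date = successor_soonest_start, successor_soonest_start + issue_to.duration
 issue_to.save
 end
 end
 
 def successor_soonest_start
 return nil unless (TYPE_PRECEDES == self.relation_type) && (issue_from.start_date || issue_from.due_date)
 (issue_from.due_date || issue_from.start_date) + 1 + delay
 end
 
 def <=>(relation)
 TYPES[self.relation_type][:order] <=> TYPES[relation.relation_type][:order]
 end
 end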
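Review bot: `attr_protected :issue_from_id, :issue_to_id` is a deny-list, so every other column of the table — and any column added later — stays mass-assignable through `IssueRelation.new(params[:relation])` in the controller. Since the form only carries `relation_type`, `delay` and `issue_to_id` (the values the new tests post), the allow-list `attr_accessible :relation_type, :delay` expresses the same guard as default-deny and does not regress silently when the schema grows. Whichever form is kept, a comment on the line tying it to its reason, e.g. `# issue ids are assigned by the controller after a visibility check (#2589), never from params`, would stop a later maintainer from "simplifying" it away.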
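--- a/[dir-not-shown]/issue_relations_controller_test.rb
+++ b/[dir-not-shown]/issue_relations_controller_test.rb
@@ -1,22 +1,58 @@
 require File.dirname(__FILE__) + '/../test_helper'
 require 'issue_relations_controller'
 
 # Re-raise errors caught by the controller.
 class IssueRelationsController; def rescue_action(e) raise e end; end
 
 
 class IssueRelationsControllerTest < Test::Unit::TestCase
+fixtures :projects,
+:users,
+:roles,
+:members,
+:issues,
+:issue_statuses,
+:enabled_modules,
+:enumerations,
+:trackers
+
+def setup
+@controller = IssueRelationsController.new
+@request = ActionController::TestRequest.new
+@response = ActionController::TestResponse.new
+User.current = nil
+end
+
 def test_new_routing
 assert_routing(
 {:method => :post, :path => '/issues/1/relations'},
 {:controller => 'issue_relations', :action => 'new', :issue_id => '1'}
 )
 end
 
 def test_destroy_routing
 assert_recognizes( #TODO: use DELETE on issue URI
 {:controller => 'issue_relations', :action => 'destroy', :issue_id => '1', :id => '23'},
 {:method => :post, :path => '/issues/1/relations/23/destroy'}
 )
 end
+
+def test_new
+assert_difference 'IssueRelation.count' do
+@request.session[:user_id] = 3
+post :new, :issue_id => 1,
+:relation => {:issue_to_id => '2', :relation_type => 'relates', :delay => ''}
+end
+end
+
+def test_should_create_relations_with_visible_issues_only
+Setting.cross_project_issue_relations = '1'
+assert_nil Issue.visible(User.find(3)).find_by_id(4)
+
+assert_no_difference 'IssueRelation.count' do
+@request.session[:user_id] = 3
+post :new, :issue_id => 1,
+:relation => {:issue_to_id => '4', :relation_type => 'relates', :delay => ''}
+end
+end
 end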
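Review bot: `test_should_create_relations_with_visible_issues_only` assigns `Setting.cross_project_issue_relations = '1'` and never restores it, so if that setting is persisted rather than stubbed (the assignment form suggests it is) the value leaks into every test that runs afterwards. Wrapping the body in `begin ... ensure Setting.cross_project_issue_relations = <previous value> end`, or resetting it in a `teardown`, keeps the test self-contained. The test also proves only that no row was written; adding `assert !assigns(:relation).errors.empty?` after the post would distinguish a validation rejection from a silent no-op.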