| @@ -311,7 +311,6 class Issue < ActiveRecord::Base | |||
|
|
311 | 311 | # Should be called from controllers instead of #attributes= |
|
|
312 | 312 | # attr_accessible is too rough because we still want things like |
|
|
313 | 313 | # Issue.new(:project => foo) to work |
|
|
314 | # TODO: move workflow/permission checks from controllers to here | |
|
|
315 | 314 | def safe_attributes=(attrs, user=User.current) |
|
|
316 | 315 | return unless attrs.is_a?(Hash) |
|
|
317 | 316 | |
| @@ -321,8 +320,10 class Issue < ActiveRecord::Base | |||
|
|
321 | 320 | |
|
|
322 | 321 | # Project and Tracker must be set before since new_statuses_allowed_to depends on it. |
|
|
323 | 322 | if p = attrs.delete('project_id') |
|
|
323 | if allowed_target_projects(user).collect(&:id).include?(p.to_i) | |
|
|
324 | 324 | self.project_id = p |
|
|
325 | 325 | end |
|
|
326 | end | |
|
|
326 | 327 | |
|
|
327 | 328 | if t = attrs.delete('tracker_id') |
|
|
328 | 329 | self.tracker_id = t |
| @@ -769,7 +770,16 class Issue < ActiveRecord::Base | |||
|
|
769 | 770 | end |
|
|
770 | 771 | # End ReportsController extraction |
|
|
771 | 772 | |
|
|
772 |
# Returns an array of projects that |
|
|
|
773 | # Returns an array of projects that user can assign the issue to | |
|
|
774 | def allowed_target_projects(user=User.current) | |
|
|
775 | if new_record? | |
|
|
776 | Project.all(:conditions => Project.allowed_to_condition(user, :add_issues)) | |
|
|
777 | else | |
|
|
778 | self.class.allowed_target_projects_on_move(user) | |
|
|
779 | end | |
|
|
780 | end | |
|
|
781 | ||
|
|
782 | # Returns an array of projects that user can move issues to | |
|
|
773 | 783 | def self.allowed_target_projects_on_move(user=User.current) |
|
|
774 | 784 | projects = [] |
|
|
775 | 785 | if user.admin? |
| @@ -8,7 +8,7 | |||
|
|
8 | 8 | <% end %> |
|
|
9 | 9 | |
|
|
10 | 10 | <% if @issue.safe_attribute? 'project_id' %> |
|
|
11 |
<p><%= f.select :project_id, project_tree_options_for_select( |
|
|
|
11 | <p><%= f.select :project_id, project_tree_options_for_select(@issue.allowed_target_projects, :selected => @issue.project), :required => true %></p> | |
|
|
12 | 12 | <%= observe_field :issue_project_id, :url => project_issue_form_path(@project, :id => @issue, :project_change => '1'), |
|
|
13 | 13 | :with => "Form.serialize('issue-form')" %> |
|
|
14 | 14 | <% end %> |
| @@ -1630,6 +1630,18 class IssuesControllerTest < ActionController::TestCase | |||
|
|
1630 | 1630 | assert_tag 'input', :attributes => {:name => 'copy_from', :value => '1'} |
|
|
1631 | 1631 | end |
|
|
1632 | 1632 | |
|
|
1633 | def test_create_as_copy_on_project_without_permission_should_ignore_target_project | |
|
|
1634 | @request.session[:user_id] = 2 | |
|
|
1635 | assert !User.find(2).member_of?(Project.find(4)) | |
|
|
1636 | ||
|
|
1637 | assert_difference 'Issue.count' do | |
|
|
1638 | post :create, :project_id => 1, :copy_from => 1, | |
|
|
1639 | :issue => {:project_id => '4', :tracker_id => '3', :status_id => '1', :subject => 'Copy'} | |
|
|
1640 | end | |
|
|
1641 | issue = Issue.first(:order => 'id DESC') | |
|
|
1642 | assert_equal 1, issue.project_id | |
|
|
1643 | end | |
|
|
1644 | ||
|
|
1633 | 1645 | def test_get_edit |
|
|
1634 | 1646 | @request.session[:user_id] = 2 |
|
|
1635 | 1647 | get :edit, :id => 1 |
General Comments 0
You need to be logged in to leave comments.
Login now