respond with nothing when the content type is not html and the query params are invalid (#8883, #6317)....
Toshi MARUYAMA -
r6904:3504fd038c1f
@@ -1,340 +1,341
1 1 # Redmine - project management software
2 2 # Copyright (C) 2006-2011 Jean-Philippe Lang
3 3 #
4 4 # This program is free software; you can redistribute it and/or
5 5 # modify it under the terms of the GNU General Public License
6 6 # as published by the Free Software Foundation; either version 2
7 7 # of the License, or (at your option) any later version.
8 8 #
9 9 # This program is distributed in the hope that it will be useful,
10 10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 12 # GNU General Public License for more details.
13 13 #
14 14 # You should have received a copy of the GNU General Public License
15 15 # along with this program; if not, write to the Free Software
16 16 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
17 17
18 18 class IssuesController < ApplicationController
19 19 menu_item :new_issue, :only => [:new, :create]
20 20 default_search_scope :issues
21 21
22 22 before_filter :find_issue, :only => [:show, :edit, :update]
23 23 before_filter :find_issues, :only => [:bulk_edit, :bulk_update, :move, :perform_move, :destroy]
24 24 before_filter :check_project_uniqueness, :only => [:move, :perform_move]
25 25 before_filter :find_project, :only => [:new, :create]
26 26 before_filter :authorize, :except => [:index]
27 27 before_filter :find_optional_project, :only => [:index]
28 28 before_filter :check_for_default_issue_status, :only => [:new, :create]
29 29 before_filter :build_new_issue_from_params, :only => [:new, :create]
30 30 accept_rss_auth :index, :show
31 31 accept_api_auth :index, :show, :create, :update, :destroy
32 32
33 33 rescue_from Query::StatementInvalid, :with => :query_statement_invalid
34 34
35 35 helper :journals
36 36 helper :projects
37 37 include ProjectsHelper
38 38 helper :custom_fields
39 39 include CustomFieldsHelper
40 40 helper :issue_relations
41 41 include IssueRelationsHelper
42 42 helper :watchers
43 43 include WatchersHelper
44 44 helper :attachments
45 45 include AttachmentsHelper
46 46 helper :queries
47 47 include QueriesHelper
48 48 helper :repositories
49 49 include RepositoriesHelper
50 50 helper :sort
51 51 include SortHelper
52 52 include IssuesHelper
53 53 helper :timelog
54 54 helper :gantt
55 55 include Redmine::Export::PDF
56 56
57 57 verify :method => [:post, :delete],
58 58 :only => :destroy,
59 59 :render => { :nothing => true, :status => :method_not_allowed }
60 60
61 61 verify :method => :post, :only => :create, :render => {:nothing => true, :status => :method_not_allowed }
62 62 verify :method => :post, :only => :bulk_update, :render => {:nothing => true, :status => :method_not_allowed }
63 63 verify :method => :put, :only => :update, :render => {:nothing => true, :status => :method_not_allowed }
64 64
65 65 def index
66 66 retrieve_query
67 67 sort_init(@query.sort_criteria.empty? ? [['id', 'desc']] : @query.sort_criteria)
68 68 sort_update(@query.sortable_columns)
69 69
70 70 if @query.valid?
71 71 case params[:format]
72 72 when 'csv', 'pdf'
73 73 @limit = Setting.issues_export_limit.to_i
74 74 when 'atom'
75 75 @limit = Setting.feeds_limit.to_i
76 76 when 'xml', 'json'
77 77 @offset, @limit = api_offset_and_limit
78 78 else
79 79 @limit = per_page_option
80 80 end
81 81
82 82 @issue_count = @query.issue_count
83 83 @issue_pages = Paginator.new self, @issue_count, @limit, params['page']
84 84 @offset ||= @issue_pages.current.offset
85 85 @issues = @query.issues(:include => [:assigned_to, :tracker, :priority, :category, :fixed_version],
86 86 :order => sort_clause,
87 87 :offset => @offset,
88 88 :limit => @limit)
89 89 @issue_count_by_group = @query.issue_count_by_group
90 90
91 91 respond_to do |format|
92 92 format.html { render :template => 'issues/index', :layout => !request.xhr? }
93 93 format.api {
94 94 Issue.load_relations(@issues) if include_in_api_response?('relations')
95 95 }
96 96 format.atom { render_feed(@issues, :title => "#{@project || Setting.app_title}: #{l(:label_issue_plural)}") }
97 97 format.csv { send_data(issues_to_csv(@issues, @project), :type => 'text/csv; header=present', :filename => 'export.csv') }
98 98 format.pdf { send_data(issues_to_pdf(@issues, @project, @query), :type => 'application/pdf', :filename => 'export.pdf') }
99 99 end
100 100 else
101 101 respond_to do |format|
102 format.any(:html, :atom, :csv, :pdf) { render(:template => 'issues/index', :layout => !request.xhr?) }
102 format.html { render(:template => 'issues/index', :layout => !request.xhr?) }
103 format.any(:atom, :csv, :pdf) { render(:nothing => true) }
103 104 format.api { render_validation_errors(@query) }
104 105 end
105 106 end
106 107 rescue ActiveRecord::RecordNotFound
107 108 render_404
108 109 end
109 110
110 111 def show
111 112 @journals = @issue.journals.find(:all, :include => [:user, :details], :order => "#{Journal.table_name}.created_on ASC")
112 113 @journals.each_with_index {|j,i| j.indice = i+1}
113 114 @journals.reverse! if User.current.wants_comments_in_reverse_order?
114 115
115 116 if User.current.allowed_to?(:view_changesets, @project)
116 117 @changesets = @issue.changesets.visible.all
117 118 @changesets.reverse! if User.current.wants_comments_in_reverse_order?
118 119 end
119 120
120 121 @relations = @issue.relations.select {|r| r.other_issue(@issue) && r.other_issue(@issue).visible? }
121 122 @allowed_statuses = @issue.new_statuses_allowed_to(User.current)
122 123 @edit_allowed = User.current.allowed_to?(:edit_issues, @project)
123 124 @priorities = IssuePriority.active
124 125 @time_entry = TimeEntry.new(:issue => @issue, :project => @issue.project)
125 126 respond_to do |format|
126 127 format.html { render :template => 'issues/show' }
127 128 format.api
128 129 format.atom { render :template => 'journals/index', :layout => false, :content_type => 'application/atom+xml' }
129 130 format.pdf { send_data(issue_to_pdf(@issue), :type => 'application/pdf', :filename => "#{@project.identifier}-#{@issue.id}.pdf") }
130 131 end
131 132 end
132 133
133 134 # Add a new issue
134 135 # The new issue will be created from an existing one if copy_from parameter is given
135 136 def new
136 137 respond_to do |format|
137 138 format.html { render :action => 'new', :layout => !request.xhr? }
138 139 format.js { render :partial => 'attributes' }
139 140 end
140 141 end
141 142
142 143 def create
143 144 call_hook(:controller_issues_new_before_save, { :params => params, :issue => @issue })
144 145 if @issue.save
145 146 attachments = Attachment.attach_files(@issue, params[:attachments])
146 147 call_hook(:controller_issues_new_after_save, { :params => params, :issue => @issue})
147 148 respond_to do |format|
148 149 format.html {
149 150 render_attachment_warning_if_needed(@issue)
150 151 flash[:notice] = l(:notice_issue_successful_create, :id => "<a href='#{issue_path(@issue)}'>##{@issue.id}</a>")
151 152 redirect_to(params[:continue] ? { :action => 'new', :project_id => @project, :issue => {:tracker_id => @issue.tracker, :parent_issue_id => @issue.parent_issue_id}.reject {|k,v| v.nil?} } :
152 153 { :action => 'show', :id => @issue })
153 154 }
154 155 format.api { render :action => 'show', :status => :created, :location => issue_url(@issue) }
155 156 end
156 157 return
157 158 else
158 159 respond_to do |format|
159 160 format.html { render :action => 'new' }
160 161 format.api { render_validation_errors(@issue) }
161 162 end
162 163 end
163 164 end
164 165
165 166 def edit
166 167 update_issue_from_params
167 168
168 169 @journal = @issue.current_journal
169 170
170 171 respond_to do |format|
171 172 format.html { }
172 173 format.xml { }
173 174 end
174 175 end
175 176
176 177 def update
177 178 update_issue_from_params
178 179
179 180 if @issue.save_issue_with_child_records(params, @time_entry)
180 181 render_attachment_warning_if_needed(@issue)
181 182 flash[:notice] = l(:notice_successful_update) unless @issue.current_journal.new_record?
182 183
183 184 respond_to do |format|
184 185 format.html { redirect_back_or_default({:action => 'show', :id => @issue}) }
185 186 format.api { head :ok }
186 187 end
187 188 else
188 189 render_attachment_warning_if_needed(@issue)
189 190 flash[:notice] = l(:notice_successful_update) unless @issue.current_journal.new_record?
190 191 @journal = @issue.current_journal
191 192
192 193 respond_to do |format|
193 194 format.html { render :action => 'edit' }
194 195 format.api { render_validation_errors(@issue) }
195 196 end
196 197 end
197 198 end
198 199
199 200 # Bulk edit a set of issues
200 201 def bulk_edit
201 202 @issues.sort!
202 203 @available_statuses = @projects.map{|p|Workflow.available_statuses(p)}.inject{|memo,w|memo & w}
203 204 @custom_fields = @projects.map{|p|p.all_issue_custom_fields}.inject{|memo,c|memo & c}
204 205 @assignables = @projects.map(&:assignable_users).inject{|memo,a| memo & a}
205 206 @trackers = @projects.map(&:trackers).inject{|memo,t| memo & t}
206 207 end
207 208
208 209 def bulk_update
209 210 @issues.sort!
210 211 attributes = parse_params_for_bulk_issue_attributes(params)
211 212
212 213 unsaved_issue_ids = []
213 214 @issues.each do |issue|
214 215 issue.reload
215 216 journal = issue.init_journal(User.current, params[:notes])
216 217 issue.safe_attributes = attributes
217 218 call_hook(:controller_issues_bulk_edit_before_save, { :params => params, :issue => issue })
218 219 unless issue.save
219 220 # Keep unsaved issue ids to display them in flash error
220 221 unsaved_issue_ids << issue.id
221 222 end
222 223 end
223 224 set_flash_from_bulk_issue_save(@issues, unsaved_issue_ids)
224 225 redirect_back_or_default({:controller => 'issues', :action => 'index', :project_id => @project})
225 226 end
226 227
227 228 def destroy
228 229 @hours = TimeEntry.sum(:hours, :conditions => ['issue_id IN (?)', @issues]).to_f
229 230 if @hours > 0
230 231 case params[:todo]
231 232 when 'destroy'
232 233 # nothing to do
233 234 when 'nullify'
234 235 TimeEntry.update_all('issue_id = NULL', ['issue_id IN (?)', @issues])
235 236 when 'reassign'
236 237 reassign_to = @project.issues.find_by_id(params[:reassign_to_id])
237 238 if reassign_to.nil?
238 239 flash.now[:error] = l(:error_issue_not_found_in_project)
239 240 return
240 241 else
241 242 TimeEntry.update_all("issue_id = #{reassign_to.id}", ['issue_id IN (?)', @issues])
242 243 end
243 244 else
244 245 # display the destroy form if it's a user request
245 246 return unless api_request?
246 247 end
247 248 end
248 249 @issues.each do |issue|
249 250 begin
250 251 issue.reload.destroy
251 252 rescue ::ActiveRecord::RecordNotFound # raised by #reload if issue no longer exists
252 253 # nothing to do, issue was already deleted (eg. by a parent)
253 254 end
254 255 end
255 256 respond_to do |format|
256 257 format.html { redirect_back_or_default(:action => 'index', :project_id => @project) }
257 258 format.api { head :ok }
258 259 end
259 260 end
260 261
261 262 private
262 263 def find_issue
263 264 # Issue.visible.find(...) can not be used to redirect user to the login form
264 265 # if the issue actually exists but requires authentication
265 266 @issue = Issue.find(params[:id], :include => [:project, :tracker, :status, :author, :priority, :category])
266 267 unless @issue.visible?
267 268 deny_access
268 269 return
269 270 end
270 271 @project = @issue.project
271 272 rescue ActiveRecord::RecordNotFound
272 273 render_404
273 274 end
274 275
275 276 def find_project
276 277 project_id = (params[:issue] && params[:issue][:project_id]) || params[:project_id]
277 278 @project = Project.find(project_id)
278 279 rescue ActiveRecord::RecordNotFound
279 280 render_404
280 281 end
281 282
282 283 # Used by #edit and #update to set some common instance variables
283 284 # from the params
284 285 # TODO: Refactor, not everything in here is needed by #edit
285 286 def update_issue_from_params
286 287 @allowed_statuses = @issue.new_statuses_allowed_to(User.current)
287 288 @priorities = IssuePriority.active
288 289 @edit_allowed = User.current.allowed_to?(:edit_issues, @project)
289 290 @time_entry = TimeEntry.new(:issue => @issue, :project => @issue.project)
290 291 @time_entry.attributes = params[:time_entry]
291 292
292 293 @notes = params[:notes] || (params[:issue].present? ? params[:issue][:notes] : nil)
293 294 @issue.init_journal(User.current, @notes)
294 295 @issue.safe_attributes = params[:issue]
295 296 end
296 297
297 298 # TODO: Refactor, lots of extra code in here
298 299 # TODO: Changing tracker on an existing issue should not trigger this
299 300 def build_new_issue_from_params
300 301 if params[:id].blank?
301 302 @issue = Issue.new
302 303 @issue.copy_from(params[:copy_from]) if params[:copy_from]
303 304 @issue.project = @project
304 305 else
305 306 @issue = @project.issues.visible.find(params[:id])
306 307 end
307 308
308 309 @issue.project = @project
309 310 @issue.author = User.current
310 311 # Tracker must be set before custom field values
311 312 @issue.tracker ||= @project.trackers.find((params[:issue] && params[:issue][:tracker_id]) || params[:tracker_id] || :first)
312 313 if @issue.tracker.nil?
313 314 render_error l(:error_no_tracker_in_project)
314 315 return false
315 316 end
316 317 @issue.start_date ||= Date.today
317 318 if params[:issue].is_a?(Hash)
318 319 @issue.safe_attributes = params[:issue]
319 320 if User.current.allowed_to?(:add_issue_watchers, @project) && @issue.new_record?
320 321 @issue.watcher_user_ids = params[:issue]['watcher_user_ids']
321 322 end
322 323 end
323 324 @priorities = IssuePriority.active
324 325 @allowed_statuses = @issue.new_statuses_allowed_to(User.current, true)
325 326 end
326 327
327 328 def check_for_default_issue_status
328 329 if IssueStatus.default.nil?
329 330 render_error l(:error_no_default_issue_status)
330 331 return false
331 332 end
332 333 end
333 334
334 335 def parse_params_for_bulk_issue_attributes(params)
335 336 attributes = (params[:issue] || {}).reject {|k,v| v.blank?}
336 337 attributes.keys.each {|k| attributes[k] = '' if attributes[k] == 'none'}
337 338 attributes[:custom_field_values].reject! {|k,v| v.blank?} if attributes[:custom_field_values]
338 339 attributes
339 340 end
340 341 end
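Review bot: The new `format.any(:atom, :csv, :pdf) { render(:nothing => true) }` branch in the invalid-query `else` of #index answers a rejected query with an empty 200 body, so a feed reader or export client cannot tell a rejected query apart from a legitimately empty feed or export. The `format.api` branch right below reports the problem through render_validation_errors, which presumably carries an error status, while the non-HTML formats now signal nothing; they should at least carry a failure status, e.g. `format.any(:atom, :csv, :pdf) { render(:nothing => true, :status => :unprocessable_entity) }`, using the same symbolic status style as the `verify` declarations at the top of the class. A short comment above that branch, such as `# invalid query: html re-renders the form with its errors, other non-api formats get an empty response instead of the html template`, would also tell the next reader why this `respond_to` differs from the valid-query one above it.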