jro_apps/redmine Commit - r4378:a4d7a99c22d9

Declare safe attributes for User and Projects models....

Jean-Philippe Lang -

r4378:a4d7a99c22d9

parent child

Context file:

r4378:a4d7a99c22d9

Collapse all files

app/controllers/my_controller.rb +1 -1

             # Redmine - project management software
             # Copyright (C) 2006-2009  Jean-Philippe Lang
             #
             # This program is free software; you can redistribute it and/or
             # modify it under the terms of the GNU General Public License
             # as published by the Free Software Foundation; either version 2
             # of the License, or (at your option) any later version.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU General Public License
             # along with this program; if not, write to the Free Software
             # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
             class MyController < ApplicationController
               before_filter :require_login
               helper :issues
               helper :custom_fields
               BLOCKS = { 'issuesassignedtome' => :label_assigned_to_me_issues,
                          'issuesreportedbyme' => :label_reported_issues,
                          'issueswatched' => :label_watched_issues,
                          'news' => :label_news_latest,
                          'calendar' => :label_calendar,
                          'documents' => :label_document_plural,
                          'timelog' => :label_spent_time
                        }.merge(Redmine::Views::MyPage::Block.additional_blocks).freeze
               DEFAULT_LAYOUT = {  'left' => ['issuesassignedtome'],
                                   'right' => ['issuesreportedbyme']
                                }.freeze
               verify :xhr => true,
                      :only => [:add_block, :remove_block, :order_blocks]
               def index
                 page
                 render :action => 'page'
               end
               # Show user's page
               def page
                 @user = User.current
                 @blocks = @user.pref[:my_page_layout] || DEFAULT_LAYOUT
               end
               # Edit user's account
               def account
                 @user = User.current
                 @pref = @user.pref
                 if request.post?
-                  @user.attributes = params[:user]
+                  @user.safe_attributes = params[:user]
                   @user.mail_notification = params[:notification_option] || 'only_my_events'
                   @user.pref.attributes = params[:pref]
                   @user.pref[:no_self_notified] = (params[:no_self_notified] == '1')
                   if @user.save
                     @user.pref.save
                     @user.notified_project_ids = (params[:notification_option] == 'selected' ? params[:notified_project_ids] : [])
                     set_language_if_valid @user.language
                     flash[:notice] = l(:notice_account_updated)
                     redirect_to :action => 'account'
                     return
                   end
                 end
                 @notification_options = @user.valid_notification_options
                 @notification_option = @user.mail_notification #? ? 'all' : (@user.notified_projects_ids.empty? ? 'none' : 'selected')
               end
               # Manage user's password
               def password
                 @user = User.current
                 unless @user.change_password_allowed?
                   flash[:error] = l(:notice_can_t_change_password)
                   redirect_to :action => 'account'
                   return
                 end
                 if request.post?
                   if @user.check_password?(params[:password])
                     @user.password, @user.password_confirmation = params[:new_password], params[:new_password_confirmation]
                     if @user.save
                       flash[:notice] = l(:notice_account_password_updated)
                       redirect_to :action => 'account'
                     end
                   else
                     flash[:error] = l(:notice_account_wrong_password)
                   end
                 end
               end
               # Create a new feeds key
               def reset_rss_key
                 if request.post?
                   if User.current.rss_token
                     User.current.rss_token.destroy
                     User.current.reload
                   end
                   User.current.rss_key
                   flash[:notice] = l(:notice_feeds_access_key_reseted)
                 end
                 redirect_to :action => 'account'
               end
               # Create a new API key
               def reset_api_key
                 if request.post?
                   if User.current.api_token
                     User.current.api_token.destroy
                     User.current.reload
                   end
                   User.current.api_key
                   flash[:notice] = l(:notice_api_access_key_reseted)
                 end
                 redirect_to :action => 'account'
               end
               # User's page layout configuration
               def page_layout
                 @user = User.current
                 @blocks = @user.pref[:my_page_layout] || DEFAULT_LAYOUT.dup
                 @block_options = []
                 BLOCKS.each {|k, v| @block_options << [l("my.blocks.#{v}", :default => [v, v.to_s.humanize]), k.dasherize]}
               end
               # Add a block to user's page
               # The block is added on top of the page
               # params[:block] : id of the block to add
               def add_block
                 block = params[:block].to_s.underscore
                 (render :nothing => true; return) unless block && (BLOCKS.keys.include? block)
                 @user = User.current
                 layout = @user.pref[:my_page_layout] || {}
                 # remove if already present in a group
                 %w(top left right).each {|f| (layout[f] ||= []).delete block }
                 # add it on top
                 layout['top'].unshift block
                 @user.pref[:my_page_layout] = layout
                 @user.pref.save
                 render :partial => "block", :locals => {:user => @user, :block_name => block}
               end
               # Remove a block to user's page
               # params[:block] : id of the block to remove
               def remove_block
                 block = params[:block].to_s.underscore
                 @user = User.current
                 # remove block in all groups
                 layout = @user.pref[:my_page_layout] || {}
                 %w(top left right).each {|f| (layout[f] ||= []).delete block }
                 @user.pref[:my_page_layout] = layout
                 @user.pref.save
                 render :nothing => true
               end
               # Change blocks order on user's page
               # params[:group] : group to order (top, left or right)
               # params[:list-(top|left|right)] : array of block ids of the group
               def order_blocks
                 group = params[:group]
                 @user = User.current
                 if group.is_a?(String)
                   group_items = (params["list-#{group}"] || []).collect(&:underscore)
                   if group_items and group_items.is_a? Array
                     layout = @user.pref[:my_page_layout] || {}
                     # remove group blocks if they are presents in other groups
                     %w(top left right).each {|f|
                       layout[f] = (layout[f] || []) - group_items
                     }
                     layout[group] = group_items
                     @user.pref[:my_page_layout] = layout
                     @user.pref.save
                   end
                 end
                 render :nothing => true
               end
             end

app/controllers/projects_controller.rb +5 -3

             # Redmine - project management software
             # Copyright (C) 2006-2009  Jean-Philippe Lang
             #
             # This program is free software; you can redistribute it and/or
             # modify it under the terms of the GNU General Public License
             # as published by the Free Software Foundation; either version 2
             # of the License, or (at your option) any later version.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU General Public License
             # along with this program; if not, write to the Free Software
             # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
             class ProjectsController < ApplicationController
               menu_item :overview
               menu_item :roadmap, :only => :roadmap
               menu_item :settings, :only => :settings
               before_filter :find_project, :except => [ :index, :list, :new, :create, :copy ]
               before_filter :authorize, :except => [ :index, :list, :new, :create, :copy, :archive, :unarchive, :destroy]
               before_filter :authorize_global, :only => [:new, :create]
               before_filter :require_admin, :only => [ :copy, :archive, :unarchive, :destroy ]
               accept_key_auth :index, :show, :create, :update, :destroy
               after_filter :only => [:create, :edit, :update, :archive, :unarchive, :destroy] do |controller|
                 if controller.request.post?
                   controller.send :expire_action, :controller => 'welcome', :action => 'robots.txt'
                 end
               end
               # TODO: convert to PUT only
               verify :method => [:post, :put], :only => :update, :render => {:nothing => true, :status => :method_not_allowed }
               helper :sort
               include SortHelper
               helper :custom_fields
               include CustomFieldsHelper
               helper :issues
               helper :queries
               include QueriesHelper
               helper :repositories
               include RepositoriesHelper
               include ProjectsHelper
               # Lists visible projects
               def index
                 respond_to do |format|
                   format.html {
                     @projects = Project.visible.find(:all, :order => 'lft')
                   }
                   format.api  {
                     @projects = Project.visible.find(:all, :order => 'lft')
                   }
                   format.atom {
                     projects = Project.visible.find(:all, :order => 'created_on DESC',
                                                           :limit => Setting.feeds_limit.to_i)
                     render_feed(projects, :title => "#{Setting.app_title}: #{l(:label_project_latest)}")
                   }
                 end
               end
               def new
                 @issue_custom_fields = IssueCustomField.find(:all, :order => "#{CustomField.table_name}.position")
                 @trackers = Tracker.all
                 @project = Project.new(params[:project])
               end
               def create
                 @issue_custom_fields = IssueCustomField.find(:all, :order => "#{CustomField.table_name}.position")
                 @trackers = Tracker.all
-                @project = Project.new(params[:project])
+                @project = Project.new
+                @project.safe_attributes = params[:project]
                 @project.enabled_module_names = params[:enabled_modules] if params[:enabled_modules]
                 if validate_parent_id && @project.save
                   @project.set_allowed_parent!(params[:project]['parent_id']) if params[:project].has_key?('parent_id')
                   # Add current user as a project member if he is not admin
                   unless User.current.admin?
                     r = Role.givable.find_by_id(Setting.new_project_user_role_id.to_i) || Role.givable.first
                     m = Member.new(:user => User.current, :roles => [r])
                     @project.members << m
                   end
                   respond_to do |format|
                     format.html {
                       flash[:notice] = l(:notice_successful_create)
                       redirect_to :controller => 'projects', :action => 'settings', :id => @project
                     }
                     format.api  { render :action => 'show', :status => :created, :location => url_for(:controller => 'projects', :action => 'show', :id => @project.id) }
                   end
                 else
                   respond_to do |format|
                     format.html { render :action => 'new' }
                     format.api  { render_validation_errors(@project) }
                   end
                 end
               end
               def copy
                 @issue_custom_fields = IssueCustomField.find(:all, :order => "#{CustomField.table_name}.position")
                 @trackers = Tracker.all
                 @root_projects = Project.find(:all,
                                               :conditions => "parent_id IS NULL AND status = #{Project::STATUS_ACTIVE}",
                                               :order => 'name')
                 @source_project = Project.find(params[:id])
                 if request.get?
                   @project = Project.copy_from(@source_project)
                   if @project
                     @project.identifier = Project.next_identifier if Setting.sequential_project_identifiers?
                   else
                     redirect_to :controller => 'admin', :action => 'projects'
                   end
                 else
                   Mailer.with_deliveries(params[:notifications] == '1') do
-                    @project = Project.new(params[:project])
+                    @project = Project.new
+                    @project.safe_attributes = params[:project]
                     @project.enabled_module_names = params[:enabled_modules]
                     if validate_parent_id && @project.copy(@source_project, :only => params[:only])
                       @project.set_allowed_parent!(params[:project]['parent_id']) if params[:project].has_key?('parent_id')
                       flash[:notice] = l(:notice_successful_create)
                       redirect_to :controller => 'projects', :action => 'settings'
                     elsif !@project.new_record?
                       # Project was created
                       # But some objects were not copied due to validation failures
                       # (eg. issues from disabled trackers)
                       # TODO: inform about that
                       redirect_to :controller => 'projects', :action => 'settings'
                     end
                   end
                 end
               rescue ActiveRecord::RecordNotFound
                 redirect_to :controller => 'admin', :action => 'projects'
               end
               # Show @project
               def show
                 if params[:jump]
                   # try to redirect to the requested menu item
                   redirect_to_project_menu_item(@project, params[:jump]) && return
                 end
                 @users_by_role = @project.users_by_role
                 @subprojects = @project.children.visible
                 @news = @project.news.find(:all, :limit => 5, :include => [ :author, :project ], :order => "#{News.table_name}.created_on DESC")
                 @trackers = @project.rolled_up_trackers
                 cond = @project.project_condition(Setting.display_subprojects_issues?)
                 @open_issues_by_tracker = Issue.visible.count(:group => :tracker,
                                                         :include => [:project, :status, :tracker],
                                                         :conditions => ["(#{cond}) AND #{IssueStatus.table_name}.is_closed=?", false])
                 @total_issues_by_tracker = Issue.visible.count(:group => :tracker,
                                                         :include => [:project, :status, :tracker],
                                                         :conditions => cond)
                 TimeEntry.visible_by(User.current) do
                   @total_hours = TimeEntry.sum(:hours,
                                                :include => :project,
                                                :conditions => cond).to_f
                 end
                 @key = User.current.rss_key
                 respond_to do |format|
                   format.html
                   format.api
                 end
               end
               def settings
                 @issue_custom_fields = IssueCustomField.find(:all, :order => "#{CustomField.table_name}.position")
                 @issue_category ||= IssueCategory.new
                 @member ||= @project.members.new
                 @trackers = Tracker.all
                 @repository ||= @project.repository
                 @wiki ||= @project.wiki
               end
               def edit
               end
               def update
-                @project.attributes = params[:project]
+                @project.safe_attributes = params[:project]
                 if validate_parent_id && @project.save
                   @project.set_allowed_parent!(params[:project]['parent_id']) if params[:project].has_key?('parent_id')
                   respond_to do |format|
                     format.html {
                       flash[:notice] = l(:notice_successful_update)
                       redirect_to :action => 'settings', :id => @project
                     }
                     format.api  { head :ok }
                   end
                 else
                   respond_to do |format|
                     format.html {
                       settings
                       render :action => 'settings'
                     }
                     format.api  { render_validation_errors(@project) }
                   end
                 end
               end
               def modules
                 @project.enabled_module_names = params[:enabled_modules]
                 flash[:notice] = l(:notice_successful_update)
                 redirect_to :action => 'settings', :id => @project, :tab => 'modules'
               end
               def archive
                 if request.post?
                   unless @project.archive
                     flash[:error] = l(:error_can_not_archive_project)
                   end
                 end
                 redirect_to(url_for(:controller => 'admin', :action => 'projects', :status => params[:status]))
               end
               def unarchive
                 @project.unarchive if request.post? && !@project.active?
                 redirect_to(url_for(:controller => 'admin', :action => 'projects', :status => params[:status]))
               end
               # Delete @project
               def destroy
                 @project_to_destroy = @project
                 if request.get?
                   # display confirmation view
                 else
                   if api_request? || params[:confirm]
                     @project_to_destroy.destroy
                     respond_to do |format|
                       format.html { redirect_to :controller => 'admin', :action => 'projects' }
                       format.api  { head :ok }
                     end
                   end
                 end
                 # hide project in layout
                 @project = nil
               end
             private
               def find_optional_project
                 return true unless params[:id]
                 @project = Project.find(params[:id])
                 authorize
               rescue ActiveRecord::RecordNotFound
                 render_404
               end
               # Validates parent_id param according to user's permissions
               # TODO: move it to Project model in a validation that depends on User.current
               def validate_parent_id
                 return true if User.current.admin?
                 parent_id = params[:project] && params[:project][:parent_id]
                 if parent_id || @project.new_record?
                   parent = parent_id.blank? ? nil : Project.find_by_id(parent_id.to_i)
                   unless @project.allowed_parents.include?(parent)
                     @project.errors.add :parent_id, :invalid
                     return false
                   end
                 end
                 true
               end
             end

app/controllers/users_controller.rb +3 -2

             # Redmine - project management software
             # Copyright (C) 2006-2010  Jean-Philippe Lang
             #
             # This program is free software; you can redistribute it and/or
             # modify it under the terms of the GNU General Public License
             # as published by the Free Software Foundation; either version 2
             # of the License, or (at your option) any later version.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU General Public License
             # along with this program; if not, write to the Free Software
             # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
             class UsersController < ApplicationController
               layout 'admin'
               before_filter :require_admin, :except => :show
               accept_key_auth :index, :show, :create, :update
               helper :sort
               include SortHelper
               helper :custom_fields
               include CustomFieldsHelper
               def index
                 sort_init 'login', 'asc'
                 sort_update %w(login firstname lastname mail admin created_on last_login_on)
                 case params[:format]
                 when 'xml', 'json'
                   @offset, @limit = api_offset_and_limit
                 else
                   @limit = per_page_option
                 end
                 @status = params[:status] ? params[:status].to_i : 1
                 c = ARCondition.new(@status == 0 ? "status <> 0" : ["status = ?", @status])
                 unless params[:name].blank?
                   name = "%#{params[:name].strip.downcase}%"
                   c << ["LOWER(login) LIKE ? OR LOWER(firstname) LIKE ? OR LOWER(lastname) LIKE ? OR LOWER(mail) LIKE ?", name, name, name, name]
                 end
                 @user_count = User.count(:conditions => c.conditions)
                 @user_pages = Paginator.new self, @user_count, @limit, params['page']
                 @offset ||= @user_pages.current.offset
                 @users =  User.find :all,
                                     :order => sort_clause,
                                     :conditions => c.conditions,
                                     :limit  =>  @limit,
                                     :offset =>  @offset
             		respond_to do |format|
             		  format.html { render :layout => !request.xhr? }
                   format.api
             		end
               end
               def show
                 @user = User.find(params[:id])
                 # show projects based on current user visibility
                 @memberships = @user.memberships.all(:conditions => Project.visible_by(User.current))
                 events = Redmine::Activity::Fetcher.new(User.current, :author => @user).events(nil, nil, :limit => 10)
                 @events_by_day = events.group_by(&:event_date)
                 unless User.current.admin?
                   if !@user.active? || (@user != User.current  && @memberships.empty? && events.empty?)
                     render_404
                     return
                   end
                 end
                 respond_to do |format|
                   format.html { render :layout => 'base' }
                   format.api
                 end
               rescue ActiveRecord::RecordNotFound
                 render_404
               end
               def new
                 @notification_options = User::MAIL_NOTIFICATION_OPTIONS
                 @notification_option = Setting.default_notification_option
                 @user = User.new(:language => Setting.default_language)
                 @auth_sources = AuthSource.find(:all)
               end
               verify :method => :post, :only => :create, :render => {:nothing => true, :status => :method_not_allowed }
               def create
                 @notification_options = User::MAIL_NOTIFICATION_OPTIONS
                 @notification_option = Setting.default_notification_option
-                @user = User.new(params[:user])
+                @user = User.new
+                @user.safe_attributes = params[:user]
                 @user.admin = params[:user][:admin] || false
                 @user.login = params[:user][:login]
                 @user.password, @user.password_confirmation = params[:password], params[:password_confirmation] unless @user.auth_source_id
                 # TODO: Similar to My#account
                 @user.mail_notification = params[:notification_option] || 'only_my_events'
                 @user.pref.attributes = params[:pref]
                 @user.pref[:no_self_notified] = (params[:no_self_notified] == '1')
                 if @user.save
                   @user.pref.save
                   @user.notified_project_ids = (params[:notification_option] == 'selected' ? params[:notified_project_ids] : [])
                   Mailer.deliver_account_information(@user, params[:password]) if params[:send_information]
                   respond_to do |format|
                     format.html {
                       flash[:notice] = l(:notice_successful_create)
                       redirect_to(params[:continue] ?
                         {:controller => 'users', :action => 'new'} :
                         {:controller => 'users', :action => 'edit', :id => @user}
                       )
                     }
                     format.api  { render :action => 'show', :status => :created, :location => user_url(@user) }
                   end
                 else
                   @auth_sources = AuthSource.find(:all)
                   @notification_option = @user.mail_notification
                   respond_to do |format|
                     format.html { render :action => 'new' }
                     format.api  { render_validation_errors(@user) }
                   end
                 end
               end
               def edit
                 @user = User.find(params[:id])
                 @notification_options = @user.valid_notification_options
                 @notification_option = @user.mail_notification
                 @auth_sources = AuthSource.find(:all)
                 @membership ||= Member.new
               end
               verify :method => :put, :only => :update, :render => {:nothing => true, :status => :method_not_allowed }
               def update
                 @user = User.find(params[:id])
                 @notification_options = @user.valid_notification_options
                 @notification_option = @user.mail_notification
                 @user.admin = params[:user][:admin] if params[:user][:admin]
                 @user.login = params[:user][:login] if params[:user][:login]
                 if params[:password].present? && (@user.auth_source_id.nil? || params[:user][:auth_source_id].blank?)
                   @user.password, @user.password_confirmation = params[:password], params[:password_confirmation]
                 end
                 @user.group_ids = params[:user][:group_ids] if params[:user][:group_ids]
-                @user.attributes = params[:user]
+                @user.safe_attributes = params[:user]
                 # Was the account actived ? (do it before User#save clears the change)
                 was_activated = (@user.status_change == [User::STATUS_REGISTERED, User::STATUS_ACTIVE])
                 # TODO: Similar to My#account
                 @user.mail_notification = params[:notification_option] || 'only_my_events'
                 @user.pref.attributes = params[:pref]
                 @user.pref[:no_self_notified] = (params[:no_self_notified] == '1')
                 if @user.save
                   @user.pref.save
                   @user.notified_project_ids = (params[:notification_option] == 'selected' ? params[:notified_project_ids] : [])
                   if was_activated
                     Mailer.deliver_account_activated(@user)
                   elsif @user.active? && params[:send_information] && !params[:password].blank? && @user.auth_source_id.nil?
                     Mailer.deliver_account_information(@user, params[:password])
                   end
                   respond_to do |format|
                     format.html {
                       flash[:notice] = l(:notice_successful_update)
                       redirect_to :back
                     }
                     format.api  { head :ok }
                   end
                 else
                   @auth_sources = AuthSource.find(:all)
                   @membership ||= Member.new
                   respond_to do |format|
                     format.html { render :action => :edit }
                     format.api  { render_validation_errors(@user) }
                   end
                 end
               rescue ::ActionController::RedirectBackError
                 redirect_to :controller => 'users', :action => 'edit', :id => @user
               end
               def edit_membership
                 @user = User.find(params[:id])
                 @membership = Member.edit_membership(params[:membership_id], params[:membership], @user)
                 @membership.save if request.post?
                 respond_to do |format|
                   if @membership.valid?
                     format.html { redirect_to :controller => 'users', :action => 'edit', :id => @user, :tab => 'memberships' }
                     format.js {
                       render(:update) {|page|
                         page.replace_html "tab-content-memberships", :partial => 'users/memberships'
                         page.visual_effect(:highlight, "member-#{@membership.id}")
                       }
                     }
                   else
                     format.js {
                       render(:update) {|page|
                         page.alert(l(:notice_failed_to_save_members, :errors => @membership.errors.full_messages.join(', ')))
                       }
                     }
                   end
                 end
               end
               def destroy_membership
                 @user = User.find(params[:id])
                 @membership = Member.find(params[:membership_id])
                 if request.post? && @membership.deletable?
                   @membership.destroy
                 end
                 respond_to do |format|
                   format.html { redirect_to :controller => 'users', :action => 'edit', :id => @user, :tab => 'memberships' }
                   format.js { render(:update) {|page| page.replace_html "tab-content-memberships", :partial => 'users/memberships'} }
                 end
               end
             end

app/models/project.rb +11 0

             # redMine - project management software
             # Copyright (C) 2006  Jean-Philippe Lang
             #
             # This program is free software; you can redistribute it and/or
             # modify it under the terms of the GNU General Public License
             # as published by the Free Software Foundation; either version 2
             # of the License, or (at your option) any later version.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU General Public License
             # along with this program; if not, write to the Free Software
             # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
             class Project < ActiveRecord::Base
+              include Redmine::SafeAttributes
               # Project statuses
               STATUS_ACTIVE     = 1
               STATUS_ARCHIVED   = 9
               # Maximum length for project identifiers
               IDENTIFIER_MAX_LENGTH = 100
               # Specific overidden Activities
               has_many :time_entry_activities
               has_many :members, :include => [:user, :roles], :conditions => "#{User.table_name}.type='User' AND #{User.table_name}.status=#{User::STATUS_ACTIVE}"
               has_many :memberships, :class_name => 'Member'
               has_many :member_principals, :class_name => 'Member',
                                            :include => :principal,
                                            :conditions => "#{Principal.table_name}.type='Group' OR (#{Principal.table_name}.type='User' AND #{Principal.table_name}.status=#{User::STATUS_ACTIVE})"
               has_many :users, :through => :members
               has_many :principals, :through => :member_principals, :source => :principal
               has_many :enabled_modules, :dependent => :delete_all
               has_and_belongs_to_many :trackers, :order => "#{Tracker.table_name}.position"
               has_many :issues, :dependent => :destroy, :order => "#{Issue.table_name}.created_on DESC", :include => [:status, :tracker]
               has_many :issue_changes, :through => :issues, :source => :journals
               has_many :versions, :dependent => :destroy, :order => "#{Version.table_name}.effective_date DESC, #{Version.table_name}.name DESC"
               has_many :time_entries, :dependent => :delete_all
               has_many :queries, :dependent => :delete_all
               has_many :documents, :dependent => :destroy
               has_many :news, :dependent => :delete_all, :include => :author
               has_many :issue_categories, :dependent => :delete_all, :order => "#{IssueCategory.table_name}.name"
               has_many :boards, :dependent => :destroy, :order => "position ASC"
               has_one :repository, :dependent => :destroy
               has_many :changesets, :through => :repository
               has_one :wiki, :dependent => :destroy
               # Custom field for the project issues
               has_and_belongs_to_many :issue_custom_fields,
                                       :class_name => 'IssueCustomField',
                                       :order => "#{CustomField.table_name}.position",
                                       :join_table => "#{table_name_prefix}custom_fields_projects#{table_name_suffix}",
                                       :association_foreign_key => 'custom_field_id'
               acts_as_nested_set :order => 'name'
               acts_as_attachable :view_permission => :view_files,
                                  :delete_permission => :manage_files
               acts_as_customizable
               acts_as_searchable :columns => ['name', 'identifier', 'description'], :project_key => 'id', :permission => nil
               acts_as_event :title => Proc.new {|o| "#{l(:label_project)}: #{o.name}"},
                             :url => Proc.new {|o| {:controller => 'projects', :action => 'show', :id => o}},
                             :author => nil
               attr_protected :status, :enabled_module_names
               validates_presence_of :name, :identifier
               validates_uniqueness_of :identifier
               validates_associated :repository, :wiki
               validates_length_of :name, :maximum => 255
               validates_length_of :homepage, :maximum => 255
               validates_length_of :identifier, :in => 1..IDENTIFIER_MAX_LENGTH
               # donwcase letters, digits, dashes but not digits only
               validates_format_of :identifier, :with => /^(?!\d+$)[a-z0-9\-]*$/, :if => Proc.new { |p| p.identifier_changed? }
               # reserved words
               validates_exclusion_of :identifier, :in => %w( new )
               before_destroy :delete_all_members, :destroy_children
               named_scope :has_module, lambda { |mod| { :conditions => ["#{Project.table_name}.id IN (SELECT em.project_id FROM #{EnabledModule.table_name} em WHERE em.name=?)", mod.to_s] } }
               named_scope :active, { :conditions => "#{Project.table_name}.status = #{STATUS_ACTIVE}"}
               named_scope :all_public, { :conditions => { :is_public => true } }
               named_scope :visible, lambda { { :conditions => Project.visible_by(User.current) } }
               def initialize(attributes = nil)
                 super
                 initialized = (attributes || {}).stringify_keys
                 if !initialized.key?('identifier') && Setting.sequential_project_identifiers?
                   self.identifier = Project.next_identifier
                 end
                 if !initialized.key?('is_public')
                   self.is_public = Setting.default_projects_public?
                 end
                 if !initialized.key?('enabled_module_names')
                   self.enabled_module_names = Setting.default_projects_modules
                 end
                 if !initialized.key?('trackers') && !initialized.key?('tracker_ids')
                   self.trackers = Tracker.all
                 end
               end
               def identifier=(identifier)
                 super unless identifier_frozen?
               end
               def identifier_frozen?
                 errors[:identifier].nil? && !(new_record? || identifier.blank?)
               end
               # returns latest created projects
               # non public projects will be returned only if user is a member of those
               def self.latest(user=nil, count=5)
                 find(:all, :limit => count, :conditions => visible_by(user), :order => "created_on DESC")
               end
               # Returns a SQL :conditions string used to find all active projects for the specified user.
               #
               # Examples:
               #     Projects.visible_by(admin)        => "projects.status = 1"
               #     Projects.visible_by(normal_user)  => "projects.status = 1 AND projects.is_public = 1"
               def self.visible_by(user=nil)
                 user ||= User.current
                 if user && user.admin?
                   return "#{Project.table_name}.status=#{Project::STATUS_ACTIVE}"
                 elsif user && user.memberships.any?
                   return "#{Project.table_name}.status=#{Project::STATUS_ACTIVE} AND (#{Project.table_name}.is_public = #{connection.quoted_true} or #{Project.table_name}.id IN (#{user.memberships.collect{|m| m.project_id}.join(',')}))"
                 else
                   return "#{Project.table_name}.status=#{Project::STATUS_ACTIVE} AND #{Project.table_name}.is_public = #{connection.quoted_true}"
                 end
               end
               def self.allowed_to_condition(user, permission, options={})
                 statements = []
                 base_statement = "#{Project.table_name}.status=#{Project::STATUS_ACTIVE}"
                 if perm = Redmine::AccessControl.permission(permission)
                   unless perm.project_module.nil?
                     # If the permission belongs to a project module, make sure the module is enabled
                     base_statement << " AND #{Project.table_name}.id IN (SELECT em.project_id FROM #{EnabledModule.table_name} em WHERE em.name='#{perm.project_module}')"
                   end
                 end
                 if options[:project]
                   project_statement = "#{Project.table_name}.id = #{options[:project].id}"
                   project_statement << " OR (#{Project.table_name}.lft > #{options[:project].lft} AND #{Project.table_name}.rgt < #{options[:project].rgt})" if options[:with_subprojects]
                   base_statement = "(#{project_statement}) AND (#{base_statement})"
                 end
                 if user.admin?
                   # no restriction
                 else
                   statements << "1=0"
                   if user.logged?
                     if Role.non_member.allowed_to?(permission) && !options[:member]
                       statements << "#{Project.table_name}.is_public = #{connection.quoted_true}"
                     end
                     allowed_project_ids = user.memberships.select {|m| m.roles.detect {|role| role.allowed_to?(permission)}}.collect {|m| m.project_id}
                     statements << "#{Project.table_name}.id IN (#{allowed_project_ids.join(',')})" if allowed_project_ids.any?
                   else
                     if Role.anonymous.allowed_to?(permission) && !options[:member]
                       # anonymous user allowed on public project
                       statements << "#{Project.table_name}.is_public = #{connection.quoted_true}"
                     end
                   end
                 end
                 statements.empty? ? base_statement : "((#{base_statement}) AND (#{statements.join(' OR ')}))"
               end
               # Returns the Systemwide and project specific activities
               def activities(include_inactive=false)
                 if include_inactive
                   return all_activities
                 else
                   return active_activities
                 end
               end
               # Will create a new Project specific Activity or update an existing one
               #
               # This will raise a ActiveRecord::Rollback if the TimeEntryActivity
               # does not successfully save.
               def update_or_create_time_entry_activity(id, activity_hash)
                 if activity_hash.respond_to?(:has_key?) && activity_hash.has_key?('parent_id')
                   self.create_time_entry_activity_if_needed(activity_hash)
                 else
                   activity = project.time_entry_activities.find_by_id(id.to_i)
                   activity.update_attributes(activity_hash) if activity
                 end
               end
               # Create a new TimeEntryActivity if it overrides a system TimeEntryActivity
               #
               # This will raise a ActiveRecord::Rollback if the TimeEntryActivity
               # does not successfully save.
               def create_time_entry_activity_if_needed(activity)
                 if activity['parent_id']
                   parent_activity = TimeEntryActivity.find(activity['parent_id'])
                   activity['name'] = parent_activity.name
                   activity['position'] = parent_activity.position
                   if Enumeration.overridding_change?(activity, parent_activity)
                     project_activity = self.time_entry_activities.create(activity)
                     if project_activity.new_record?
                       raise ActiveRecord::Rollback, "Overridding TimeEntryActivity was not successfully saved"
                     else
                       self.time_entries.update_all("activity_id = #{project_activity.id}", ["activity_id = ?", parent_activity.id])
                     end
                   end
                 end
               end
               # Returns a :conditions SQL string that can be used to find the issues associated with this project.
               #
               # Examples:
               #   project.project_condition(true)  => "(projects.id = 1 OR (projects.lft > 1 AND projects.rgt < 10))"
               #   project.project_condition(false) => "projects.id = 1"
               def project_condition(with_subprojects)
                 cond = "#{Project.table_name}.id = #{id}"
                 cond = "(#{cond} OR (#{Project.table_name}.lft > #{lft} AND #{Project.table_name}.rgt < #{rgt}))" if with_subprojects
                 cond
               end
               def self.find(*args)
                 if args.first && args.first.is_a?(String) && !args.first.match(/^\d*$/)
                   project = find_by_identifier(*args)
                   raise ActiveRecord::RecordNotFound, "Couldn't find Project with identifier=#{args.first}" if project.nil?
                   project
                 else
                   super
                 end
               end
               def to_param
                 # id is used for projects with a numeric identifier (compatibility)
                 @to_param ||= (identifier.to_s =~ %r{^\d*$} ? id : identifier)
               end
               def active?
                 self.status == STATUS_ACTIVE
               end
               def archived?
                 self.status == STATUS_ARCHIVED
               end
               # Archives the project and its descendants
               def archive
                 # Check that there is no issue of a non descendant project that is assigned
                 # to one of the project or descendant versions
                 v_ids = self_and_descendants.collect {|p| p.version_ids}.flatten
                 if v_ids.any? && Issue.find(:first, :include => :project,
                                                     :conditions => ["(#{Project.table_name}.lft < ? OR #{Project.table_name}.rgt > ?)" +
                                                                     " AND #{Issue.table_name}.fixed_version_id IN (?)", lft, rgt, v_ids])
                   return false
                 end
                 Project.transaction do
                   archive!
                 end
                 true
               end
               # Unarchives the project
               # All its ancestors must be active
               def unarchive
                 return false if ancestors.detect {|a| !a.active?}
                 update_attribute :status, STATUS_ACTIVE
               end
               # Returns an array of projects the project can be moved to
               # by the current user
               def allowed_parents
                 return @allowed_parents if @allowed_parents
                 @allowed_parents = Project.find(:all, :conditions => Project.allowed_to_condition(User.current, :add_subprojects))
                 @allowed_parents = @allowed_parents - self_and_descendants
                 if User.current.allowed_to?(:add_project, nil, :global => true) || (!new_record? && parent.nil?)
                   @allowed_parents << nil
                 end
                 unless parent.nil? || @allowed_parents.empty? || @allowed_parents.include?(parent)
                   @allowed_parents << parent
                 end
                 @allowed_parents
               end
               # Sets the parent of the project with authorization check
               def set_allowed_parent!(p)
                 unless p.nil? || p.is_a?(Project)
                   if p.to_s.blank?
                     p = nil
                   else
                     p = Project.find_by_id(p)
                     return false unless p
                   end
                 end
                 if p.nil?
                   if !new_record? && allowed_parents.empty?
                     return false
                   end
                 elsif !allowed_parents.include?(p)
                   return false
                 end
                 set_parent!(p)
               end
               # Sets the parent of the project
               # Argument can be either a Project, a String, a Fixnum or nil
               def set_parent!(p)
                 unless p.nil? || p.is_a?(Project)
                   if p.to_s.blank?
                     p = nil
                   else
                     p = Project.find_by_id(p)
                     return false unless p
                   end
                 end
                 if p == parent && !p.nil?
                   # Nothing to do
                   true
                 elsif p.nil? || (p.active? && move_possible?(p))
                   # Insert the project so that target's children or root projects stay alphabetically sorted
                   sibs = (p.nil? ? self.class.roots : p.children)
                   to_be_inserted_before = sibs.detect {|c| c.name.to_s.downcase > name.to_s.downcase }
                   if to_be_inserted_before
                     move_to_left_of(to_be_inserted_before)
                   elsif p.nil?
                     if sibs.empty?
                       # move_to_root adds the project in first (ie. left) position
                       move_to_root
                     else
                       move_to_right_of(sibs.last) unless self == sibs.last
                     end
                   else
                     # move_to_child_of adds the project in last (ie.right) position
                     move_to_child_of(p)
                   end
                   Issue.update_versions_from_hierarchy_change(self)
                   true
                 else
                   # Can not move to the given target
                   false
                 end
               end
               # Returns an array of the trackers used by the project and its active sub projects
               def rolled_up_trackers
                 @rolled_up_trackers ||=
                   Tracker.find(:all, :include => :projects,
                                      :select => "DISTINCT #{Tracker.table_name}.*",
                                      :conditions => ["#{Project.table_name}.lft >= ? AND #{Project.table_name}.rgt <= ? AND #{Project.table_name}.status = #{STATUS_ACTIVE}", lft, rgt],
                                      :order => "#{Tracker.table_name}.position")
               end
               # Closes open and locked project versions that are completed
               def close_completed_versions
                 Version.transaction do
                   versions.find(:all, :conditions => {:status => %w(open locked)}).each do |version|
                     if version.completed?
                       version.update_attribute(:status, 'closed')
                     end
                   end
                 end
               end
               # Returns a scope of the Versions on subprojects
               def rolled_up_versions
                 @rolled_up_versions ||=
                   Version.scoped(:include => :project,
                                  :conditions => ["#{Project.table_name}.lft >= ? AND #{Project.table_name}.rgt <= ? AND #{Project.table_name}.status = #{STATUS_ACTIVE}", lft, rgt])
               end
               # Returns a scope of the Versions used by the project
               def shared_versions
                 @shared_versions ||=
                   Version.scoped(:include => :project,
                                  :conditions => "#{Project.table_name}.id = #{id}" +
                                                 " OR (#{Project.table_name}.status = #{Project::STATUS_ACTIVE} AND (" +
                                                       " #{Version.table_name}.sharing = 'system'" +
                                                       " OR (#{Project.table_name}.lft >= #{root.lft} AND #{Project.table_name}.rgt <= #{root.rgt} AND #{Version.table_name}.sharing = 'tree')" +
                                                       " OR (#{Project.table_name}.lft < #{lft} AND #{Project.table_name}.rgt > #{rgt} AND #{Version.table_name}.sharing IN ('hierarchy', 'descendants'))" +
                                                       " OR (#{Project.table_name}.lft > #{lft} AND #{Project.table_name}.rgt < #{rgt} AND #{Version.table_name}.sharing = 'hierarchy')" +
                                                       "))")
               end
               # Returns a hash of project users grouped by role
               def users_by_role
                 members.find(:all, :include => [:user, :roles]).inject({}) do |h, m|
                   m.roles.each do |r|
                     h[r] ||= []
                     h[r] << m.user
                   end
                   h
                 end
               end
               # Deletes all project's members
               def delete_all_members
                 me, mr = Member.table_name, MemberRole.table_name
                 connection.delete("DELETE FROM #{mr} WHERE #{mr}.member_id IN (SELECT #{me}.id FROM #{me} WHERE #{me}.project_id = #{id})")
                 Member.delete_all(['project_id = ?', id])
               end
               # Users issues can be assigned to
               def assignable_users
                 members.select {|m| m.roles.detect {|role| role.assignable?}}.collect {|m| m.user}.sort
               end
               # Returns the mail adresses of users that should be always notified on project events
               def recipients
                 notified_users.collect {|user| user.mail}
               end
               # Returns the users that should be notified on project events
               def notified_users
                 # TODO: User part should be extracted to User#notify_about?
                 members.select {|m| m.mail_notification? || m.user.mail_notification == 'all'}.collect {|m| m.user}
               end
               # Returns an array of all custom fields enabled for project issues
               # (explictly associated custom fields and custom fields enabled for all projects)
               def all_issue_custom_fields
                 @all_issue_custom_fields ||= (IssueCustomField.for_all + issue_custom_fields).uniq.sort
               end
               def project
                 self
               end
               def <=>(project)
                 name.downcase <=> project.name.downcase
               end
               def to_s
                 name
               end
               # Returns a short description of the projects (first lines)
               def short_description(length = 255)
                 description.gsub(/^(.{#{length}}[^\n\r]*).*$/m, '\1...').strip if description
               end
               def css_classes
                 s = 'project'
                 s << ' root' if root?
                 s << ' child' if child?
                 s << (leaf? ? ' leaf' : ' parent')
                 s
               end
               # The earliest start date of a project, based on it's issues and versions
               def start_date
                 [
                  issues.minimum('start_date'),
                  shared_versions.collect(&:effective_date),
                  shared_versions.collect {|v| v.fixed_issues.minimum('start_date')}
                 ].flatten.compact.min
               end
               # The latest due date of an issue or version
               def due_date
                 [
                  issues.maximum('due_date'),
                  shared_versions.collect(&:effective_date),
                  shared_versions.collect {|v| v.fixed_issues.maximum('due_date')}
                 ].flatten.compact.max
               end
               def overdue?
                 active? && !due_date.nil? && (due_date < Date.today)
               end
               # Returns the percent completed for this project, based on the
               # progress on it's versions.
               def completed_percent(options={:include_subprojects => false})
                 if options.delete(:include_subprojects)
                   total = self_and_descendants.collect(&:completed_percent).sum
                   total / self_and_descendants.count
                 else
                   if versions.count > 0
                     total = versions.collect(&:completed_pourcent).sum
                     total / versions.count
                   else
                   end
                 end
               end
               # Return true if this project is allowed to do the specified action.
               # action can be:
               # * a parameter-like Hash (eg. :controller => 'projects', :action => 'edit')
               # * a permission Symbol (eg. :edit_project)
               def allows_to?(action)
                 if action.is_a? Hash
                   allowed_actions.include? "#{action[:controller]}/#{action[:action]}"
                 else
                   allowed_permissions.include? action
                 end
               end
               def module_enabled?(module_name)
                 module_name = module_name.to_s
                 enabled_modules.detect {|m| m.name == module_name}
               end
               def enabled_module_names=(module_names)
                 if module_names && module_names.is_a?(Array)
                   module_names = module_names.collect(&:to_s).reject(&:blank?)
                   # remove disabled modules
                   enabled_modules.each {|mod| mod.destroy unless module_names.include?(mod.name)}
                   # add new modules
                   module_names.reject {|name| module_enabled?(name)}.each {|name| enabled_modules << EnabledModule.new(:name => name)}
                 else
                   enabled_modules.clear
                 end
               end
               # Returns an array of the enabled modules names
               def enabled_module_names
                 enabled_modules.collect(&:name)
               end
+              safe_attributes 'name',
+                'description',
+                'homepage',
+                'is_public',
+                'identifier',
+                'custom_field_values',
+                'custom_fields',
+                'tracker_ids'
               # Returns an array of projects that are in this project's hierarchy
               #
               # Example: parents, children, siblings
               def hierarchy
                 parents = project.self_and_ancestors || []
                 descendants = project.descendants || []
                 project_hierarchy = parents | descendants # Set union
               end
               # Returns an auto-generated project identifier based on the last identifier used
               def self.next_identifier
                 p = Project.find(:first, :order => 'created_on DESC')
                 p.nil? ? nil : p.identifier.to_s.succ
               end
               # Copies and saves the Project instance based on the +project+.
               # Duplicates the source project's:
               # * Wiki
               # * Versions
               # * Categories
               # * Issues
               # * Members
               # * Queries
               #
               # Accepts an +options+ argument to specify what to copy
               #
               # Examples:
               #   project.copy(1)                                    # => copies everything
               #   project.copy(1, :only => 'members')                # => copies members only
               #   project.copy(1, :only => ['members', 'versions'])  # => copies members and versions
               def copy(project, options={})
                 project = project.is_a?(Project) ? project : Project.find(project)
                 to_be_copied = %w(wiki versions issue_categories issues members queries boards)
                 to_be_copied = to_be_copied & options[:only].to_a unless options[:only].nil?
                 Project.transaction do
                   if save
                     reload
                     to_be_copied.each do |name|
                       send "copy_#{name}", project
                     end
                     Redmine::Hook.call_hook(:model_project_copy_before_save, :source_project => project, :destination_project => self)
                     save
                   end
                 end
               end
               # Copies +project+ and returns the new instance.  This will not save
               # the copy
               def self.copy_from(project)
                 begin
                   project = project.is_a?(Project) ? project : Project.find(project)
                   if project
                     # clear unique attributes
                     attributes = project.attributes.dup.except('id', 'name', 'identifier', 'status', 'parent_id', 'lft', 'rgt')
                     copy = Project.new(attributes)
                     copy.enabled_modules = project.enabled_modules
                     copy.trackers = project.trackers
                     copy.custom_values = project.custom_values.collect {|v| v.clone}
                     copy.issue_custom_fields = project.issue_custom_fields
                     return copy
                   else
                     return nil
                   end
                 rescue ActiveRecord::RecordNotFound
                   return nil
                 end
               end
               # Yields the given block for each project with its level in the tree
               def self.project_tree(projects, &block)
                 ancestors = []
                 projects.sort_by(&:lft).each do |project|
                   while (ancestors.any? && !project.is_descendant_of?(ancestors.last))
                     ancestors.pop
                   end
                   yield project, ancestors.size
                   ancestors << project
                 end
               end
               private
               # Destroys children before destroying self
               def destroy_children
                 children.each do |child|
                   child.destroy
                 end
               end
               # Copies wiki from +project+
               def copy_wiki(project)
                 # Check that the source project has a wiki first
                 unless project.wiki.nil?
                   self.wiki ||= Wiki.new
                   wiki.attributes = project.wiki.attributes.dup.except("id", "project_id")
                   wiki_pages_map = {}
                   project.wiki.pages.each do |page|
                     # Skip pages without content
                     next if page.content.nil?
                     new_wiki_content = WikiContent.new(page.content.attributes.dup.except("id", "page_id", "updated_on"))
                     new_wiki_page = WikiPage.new(page.attributes.dup.except("id", "wiki_id", "created_on", "parent_id"))
                     new_wiki_page.content = new_wiki_content
                     wiki.pages << new_wiki_page
                     wiki_pages_map[page.id] = new_wiki_page
                   end
                   wiki.save
                   # Reproduce page hierarchy
                   project.wiki.pages.each do |page|
                     if page.parent_id && wiki_pages_map[page.id]
                       wiki_pages_map[page.id].parent = wiki_pages_map[page.parent_id]
                       wiki_pages_map[page.id].save
                     end
                   end
                 end
               end
               # Copies versions from +project+
               def copy_versions(project)
                 project.versions.each do |version|
                   new_version = Version.new
                   new_version.attributes = version.attributes.dup.except("id", "project_id", "created_on", "updated_on")
                   self.versions << new_version
                 end
               end
               # Copies issue categories from +project+
               def copy_issue_categories(project)
                 project.issue_categories.each do |issue_category|
                   new_issue_category = IssueCategory.new
                   new_issue_category.attributes = issue_category.attributes.dup.except("id", "project_id")
                   self.issue_categories << new_issue_category
                 end
               end
               # Copies issues from +project+
               def copy_issues(project)
                 # Stores the source issue id as a key and the copied issues as the
                 # value.  Used to map the two togeather for issue relations.
                 issues_map = {}
                 # Get issues sorted by root_id, lft so that parent issues
                 # get copied before their children
                 project.issues.find(:all, :order => 'root_id, lft').each do |issue|
                   new_issue = Issue.new
                   new_issue.copy_from(issue)
                   new_issue.project = self
                   # Reassign fixed_versions by name, since names are unique per
                   # project and the versions for self are not yet saved
                   if issue.fixed_version
                     new_issue.fixed_version = self.versions.select {|v| v.name == issue.fixed_version.name}.first
                   end
                   # Reassign the category by name, since names are unique per
                   # project and the categories for self are not yet saved
                   if issue.category
                     new_issue.category = self.issue_categories.select {|c| c.name == issue.category.name}.first
                   end
                   # Parent issue
                   if issue.parent_id
                     if copied_parent = issues_map[issue.parent_id]
                       new_issue.parent_issue_id = copied_parent.id
                     end
                   end
                   self.issues << new_issue
                   if new_issue.new_record?
                     logger.info "Project#copy_issues: issue ##{issue.id} could not be copied: #{new_issue.errors.full_messages}" if logger && logger.info
                   else
                     issues_map[issue.id] = new_issue unless new_issue.new_record?
                   end
                 end
                 # Relations after in case issues related each other
                 project.issues.each do |issue|
                   new_issue = issues_map[issue.id]
                   unless new_issue
                     # Issue was not copied
                     next
                   end
                   # Relations
                   issue.relations_from.each do |source_relation|
                     new_issue_relation = IssueRelation.new
                     new_issue_relation.attributes = source_relation.attributes.dup.except("id", "issue_from_id", "issue_to_id")
                     new_issue_relation.issue_to = issues_map[source_relation.issue_to_id]
                     if new_issue_relation.issue_to.nil? && Setting.cross_project_issue_relations?
                       new_issue_relation.issue_to = source_relation.issue_to
                     end
                     new_issue.relations_from << new_issue_relation
                   end
                   issue.relations_to.each do |source_relation|
                     new_issue_relation = IssueRelation.new
                     new_issue_relation.attributes = source_relation.attributes.dup.except("id", "issue_from_id", "issue_to_id")
                     new_issue_relation.issue_from = issues_map[source_relation.issue_from_id]
                     if new_issue_relation.issue_from.nil? && Setting.cross_project_issue_relations?
                       new_issue_relation.issue_from = source_relation.issue_from
                     end
                     new_issue.relations_to << new_issue_relation
                   end
                 end
               end
               # Copies members from +project+
               def copy_members(project)
                 project.memberships.each do |member|
                   new_member = Member.new
                   new_member.attributes = member.attributes.dup.except("id", "project_id", "created_on")
                   # only copy non inherited roles
                   # inherited roles will be added when copying the group membership
                   role_ids = member.member_roles.reject(&:inherited?).collect(&:role_id)
                   next if role_ids.empty?
                   new_member.role_ids = role_ids
                   new_member.project = self
                   self.members << new_member
                 end
               end
               # Copies queries from +project+
               def copy_queries(project)
                 project.queries.each do |query|
                   new_query = Query.new
                   new_query.attributes = query.attributes.dup.except("id", "project_id", "sort_criteria")
                   new_query.sort_criteria = query.sort_criteria if query.sort_criteria
                   new_query.project = self
                   self.queries << new_query
                 end
               end
               # Copies boards from +project+
               def copy_boards(project)
                 project.boards.each do |board|
                   new_board = Board.new
                   new_board.attributes = board.attributes.dup.except("id", "project_id", "topics_count", "messages_count", "last_message_id")
                   new_board.project = self
                   self.boards << new_board
                 end
               end
               def allowed_permissions
                 @allowed_permissions ||= begin
                   module_names = enabled_modules.all(:select => :name).collect {|m| m.name}
                   Redmine::AccessControl.modules_permissions(module_names).collect {|p| p.name}
                 end
               end
               def allowed_actions
                 @actions_allowed ||= allowed_permissions.inject([]) { |actions, permission| actions += Redmine::AccessControl.allowed_actions(permission) }.flatten
               end
               # Returns all the active Systemwide and project specific activities
               def active_activities
                 overridden_activity_ids = self.time_entry_activities.collect(&:parent_id)
                 if overridden_activity_ids.empty?
                   return TimeEntryActivity.shared.active
                 else
                   return system_activities_and_project_overrides
                 end
               end
               # Returns all the Systemwide and project specific activities
               # (inactive and active)
               def all_activities
                 overridden_activity_ids = self.time_entry_activities.collect(&:parent_id)
                 if overridden_activity_ids.empty?
                   return TimeEntryActivity.shared
                 else
                   return system_activities_and_project_overrides(true)
                 end
               end
               # Returns the systemwide active activities merged with the project specific overrides
               def system_activities_and_project_overrides(include_inactive=false)
                 if include_inactive
                   return TimeEntryActivity.shared.
                     find(:all,
                          :conditions => ["id NOT IN (?)", self.time_entry_activities.collect(&:parent_id)]) +
                     self.time_entry_activities
                 else
                   return TimeEntryActivity.shared.active.
                     find(:all,
                          :conditions => ["id NOT IN (?)", self.time_entry_activities.collect(&:parent_id)]) +
                     self.time_entry_activities.active
                 end
               end
               # Archives subprojects recursively
               def archive!
                 children.each do |subproject|
                   subproject.send :archive!
                 end
                 update_attribute :status, STATUS_ARCHIVED
               end
             end

app/models/user.rb +16 -1

             # Redmine - project management software
             # Copyright (C) 2006-2009  Jean-Philippe Lang
             #
             # This program is free software; you can redistribute it and/or
             # modify it under the terms of the GNU General Public License
             # as published by the Free Software Foundation; either version 2
             # of the License, or (at your option) any later version.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU General Public License
             # along with this program; if not, write to the Free Software
             # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
             require "digest/sha1"
             class User < Principal
+              include Redmine::SafeAttributes
               # Account statuses
               STATUS_ANONYMOUS  = 0
               STATUS_ACTIVE     = 1
               STATUS_REGISTERED = 2
               STATUS_LOCKED     = 3
               USER_FORMATS = {
                 :firstname_lastname => '#{firstname} #{lastname}',
                 :firstname => '#{firstname}',
                 :lastname_firstname => '#{lastname} #{firstname}',
                 :lastname_coma_firstname => '#{lastname}, #{firstname}',
                 :username => '#{login}'
               }
               MAIL_NOTIFICATION_OPTIONS = [
                                            [:all, :label_user_mail_option_all],
                                            [:selected, :label_user_mail_option_selected],
                                            [:none, :label_user_mail_option_none],
                                            [:only_my_events, :label_user_mail_option_only_my_events],
                                            [:only_assigned, :label_user_mail_option_only_assigned],
                                            [:only_owner, :label_user_mail_option_only_owner]
                                           ]
               has_and_belongs_to_many :groups, :after_add => Proc.new {|user, group| group.user_added(user)},
                                                :after_remove => Proc.new {|user, group| group.user_removed(user)}
               has_many :issue_categories, :foreign_key => 'assigned_to_id', :dependent => :nullify
               has_many :changesets, :dependent => :nullify
               has_one :preference, :dependent => :destroy, :class_name => 'UserPreference'
               has_one :rss_token, :dependent => :destroy, :class_name => 'Token', :conditions => "action='feeds'"
               has_one :api_token, :dependent => :destroy, :class_name => 'Token', :conditions => "action='api'"
               belongs_to :auth_source
               # Active non-anonymous users scope
               named_scope :active, :conditions => "#{User.table_name}.status = #{STATUS_ACTIVE}"
               acts_as_customizable
               attr_accessor :password, :password_confirmation
               attr_accessor :last_before_login_on
               # Prevents unauthorized assignments
               attr_protected :login, :admin, :password, :password_confirmation, :hashed_password, :group_ids
               validates_presence_of :login, :firstname, :lastname, :mail, :if => Proc.new { |user| !user.is_a?(AnonymousUser) }
               validates_uniqueness_of :login, :if => Proc.new { |user| !user.login.blank? }, :case_sensitive => false
               validates_uniqueness_of :mail, :if => Proc.new { |user| !user.mail.blank? }, :case_sensitive => false
               # Login must contain lettres, numbers, underscores only
               validates_format_of :login, :with => /^[a-z0-9_\-@\.]*$/i
               validates_length_of :login, :maximum => 30
               validates_format_of :firstname, :lastname, :with => /^[\w\s\'\-\.]*$/i
               validates_length_of :firstname, :lastname, :maximum => 30
               validates_format_of :mail, :with => /^([^@\s]+)@((?:[-a-z0-9]+\.)+[a-z]{2,})$/i, :allow_nil => true
               validates_length_of :mail, :maximum => 60, :allow_nil => true
               validates_confirmation_of :password, :allow_nil => true
               def before_create
                 self.mail_notification = Setting.default_notification_option if self.mail_notification.blank?
                 true
               end
               def before_save
                 # update hashed_password if password was set
                 self.hashed_password = User.hash_password(self.password) if self.password && self.auth_source_id.blank?
               end
               def reload(*args)
                 @name = nil
                 super
               end
               def mail=(arg)
                 write_attribute(:mail, arg.to_s.strip)
               end
               def identity_url=(url)
                 if url.blank?
                   write_attribute(:identity_url, '')
                 else
                   begin
                     write_attribute(:identity_url, OpenIdAuthentication.normalize_identifier(url))
                   rescue OpenIdAuthentication::InvalidOpenId
                     # Invlaid url, don't save
                   end
                 end
                 self.read_attribute(:identity_url)
               end
               # Returns the user that matches provided login and password, or nil
               def self.try_to_login(login, password)
                 # Make sure no one can sign in with an empty password
                 return nil if password.to_s.empty?
                 user = find_by_login(login)
                 if user
                   # user is already in local database
                   return nil if !user.active?
                   if user.auth_source
                     # user has an external authentication method
                     return nil unless user.auth_source.authenticate(login, password)
                   else
                     # authentication with local password
                     return nil unless User.hash_password(password) == user.hashed_password
                   end
                 else
                   # user is not yet registered, try to authenticate with available sources
                   attrs = AuthSource.authenticate(login, password)
                   if attrs
                     user = new(attrs)
                     user.login = login
                     user.language = Setting.default_language
                     if user.save
                       user.reload
                       logger.info("User '#{user.login}' created from external auth source: #{user.auth_source.type} - #{user.auth_source.name}") if logger && user.auth_source
                     end
                   end
                 end
                 user.update_attribute(:last_login_on, Time.now) if user && !user.new_record?
                 user
               rescue => text
                 raise text
               end
               # Returns the user who matches the given autologin +key+ or nil
               def self.try_to_autologin(key)
                 tokens = Token.find_all_by_action_and_value('autologin', key)
                 # Make sure there's only 1 token that matches the key
                 if tokens.size == 1
                   token = tokens.first
                   if (token.created_on > Setting.autologin.to_i.day.ago) && token.user && token.user.active?
                     token.user.update_attribute(:last_login_on, Time.now)
                     token.user
                   end
                 end
               end
               # Return user's full name for display
               def name(formatter = nil)
                 if formatter
                   eval('"' + (USER_FORMATS[formatter] || USER_FORMATS[:firstname_lastname]) + '"')
                 else
                   @name ||= eval('"' + (USER_FORMATS[Setting.user_format] || USER_FORMATS[:firstname_lastname]) + '"')
                 end
               end
               def active?
                 self.status == STATUS_ACTIVE
               end
               def registered?
                 self.status == STATUS_REGISTERED
               end
               def locked?
                 self.status == STATUS_LOCKED
               end
               def activate
                 self.status = STATUS_ACTIVE
               end
               def register
                 self.status = STATUS_REGISTERED
               end
               def lock
                 self.status = STATUS_LOCKED
               end
               def activate!
                 update_attribute(:status, STATUS_ACTIVE)
               end
               def register!
                 update_attribute(:status, STATUS_REGISTERED)
               end
               def lock!
                 update_attribute(:status, STATUS_LOCKED)
               end
               def check_password?(clear_password)
                 if auth_source_id.present?
                   auth_source.authenticate(self.login, clear_password)
                 else
                   User.hash_password(clear_password) == self.hashed_password
                 end
               end
               # Does the backend storage allow this user to change their password?
               def change_password_allowed?
                 return true if auth_source_id.blank?
                 return auth_source.allow_password_changes?
               end
               # Generate and set a random password.  Useful for automated user creation
               # Based on Token#generate_token_value
               #
               def random_password
                 chars = ("a".."z").to_a + ("A".."Z").to_a + ("0".."9").to_a
                 password = ''
 .times { |i| password << chars[rand(chars.size-1)] }
                 self.password = password
                 self.password_confirmation = password
                 self
               end
               def pref
                 self.preference ||= UserPreference.new(:user => self)
               end
               def time_zone
                 @time_zone ||= (self.pref.time_zone.blank? ? nil : ActiveSupport::TimeZone[self.pref.time_zone])
               end
               def wants_comments_in_reverse_order?
                 self.pref[:comments_sorting] == 'desc'
               end
               # Return user's RSS key (a 40 chars long string), used to access feeds
               def rss_key
                 token = self.rss_token || Token.create(:user => self, :action => 'feeds')
                 token.value
               end
               # Return user's API key (a 40 chars long string), used to access the API
               def api_key
                 token = self.api_token || self.create_api_token(:action => 'api')
                 token.value
               end
               # Return an array of project ids for which the user has explicitly turned mail notifications on
               def notified_projects_ids
                 @notified_projects_ids ||= memberships.select {|m| m.mail_notification?}.collect(&:project_id)
               end
               def notified_project_ids=(ids)
                 Member.update_all("mail_notification = #{connection.quoted_false}", ['user_id = ?', id])
                 Member.update_all("mail_notification = #{connection.quoted_true}", ['user_id = ? AND project_id IN (?)', id, ids]) if ids && !ids.empty?
                 @notified_projects_ids = nil
                 notified_projects_ids
               end
               # Only users that belong to more than 1 project can select projects for which they are notified
               def valid_notification_options
                 # Note that @user.membership.size would fail since AR ignores
                 # :include association option when doing a count
                 if memberships.length < 1
                   MAIL_NOTIFICATION_OPTIONS.delete_if {|option| option.first == :selected}
                 else
                   MAIL_NOTIFICATION_OPTIONS
                 end
               end
               # Find a user account by matching the exact login and then a case-insensitive
               # version.  Exact matches will be given priority.
               def self.find_by_login(login)
                 # force string comparison to be case sensitive on MySQL
                 type_cast = (ActiveRecord::Base.connection.adapter_name == 'MySQL') ? 'BINARY' : ''
                 # First look for an exact match
                 user = first(:conditions => ["#{type_cast} login = ?", login])
                 # Fail over to case-insensitive if none was found
                 user ||= first(:conditions => ["#{type_cast} LOWER(login) = ?", login.to_s.downcase])
               end
               def self.find_by_rss_key(key)
                 token = Token.find_by_value(key)
                 token && token.user.active? ? token.user : nil
               end
               def self.find_by_api_key(key)
                 token = Token.find_by_action_and_value('api', key)
                 token && token.user.active? ? token.user : nil
               end
               # Makes find_by_mail case-insensitive
               def self.find_by_mail(mail)
                 find(:first, :conditions => ["LOWER(mail) = ?", mail.to_s.downcase])
               end
               def to_s
                 name
               end
               # Returns the current day according to user's time zone
               def today
                 if time_zone.nil?
                   Date.today
                 else
                   Time.now.in_time_zone(time_zone).to_date
                 end
               end
               def logged?
                 true
               end
               def anonymous?
                 !logged?
               end
               # Return user's roles for project
               def roles_for_project(project)
                 roles = []
                 # No role on archived projects
                 return roles unless project && project.active?
                 if logged?
                   # Find project membership
                   membership = memberships.detect {|m| m.project_id == project.id}
                   if membership
                     roles = membership.roles
                   else
                     @role_non_member ||= Role.non_member
                     roles << @role_non_member
                   end
                 else
                   @role_anonymous ||= Role.anonymous
                   roles << @role_anonymous
                 end
                 roles
               end
               # Return true if the user is a member of project
               def member_of?(project)
                 !roles_for_project(project).detect {|role| role.member?}.nil?
               end
               # Return true if the user is allowed to do the specified action on a specific context
               # Action can be:
               # * a parameter-like Hash (eg. :controller => 'projects', :action => 'edit')
               # * a permission Symbol (eg. :edit_project)
               # Context can be:
               # * a project : returns true if user is allowed to do the specified action on this project
               # * a group of projects : returns true if user is allowed on every project
               # * nil with options[:global] set : check if user has at least one role allowed for this action,
               #   or falls back to Non Member / Anonymous permissions depending if the user is logged
               def allowed_to?(action, context, options={})
                 if context && context.is_a?(Project)
                   # No action allowed on archived projects
                   return false unless context.active?
                   # No action allowed on disabled modules
                   return false unless context.allows_to?(action)
                   # Admin users are authorized for anything else
                   return true if admin?
                   roles = roles_for_project(context)
                   return false unless roles
                   roles.detect {|role| (context.is_public? || role.member?) && role.allowed_to?(action)}
                 elsif context && context.is_a?(Array)
                   # Authorize if user is authorized on every element of the array
                   context.map do |project|
                     allowed_to?(action,project,options)
                   end.inject do |memo,allowed|
                     memo && allowed
                   end
                 elsif options[:global]
                   # Admin users are always authorized
                   return true if admin?
                   # authorize if user has at least one role that has this permission
                   roles = memberships.collect {|m| m.roles}.flatten.uniq
                   roles.detect {|r| r.allowed_to?(action)} || (self.logged? ? Role.non_member.allowed_to?(action) : Role.anonymous.allowed_to?(action))
                 else
                   false
                 end
               end
               # Is the user allowed to do the specified action on any project?
               # See allowed_to? for the actions and valid options.
               def allowed_to_globally?(action, options)
                 allowed_to?(action, nil, options.reverse_merge(:global => true))
               end
+              safe_attributes 'login',
+                'firstname',
+                'lastname',
+                'mail',
+                'mail_notification',
+                'language',
+                'custom_field_values',
+                'custom_fields',
+                'identity_url'
+              safe_attributes 'status',
+                'auth_source_id',
+                :if => lambda {|user, current_user| current_user.admin?}
               # Utility method to help check if a user should be notified about an
               # event.
               #
               # TODO: only supports Issue events currently
               def notify_about?(object)
                 case mail_notification.to_sym
                 when :all
                   true
                 when :selected
                   # Handled by the Project
                 when :none
                   false
                 when :only_my_events
                   if object.is_a?(Issue) && (object.author == self || object.assigned_to == self)
                     true
                   else
                     false
                   end
                 when :only_assigned
                   if object.is_a?(Issue) && object.assigned_to == self
                     true
                   else
                     false
                   end
                 when :only_owner
                   if object.is_a?(Issue) && object.author == self
                     true
                   else
                     false
                   end
                 else
                   false
                 end
               end
               def self.current=(user)
                 @current_user = user
               end
               def self.current
                 @current_user ||= User.anonymous
               end
               # Returns the anonymous user.  If the anonymous user does not exist, it is created.  There can be only
               # one anonymous user per database.
               def self.anonymous
                 anonymous_user = AnonymousUser.find(:first)
                 if anonymous_user.nil?
                   anonymous_user = AnonymousUser.create(:lastname => 'Anonymous', :firstname => '', :mail => '', :login => '', :status => 0)
                   raise 'Unable to create the anonymous user.' if anonymous_user.new_record?
                 end
                 anonymous_user
               end
               protected
               def validate
                 # Password length validation based on setting
                 if !password.nil? && password.size < Setting.password_min_length.to_i
                   errors.add(:password, :too_short, :count => Setting.password_min_length.to_i)
                 end
               end
               private
               # Return password digest
               def self.hash_password(clear_password)
                 Digest::SHA1.hexdigest(clear_password || "")
               end
             end
             class AnonymousUser < User
               def validate_on_create
                 # There should be only one AnonymousUser in the database
                 errors.add_to_base 'An anonymous user already exists.' if AnonymousUser.find(:first)
               end
               def available_custom_fields
                 []
               end
               # Overrides a few properties
               def logged?; false end
               def admin; false end
               def name(*args); I18n.t(:label_user_anonymous) end
               def mail; nil end
               def time_zone; nil end
               def rss_key; nil end
             end

test/functional/projects_controller_test.rb +14 -6

             # Redmine - project management software
             # Copyright (C) 2006-2008  Jean-Philippe Lang
             #
             # This program is free software; you can redistribute it and/or
             # modify it under the terms of the GNU General Public License
             # as published by the Free Software Foundation; either version 2
             # of the License, or (at your option) any later version.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU General Public License
             # along with this program; if not, write to the Free Software
             # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
             require File.dirname(__FILE__) + '/../test_helper'
             require 'projects_controller'
             # Re-raise errors caught by the controller.
             class ProjectsController; def rescue_action(e) raise e end; end
             class ProjectsControllerTest < ActionController::TestCase
               fixtures :projects, :versions, :users, :roles, :members, :member_roles, :issues, :journals, :journal_details,
                        :trackers, :projects_trackers, :issue_statuses, :enabled_modules, :enumerations, :boards, :messages,
                        :attachments, :custom_fields, :custom_values, :time_entries
               def setup
                 @controller = ProjectsController.new
                 @request    = ActionController::TestRequest.new
                 @response   = ActionController::TestResponse.new
                 @request.session[:user_id] = nil
                 Setting.default_language = 'en'
               end
               def test_index
                 get :index
                 assert_response :success
                 assert_template 'index'
                 assert_not_nil assigns(:projects)
                 assert_tag :ul, :child => {:tag => 'li',
                                            :descendant => {:tag => 'a', :content => 'eCookbook'},
                                            :child => { :tag => 'ul',
                                                        :descendant => { :tag => 'a',
                                                                         :content => 'Child of private child'
                                                                        }
                                                       }
                                            }
                 assert_no_tag :a, :content => /Private child of eCookbook/
               end
               def test_index_atom
                 get :index, :format => 'atom'
                 assert_response :success
                 assert_template 'common/feed.atom.rxml'
                 assert_select 'feed>title', :text => 'Redmine: Latest projects'
                 assert_select 'feed>entry', :count => Project.count(:conditions => Project.visible_by(User.current))
               end
               context "#index" do
                 context "by non-admin user with view_time_entries permission" do
                   setup do
                     @request.session[:user_id] = 3
                   end
                   should "show overall spent time link" do
                     get :index
                     assert_template 'index'
                     assert_tag :a, :attributes => {:href => '/time_entries'}
                   end
                 end
                 context "by non-admin user without view_time_entries permission" do
                   setup do
                     Role.find(2).remove_permission! :view_time_entries
                     Role.non_member.remove_permission! :view_time_entries
                     Role.anonymous.remove_permission! :view_time_entries
                     @request.session[:user_id] = 3
                   end
                   should "not show overall spent time link" do
                     get :index
                     assert_template 'index'
                     assert_no_tag :a, :attributes => {:href => '/time_entries'}
                   end
                 end
               end
               context "#new" do
                 context "by admin user" do
                   setup do
                     @request.session[:user_id] = 1
                   end
                   should "accept get" do
                     get :new
                     assert_response :success
                     assert_template 'new'
                   end
                 end
                 context "by non-admin user with add_project permission" do
                   setup do
                     Role.non_member.add_permission! :add_project
                     @request.session[:user_id] = 9
                   end
                   should "accept get" do
                     get :new
                     assert_response :success
                     assert_template 'new'
                     assert_no_tag :select, :attributes => {:name => 'project[parent_id]'}
                   end
                 end
                 context "by non-admin user with add_subprojects permission" do
                   setup do
                     Role.find(1).remove_permission! :add_project
                     Role.find(1).add_permission! :add_subprojects
                     @request.session[:user_id] = 2
                   end
                   should "accept get" do
                     get :new, :parent_id => 'ecookbook'
                     assert_response :success
                     assert_template 'new'
                     # parent project selected
                     assert_tag :select, :attributes => {:name => 'project[parent_id]'},
                                         :child => {:tag => 'option', :attributes => {:value => '1', :selected => 'selected'}}
                     # no empty value
                     assert_no_tag :select, :attributes => {:name => 'project[parent_id]'},
                                            :child => {:tag => 'option', :attributes => {:value => ''}}
                   end
                 end
               end
               context "POST :create" do
                 context "by admin user" do
                   setup do
                     @request.session[:user_id] = 1
                   end
                   should "create a new project" do
-                    post :create, :project => { :name => "blog",
+                    post :create,
-                                             :description => "weblog",
+                      :project => {
-                                             :identifier => "blog",
+                        :name => "blog",
-                                             :is_public => 1,
+                        :description => "weblog",
-                                             :custom_field_values => { '3' => 'Beta' }
+                        :homepage => 'http://weblog',
+                        :identifier => "blog",
+                        :is_public => 1,
+                        :custom_field_values => { '3' => 'Beta' },
+                        :tracker_ids => ['1', '3']
+                      }
                     assert_redirected_to '/projects/blog/settings'
                     project = Project.find_by_name('blog')
                     assert_kind_of Project, project
+                    assert project.active?
                     assert_equal 'weblog', project.description
+                    assert_equal 'http://weblog', project.homepage
                     assert_equal true, project.is_public?
                     assert_nil project.parent
+                    assert_equal 'Beta', project.custom_value_for(3).value
+                    assert_equal [1, 3], project.trackers.map(&:id).sort
                   end
                   should "create a new subproject" do
                     post :create, :project => { :name => "blog",
                                              :description => "weblog",
                                              :identifier => "blog",
                                              :is_public => 1,
                                              :custom_field_values => { '3' => 'Beta' },
                                              :parent_id => 1
                                             }
                     assert_redirected_to '/projects/blog/settings'
                     project = Project.find_by_name('blog')
                     assert_kind_of Project, project
                     assert_equal Project.find(1), project.parent
                   end
                 end
                 context "by non-admin user with add_project permission" do
                   setup do
                     Role.non_member.add_permission! :add_project
                     @request.session[:user_id] = 9
                   end
                   should "accept create a Project" do
                     post :create, :project => { :name => "blog",
                                              :description => "weblog",
                                              :identifier => "blog",
                                              :is_public => 1,
                                              :custom_field_values => { '3' => 'Beta' }
                                             }
                     assert_redirected_to '/projects/blog/settings'
                     project = Project.find_by_name('blog')
                     assert_kind_of Project, project
                     assert_equal 'weblog', project.description
                     assert_equal true, project.is_public?
                     # User should be added as a project member
                     assert User.find(9).member_of?(project)
                     assert_equal 1, project.members.size
                   end
                   should "fail with parent_id" do
                     assert_no_difference 'Project.count' do
                       post :create, :project => { :name => "blog",
                                                :description => "weblog",
                                                :identifier => "blog",
                                                :is_public => 1,
                                                :custom_field_values => { '3' => 'Beta' },
                                                :parent_id => 1
                                               }
                     end
                     assert_response :success
                     project = assigns(:project)
                     assert_kind_of Project, project
                     assert_not_nil project.errors.on(:parent_id)
                   end
                 end
                 context "by non-admin user with add_subprojects permission" do
                   setup do
                     Role.find(1).remove_permission! :add_project
                     Role.find(1).add_permission! :add_subprojects
                     @request.session[:user_id] = 2
                   end
                   should "create a project with a parent_id" do
                     post :create, :project => { :name => "blog",
                                              :description => "weblog",
                                              :identifier => "blog",
                                              :is_public => 1,
                                              :custom_field_values => { '3' => 'Beta' },
                                              :parent_id => 1
                                             }
                     assert_redirected_to '/projects/blog/settings'
                     project = Project.find_by_name('blog')
                   end
                   should "fail without parent_id" do
                     assert_no_difference 'Project.count' do
                       post :create, :project => { :name => "blog",
                                                :description => "weblog",
                                                :identifier => "blog",
                                                :is_public => 1,
                                                :custom_field_values => { '3' => 'Beta' }
                                               }
                     end
                     assert_response :success
                     project = assigns(:project)
                     assert_kind_of Project, project
                     assert_not_nil project.errors.on(:parent_id)
                   end
                   should "fail with unauthorized parent_id" do
                     assert !User.find(2).member_of?(Project.find(6))
                     assert_no_difference 'Project.count' do
                       post :create, :project => { :name => "blog",
                                                :description => "weblog",
                                                :identifier => "blog",
                                                :is_public => 1,
                                                :custom_field_values => { '3' => 'Beta' },
                                                :parent_id => 6
                                               }
                     end
                     assert_response :success
                     project = assigns(:project)
                     assert_kind_of Project, project
                     assert_not_nil project.errors.on(:parent_id)
                   end
                 end
               end
               def test_show_by_id
                 get :show, :id => 1
                 assert_response :success
                 assert_template 'show'
                 assert_not_nil assigns(:project)
               end
               def test_show_by_identifier
                 get :show, :id => 'ecookbook'
                 assert_response :success
                 assert_template 'show'
                 assert_not_nil assigns(:project)
                 assert_equal Project.find_by_identifier('ecookbook'), assigns(:project)
                 assert_tag 'li', :content => /Development status/
               end
               def test_show_should_not_display_hidden_custom_fields
                 ProjectCustomField.find_by_name('Development status').update_attribute :visible, false
                 get :show, :id => 'ecookbook'
                 assert_response :success
                 assert_template 'show'
                 assert_not_nil assigns(:project)
                 assert_no_tag 'li', :content => /Development status/
               end
               def test_show_should_not_fail_when_custom_values_are_nil
                 project = Project.find_by_identifier('ecookbook')
                 project.custom_values.first.update_attribute(:value, nil)
                 get :show, :id => 'ecookbook'
                 assert_response :success
                 assert_template 'show'
                 assert_not_nil assigns(:project)
                 assert_equal Project.find_by_identifier('ecookbook'), assigns(:project)
               end
               def show_archived_project_should_be_denied
                 project = Project.find_by_identifier('ecookbook')
                 project.archive!
                 get :show, :id => 'ecookbook'
                 assert_response 403
                 assert_nil assigns(:project)
                 assert_tag :tag => 'p', :content => /archived/
               end
               def test_private_subprojects_hidden
                 get :show, :id => 'ecookbook'
                 assert_response :success
                 assert_template 'show'
                 assert_no_tag :tag => 'a', :content => /Private child/
               end
               def test_private_subprojects_visible
                 @request.session[:user_id] = 2 # manager who is a member of the private subproject
                 get :show, :id => 'ecookbook'
                 assert_response :success
                 assert_template 'show'
                 assert_tag :tag => 'a', :content => /Private child/
               end
               def test_settings
                 @request.session[:user_id] = 2 # manager
                 get :settings, :id => 1
                 assert_response :success
                 assert_template 'settings'
               end
               def test_update
                 @request.session[:user_id] = 2 # manager
                 post :update, :id => 1, :project => {:name => 'Test changed name',
                                                    :issue_custom_field_ids => ['']}
                 assert_redirected_to '/projects/ecookbook/settings'
                 project = Project.find(1)
                 assert_equal 'Test changed name', project.name
               end
               def test_get_destroy
                 @request.session[:user_id] = 1 # admin
                 get :destroy, :id => 1
                 assert_response :success
                 assert_template 'destroy'
                 assert_not_nil Project.find_by_id(1)
               end
               def test_post_destroy
                 @request.session[:user_id] = 1 # admin
                 post :destroy, :id => 1, :confirm => 1
                 assert_redirected_to '/admin/projects'
                 assert_nil Project.find_by_id(1)
               end
               def test_archive
                 @request.session[:user_id] = 1 # admin
                 post :archive, :id => 1
                 assert_redirected_to '/admin/projects'
                 assert !Project.find(1).active?
               end
               def test_unarchive
                 @request.session[:user_id] = 1 # admin
                 Project.find(1).archive
                 post :unarchive, :id => 1
                 assert_redirected_to '/admin/projects'
                 assert Project.find(1).active?
               end
               def test_project_breadcrumbs_should_be_limited_to_3_ancestors
                 CustomField.delete_all
                 parent = nil
 .times do |i|
                   p = Project.create!(:name => "Breadcrumbs #{i}", :identifier => "breadcrumbs-#{i}")
                   p.set_parent!(parent)
                   get :show, :id => p
                   assert_tag :h1, :parent => { :attributes => {:id => 'header'}},
                                   :children => { :count => [i, 3].min,
                                                  :only => { :tag => 'a' } }
                   parent = p
                 end
               end
               def test_copy_with_project
                 @request.session[:user_id] = 1 # admin
                 get :copy, :id => 1
                 assert_response :success
                 assert_template 'copy'
                 assert assigns(:project)
                 assert_equal Project.find(1).description, assigns(:project).description
                 assert_nil assigns(:project).id
               end
               def test_copy_without_project
                 @request.session[:user_id] = 1 # admin
                 get :copy
                 assert_response :redirect
                 assert_redirected_to :controller => 'admin', :action => 'projects'
               end
               context "POST :copy" do
                 should "TODO: test the rest of the method"
                 should "redirect to the project settings when successful" do
                   @request.session[:user_id] = 1 # admin
                   post :copy, :id => 1, :project => {:name => 'Copy', :identifier => 'unique-copy'}
                   assert_response :redirect
                   assert_redirected_to :controller => 'projects', :action => 'settings'
                 end
               end
               def test_jump_should_redirect_to_active_tab
                 get :show, :id => 1, :jump => 'issues'
                 assert_redirected_to '/projects/ecookbook/issues'
               end
               def test_jump_should_not_redirect_to_inactive_tab
                 get :show, :id => 3, :jump => 'documents'
                 assert_response :success
                 assert_template 'show'
               end
               def test_jump_should_not_redirect_to_unknown_tab
                 get :show, :id => 3, :jump => 'foobar'
                 assert_response :success
                 assert_template 'show'
               end
               # A hook that is manually registered later
               class ProjectBasedTemplate < Redmine::Hook::ViewListener
                 def view_layouts_base_html_head(context)
                   # Adds a project stylesheet
                   stylesheet_link_tag(context[:project].identifier) if context[:project]
                 end
               end
               # Don't use this hook now
               Redmine::Hook.clear_listeners
               def test_hook_response
                 Redmine::Hook.add_listener(ProjectBasedTemplate)
                 get :show, :id => 1
                 assert_tag :tag => 'link', :attributes => {:href => '/stylesheets/ecookbook.css'},
                                            :parent => {:tag => 'head'}
                 Redmine::Hook.clear_listeners
               end
             end

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages