##// END OF EJS Templates
jro_apps » redmine
RSS
Adds an issues visibility level on roles (#7412)....
Jean-Philippe Lang -
r5296:aa0d01b3d9f5
parent child
Show More
Side by Side Unified
Context file:
r5296:aa0d01b3d9f5 Loading diff...:
Show file before | Show file after | Hide comments
@@ -0,0 +1,9
1 class AddRolesIssuesVisibility < ActiveRecord::Migration
2 def self.up
3 add_column :roles, :issues_visibility, :string, :limit => 30, :default => 'default', :null => false
4 end
5
6 def self.down
7 remove_column :roles, :issues_visibility
8 end
9 end
Show file before | Show file after | Hide comments
@@ -1,5 +1,5
1 # redMine - project management software
1 # Redmine - project management software
2 # Copyright (C) 2006-2007 Jean-Philippe Lang
2 # Copyright (C) 2006-2011 Jean-Philippe Lang
3 #
3 #
4 # This program is free software; you can redistribute it and/or
4 # This program is free software; you can redistribute it and/or
5 # modify it under the terms of the GNU General Public License
5 # modify it under the terms of the GNU General Public License
@@ -221,6 +221,10 class ApplicationController < ActionController::Base
221 def find_issues
221 def find_issues
222 @issues = Issue.find_all_by_id(params[:id] || params[:ids])
222 @issues = Issue.find_all_by_id(params[:id] || params[:ids])
223 raise ActiveRecord::RecordNotFound if @issues.empty?
223 raise ActiveRecord::RecordNotFound if @issues.empty?
224 if @issues.detect {|issue| !issue.visible?}
225 deny_access
226 return
227 end
224 @projects = @issues.collect(&:project).compact.uniq
228 @projects = @issues.collect(&:project).compact.uniq
225 @project = @projects.first if @projects.size == 1
229 @project = @projects.first if @projects.size == 1
226 rescue ActiveRecord::RecordNotFound
230 rescue ActiveRecord::RecordNotFound
Show file before | Show file after | Hide comments
@@ -1,5 +1,5
1 # Redmine - project management software
1 # Redmine - project management software
2 # Copyright (C) 2006-2008 Jean-Philippe Lang
2 # Copyright (C) 2006-2011 Jean-Philippe Lang
3 #
3 #
4 # This program is free software; you can redistribute it and/or
4 # This program is free software; you can redistribute it and/or
5 # modify it under the terms of the GNU General Public License
5 # modify it under the terms of the GNU General Public License
@@ -251,7 +251,13 class IssuesController < ApplicationController
251
251
252 private
252 private
253 def find_issue
253 def find_issue
254 # Issue.visible.find(...) can not be used to redirect user to the login form
255 # if the issue actually exists but requires authentication
254 @issue = Issue.find(params[:id], :include => [:project, :tracker, :status, :author, :priority, :category])
256 @issue = Issue.find(params[:id], :include => [:project, :tracker, :status, :author, :priority, :category])
257 unless @issue.visible?
258 deny_access
259 return
260 end
255 @project = @issue.project
261 @project = @issue.project
256 rescue ActiveRecord::RecordNotFound
262 rescue ActiveRecord::RecordNotFound
257 render_404
263 render_404
Show file before | Show file after | Hide comments
@@ -88,12 +88,30 class Issue < ActiveRecord::Base
88
88
89 # Returns a SQL conditions string used to find all issues visible by the specified user
89 # Returns a SQL conditions string used to find all issues visible by the specified user
90 def self.visible_condition(user, options={})
90 def self.visible_condition(user, options={})
91 Project.allowed_to_condition(user, :view_issues, options)
91 Project.allowed_to_condition(user, :view_issues, options) do |role, user|
92 case role.issues_visibility
93 when 'default'
94 nil
95 when 'own'
96 "(#{table_name}.author_id = #{user.id} OR #{table_name}.assigned_to_id = #{user.id})"
97 else
98 '1=0'
99 end
100 end
92 end
101 end
93
102
94 # Returns true if usr or current user is allowed to view the issue
103 # Returns true if usr or current user is allowed to view the issue
95 def visible?(usr=nil)
104 def visible?(usr=nil)
96 (usr || User.current).allowed_to?(:view_issues, self.project)
105 (usr || User.current).allowed_to?(:view_issues, self.project) do |role, user|
106 case role.issues_visibility
107 when 'default'
108 true
109 when 'own'
110 self.author == user || self.assigned_to == user
111 else
112 false
113 end
114 end
97 end
115 end
98
116
99 def after_initialize
117 def after_initialize
Show file before | Show file after | Hide comments
@@ -174,6 +174,13 class Project < ActiveRecord::Base
174 if statement_by_role.empty?
174 if statement_by_role.empty?
175 "1=0"
175 "1=0"
176 else
176 else
177 if block_given?
178 statement_by_role.each do |role, statement|
179 if s = yield(role, user)
180 statement_by_role[role] = "(#{statement} AND (#{s}))"
181 end
182 end
183 end
177 "((#{base_statement}) AND (#{statement_by_role.values.join(' OR ')}))"
184 "((#{base_statement}) AND (#{statement_by_role.values.join(' OR ')}))"
178 end
185 end
179 end
186 end
Show file before | Show file after | Hide comments
@@ -19,6 +19,11 class Role < ActiveRecord::Base
19 # Built-in roles
19 # Built-in roles
20 BUILTIN_NON_MEMBER = 1
20 BUILTIN_NON_MEMBER = 1
21 BUILTIN_ANONYMOUS = 2
21 BUILTIN_ANONYMOUS = 2
22
23 ISSUES_VISIBILITY_OPTIONS = [
24 ['default', :label_issues_visibility_all],
25 ['own', :label_issues_visibility_own]
26 ]
22
27
23 named_scope :givable, { :conditions => "builtin = 0", :order => 'position' }
28 named_scope :givable, { :conditions => "builtin = 0", :order => 'position' }
24 named_scope :builtin, lambda { |*args|
29 named_scope :builtin, lambda { |*args|
@@ -43,7 +48,10 class Role < ActiveRecord::Base
43 validates_presence_of :name
48 validates_presence_of :name
44 validates_uniqueness_of :name
49 validates_uniqueness_of :name
45 validates_length_of :name, :maximum => 30
50 validates_length_of :name, :maximum => 30
46
51 validates_inclusion_of :issues_visibility,
52 :in => ISSUES_VISIBILITY_OPTIONS.collect(&:first),
53 :if => lambda {|role| role.respond_to?(:issues_visibility)}
54
47 def permissions
55 def permissions
48 read_attribute(:permissions) || []
56 read_attribute(:permissions) || []
49 end
57 end
Show file before | Show file after | Hide comments
@@ -394,10 +394,10 class User < Principal
394 # * a permission Symbol (eg. :edit_project)
394 # * a permission Symbol (eg. :edit_project)
395 # Context can be:
395 # Context can be:
396 # * a project : returns true if user is allowed to do the specified action on this project
396 # * a project : returns true if user is allowed to do the specified action on this project
397 # * a group of projects : returns true if user is allowed on every project
397 # * an array of projects : returns true if user is allowed on every project
398 # * nil with options[:global] set : check if user has at least one role allowed for this action,
398 # * nil with options[:global] set : check if user has at least one role allowed for this action,
399 # or falls back to Non Member / Anonymous permissions depending if the user is logged
399 # or falls back to Non Member / Anonymous permissions depending if the user is logged
400 def allowed_to?(action, context, options={})
400 def allowed_to?(action, context, options={}, &block)
401 if context && context.is_a?(Project)
401 if context && context.is_a?(Project)
402 # No action allowed on archived projects
402 # No action allowed on archived projects
403 return false unless context.active?
403 return false unless context.active?
@@ -408,12 +408,15 class User < Principal
408
408
409 roles = roles_for_project(context)
409 roles = roles_for_project(context)
410 return false unless roles
410 return false unless roles
411 roles.detect {|role| (context.is_public? || role.member?) && role.allowed_to?(action)}
411 roles.detect {|role|
412
412 (context.is_public? || role.member?) &&
413 role.allowed_to?(action) &&
414 (block_given? ? yield(role, self) : true)
415 }
413 elsif context && context.is_a?(Array)
416 elsif context && context.is_a?(Array)
414 # Authorize if user is authorized on every element of the array
417 # Authorize if user is authorized on every element of the array
415 context.map do |project|
418 context.map do |project|
416 allowed_to?(action,project,options)
419 allowed_to?(action, project, options, &block)
417 end.inject do |memo,allowed|
420 end.inject do |memo,allowed|
418 memo && allowed
421 memo && allowed
419 end
422 end
@@ -423,7 +426,11 class User < Principal
423
426
424 # authorize if user has at least one role that has this permission
427 # authorize if user has at least one role that has this permission
425 roles = memberships.collect {|m| m.roles}.flatten.uniq
428 roles = memberships.collect {|m| m.roles}.flatten.uniq
426 roles.detect {|r| r.allowed_to?(action)} || (self.logged? ? Role.non_member.allowed_to?(action) : Role.anonymous.allowed_to?(action))
429 roles << (self.logged? ? Role.non_member : Role.anonymous)
430 roles.detect {|role|
431 role.allowed_to?(action) &&
432 (block_given? ? yield(role, self) : true)
433 }
427 else
434 else
428 false
435 false
429 end
436 end
@@ -431,8 +438,8 class User < Principal
431
438
432 # Is the user allowed to do the specified action on any project?
439 # Is the user allowed to do the specified action on any project?
433 # See allowed_to? for the actions and valid options.
440 # See allowed_to? for the actions and valid options.
434 def allowed_to_globally?(action, options)
441 def allowed_to_globally?(action, options, &block)
435 allowed_to?(action, nil, options.reverse_merge(:global => true))
442 allowed_to?(action, nil, options.reverse_merge(:global => true), &block)
436 end
443 end
437
444
438 safe_attributes 'login',
445 safe_attributes 'login',
Show file before | Show file after | Hide comments
@@ -1,15 +1,16
1 <%= error_messages_for 'role' %>
1 <%= error_messages_for 'role' %>
2
2
3 <% unless @role.builtin? %>
4 <div class="box">
3 <div class="box">
4 <% unless @role.builtin? %>
5 <p><%= f.text_field :name, :required => true %></p>
5 <p><%= f.text_field :name, :required => true %></p>
6 <p><%= f.check_box :assignable %></p>
6 <p><%= f.check_box :assignable %></p>
7 <% end %>
8 <p><%= f.select :issues_visibility, Role::ISSUES_VISIBILITY_OPTIONS.collect {|v| [l(v.last), v.first]} %></p>
7 <% if @role.new_record? && @roles.any? %>
9 <% if @role.new_record? && @roles.any? %>
8 <p><label><%= l(:label_copy_workflow_from) %></label>
10 <p><label><%= l(:label_copy_workflow_from) %></label>
9 <%= select_tag(:copy_workflow_from, content_tag("option") + options_from_collection_for_select(@roles, :id, :name)) %></p>
11 <%= select_tag(:copy_workflow_from, content_tag("option") + options_from_collection_for_select(@roles, :id, :name)) %></p>
10 <% end %>
12 <% end %>
11 </div>
13 </div>
12 <% end %>
13
14
14 <h3><%= l(:label_permissions) %></h3>
15 <h3><%= l(:label_permissions) %></h3>
15 <div class="box" id="permissions">
16 <div class="box" id="permissions">
Show file before | Show file after | Hide comments
@@ -304,6 +304,7 en:
304 field_text: Text field
304 field_text: Text field
305 field_visible: Visible
305 field_visible: Visible
306 field_warn_on_leaving_unsaved: "Warn me when leaving a page with unsaved text"
306 field_warn_on_leaving_unsaved: "Warn me when leaving a page with unsaved text"
307 field_issues_visibility: Issues visibility
307
308
308 setting_app_title: Application title
309 setting_app_title: Application title
309 setting_app_subtitle: Application subtitle
310 setting_app_subtitle: Application subtitle
@@ -804,6 +805,8 en:
804 label_user_search: "Search for user:"
805 label_user_search: "Search for user:"
805 label_additional_workflow_transitions_for_author: Additional transitions allowed when the user is the author
806 label_additional_workflow_transitions_for_author: Additional transitions allowed when the user is the author
806 label_additional_workflow_transitions_for_assignee: Additional transitions allowed when the user is the assignee
807 label_additional_workflow_transitions_for_assignee: Additional transitions allowed when the user is the assignee
808 label_issues_visibility_all: All issues
809 label_issues_visibility_own: Issues created by or assigned to the user
807
810
808 button_login: Login
811 button_login: Login
809 button_submit: Submit
812 button_submit: Submit
Show file before | Show file after | Hide comments
@@ -308,6 +308,7 fr:
308 field_parent_issue: TΓ’che parente
308 field_parent_issue: TΓ’che parente
309 field_visible: Visible
309 field_visible: Visible
310 field_warn_on_leaving_unsaved: "M'avertir lorsque je quitte une page contenant du texte non sauvegardΓ©"
310 field_warn_on_leaving_unsaved: "M'avertir lorsque je quitte une page contenant du texte non sauvegardΓ©"
311 field_issues_visibility: VisibilitΓ© des demandes
311
312
312 setting_app_title: Titre de l'application
313 setting_app_title: Titre de l'application
313 setting_app_subtitle: Sous-titre de l'application
314 setting_app_subtitle: Sous-titre de l'application
@@ -791,6 +792,8 fr:
791 label_user_search: "Rechercher un utilisateur :"
792 label_user_search: "Rechercher un utilisateur :"
792 label_additional_workflow_transitions_for_author: Autorisations supplémentaires lorsque l'utilisateur a créé la demande
793 label_additional_workflow_transitions_for_author: Autorisations supplémentaires lorsque l'utilisateur a créé la demande
793 label_additional_workflow_transitions_for_assignee: Autorisations supplΓ©mentaires lorsque la demande est assignΓ©e Γ  l'utilisateur
794 label_additional_workflow_transitions_for_assignee: Autorisations supplΓ©mentaires lorsque la demande est assignΓ©e Γ  l'utilisateur
795 label_issues_visibility_all: Toutes les demandes
796 label_issues_visibility_own: Demandes créées par ou assignées à l'utilisateur
794
797
795 button_login: Connexion
798 button_login: Connexion
796 button_submit: Soumettre
799 button_submit: Soumettre
Show file before | Show file after | Hide comments
@@ -3,6 +3,7 roles_001:
3 name: Manager
3 name: Manager
4 id: 1
4 id: 1
5 builtin: 0
5 builtin: 0
6 issues_visibility: default
6 permissions: |
7 permissions: |
7 ---
8 ---
8 - :add_project
9 - :add_project
@@ -58,6 +59,7 roles_002:
58 name: Developer
59 name: Developer
59 id: 2
60 id: 2
60 builtin: 0
61 builtin: 0
62 issues_visibility: default
61 permissions: |
63 permissions: |
62 ---
64 ---
63 - :edit_project
65 - :edit_project
@@ -102,6 +104,7 roles_003:
102 name: Reporter
104 name: Reporter
103 id: 3
105 id: 3
104 builtin: 0
106 builtin: 0
107 issues_visibility: default
105 permissions: |
108 permissions: |
106 ---
109 ---
107 - :edit_project
110 - :edit_project
@@ -140,6 +143,7 roles_004:
140 name: Non member
143 name: Non member
141 id: 4
144 id: 4
142 builtin: 1
145 builtin: 1
146 issues_visibility: default
143 permissions: |
147 permissions: |
144 ---
148 ---
145 - :view_issues
149 - :view_issues
@@ -170,6 +174,7 roles_005:
170 name: Anonymous
174 name: Anonymous
171 id: 5
175 id: 5
172 builtin: 2
176 builtin: 2
177 issues_visibility: default
173 permissions: |
178 permissions: |
174 ---
179 ---
175 - :view_issues
180 - :view_issues
Show file before | Show file after | Hide comments
@@ -65,35 +65,76 class IssueTest < ActiveSupport::TestCase
65 assert_equal 'PostgreSQL', issue.custom_value_for(field).value
65 assert_equal 'PostgreSQL', issue.custom_value_for(field).value
66 end
66 end
67
67
68 def assert_visibility_match(user, issues)
69 assert_equal issues.collect(&:id).sort, Issue.all.select {|issue| issue.visible?(user)}.collect(&:id).sort
70 end
71
68 def test_visible_scope_for_anonymous
72 def test_visible_scope_for_anonymous
69 # Anonymous user should see issues of public projects only
73 # Anonymous user should see issues of public projects only
70 issues = Issue.visible(User.anonymous).all
74 issues = Issue.visible(User.anonymous).all
71 assert issues.any?
75 assert issues.any?
72 assert_nil issues.detect {|issue| !issue.project.is_public?}
76 assert_nil issues.detect {|issue| !issue.project.is_public?}
77 assert_visibility_match User.anonymous, issues
78 end
79
80 def test_visible_scope_for_anonymous_with_own_issues_visibility
81 Role.anonymous.update_attribute :issues_visibility, 'own'
82 Issue.create!(:project_id => 1, :tracker_id => 1, :author_id => User.anonymous.id, :subject => 'Issue by anonymous')
83
84 issues = Issue.visible(User.anonymous).all
85 assert issues.any?
86 assert_nil issues.detect {|issue| issue.author != User.anonymous}
87 assert_visibility_match User.anonymous, issues
88 end
89
90 def test_visible_scope_for_anonymous_without_view_issues_permissions
73 # Anonymous user should not see issues without permission
91 # Anonymous user should not see issues without permission
74 Role.anonymous.remove_permission!(:view_issues)
92 Role.anonymous.remove_permission!(:view_issues)
75 issues = Issue.visible(User.anonymous).all
93 issues = Issue.visible(User.anonymous).all
76 assert issues.empty?
94 assert issues.empty?
95 assert_visibility_match User.anonymous, issues
77 end
96 end
78
97
79 def test_visible_scope_for_user
98 def test_visible_scope_for_non_member
80 user = User.find(9)
99 user = User.find(9)
81 assert user.projects.empty?
100 assert user.projects.empty?
82 # Non member user should see issues of public projects only
101 # Non member user should see issues of public projects only
83 issues = Issue.visible(user).all
102 issues = Issue.visible(user).all
84 assert issues.any?
103 assert issues.any?
85 assert_nil issues.detect {|issue| !issue.project.is_public?}
104 assert_nil issues.detect {|issue| !issue.project.is_public?}
105 assert_visibility_match user, issues
106 end
107
108 def test_visible_scope_for_non_member_with_own_issues_visibility
109 Role.non_member.update_attribute :issues_visibility, 'own'
110 Issue.create!(:project_id => 1, :tracker_id => 1, :author_id => 9, :subject => 'Issue by non member')
111 user = User.find(9)
112
113 issues = Issue.visible(user).all
114 assert issues.any?
115 assert_nil issues.detect {|issue| issue.author != user}
116 assert_visibility_match user, issues
117 end
118
119 def test_visible_scope_for_non_member_without_view_issues_permissions
86 # Non member user should not see issues without permission
120 # Non member user should not see issues without permission
87 Role.non_member.remove_permission!(:view_issues)
121 Role.non_member.remove_permission!(:view_issues)
88 user.reload
122 user = User.find(9)
123 assert user.projects.empty?
89 issues = Issue.visible(user).all
124 issues = Issue.visible(user).all
90 assert issues.empty?
125 assert issues.empty?
126 assert_visibility_match user, issues
127 end
128
129 def test_visible_scope_for_member
130 user = User.find(9)
91 # User should see issues of projects for which he has view_issues permissions only
131 # User should see issues of projects for which he has view_issues permissions only
132 Role.non_member.remove_permission!(:view_issues)
92 Member.create!(:principal => user, :project_id => 2, :role_ids => [1])
133 Member.create!(:principal => user, :project_id => 2, :role_ids => [1])
93 user.reload
94 issues = Issue.visible(user).all
134 issues = Issue.visible(user).all
95 assert issues.any?
135 assert issues.any?
96 assert_nil issues.detect {|issue| issue.project_id != 2}
136 assert_nil issues.detect {|issue| issue.project_id != 2}
137 assert_visibility_match user, issues
97 end
138 end
98
139
99 def test_visible_scope_for_admin
140 def test_visible_scope_for_admin
@@ -104,6 +145,7 class IssueTest < ActiveSupport::TestCase
104 assert issues.any?
145 assert issues.any?
105 # Admin should see issues on private projects that he does not belong to
146 # Admin should see issues on private projects that he does not belong to
106 assert issues.detect {|issue| !issue.project.is_public?}
147 assert issues.detect {|issue| !issue.project.is_public?}
148 assert_visibility_match user, issues
107 end
149 end
108
150
109 def test_visible_scope_with_project
151 def test_visible_scope_with_project
General Comments 0
You need to be logged in to leave comments. Login now