| @@ -54,6 +54,11 class Issue < ActiveRecord::Base | |||
|
|
54 | 54 | named_scope :visible, lambda {|*args| { :include => :project, |
|
|
55 | 55 | :conditions => Project.allowed_to_condition(args.first || User.current, :view_issues) } } |
|
|
56 | 56 | |
|
|
57 | # Returns true if usr or current user is allowed to view the issue | |
|
|
58 | def visible?(usr=nil) | |
|
|
59 | (usr || User.current).allowed_to?(:view_issues, self.project) | |
|
|
60 | end | |
|
|
61 | ||
|
|
57 | 62 | def after_initialize |
|
|
58 | 63 | if new_record? |
|
|
59 | 64 | # set default values for new records only |
| @@ -8,7 +8,7 | |||
|
|
8 | 8 | |
|
|
9 | 9 | <% if @issue.relations.any? %> |
|
|
10 | 10 | <table style="width:100%"> |
|
|
11 | <% @issue.relations.each do |relation| %> | |
|
|
11 | <% @issue.relations.select {|r| r.other_issue(@issue).visible? }.each do |relation| %> | |
|
|
12 | 12 | <tr> |
|
|
13 | 13 | <td><%= l(relation.label_for(@issue)) %> <%= "(#{lwr(:actionview_datehelper_time_in_words_day, relation.delay)})" if relation.delay && relation.delay != 0 %> |
|
|
14 | 14 | <%= h(relation.other_issue(@issue).project) + ' - ' if Setting.cross_project_issue_relations? %> <%= link_to_issue relation.other_issue(@issue) %></td> |
| @@ -324,6 +324,21 class IssuesControllerTest < Test::Unit::TestCase | |||
|
|
324 | 324 | :content => /Notes/ } } |
|
|
325 | 325 | end |
|
|
326 | 326 | |
|
|
327 | def test_show_should_not_disclose_relations_to_invisible_issues | |
|
|
328 | Setting.cross_project_issue_relations = '1' | |
|
|
329 | IssueRelation.create!(:issue_from => Issue.find(1), :issue_to => Issue.find(2), :relation_type => 'relates') | |
|
|
330 | # Relation to a private project issue | |
|
|
331 | IssueRelation.create!(:issue_from => Issue.find(1), :issue_to => Issue.find(4), :relation_type => 'relates') | |
|
|
332 | ||
|
|
333 | get :show, :id => 1 | |
|
|
334 | assert_response :success | |
|
|
335 | ||
|
|
336 | assert_tag :div, :attributes => { :id => 'relations' }, | |
|
|
337 | :descendant => { :tag => 'a', :content => /#2$/ } | |
|
|
338 | assert_no_tag :div, :attributes => { :id => 'relations' }, | |
|
|
339 | :descendant => { :tag => 'a', :content => /#4$/ } | |
|
|
340 | end | |
|
|
341 | ||
|
|
327 | 342 | def test_new_routing |
|
|
328 | 343 | assert_routing( |
|
|
329 | 344 | {:method => :get, :path => '/projects/1/issues/new'}, |
General Comments 0
You need to be logged in to leave comments.
Login now