@@ -54,6 +54,11 class Issue < ActiveRecord::Base | |||||
54 | named_scope :visible, lambda {|*args| { :include => :project, |
|
54 | named_scope :visible, lambda {|*args| { :include => :project, | |
55 | :conditions => Project.allowed_to_condition(args.first || User.current, :view_issues) } } |
|
55 | :conditions => Project.allowed_to_condition(args.first || User.current, :view_issues) } } | |
56 |
|
56 | |||
|
57 | # Returns true if usr or current user is allowed to view the issue | |||
|
58 | def visible?(usr=nil) | |||
|
59 | (usr || User.current).allowed_to?(:view_issues, self.project) | |||
|
60 | end | |||
|
61 | ||||
57 | def after_initialize |
|
62 | def after_initialize | |
58 | if new_record? |
|
63 | if new_record? | |
59 | # set default values for new records only |
|
64 | # set default values for new records only |
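Review bot: `visible?` at new line 58 restates the rule of the `:visible` named scope just above it through a different call (`User#allowed_to?` versus `Project.allowed_to_condition`), and nothing in the code says the two must agree. If one is later extended and the other is not, list queries and single-issue checks would disagree about who may see an issue. I would add a comment above the method such as `# Keep in sync with the :visible named scope: both must apply the same :view_issues rule.` It is also worth confirming how `allowed_to?` behaves when `project` is nil on an unsaved issue; that is not visible from this hunk.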
@@ -8,7 +8,7 | |||||
8 |
|
8 | |||
9 | <% if @issue.relations.any? %> |
|
9 | <% if @issue.relations.any? %> | |
10 | <table style="width:100%"> |
|
10 | <table style="width:100%"> | |
11 | <% @issue.relations.each do |relation| %> |
|
11 | <% @issue.relations.select {|r| r.other_issue(@issue).visible? }.each do |relation| %> | |
12 | <tr> |
|
12 | <tr> | |
13 | <td><%= l(relation.label_for(@issue)) %> <%= "(#{lwr(:actionview_datehelper_time_in_words_day, relation.delay)})" if relation.delay && relation.delay != 0 %> |
|
13 | <td><%= l(relation.label_for(@issue)) %> <%= "(#{lwr(:actionview_datehelper_time_in_words_day, relation.delay)})" if relation.delay && relation.delay != 0 %> | |
14 | <%= h(relation.other_issue(@issue).project) + ' - ' if Setting.cross_project_issue_relations? %> <%= link_to_issue relation.other_issue(@issue) %></td> |
|
14 | <%= h(relation.other_issue(@issue).project) + ' - ' if Setting.cross_project_issue_relations? %> <%= link_to_issue relation.other_issue(@issue) %></td> |
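Review bot: The guard on line 9, `<% if @issue.relations.any? %>`, still tests the unfiltered list, while only the loop on line 11 filters by `visible?`. When every relation points to an issue the viewer cannot see, the page would still render an empty table, which tells the viewer that hidden relations exist. Compute the filtered list once and use it in both places: `<% visible_relations = @issue.relations.select {|r| r.other_issue(@issue).visible? } %>`, then `<% if visible_relations.any? %>` and `<% visible_relations.each do |relation| %>`. The check also lives only in this template, so any other view or export that lists relations needs the same filter; the rest of the table is outside the hunk.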
@@ -324,6 +324,21 class IssuesControllerTest < Test::Unit::TestCase | |||||
324 | :content => /Notes/ } } |
|
324 | :content => /Notes/ } } | |
325 | end |
|
325 | end | |
326 |
|
326 | |||
|
327 | def test_show_should_not_disclose_relations_to_invisible_issues | |||
|
328 | Setting.cross_project_issue_relations = '1' | |||
|
329 | IssueRelation.create!(:issue_from => Issue.find(1), :issue_to => Issue.find(2), :relation_type => 'relates') | |||
|
330 | # Relation to a private project issue | |||
|
331 | IssueRelation.create!(:issue_from => Issue.find(1), :issue_to => Issue.find(4), :relation_type => 'relates') | |||
|
332 | ||||
|
333 | get :show, :id => 1 | |||
|
334 | assert_response :success | |||
|
335 | ||||
|
336 | assert_tag :div, :attributes => { :id => 'relations' }, | |||
|
337 | :descendant => { :tag => 'a', :content => /#2$/ } | |||
|
338 | assert_no_tag :div, :attributes => { :id => 'relations' }, | |||
|
339 | :descendant => { :tag => 'a', :content => /#4$/ } | |||
|
340 | end | |||
|
341 | ||||
327 | def test_new_routing |
|
342 | def test_new_routing | |
328 | assert_routing( |
|
343 | assert_routing( | |
329 | {:method => :get, :path => '/projects/1/issues/new'}, |
|
344 | {:method => :get, :path => '/projects/1/issues/new'}, |
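Review bot: `test_show_should_not_disclose_relations_to_invisible_issues` never states which user makes the request, so whether issue #4 is hidden depends on state set outside this hunk (presumably an anonymous session from `setup`). I would add a comment before the `get`, for example `# requested as anonymous, who cannot view the private project of issue 4`, and a companion test that logs in a member of that project and asserts `#4` is listed, so the filter is pinned in both directions. `Setting.cross_project_issue_relations = '1'` is also left set when the test ends; confirm the suite resets settings between tests so that other cases are not affected.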