diff --git a/app/controllers/projects_controller.rb b/app/controllers/projects_controller.rb index 233d012d2a..0f9b0f52c5 100644 --- a/app/controllers/projects_controller.rb +++ b/app/controllers/projects_controller.rb @@ -288,8 +288,7 @@ class ProjectsController < ApplicationController :conditions => @query.statement, :limit => @issue_pages.items_per_page, :offset => @issue_pages.current.offset - end - @trackers = Tracker.find :all, :order => 'position' + end render :layout => false if request.xhr? end @@ -400,22 +399,6 @@ class ProjectsController < ApplicationController end end - def add_query - @query = Query.new(params[:query]) - @query.project = @project - @query.user = logged_in_user - - params[:fields].each do |field| - @query.add_filter(field, params[:operators][field], params[:values][field]) - end if params[:fields] - - if request.post? and @query.save - flash[:notice] = l(:notice_successful_create) - redirect_to :controller => 'reports', :action => 'issue_report', :id => @project - end - render :layout => false if request.xhr? - end - # Add a news to @project def add_news @news = News.new(:project => @project) diff --git a/app/controllers/queries_controller.rb b/app/controllers/queries_controller.rb index abafd19d47..6318952842 100644 --- a/app/controllers/queries_controller.rb +++ b/app/controllers/queries_controller.rb @@ -1,5 +1,5 @@ # redMine - project management software -# Copyright (C) 2006 Jean-Philippe Lang +# Copyright (C) 2006-2007 Jean-Philippe Lang # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License @@ -16,9 +16,35 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. class QueriesController < ApplicationController - layout 'base' - before_filter :require_login, :find_query + layout 'base' + before_filter :require_login, :except => :index + before_filter :find_project, :check_project_privacy + def index + @queries = @project.queries.find(:all, + :order => "name ASC", + :conditions => ["is_public = ? or user_id = ?", true, (logged_in_user ? logged_in_user.id : 0)]) + end + + def new + @query = Query.new(params[:query]) + @query.project = @project + @query.user = logged_in_user + @query.executed_by = logged_in_user + @query.is_public = false unless logged_in_user.authorized_to(@project, 'projects/add_query') + + params[:fields].each do |field| + @query.add_filter(field, params[:operators][field], params[:values][field]) + end if params[:fields] + + if request.post? and @query.save + flash[:notice] = l(:notice_successful_create) + redirect_to :controller => 'projects', :action => 'list_issues', :id => @project, :query_id => @query + return + end + render :layout => false if request.xhr? + end + def edit if request.post? @query.filters = {} @@ -26,6 +52,7 @@ class QueriesController < ApplicationController @query.add_filter(field, params[:operators][field], params[:values][field]) end if params[:fields] @query.attributes = params[:query] + @query.is_public = false unless logged_in_user.authorized_to(@project, 'projects/add_query') if @query.save flash[:notice] = l(:notice_successful_update) @@ -36,16 +63,19 @@ class QueriesController < ApplicationController def destroy @query.destroy if request.post? - redirect_to :controller => 'reports', :action => 'issue_report', :id => @project + redirect_to :controller => 'queries', :project_id => @project end private - def find_query - @query = Query.find(params[:id]) - @query.executed_by = logged_in_user - @project = @query.project - # check if user is allowed to manage queries (same permission as add_query) - authorize('projects', 'add_query') + def find_project + if params[:id] + @query = Query.find(params[:id]) + @query.executed_by = logged_in_user + @project = @query.project + render_403 unless @query.editable_by?(logged_in_user) + else + @project = Project.find(params[:project_id]) + end rescue ActiveRecord::RecordNotFound render_404 end diff --git a/app/controllers/reports_controller.rb b/app/controllers/reports_controller.rb index 59f13d7a53..fdbcc5a539 100644 --- a/app/controllers/reports_controller.rb +++ b/app/controllers/reports_controller.rb @@ -60,7 +60,6 @@ class ReportsController < ApplicationController @report_title = l(:field_subproject) render :template => "reports/issue_report_details" else - @queries = @project.queries.find :all, :conditions => ["is_public=? or user_id=?", true, (logged_in_user ? logged_in_user.id : 0)] @trackers = Tracker.find(:all, :order => 'position') @versions = @project.versions.sort @priorities = Enumeration::get_values('IPRI') diff --git a/app/models/query.rb b/app/models/query.rb index 081721ca23..b641436748 100644 --- a/app/models/query.rb +++ b/app/models/query.rb @@ -57,7 +57,6 @@ class Query < ActiveRecord::Base def initialize(attributes = nil) super attributes self.filters ||= { 'status_id' => {:operator => "o", :values => [""]} } - self.is_public = true end def executed_by=(user) @@ -75,6 +74,12 @@ class Query < ActiveRecord::Base end if filters end + def editable_by?(user) + return false unless user + return true if !is_public && self.user_id == user.id + is_public && user.authorized_to(project, "projects/add_query") + end + def available_filters return @available_filters if @available_filters @available_filters = { "status_id" => { :type => :list_status, :order => 1, :values => IssueStatus.find(:all, :order => 'position').collect{|s| [s.name, s.id.to_s] } }, diff --git a/app/models/user.rb b/app/models/user.rb index 917745b224..bc5d4ecf86 100644 --- a/app/models/user.rb +++ b/app/models/user.rb @@ -125,10 +125,17 @@ class User < ActiveRecord::Base end def role_for_project(project) + return nil unless project member = memberships.detect {|m| m.project_id == project.id} member ? member.role : nil end + def authorized_to(project, action) + return true if self.admin? + role = role_for_project(project) + role && Permission.allowed_to_role(action, role) + end + def pref self.preference ||= UserPreference.new(:user => self) end diff --git a/app/views/issues/_add_shortcut.rhtml b/app/views/issues/_add_shortcut.rhtml deleted file mode 100644 index c6a5a46676..0000000000 --- a/app/views/issues/_add_shortcut.rhtml +++ /dev/null @@ -1,5 +0,0 @@ -<% if authorize_for('projects', 'add_issue') %> -<% form_tag({ :controller => 'projects', :action => 'add_issue', :id => @project }, :method => 'get') do %> -<%= l(:label_issue_new) %>: <%= select_tag 'tracker_id', ("" + options_from_collection_for_select(trackers, 'id', 'name')), :onchange => "if (this.value!='') {this.form.submit();}" %> -<% end %> -<% end %> diff --git a/app/views/layouts/base.rhtml b/app/views/layouts/base.rhtml index 62dd48af20..bcc4026a00 100644 --- a/app/views/layouts/base.rhtml +++ b/app/views/layouts/base.rhtml @@ -77,6 +77,9 @@ <%= link_to l(:label_calendar), {:controller => 'projects', :action => 'calendar', :id => @project }, :class => "menuItem" %> <%= link_to l(:label_gantt), {:controller => 'projects', :action => 'gantt', :id => @project }, :class => "menuItem" %> <%= link_to l(:label_issue_plural), {:controller => 'projects', :action => 'list_issues', :id => @project }, :class => "menuItem" %> + <% if @project && authorize_for('projects', 'add_issue') %> + <%= l(:label_issue_new) %> + <% end %> <%= link_to l(:label_report_plural), {:controller => 'reports', :action => 'issue_report', :id => @project }, :class => "menuItem" %> <%= link_to l(:label_activity), {:controller => 'projects', :action => 'activity', :id => @project }, :class => "menuItem" %> <%= link_to l(:label_news_plural), {:controller => 'projects', :action => 'list_news', :id => @project }, :class => "menuItem" %> @@ -91,6 +94,14 @@ <%= link_to_if_authorized l(:label_settings), {:controller => 'projects', :action => 'settings', :id => @project }, :class => "menuItem" %> <% end %> + + <% if @project && authorize_for('projects', 'add_issue') %> + + <% end %> <% if loggedin? and @logged_in_user.memberships.any? %>