Fixed permission checking during Cost Reports

More fun with patch loading. Fixed some typos. git-svn-id: https://dev.finn.de/svn/cockpit/trunk@414 7926756e-e54e-46e6-9721-ed318f58905e
15 years ago · 9520423b37
parent da1ea19419
commit 9520423b37
6 changed files with 42 additions and 56 deletions
--- a/app/models/cost_entry.rb
+++ b/app/models/cost_entry.rb
@ -1,4 +1,6 @@
 class CostEntry < ActiveRecord::Base
+  unloadable
+
  belongs_to :project
  belongs_to :issue
  belongs_to :user
--- a/app/models/cost_query.rb
+++ b/app/models/cost_query.rb
@ -353,9 +353,9 @@ class CostQuery < ActiveRecord::Base
    end
  end
  
-  def project_statement(entry_type)
+  def projects
+    projects = [project]
    if project && !project.children.active.empty?
-      projects = [project]
      if subprojects = has_filter?(:issues, "subproject_id")
        subprojects = create_filter_from_hash(subprojects)

@ -375,16 +375,14 @@ class CostQuery < ActiveRecord::Base
    elsif project
      # show only the current project
    else
-      ids = []
+      projects = []
    end
    
-    # FIXME: Implement rights model here
-    #project_clauses <<  Project.allowed_to_condition(User.current, :view_issues)
-    if ids.blank?
-      "1=1"
-    else
-      User.current.allowed_for("view_#{entry_type}".to_sym, projects)
-    end
+    projects
+  end
+    
+  def project_statement
+    "#{Project.table_name}.id IN (#{projects.collect(&:id).join(',')})"
  end
  
  def group_by_fields()
@ -446,6 +444,7 @@ class CostQuery < ActiveRecord::Base
        LEFT OUTER JOIN #{CostType.table_name} ON #{CostType.table_name}.id = #{CostEntry.table_name}.cost_type_id
        LEFT OUTER JOIN #{User.table_name} ON #{User.table_name}.id = #{CostEntry.table_name}.user_id
        LEFT OUTER JOIN #{Issue.table_name} ON #{Issue.table_name}.id = #{CostEntry.table_name}.issue_id
+        LEFT OUTER JOIN #{Project.table_name} ON #{Project.table_name}.id = #{CostEntry.table_name}.project_id
      EOS
    when :time_entries
      from = <<-EOS
@ -453,6 +452,7 @@ class CostQuery < ActiveRecord::Base
        LEFT OUTER JOIN #{Enumeration.table_name} ON #{Enumeration.table_name}.id = #{TimeEntry.table_name}.activity_id
        LEFT OUTER JOIN #{User.table_name} ON #{User.table_name}.id = #{TimeEntry.table_name}.user_id
        LEFT OUTER JOIN #{Issue.table_name} ON #{Issue.table_name}.id = #{TimeEntry.table_name}.issue_id
+        LEFT OUTER JOIN #{Project.table_name} ON #{Project.table_name}.id = #{TimeEntry.table_name}.project_id
      EOS
    end
  end
@ -511,7 +511,7 @@ class CostQuery < ActiveRecord::Base
                    :select => "#{Issue.table_name}.id",
                    #:include => [ :assigned_to, :status, :tracker, :project, :priority, :category, :fixed_version ],
                    :from => from,
-                    :conditions => (issue_filter_clauses << project_statement(entry_scope)).join(' AND '))
+                    :conditions => (issue_filter_clauses << project_statement).join(' AND '))

    case entry_scope
    when :cost_entries
@ -520,6 +520,8 @@ class CostQuery < ActiveRecord::Base
      entry_filter_clauses << "#{TimeEntry.table_name}.issue_id IN (#{issue_ids})"
    end
    
+    entry_filter_clauses << User.current.allowed_for("view_#{entry_scope}".to_sym, projects)
+    
    entry_filter_clauses.join(' AND ')
  end
  
--- a/config/locales/de.yml
+++ b/config/locales/de.yml
@ -132,4 +132,4 @@ de:
  caption_default_rates: "Standards\xC3\xA4tze"
  currency_delimiter: .
  
-  error_generic: "Bei der Anfrage ist ein Fehler aufgetreten und wurde protokolliert. Bitte melden Sie das Problem Ihrem Redmine Administrator"
+  error_generic: "Bei der Anfrage ist ein Fehler aufgetreten. Sie wurde zurückgesetzt. Bitte melden Sie das Problem Ihrem Redmine Administrator"
--- a/init.rb
+++ b/init.rb
@ -15,8 +15,8 @@ unless defined? GLoc
  end
 end

-# Patches to the Redmine core.
-require_dependency 'costs_i18n_patch'
+
+require 'costs_i18n_patch'

 require 'dispatcher'

@ -40,11 +40,8 @@ Dispatcher.to_prepare do
  require_dependency 'costs_users_helper_patch'
  
  # Library Patches
-  require_dependency 'costs_access_control_permission_patch'
+  require_or_load 'costs_access_control_permission_patch'
  require_dependency 'costs_access_control_patch'
-  require_dependency 'costs_i18n_patch'
-
-

  # Issue.send(:include, CostsIssuePatch)
  # Project.send(:include, CostsProjectPatch)
@ -129,8 +126,8 @@ Redmine::Plugin.register :redmine_costs do
    
    # from controlling requirements 3.5 (3)

-    #Redmine::AccessControl::Permission.send(:include, CostsAccessControlPermissionPatch)
-
+    require_or_load 'costs_access_control_permission_patch'
+    
    permission :view_own_hourly_rate, {},
      :granular_for => :view_hourly_rates
    permission :view_hourly_rates, {:cost_reports => :index}
@ -143,7 +140,7 @@ Redmine::Plugin.register :redmine_costs do
      :inherits => :view_hourly_rates

    # from controlling requirements 4.5
-    permission :view_cost_rates, {:cost_reports => :index}
+    permission :view_cost_rates, {}
    permission :book_own_costs, {:costlog => :edit},
      :require => :loggedin,
      :granular_for => :book_costs
@ -156,9 +153,9 @@ Redmine::Plugin.register :redmine_costs do
    permission :edit_cost_entries, {:costlog => [:edit, :destroy]},
      :require => :member,
      :inherits => :view_cost_entries
-    permission :view_own_cost_entries, {:costlog => [:details], :cost_report => [:index]},
-      :granular_for => :view_cost_entries
    permission :view_cost_entries, {:costlog => [:details], :cost_report => [:index]}
+    permission :view_own_cost_entries, {:costlog => [:details], :cost_reports => [:index]},
+      :granular_for => :view_cost_entries
    permission :block_tickets, {}, :require => :member

    permission :view_cost_objects, {:cost_objects => [:index, :show]}
@ -168,12 +165,12 @@ Redmine::Plugin.register :redmine_costs do
  
  # register additional permissions for the time log
  project_module :time_tracking do
-    permission :view_own_time_entries, {:timelog => [:details, :report], :cost_report => [:index]},
+    permission :view_own_time_entries, {:timelog => [:details, :report], :cost_reports => [:index]},
      :granular_for => :view_time_entries
  end
  
  view_time_entries = Redmine::AccessControl.permission(:view_time_entries)
-  view_time_entries.actions << "cost_report/index"
+  view_time_entries.actions << "cost_reports/index"
  
  edit_time_entries = Redmine::AccessControl.permission(:edit_time_entries)
  edit_time_entries.instance_variable_set("@inherits", [:view_time_entries])
--- a/lib/costs_i18n_patch.rb
+++ b/lib/costs_i18n_patch.rb
@ -1,32 +1,17 @@
-module CostsI18nPatch
-  def self.included(base) # :nodoc:
-    base.send(:include, InstanceMethods)
-  
-    def self.included(base) # :nodoc:
-      base.send(:include, Redmine::I18n)
-      
-      base.send(:include, InstanceMethods)
-      base.class_eval do
-        alias_method_chain :number_to_currency, :l10n
-      end
-    end
-  end
-
-  module InstanceMethods
-    def number_to_currency_with_l10n(number, options = {})
-      options[:delimiter] = l(:currency_delimiter) unless options[:delimiter]
-      options[:separator] = l(:currency_separator) unless options[:separator]
+module ActionView::Helpers::NumberHelper
+  def number_to_currency_with_l10n(number, options = {})
+    options[:delimiter] = l(:currency_delimiter) unless options[:delimiter]
+    options[:separator] = l(:currency_separator) unless options[:separator]

-      options[:unit] = Setting.plugin_redmine_costs['costs_currency'] unless options[:unit]
-      options[:format] = Setting.plugin_redmine_costs['costs_currency_format'] unless options[:format]
-    
-      # FIXME: patch ruby instead of this code
-      # this circumvents the broken BigDecimal#to_f on Siemens's ruby
-      number = number.to_s if number.is_a? BigDecimal
-    
-      number_to_currency_without_l10n(number, options)
-    end
+    options[:unit] = Setting.plugin_redmine_costs['costs_currency'] unless options[:unit]
+    options[:format] = Setting.plugin_redmine_costs['costs_currency_format'] unless options[:format]
+  
+    # FIXME: patch ruby instead of this code
+    # this circumvents the broken BigDecimal#to_f on Siemens's ruby
+    number = number.to_s if number.is_a? BigDecimal
+  
+    number_to_currency_without_l10n(number, options)
  end
-end

-ActionView::Helpers::NumberHelper.send(:include, CostsI18nPatch)
+  alias_method_chain :number_to_currency, :l10n
+end
--- a/lib/costs_user_patch.rb
+++ b/lib/costs_user_patch.rb
@ -120,7 +120,7 @@ module CostsUserPatch
    end
    
    def allowed_for(permission, projects = nil)
-      if projects
+      unless projects.blank?
        projects = [projects] unless projects.is_a? Array
        projects, ids = projects.partition{|p| p.is_a?(Project)}
        projects += Project.find_all_by_id(ids)
@ -219,7 +219,7 @@ module CostsUserPatch
    end
    
    
-  private
+  #private
    def granular_roles(member_roles)
      roles = {}
      member_roles.each do |r|