Only allow project admins to export issues. export formats are: atom, rss, api, xls, csv, pdf. #25512

pull/41/head
Martin Linkhorst 13 years ago
parent fcac419324
commit 97ff222d1c
  1. 15
      app/controllers/issues_controller.rb
  2. 2
      app/views/issues/index.rhtml
  3. 1
      lib/redmine.rb
  4. 1
      test/fixtures/roles.yml
  5. 7
      test/unit/project_test.rb
  6. 6
      test/unit/user_test.rb

@ -13,6 +13,8 @@
#++
class IssuesController < ApplicationController
EXPORT_FORMATS = %w[atom rss api xls csv pdf]
menu_item :new_issue, :only => [:new, :create]
menu_item :view_all_issues, :only => [:all]
default_search_scope :issues
@ -22,6 +24,7 @@ class IssuesController < ApplicationController
before_filter :check_project_uniqueness, :only => [:move, :perform_move]
before_filter :find_project, :only => [:new, :create]
before_filter :authorize, :except => [:index, :all]
before_filter :protect_from_unauthorized_export, :only => [:index, :all]
before_filter :find_optional_project, :only => [:index, :all]
before_filter :check_for_default_issue_status, :only => [:new, :create]
before_filter :build_new_issue_from_params, :only => [:new, :create]
@ -320,4 +323,16 @@ private
attributes[:custom_field_values].reject! {|k,v| v.blank?} if attributes[:custom_field_values]
attributes
end
def protect_from_unauthorized_export
return true unless EXPORT_FORMATS.include? params[:format]
find_optional_project
return true if User.current.allowed_to? :export_issues, @project
# otherwise deny access
params[:format] = 'html'
deny_access
return false
end
end
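Review bot: The allow-list at line 23 names `api` as a format, but `protect_from_unauthorized_export` compares it against `params[:format]`, which carries the extension the client actually requested; if `api` is only a Mime alias for the xml/json responses rather than an extension clients send, those requests never match and the guard returns true on its first line, so the list should name the concrete extensions (`EXPORT_FORMATS = %w[atom rss xls csv pdf xml json].freeze`) or the guard should also consult whatever helper identifies API requests. The filter is also registered ahead of `find_optional_project` (line 31 vs 32) and calls it itself, so the lookup runs twice and, when that call renders a 404 for an unknown project, the guard presumably continues into `allowed_to?` and may return true after a response was already rendered; checking its result (`return false unless find_optional_project`) closes that gap. For the cross-project view `@project` is nil, and if `allowed_to?` refuses a nil context unless a `:global` option is passed, `/issues.csv` is denied to everyone including managers — the new tests at lines 92-96 only exercise the project case, so an assertion with a nil project would pin the intended behaviour either way.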

@ -76,7 +76,7 @@
<%= f.link_to 'Atom', :url => { :project_id => @project, :query_id => (@query.new_record? ? nil : @query), :key => User.current.rss_key } %>
<%= f.link_to 'CSV', :url => { :project_id => @project } %>
<%= f.link_to 'PDF', :url => { :project_id => @project } %>
<% end %>
<% end if User.current.allowed_to? :export_issues, @project %>
<% end %>
<%= call_hook(:view_issues_index_bottom, { :issues => @issues, :project => @project, :query => @query }) %>
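Review bot: The permission check is attached as a modifier to the closing `end` of the export-links block (line 55), so the reader only learns on the last line that the whole block is conditional; wrapping the block in `<% if User.current.allowed_to?(:export_issues, @project) %>` … `<% end %>` at its opening states the intent up front and avoids the `end if` form, which RuboCop flags. The block's opening line (presumably the `other_formats_links` helper call, judging by `f.link_to`) lies outside the hunk.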

@ -81,6 +81,7 @@ Redmine::AccessControl.map do |map|
:journals => [:index, :diff],
:queries => :index,
:reports => [:issue_report, :issue_report_details]}
map.permission :export_issues, {:issues => [:index, :all]}
map.permission :add_issues, {:issues => [:new, :create, :update_form]}
map.permission :edit_issues, {:issues => [:edit, :update, :bulk_edit, :bulk_update, :update_form], :journals => [:new]}
map.permission :manage_issue_relations, {:issue_relations => [:new, :destroy]}
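Review bot: `:export_issues` is mapped to `:issues => [:index, :all]` (line 63), which are exactly the actions excluded from the controller's `:authorize` filter (line 30), so this permission is never enforced by the generic action check and only takes effect through the explicit `allowed_to?` call in the export guard. A comment next to the mapping, such as `# index/all are outside :authorize; enforced by IssuesController#protect_from_unauthorized_export`, would stop the next maintainer from assuming the permission gates the listed actions themselves.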

@ -52,6 +52,7 @@ roles_001:
- :manage_repository
- :view_changesets
- :manage_project_activities
- :export_issues
position: 1
roles_002:

@ -725,7 +725,12 @@ class ProjectTest < ActiveSupport::TestCase
assert_nil project.versions.detect {|v| v.completed? && v.status != 'closed'}
assert_not_nil project.versions.detect {|v| !v.completed? && v.status == 'open'}
end
def test_export_issues_is_allowed
project = Project.find(1)
assert project.allows_to?(:export_issues)
end
context "Project#copy" do
setup do
ProjectCustomField.destroy_all # Custom values are a mess to isolate in tests

@ -443,6 +443,12 @@ class UserTest < ActiveSupport::TestCase
assert @jsmith.allowed_to?(:delete_messages, project) #Manager
assert ! @dlopper.allowed_to?(:delete_messages, project) #Developper
end
should "only managers are allowed to export tickets" do
project = Project.find(1)
assert @jsmith.allowed_to?(:export_issues, project) #Manager
assert ! @dlopper.allowed_to?(:export_issues, project) #Developper
end
end
context "with multiple projects" do
