From af05257bd9d4b6694397a1d42c9bb424f5f19986 Mon Sep 17 00:00:00 2001
From: Gregor Schmidt <ruby@schmidtwisser.de>
Date: Wed, 3 Aug 2011 18:31:43 +0200
Subject: [PATCH] First attempt to properly implement allowed_to

mapping reporting_engine permissions to redmine_reporting permissions
---
 app/controllers/cost_reports_controller.rb | 41 ++++++++++++++++++++--
 1 file changed, 39 insertions(+), 2 deletions(-)

diff --git a/app/controllers/cost_reports_controller.rb b/app/controllers/cost_reports_controller.rb
index 0193a2f684..753f736324 100644
--- a/app/controllers/cost_reports_controller.rb
+++ b/app/controllers/cost_reports_controller.rb
@@ -182,9 +182,46 @@ class CostReportsController < ApplicationController
     @title = "label_#{@report_engine.name.underscore}"
   end
 
+  # N.B.: Users with save_cost_reports permission implicitly have
+  # save_private_cost_reports permission as well
+  #
   # @Override
-  def allowed_to?(action, query, user = User.current)
-    user.admin? or user.allowed_to?(:save_queries, @project, :global => true)
+  def allowed_to?(action, report, user = User.current)
+    # admins may do everything
+    return true if user.admin?
+
+    # If this report does belong to a project but not to the current project, we
+    # should not do anything with it. It fact, this should never happen.
+    return false if report.project.present? && report.project != @project
+
+    # If report does not belong to a project, it is ok to look for the
+    # permission in any project. Otherwise, the user should have the permission
+    # in this project.
+    if report.project.present?
+      options = {}
+    else
+      options = {:global => true}
+    end
+
+    case action
+    when :create
+      user.allowed_to?(:save_cost_reports, @project, options) or
+        user.allowed_to?(:save_private_cost_reports, @project, options)
+
+    when :save, :delete, :rename
+      if report.is_public?
+        user.allowed_to?(:save_cost_reports, @project, options)
+      else
+        user.allowed_to?(:save_cost_reports, @project, options) or
+          user.allowed_to?(:save_private_cost_reports, @project, options)
+      end
+
+    when :save_as_public
+      user.allowed_to?(:save_cost_reports, @project, options)
+
+    else
+      false
+    end
   end
 
   def public_queries