Commit e8f3dd07 authored by Jean-Baptiste Barth's avatar Jean-Baptiste Barth

Added ability to specify multiple projects in User#allowed_to? (#5332)

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@4227 e93f8b46-1217-0410-a6f0-8f06a7374b81
parent fda1a0cb
...@@ -344,12 +344,17 @@ class User < Principal ...@@ -344,12 +344,17 @@ class User < Principal
!roles_for_project(project).detect {|role| role.member?}.nil? !roles_for_project(project).detect {|role| role.member?}.nil?
end end
# Return true if the user is allowed to do the specified action on project # Return true if the user is allowed to do the specified action on a specific context
# action can be: # Action can be:
# * a parameter-like Hash (eg. :controller => 'projects', :action => 'edit') # * a parameter-like Hash (eg. :controller => 'projects', :action => 'edit')
# * a permission Symbol (eg. :edit_project) # * a permission Symbol (eg. :edit_project)
# Context can be:
# * a project : returns true if user is allowed to do the specified action on this project
# * a group of projects : returns true if user is allowed on every project
# * nil with options[:global] set : check if user has at least one role allowed for this action,
# or falls back to Non Member / Anonymous permissions depending if the user is logged
def allowed_to?(action, project, options={}) def allowed_to?(action, project, options={})
if project if project && project.is_a?(Project)
# No action allowed on archived projects # No action allowed on archived projects
return false unless project.active? return false unless project.active?
# No action allowed on disabled modules # No action allowed on disabled modules
...@@ -361,6 +366,11 @@ class User < Principal ...@@ -361,6 +366,11 @@ class User < Principal
return false unless roles return false unless roles
roles.detect {|role| (project.is_public? || role.member?) && role.allowed_to?(action)} roles.detect {|role| (project.is_public? || role.member?) && role.allowed_to?(action)}
elsif project && project.is_a?(Array)
# Authorize if user is authorized on every element of the array
project.inject do |memo,p|
memo && allowed_to?(action,p,options)
end
elsif options[:global] elsif options[:global]
# Admin users are always authorized # Admin users are always authorized
return true if admin? return true if admin?
......
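Review bot: The Array branch calls `project.inject` without an initial value, so the first element becomes `memo` and is never passed to `allowed_to?`. A one-element array therefore returns the project object itself (truthy) with no permission check at all, and in a longer array the first project is skipped. Because this method gates authorization, every element should be checked, for example `!project.empty? && project.all? {|p| allowed_to?(action, p, options)}`, which keeps the empty-array case false and returns a real boolean. The body of `allowed_to?` starts in the previous hunk and continues past the end of this one, so the remaining branches are not visible here.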
...@@ -396,6 +396,19 @@ class UserTest < ActiveSupport::TestCase ...@@ -396,6 +396,19 @@ class UserTest < ActiveSupport::TestCase
assert ! @dlopper.allowed_to?(:delete_messages, project) #Developper assert ! @dlopper.allowed_to?(:delete_messages, project) #Developper
end end
end end
context "with multiple projects" do
should "return false if array is empty" do
assert ! @admin.allowed_to?(:view_project, [])
end
should "return true only if user has permission on all these projects" do
assert @admin.allowed_to?(:view_project, Project.all)
assert ! @dlopper.allowed_to?(:view_project, Project.all) #cannot see Project(2)
assert @jsmith.allowed_to?(:edit_issues, @jsmith.projects) #Manager or Developer everywhere
assert ! @jsmith.allowed_to?(:delete_issue_watchers, @jsmith.projects) #Dev cannot delete_issue_watchers
end
end
context "with options[:global]" do context "with options[:global]" do
should "authorize if user has at least one role that has this permission" do should "authorize if user has at least one role that has this permission" do
......
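Review bot: The new "with multiple projects" context never passes a one-element array, nor an array whose first element is a project the user cannot access, so it does not show that the first element is actually checked. The `Project.all` assertion for `@dlopper` only fails the permission check if Project(2) is not the first record returned, which presumably depends on fixture ordering. Adding `assert ! @dlopper.allowed_to?(:view_project, [Project.find(2)])` and a case with the inaccessible project placed first would pin the "every project" contract stated in the method comment. The enclosing test context begins before this hunk and continues after it.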