Persmissions fix

app/controllers/dmsf_controller.rb

@@ -363,6 +363,7 @@ class DmsfController < ApplicationController
   end
 
   def email_entries(selected_folders, selected_files)
+    raise DmsfAccessError unless User.current.allowed_to?(:email_documents, @project)
     zip = Zip.new
     zip_entries(zip, selected_folders, selected_files)
 
@@ -506,6 +507,7 @@ class DmsfController < ApplicationController
     deleted_files = []
     not_deleted_files = []
     selected_files.each do |id|
+      raise DmsfAccessError unless User.current.allowed_to?(:file_delete, @project)
       file = DmsfFile.find_by(id: id)
       if file
         if file.delete(commit)
@@ -536,7 +538,13 @@ class DmsfController < ApplicationController
       flash[:warning] = l(:warning_some_entries_were_not_deleted, :entries => not_deleted_files.map{|e| e.title}.join(', '))
     end
     # Links
-    (selected_dir_links + selected_file_links + selected_url_links).each do |id|
+    selected_dir_links.each do |id|
+      raise DmsfAccessError unless User.current.allowed_to?(:folder_manipulation, @project)
+      link = DmsfLink.find_by(id: id)
+      link.delete commit if link
+    end
+    (selected_file_links + selected_url_links).each do |id|
+      raise DmsfAccessError unless User.current.allowed_to?(:file_delete, @project)
       link = DmsfLink.find_by(id: id)
       link.delete commit if link
     end
@@ -680,11 +688,12 @@ class DmsfController < ApplicationController
     @ajax_upload_size = Setting.plugin_redmine_dmsf['dmsf_max_ajax_upload_filesize'].presence || 100
 
     # Trash
-    @trash_visible = @folder_manipulation_allowed && @file_manipulation_allowed &&
+    visible = @folder_manipulation_allowed && @file_manipulation_allowed &&
       @file_delete_allowed && !@locked_for_user && !@folder
-    @trash_enabled = DmsfFolder.deleted.where(project_id: @project.id).exists? ||
+    enabled = DmsfFolder.deleted.where(project_id: @project.id).exists? ||
       DmsfFile.deleted.where(project_id: @project.id).exists? ||
       DmsfLink.deleted.where(project_id: @project.id).exists?
+    @trash_enabled = visible && enabled
   end
 
 end

app/views/dmsf_context_menus/dmsf.html.erb

@@ -29,12 +29,14 @@
   <li>
     <%= context_menu_link l(:field_mail), entries_operations_dmsf_path(:id => @project, :folder_id => @folder,
       :ids => params[:ids], :email_entries => true), :method => :post, :class => 'icon icon-email',
-      :disabled => @disabled %>
+      :disabled => @disabled || (!User.current.allowed_to?(:email_documents, @project)) %>
   </li>
   <li>
     <%= context_menu_link l(:button_delete), entries_operations_dmsf_path(:id => @project, :folder_id => @folder,
       :ids => params[:ids], :delete_entries => true), :method => :post, :class => 'icon icon-del',
-      :data => { :confirm => l(:text_are_you_sure) }, :id => 'dmsf-cm-delete', :disabled => @disabled %>
+      :data => { :confirm => l(:text_are_you_sure) }, :id => 'dmsf-cm-delete',
+      :disabled => @disabled || ((!User.current.allowed_to?(:folder_manipulation, @project)) &&
+          (!User.current.allowed_to?(:file_delete, @project)))%>
   </li>
   <% if @file %>
     <li>