Merge branch 'master' into devel-2.0.1

app/controllers/dmsf_controller.rb

@@ -363,6 +363,7 @@ class DmsfController < ApplicationController
   end
 
   def email_entries(selected_folders, selected_files)
+    raise DmsfAccessError unless User.current.allowed_to?(:email_documents, @project)
     zip = Zip.new
     zip_entries(zip, selected_folders, selected_files)
 
@@ -506,6 +507,7 @@ class DmsfController < ApplicationController
     deleted_files = []
     not_deleted_files = []
     selected_files.each do |id|
+      raise DmsfAccessError unless User.current.allowed_to?(:file_delete, @project)
       file = DmsfFile.find_by(id: id)
       if file
         if file.delete(commit)
@@ -536,7 +538,13 @@ class DmsfController < ApplicationController
       flash[:warning] = l(:warning_some_entries_were_not_deleted, :entries => not_deleted_files.map{|e| e.title}.join(', '))
     end
     # Links
-    (selected_dir_links + selected_file_links + selected_url_links).each do |id|
+    selected_dir_links.each do |id|
+      raise DmsfAccessError unless User.current.allowed_to?(:folder_manipulation, @project)
+      link = DmsfLink.find_by(id: id)
+      link.delete commit if link
+    end
+    (selected_file_links + selected_url_links).each do |id|
+      raise DmsfAccessError unless User.current.allowed_to?(:file_delete, @project)
       link = DmsfLink.find_by(id: id)
       link.delete commit if link
     end
@@ -677,11 +685,12 @@ class DmsfController < ApplicationController
     @ajax_upload_size = Setting.plugin_redmine_dmsf['dmsf_max_ajax_upload_filesize'].presence || 100
 
     # Trash
-    @trash_visible = @folder_manipulation_allowed && @file_manipulation_allowed &&
+    visible = @folder_manipulation_allowed && @file_manipulation_allowed &&
       @file_delete_allowed && !@locked_for_user && !@folder
-    @trash_enabled = DmsfFolder.deleted.where(project_id: @project.id).exists? ||
+    enabled = DmsfFolder.deleted.where(project_id: @project.id).exists? ||
       DmsfFile.deleted.where(project_id: @project.id).exists? ||
       DmsfLink.deleted.where(project_id: @project.id).exists?
+    @trash_enabled = visible && enabled
   end
 
 end

app/views/dmsf_context_menus/dmsf.html.erb

@@ -29,12 +29,14 @@
   <li>
     <%= context_menu_link l(:field_mail), entries_operations_dmsf_path(:id => @project, :folder_id => @folder,
       :ids => params[:ids], :email_entries => true), :method => :post, :class => 'icon icon-email',
-      :disabled => @disabled %>
+      :disabled => @disabled || (!User.current.allowed_to?(:email_documents, @project)) %>
   </li>
   <li>
     <%= context_menu_link l(:button_delete), entries_operations_dmsf_path(:id => @project, :folder_id => @folder,
       :ids => params[:ids], :delete_entries => true), :method => :post, :class => 'icon icon-del',
-      :data => { :confirm => l(:text_are_you_sure) }, :id => 'dmsf-cm-delete', :disabled => @disabled %>
+      :data => { :confirm => l(:text_are_you_sure) }, :id => 'dmsf-cm-delete',
+      :disabled => @disabled || ((!User.current.allowed_to?(:folder_manipulation, @project)) &&
+          (!User.current.allowed_to?(:file_delete, @project)))%>
   </li>
   <% if @file %>
     <li>

test/functional/dmsf_controller_test.rb

@@ -176,6 +176,7 @@ class DmsfControllerTest < RedmineDmsf::Test::TestCase
     @request.env['HTTP_REFERER'] = dmsf_folder_path(:id => @project.id)
     @role.add_permission! :view_dmsf_files
     @role.add_permission! :folder_manipulation
+    @role.add_permission! :file_delete
     flash[:errors] = nil
     get :entries_operation, :params => {:id => @project, :delete_entries => 'Delete',
         :ids => ["folder-#{@folder7.id}", "file-#{@file1.id}", "file-link-#{@file_link2.id}"]}
@@ -247,9 +248,17 @@ class DmsfControllerTest < RedmineDmsf::Test::TestCase
     assert_response :success
   end
 
+  def test_email_entries_email_from_forbidden
+    Setting.plugin_redmine_dmsf['dmsf_documents_email_from'] = 'karel.picman@kontron.com'
+    @role.add_permission! :view_dmsf_files
+    get :entries_operation, params: {id: @project, email_entries: 'Email', ids: ["file-#{@file1.id}"]}
+    assert_response :forbidden
+  end
+
   def test_email_entries_email_from
     Setting.plugin_redmine_dmsf['dmsf_documents_email_from'] = 'karel.picman@kontron.com'
     @role.add_permission! :view_dmsf_files
+    @role.add_permission! :email_documents
     get :entries_operation, :params => {:id => @project, :email_entries => 'Email', :ids => ["file-#{@file1.id}"]}
     assert_response :success
     assert_select "input:match('value', ?)", Setting.plugin_redmine_dmsf['dmsf_documents_email_from']
@@ -258,6 +267,7 @@ class DmsfControllerTest < RedmineDmsf::Test::TestCase
   def test_email_entries_reply_to
     Setting.plugin_redmine_dmsf['dmsf_documents_email_reply_to'] = 'karel.picman@kontron.com'
     @role.add_permission! :view_dmsf_files
+    @role.add_permission! :email_documents
     get :entries_operation, :params => {:id => @project, :email_entries => 'Email', :ids => ["file-#{@file1.id}"]}
     assert_response :success
     assert_select "input:match('value', ?)", Setting.plugin_redmine_dmsf['dmsf_documents_email_reply_to']
@@ -266,6 +276,7 @@ class DmsfControllerTest < RedmineDmsf::Test::TestCase
   def test_email_entries_links_only
     Setting.plugin_redmine_dmsf['dmsf_documents_email_links_only'] = '1'
     @role.add_permission! :view_dmsf_files
+    @role.add_permission! :email_documents
     get :entries_operation, :params => {:id => @project, :email_entries => 'Email', :ids => ["file-#{@file1.id}"]}
     assert_response :success
     assert_select "input:match('value', ?)", Setting.plugin_redmine_dmsf['dmsf_documents_email_links_only']