Commit d61ad013 authored by Holger Just's avatar Holger Just

Merge branch 'release-v3.1.0' into stable

parents 11e93ff3 f681ed8c
......@@ -29,3 +29,5 @@ doc/app
/Gemfile.lock
/Gemfile.local
/.rvmrc*
/*.iml
/.idea
......@@ -11,6 +11,7 @@ gem "liquid", "~> 2.3.0"
gem "acts-as-taggable-on", "= 2.1.0"
# Needed only on RUBY_VERSION = 1.8, ruby 1.9+ compatible interpreters should bring their csv
gem "fastercsv", "~> 1.5.0", :platforms => [:ruby_18, :jruby, :mingw_18]
gem "tzinfo", "~> 0.3.31" # Fixes #903. Not required for Rails >= 3.2
group :test do
gem 'shoulda', '~> 2.10.3'
......@@ -57,7 +58,7 @@ platforms :mri, :mingw do
end
group :postgres do
gem "pg", "~> 0.9.0"
gem "pg"
# gem "postgres-pr"
end
end
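Review bot: `gem "pg"` now carries no version constraint, so `bundle install` resolves whatever pg release is current, and with `/Gemfile.lock` git-ignored (first hunk of this commit) two checkouts can end up on different adapter versions. If `~> 0.9.0` was too tight, a looser pessimistic constraint such as `gem "pg", "~> 0.11"` (bound to be chosen from what was actually tested) still keeps installs reproducible.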
......
......@@ -33,7 +33,7 @@ class ActivitiesController < ApplicationController
:with_subprojects => @with_subprojects,
:author => @author)
@activity.scope_select {|t| !params["show_#{t}"].nil?}
@activity.scope = (@author.nil? ? :default : :all) if @activity.scope.empty?
@activity.scope = (@author.nil? ? :default : :all) if @activity.scope.empty? unless params[:set_filter]
events = @activity.events(@date_from, @date_to)
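Review bot: The new line stacks two statement modifiers, `… if @activity.scope.empty? unless params[:set_filter]`, which parses as `(x if a) unless b` and reads ambiguously. Expressing the condition once is clearer: `@activity.scope = (@author.nil? ? :default : :all) if @activity.scope.empty? && !params[:set_filter]`.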
......
......@@ -64,7 +64,6 @@ class ApplicationController < ActionController::Base
before_filter :user_setup, :check_if_login_required, :set_localization
filter_parameter_logging :password
rescue_from ActionController::InvalidAuthenticityToken, :with => :invalid_authenticity_token
# FIXME: This doesn't work with Rails >= 3.0 anymore
# Possible workaround: https://github.com/rails/rails/issues/671#issuecomment-1780159
rescue_from ActionController::RoutingError, :with => proc{render_404}
......@@ -336,13 +335,6 @@ class ApplicationController < ActionController::Base
request.xhr? ? false : 'base'
end
def invalid_authenticity_token
if api_request?
logger.error "Form authenticity token is missing or is invalid. API calls must include a proper Content-type header (text/xml or text/json)."
end
render_error "Invalid form authenticity token."
end
def render_feed(items, options={})
@items = items || []
@items.sort! {|x,y| y.event_datetime <=> x.event_datetime }
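Review bot: The `invalid_authenticity_token` handler is removed in the second hunk, and the 7-to-6 line count of the first hunk suggests the `rescue_from ActionController::InvalidAuthenticityToken` line goes with it; a failed CSRF check then falls through to the framework's default exception handling instead of `render_error`, and the logged hint that API calls need a text/xml or text/json Content-type header is lost. Worth confirming that the default response is acceptable for API clients (the old handler special-cased `api_request?`) and that nothing else still references `:invalid_authenticity_token`.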
......
......@@ -21,7 +21,10 @@ class CommentsController < ApplicationController
verify :method => :post, :only => :create, :render => {:nothing => true, :status => :method_not_allowed }
def create
@comment = Comment.new(params[:comment])
raise Unauthorized unless @news.commentable?
@comment = Comment.new
@comment.safe_attributes = params[:comment]
@comment.author = User.current
if @news.comments << @comment
flash[:notice] = l(:label_comment_added)
......
......@@ -43,7 +43,8 @@ class DocumentsController < ApplicationController
end
def new
@document = @project.documents.build(params[:document])
@document = @project.documents.build
@document.safe_attributes = params[:document]
if request.post?
if User.current.allowed_to?(:add_document_watchers, @project) && params[:document]['watcher_user_ids'].present?
@document.watcher_user_ids = params[:document]['watcher_user_ids']
......
......@@ -23,7 +23,8 @@ class IssueCategoriesController < ApplicationController
verify :method => :post, :only => :destroy
def new
@category = @project.issue_categories.build(params[:category])
@category = @project.issue_categories.build
@category.safe_attributes = params[:category]
if request.post?
if @category.save
respond_to do |format|
......@@ -50,7 +51,8 @@ class IssueCategoriesController < ApplicationController
end
def edit
if request.post? and @category.update_attributes(params[:category])
@category.safe_attributes = params[:category]
if request.post? and @category.save
flash[:notice] = l(:notice_successful_update)
redirect_to :controller => 'projects', :action => 'settings', :tab => 'categories', :id => @project
end
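Review bot: `if request.post? and @category.save` keeps the low-precedence `and` in a boolean condition; use `if request.post? && @category.save` so the meaning does not shift if the condition is later extended with an assignment or `||`. The assignment `@category.safe_attributes = params[:category]` now runs on every request to `edit`, including GET; nothing is persisted without `request.post?`, but a one-line comment such as `# attributes are applied before the method check so a failed POST re-renders the submitted values` would keep the ordering from being "fixed" later.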
......
......@@ -21,17 +21,19 @@ class MembersController < ApplicationController
def new
members = []
if params[:member] && request.post?
attrs = params[:member].dup
if (user_ids = attrs.delete(:user_ids))
if params[:member]
if params[:member][:user_ids]
attrs = params[:member].dup
user_ids = attrs.delete(:user_ids)
user_ids.each do |user_id|
members << Member.new(attrs.merge(:user_id => user_id))
members << Member.new(:role_ids => params[:member][:role_ids], :user_id => user_id)
end
else
members << Member.new(attrs)
members << Member.new(:role_ids => params[:member][:role_ids], :user_id => params[:member][:user_id])
end
@project.members << members
end
respond_to do |format|
if members.present? && members.all? {|m| m.valid? }
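Review bot: The `request.post?` guard is dropped from `new` (`if params[:member] && request.post?` becomes `if params[:member]`), so `@project.members << members` now persists on any request method that carries `member[...]` params; Rails does not check the authenticity token on GET, so unless a `verify :method => :post` declaration outside this hunk covers `new`, this is a state change reachable outside the CSRF protection. `NewsController#create` and `#update` in this commit drop their `request.post?` / `request.put?` checks in the same way and need the same confirmation. Keeping `if params[:member] && request.post?` here is the smallest fix. Separately, `attrs = params[:member].dup` on the new side exists only to pull out `user_ids`; `user_ids = params[:member][:user_ids]` says the same without the copy.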
......
......@@ -48,26 +48,26 @@ class MessagesController < ApplicationController
# Create a new topic
def new
@message = Message.new(params[:message])
@message = Message.new
@message.author = User.current
@message.board = @board
if params[:message] && User.current.allowed_to?(:edit_messages, @project)
@message.locked = params[:message]['locked']
@message.sticky = params[:message]['sticky']
end
if request.post? && @message.save
call_hook(:controller_messages_new_after_save, { :params => params, :message => @message})
attachments = Attachment.attach_files(@message, params[:attachments])
render_attachment_warning_if_needed(@message)
redirect_to :action => 'show', :id => @message
@message.safe_attributes = params[:message]
if request.post?
if @message.save
call_hook(:controller_messages_new_after_save, { :params => params, :message => @message})
attachments = Attachment.attach_files(@message, params[:attachments])
render_attachment_warning_if_needed(@message)
redirect_to :action => 'show', :id => @message
end
end
end
# Reply to a topic
def reply
@reply = Message.new(params[:reply])
@reply = Message.new
@reply.author = User.current
@reply.board = @board
@reply.safe_attributes = params[:reply]
@topic.children << @reply
if !@reply.new_record?
call_hook(:controller_messages_reply_after_save, { :params => params, :message => @reply})
......@@ -80,11 +80,8 @@ class MessagesController < ApplicationController
# Edit a message
def edit
(render_403; return false) unless @message.editable_by?(User.current)
if params[:message]
@message.locked = params[:message]['locked']
@message.sticky = params[:message]['sticky']
end
if request.post? && @message.update_attributes(params[:message])
@message.safe_attributes = params[:message]
if request.post? && @message.save
attachments = Attachment.attach_files(@message, params[:attachments])
render_attachment_warning_if_needed(@message)
flash[:notice] = l(:notice_successful_update)
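Review bot: In `new` and `reply`, `@message.board = @board` / `@reply.board = @board` must stay ahead of the `safe_attributes=` call, because the `locked`/`sticky` declaration added to Message in this commit guards with `user.allowed_to?(:edit_messages, message.project)` and `project` resolves through the board; that ordering dependency is invisible here and deserves a comment, e.g. `# board must be set before safe_attributes: the locked/sticky permission check needs message.project`. In `edit` the message already has its board, so that action is unaffected. The re-indented `attachments = Attachment.attach_files(@message, params[:attachments])` in `new` still assigns a local that is never read; drop the assignment.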
......
......@@ -59,14 +59,12 @@ class NewsController < ApplicationController
def create
@news = News.new(:project => @project, :author => User.current)
if request.post?
@news.attributes = params[:news]
if @news.save
flash[:notice] = l(:notice_successful_create)
redirect_to :controller => 'news', :action => 'index', :project_id => @project
else
render :action => 'new'
end
@news.safe_attributes = params[:news]
if @news.save
flash[:notice] = l(:notice_successful_create)
redirect_to :controller => 'news', :action => 'index', :project_id => @project
else
render :action => 'new'
end
end
......@@ -74,7 +72,8 @@ class NewsController < ApplicationController
end
def update
if request.put? and @news.update_attributes(params[:news])
@news.safe_attributes = params[:news]
if @news.save
flash[:notice] = l(:notice_successful_update)
redirect_to :action => 'show', :id => @news
else
......
......@@ -59,7 +59,8 @@ class ProjectsController < ApplicationController
def new
@issue_custom_fields = IssueCustomField.find(:all, :order => "#{CustomField.table_name}.position")
@trackers = Tracker.all
@project = Project.new(params[:project])
@project = Project.new
@project.safe_attributes = params[:project]
end
verify :method => :post, :only => :create, :render => {:nothing => true, :status => :method_not_allowed }
......
......@@ -97,7 +97,7 @@ class TimelogController < ApplicationController
def new
@time_entry ||= TimeEntry.new(:project => @project, :issue => @issue, :user => User.current, :spent_on => User.current.today)
@time_entry.attributes = params[:time_entry]
@time_entry.safe_attributes = params[:time_entry]
call_hook(:controller_timelog_edit_before_save, { :params => params, :time_entry => @time_entry })
render :action => 'edit'
......@@ -106,7 +106,7 @@ class TimelogController < ApplicationController
verify :method => :post, :only => :create, :render => {:nothing => true, :status => :method_not_allowed }
def create
@time_entry ||= TimeEntry.new(:project => @project, :issue => @issue, :user => User.current, :spent_on => User.current.today)
@time_entry.attributes = params[:time_entry]
@time_entry.safe_attributes = params[:time_entry]
call_hook(:controller_timelog_edit_before_save, { :params => params, :time_entry => @time_entry })
......@@ -127,14 +127,14 @@ class TimelogController < ApplicationController
end
def edit
@time_entry.attributes = params[:time_entry]
@time_entry.safe_attributes = params[:time_entry]
call_hook(:controller_timelog_edit_before_save, { :params => params, :time_entry => @time_entry })
end
verify :method => :put, :only => :update, :render => {:nothing => true, :status => :method_not_allowed }
def update
@time_entry.attributes = params[:time_entry]
@time_entry.safe_attributes = params[:time_entry]
call_hook(:controller_timelog_edit_before_save, { :params => params, :time_entry => @time_entry })
......
......@@ -56,7 +56,7 @@ class VersionsController < ApplicationController
if params[:version]
attributes = params[:version].dup
attributes.delete('sharing') unless attributes.nil? || @version.allowed_sharings.include?(attributes['sharing'])
@version.attributes = attributes
@version.safe_attributes = attributes
end
end
......@@ -66,7 +66,7 @@ class VersionsController < ApplicationController
if params[:version]
attributes = params[:version].dup
attributes.delete('sharing') unless attributes.nil? || @version.allowed_sharings.include?(attributes['sharing'])
@version.attributes = attributes
@version.safe_attributes = attributes
end
if request.post?
......@@ -101,7 +101,8 @@ class VersionsController < ApplicationController
if request.put? && params[:version]
attributes = params[:version].dup
attributes.delete('sharing') unless @version.allowed_sharings.include?(attributes['sharing'])
if @version.update_attributes(attributes)
@version.safe_attributes = attributes
if @version.save
flash[:notice] = l(:notice_successful_update)
redirect_to :controller => 'projects', :action => 'settings', :tab => 'versions', :id => @project
else
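Review bot: The `sharing` whitelist check (`attributes.delete('sharing') unless @version.allowed_sharings.include?(attributes['sharing'])`) stays in the controller while the model's new `safe_attributes` list declares `'sharing'` safe unconditionally, so any other code path that calls `Version#safe_attributes=` gets no restriction. Moving the check into the model, as Message does for `locked`/`sticky` with an `:if` lambda, would keep the rule in one place; `allowed_sharings` presumably depends on the current user, in which case the lambda's `user` argument is the one to pass. The three hunks here repeat the same four lines; at minimum a private helper would avoid the triplication.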
......
......@@ -19,7 +19,7 @@ class WikisController < ApplicationController
# Create or update a project's wiki
def edit
@wiki = @project.wiki || Wiki.new(:project => @project)
@wiki.attributes = params[:wiki]
@wiki.safe_attributes = params[:wiki]
@wiki.save if request.post?
render(:update) {|page| page.replace_html "tab-content-wiki", :partial => 'projects/settings/wiki'}
end
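Review bot: `@wiki.safe_attributes = params[:wiki]` requires the Wiki model to include `Redmine::SafeAttributes` and declare its attributes, but unlike Comment, Document, Message and the others, no hunk in this commit touches the Wiki model. If that support was added in an earlier commit this is fine; otherwise the call raises NoMethodError, or silently drops every attribute if the list is empty. Worth confirming before release.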
......
......@@ -502,7 +502,7 @@ module ApplicationHelper
@parsed_headings = []
text = parse_non_pre_blocks(text) do |text|
[:parse_inline_attachments, :parse_wiki_links, :parse_redmine_links, :parse_headings].each do |method_name|
[:parse_inline_attachments, :parse_wiki_links, :parse_redmine_links, :parse_headings, :parse_relative_urls].each do |method_name|
send method_name, text, project, obj, attr, only_path, options
end
end
......@@ -543,6 +543,41 @@ module ApplicationHelper
parsed
end
RELATIVE_LINK_RE = %r{
<a
(?:
(\shref=
(?: # the href and link
(?:'(\/[^>]+?)')|
(?:"(\/[^>]+?)")
)
)|
[^>]
)*
>
[^<]*?<\/a> # content and closing link tag.
}x unless const_defined?(:RELATIVE_LINK_RE)
def parse_relative_urls(text, project, obj, attr, only_path, options)
return if only_path
text.gsub!(RELATIVE_LINK_RE) do |m|
href, relative_url = $1, $2 || $3
next m unless href.present?
if defined?(request) && request.present?
# we have a request!
protocol, host_with_port = request.protocol, request.host_with_port
elsif @controller
# use the same methods as url_for in the Mailer
url_opts = @controller.class.default_url_options
next m unless url_opts && url_opts[:protocol] && url_opts[:host]
protocol, host_with_port = "#{url_opts[:protocol]}://", url_opts[:host]
else
next m
end
m.sub href, " href=\"#{protocol}#{host_with_port}#{relative_url}\""
end
end
def parse_inline_attachments(text, project, obj, attr, only_path, options)
# when using an image link, try to use an attachment, if possible
if options[:attachments] || (obj && obj.respond_to?(:attachments))
......@@ -816,7 +851,7 @@ module ApplicationHelper
def back_url_hidden_field_tag
back_url = params[:back_url] || request.env['HTTP_REFERER']
back_url = CGI.unescape(back_url.to_s)
hidden_field_tag('back_url', CGI.escape(back_url)) unless back_url.blank?
hidden_field_tag('back_url', CGI.escape(back_url), :id => nil) unless back_url.blank?
end
def check_all_links(form_name)
......@@ -850,7 +885,7 @@ module ApplicationHelper
def context_menu(url)
unless @context_menu_included
content_for :header_tags do
javascript_include_tag('context_menu') +
javascript_include_tag('context_menu.jquery') +
stylesheet_link_tag('context_menu')
end
if l(:direction) == 'rtl'
......@@ -860,7 +895,7 @@ module ApplicationHelper
end
@context_menu_included = true
end
javascript_tag "new ContextMenu('#{ url_for(url) }')"
javascript_tag "jQuery(document).ContextMenu('#{ url_for(url) }')"
end
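Review bot: `parse_relative_urls` re-emits the matched href with double quotes (`m.sub href, " href=\"#{protocol}#{host_with_port}#{relative_url}\""`), but `RELATIVE_LINK_RE` also captures single-quoted hrefs whose value may contain `"` (the `'(\/[^>]+?)'` branch stops only at `'` or `>`), so such a link would be rewritten into a broken, attribute-breaking tag; keep the original quote character (`$2 ? "'" : '"'`) or escape the value with `ERB::Util.html_escape` before interpolating. `relative_url` is also reinserted without escaping, so the method relies on its input already being sanitized HTML; a comment stating that assumption would help, e.g. `# text is already sanitized HTML; only the URL origin is prepended`. The `request.present?` branch serves views and the `@controller` branch mailers, which is also worth a word next to the early `return if only_path`.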
def context_menu_link(name, url, options={})
......
......@@ -79,6 +79,22 @@ module IssuesHelper
s
end
def render_parents_and_subtree(issue)
return if issue.leaf? && !issue.parent
s = '<form><table id="issue_tree" class="list">'
issue_list(issue.self_and_ancestors.sort_by(&:lft) + issue.descendants.sort_by(&:lft)) do |el, level|
s << content_tag('tr',
content_tag('td', check_box_tag("ids[]", el.id, false, :id => nil), :class => 'checkbox') +
content_tag('td', link_to_issue(el, :truncate => 60), :class => 'subject') +
content_tag('td', h(el.status)) +
content_tag('td', link_to_user(el.assigned_to)) +
content_tag('td', progress_bar(el.done_ratio, :width => '80px')),
:class => "issue issue-#{el.id} #{"self" if el == issue} hascontextmenu #{level > 0 ? "idnt idnt-#{level}" : nil}")
end
s << '</table></form>'
s
end
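Review bot: `render_parents_and_subtree` builds its markup by appending into a plain String started from a literal (`s = '<form><table id="issue_tree" class="list">'`), so the result is not html_safe regardless of the `content_tag`/`h` escaping of the pieces; the caller has to emit it with `raw`, which the method should state: `# returns a raw HTML string (not html_safe); cell contents are escaped individually`. The class expression `"#{level > 0 ? "idnt idnt-#{level}" : nil}"` nests a ternary and an interpolation inside an interpolation; a local `indent = level > 0 ? "idnt idnt-#{level}" : nil` computed before the `content_tag` call reads more easily. The opening `<form>` has no action or method, which presumably is intentional because the `hascontextmenu` rows are driven by the context-menu script; a comment saying so would stop someone from "completing" it.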
def render_custom_fields_rows(issue)
return if issue.custom_field_values.empty?
ordered_values = []
......
......@@ -13,8 +13,11 @@
#++
class Comment < ActiveRecord::Base
include Redmine::SafeAttributes
belongs_to :commented, :polymorphic => true, :counter_cache => true
belongs_to :author, :class_name => 'User', :foreign_key => 'author_id'
validates_presence_of :commented, :author, :comments
safe_attributes 'comments'
end
......@@ -13,6 +13,7 @@
#++
class Document < ActiveRecord::Base
include Redmine::SafeAttributes
belongs_to :project
belongs_to :category, :class_name => "DocumentCategory", :foreign_key => "category_id"
acts_as_attachable :delete_permission => :manage_documents
......@@ -32,6 +33,8 @@ class Document < ActiveRecord::Base
named_scope :visible, lambda {|*args| { :include => :project,
:conditions => Project.allowed_to_condition(args.first || User.current, :view_documents) } }
safe_attributes 'category_id', 'title', 'description'
def visible?(user=User.current)
!user.nil? && user.allowed_to?(:view_documents, project)
end
......
......@@ -48,4 +48,9 @@ class Group < Principal
:conditions => ["#{Member.table_name}.user_id = ? AND #{MemberRole.table_name}.inherited_from IN (?)", user.id, member.member_role_ids]).each(&:destroy)
end
end
def self.human_attribute_name(attribute_name)
attribute_name = "name" if attribute_name == "lastname"
super(attribute_name)
end
end
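Review bot: `self.human_attribute_name(attribute_name)` takes a single argument, but on the Rails 2.3 line this code base appears to run (`named_scope`, `verify`, `filter_parameter_logging`), `ActiveRecord::Base.human_attribute_name` likely accepts an options hash as a second parameter, and callers that pass options (the i18n error-message helpers do) would get an ArgumentError from this override. Forwarding the rest keeps the signature compatible: `def self.human_attribute_name(attribute_name, *args)` … `super(attribute_name, *args)`.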
......@@ -707,6 +707,15 @@ class Issue < ActiveRecord::Base
projects
end
# Overrides Redmine::Acts::Journalized::Permissions
#
# The default assumption is that journals have the same permissions
# as the journaled object, issue notes have separate permissions though
def journal_editable_by?(journal, user)
return true if journal.author == user && user.allowed_to?(:edit_own_issue_notes, project)
user.allowed_to? :edit_issue_notes, project
end
private
def update_nested_set_attributes
......
......@@ -13,6 +13,7 @@
#++
class IssueCategory < ActiveRecord::Base
include Redmine::SafeAttributes
belongs_to :project
belongs_to :assigned_to, :class_name => 'User', :foreign_key => 'assigned_to_id'
has_many :issues, :foreign_key => 'category_id', :dependent => :nullify
......@@ -21,6 +22,8 @@ class IssueCategory < ActiveRecord::Base
validates_uniqueness_of :name, :scope => [:project_id]
validates_length_of :name, :maximum => 30
safe_attributes 'name', 'assigned_to_id'
alias :destroy_without_reassign :destroy
# Destroy the category
......
......@@ -76,7 +76,7 @@ class Journal < ActiveRecord::Base
end
def editable_by?(user)
journaled.journal_editable_by?(user)
journaled.journal_editable_by?(self, user)
end
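Review bot: The call becomes `journaled.journal_editable_by?(self, user)`, a two-argument form, but only Issue in this commit defines the new signature; News is also `acts_as_journalized`, and any journaled model still receiving the single-argument version from `Redmine::Acts::Journalized::Permissions` (not visible in this diff) would raise ArgumentError when its journals are checked for editability. Confirm the default implementation in the Permissions module was updated to `(journal, user)` as well, and consider a comment on Issue's override noting the expected signature.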
def details
......
......@@ -13,6 +13,7 @@
#++
class Message < ActiveRecord::Base
include Redmine::SafeAttributes
belongs_to :board
belongs_to :author, :class_name => 'User', :foreign_key => 'author_id'
acts_as_tree :counter_cache => :replies_count, :order => "#{Message.table_name}.created_on ASC"
......@@ -49,6 +50,12 @@ class Message < ActiveRecord::Base
named_scope :visible, lambda {|*args| { :include => {:board => :project},
:conditions => Project.allowed_to_condition(args.first || User.current, :view_messages) } }
safe_attributes 'subject', 'content'
safe_attributes 'locked', 'sticky',
:if => lambda {|message, user|
user.allowed_to?(:edit_messages, message.project)
}
def visible?(user=User.current)
!user.nil? && user.allowed_to?(:view_messages, project)
end
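Review bot: The `locked`/`sticky` guard `user.allowed_to?(:edit_messages, message.project)` evaluates `message.project` through the board, so it only works once `board` has been assigned; the controllers in this commit set it before calling `safe_attributes=`, but the dependency is invisible here and deserves a comment, e.g. `# requires board to be set first: project is derived from it`. If `project` can be nil at that point, confirm that `allowed_to?` denies rather than raises. Where `user` comes from (presumably `User.current` inside `safe_attributes=`) is also worth a word, since the check is the only thing separating a reader from a moderator action.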
......
......@@ -13,6 +13,7 @@
#++
class News < ActiveRecord::Base
include Redmine::SafeAttributes
belongs_to :project
belongs_to :author, :class_name => 'User', :foreign_key => 'author_id'
has_many :comments, :as => :commented, :dependent => :delete_all, :order => "created_on"
......@@ -21,7 +22,8 @@ class News < ActiveRecord::Base
validates_length_of :title, :maximum => 60
validates_length_of :summary, :maximum => 255
acts_as_journalized :event_url => Proc.new {|o| {:controller => 'news', :action => 'show', :id => o.journaled_id} }
acts_as_journalized :event_url => Proc.new {|o| {:controller => 'news', :action => 'show', :id => o.journaled_id} },
:event_description => :description
acts_as_searchable :columns => ["#{table_name}.title", "#{table_name}.summary", "#{table_name}.description"], :include => :project
acts_as_watchable
......@@ -32,10 +34,17 @@ class News < ActiveRecord::Base
:conditions => Project.allowed_to_condition(args.first || User.current, :view_news)
}}
safe_attributes 'title', 'summary', 'description'
def visible?(user=User.current)
!user.nil? && user.allowed_to?(:view_news, project)
end
# Returns true if the news can be commented by user
def commentable?(user=User.current)
user.allowed_to?(:comment_news, project)
end
# returns latest news for projects visible by user
def self.latest(user = User.current, count = 5)
find(:all, :limit => count, :conditions => Project.allowed_to_condition(user, :view_news), :include => [ :author, :project ], :order => "#{News.table_name}.created_on DESC")
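Review bot: `commentable?` calls `user.allowed_to?` without the `!user.nil? &&` guard that the neighbouring `visible?` uses; `User.current` presumably never yields nil, but the two predicates should agree, so either add the guard (`!user.nil? && user.allowed_to?(:comment_news, project)`) or drop it from `visible?`. `CommentsController#create` now relies on this predicate via `raise Unauthorized unless @news.commentable?`, so its nil behaviour is an authorization detail, not just style.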
......
......@@ -12,7 +12,7 @@
# See doc/COPYRIGHT.rdoc for more details.
#++
require 'redmine/scm/adapters/bazaar_adapter'
require_dependency 'redmine/scm/adapters/bazaar_adapter'
class Repository::Bazaar < Repository
attr_protected :root_url
......
......@@ -12,7 +12,7 @@
# See doc/COPYRIGHT.rdoc for more details.
#++
require 'redmine/scm/adapters/cvs_adapter'
require_dependency 'redmine/scm/adapters/cvs_adapter'
require 'digest/sha1'
class Repository::Cvs < Repository
......
......@@ -12,7 +12,7 @@
# See doc/COPYRIGHT.rdoc for more details.
#++
require 'redmine/scm/adapters/darcs_adapter'
require_dependency 'redmine/scm/adapters/darcs_adapter'
class Repository::Darcs < Repository
validates_presence_of :url, :log_encoding
......
......@@ -12,7 +12,7 @@
# See doc/COPYRIGHT.rdoc for more details.
#++
require 'redmine/scm/adapters/filesystem_adapter'
require_dependency 'redmine/scm/adapters/filesystem_adapter'
class Repository::Filesystem < Repository
attr_protected :root_url
......
......@@ -12,7 +12,7 @@
# See doc/COPYRIGHT.rdoc for more details.
#++
require 'redmine/scm/adapters/git_adapter'
require_dependency 'redmine/scm/adapters/git_adapter'
class Repository::Git < Repository
attr_protected :root_url
......
......@@ -12,7 +12,7 @@
# See doc/COPYRIGHT.rdoc for more details.
#++
require 'redmine/scm/adapters/mercurial_adapter'
require_dependency 'redmine/scm/adapters/mercurial_adapter'
class Repository::Mercurial < Repository
# sort changesets by revision number
......
......@@ -12,7 +12,7 @@
# See doc/COPYRIGHT.rdoc for more details.
#++
require 'redmine/scm/adapters/subversion_adapter'
require_dependency 'redmine/scm/adapters/subversion_adapter'
class Repository::Subversion < Repository
attr_protected :root_url
......
......@@ -13,6 +13,7 @@
#++
class TimeEntry < ActiveRecord::Base
include Redmine::SafeAttributes
# could have used polymorphic association
# project association here allows easy loading of time entries at project level with one database trip
belongs_to :project
......@@ -37,6 +38,8 @@ class TimeEntry < ActiveRecord::Base
:conditions => Project.allowed_to_condition(args.first || User.current, :view_time_entries)
}}
safe_attributes 'hours', 'comments', 'issue_id', 'activity_id', 'spent_on', 'custom_field_values'
def after_initialize
if new_record? && self.activity.nil?
if default_activity = TimeEntryActivity.default
......
......@@ -64,10 +64,9 @@ class User < Principal
validates_uniqueness_of :mail, :if => Proc.new { |user| !user.mail.blank? }, :case_sensitive => false
# Login must contain lettres, numbers, underscores only
validates_format_of :login, :with => /^[a-z0-9_\-@\.]*$/i
validates_length_of :login, :maximum => 30
validates_length_of :firstname, :lastname, :maximum => 30
validates_length_of :login, :firstname, :lastname, :maximum => 255
validates_format_of :mail, :with => /^([^@\s]+)@((?:[-a-z0-9]+\.)+[a-z]{2,})$/i, :allow_nil => true
validates_length_of :mail, :maximum => 60, :allow_nil => true
validates_length_of :mail, :maximum => 255, :allow_nil => true
validates_confirmation_of :password, :allow_nil => true
validates_inclusion_of :mail_notification, :in => MAIL_NOTIFICATION_OPTIONS.collect(&:first), :allow_blank => true
validates_inclusion_of :status, :in => [STATUS_ANONYMOUS, STATUS_ACTIVE, STATUS_REGISTERED, STATUS_LOCKED]
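Review bot: Raising `validates_length_of :login, :firstname, :lastname` and `:mail` to 255 only changes the model-side check; unless a migration in this release widens the corresponding columns, longer values are either truncated or rejected by the database after passing validation. A one-line comment naming that migration would make the dependency visible. While here: the unchanged context lines validate `login` and `mail` with `^`/`$` anchors, which in Ruby match per line, so a value containing a newline can pass; `\A`/`\z` are the whole-string anchors.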
......
......@@ -16,7 +16,7 @@ class UserPreference < ActiveRecord::Base
belongs_to :user
serialize :others
attr_protected :others
attr_protected :others, :user_id
def initialize(attributes = nil)
super
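Review bot: `attr_protected :others, :user_id` closes the `user_id` mass-assignment hole, but it is a blacklist while the rest of this commit moves models to the `safe_attributes` whitelist; any column added to `user_preferences` later is assignable by default. Switching to `include Redmine::SafeAttributes` plus an explicit `safe_attributes` list, as Comment and Document do here, keeps the policy uniform across models.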
......
......@@ -13,6 +13,7 @@
#++
class Version < ActiveRecord::Base
include Redmine::SafeAttributes
after_update :update_issues_from_sharing_change
belongs_to :project
has_many :fixed_issues, :class_name => 'Issue', :foreign_key => 'fixed_version_id', :dependent => :nullify
......@@ -34,6 +35,15 @@ class Version < ActiveRecord::Base
named_scope :visible, lambda {|*args| { :include => :project,
:conditions => Project.allowed_to_condition(args.first || User.current, :view_issues) } }
safe_attributes 'name',
'description',
'effective_date',
'due_date',
'wiki_page_title',
'status',
'sharing',
'custom_field_values'