-rw-r--r--app/Controller/TaskModificationController.php4
-rw-r--r--app/Helper/ProjectRoleHelper.php18
-rw-r--r--app/Helper/TaskHelper.php4
-rw-r--r--app/Model/ProjectRoleRestrictionModel.php16
-rw-r--r--tests/units/Helper/ProjectRoleHelperTest.php59
-rw-r--r--tests/units/Model/ProjectRoleRestrictionModelTest.php2
6 files changed, 93 insertions, 10 deletions
diff --git a/app/Controller/TaskModificationController.php b/app/Controller/TaskModificationController.php
index 520bf70e..d2b02a80 100644
--- a/app/Controller/TaskModificationController.php
+++ b/app/Controller/TaskModificationController.php
@@ -103,6 +103,10 @@ class TaskModificationController extends BaseController
protected function updateTask(array &$task, array &$values, array &$errors)
{
+ if (isset($values['owner_id']) && $values['owner_id'] != $task['owner_id'] && ! $this->helper->projectRole->canChangeAssignee($task)) {
+ throw new AccessForbiddenException(t('You are not allowed to change the assignee'));
+ }
+
$result = $this->taskModificationModel->update($values);
if ($result && ! empty($task['external_uri'])) {
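Review bot: The new guard compares the posted `$values['owner_id']` with the stored `$task['owner_id']` using loose `!=`, so a string from the form is matched against whatever type the row carries; if the stored value can be null or empty, a submission of `0` (unassigned) is treated as a change and a restricted user is refused even though nothing moves. Normalising both sides keeps the comparison strict: `if (isset($values['owner_id']) && (int) $values['owner_id'] !== (int) $task['owner_id'] && ! $this->helper->projectRole->canChangeAssignee($task)) {`. This is the only server-side enforcement point in the commit; whether other save paths that accept `owner_id` need the same check cannot be judged from this hunk. updateTask's body continues outside the hunk.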
diff --git a/app/Helper/ProjectRoleHelper.php b/app/Helper/ProjectRoleHelper.php
index fd7a690b..508dc9e0 100644
--- a/app/Helper/ProjectRoleHelper.php
+++ b/app/Helper/ProjectRoleHelper.php
@@ -172,6 +172,24 @@ class ProjectRoleHelper extends Base
}
/**
+ * Return true if the user can change assignee
+ *
+ * @public
+ * @param array $task
+ * @return bool
+ */
+ public function canChangeAssignee(array $task)
+ {
+ $role = $this->getProjectUserRole($task['project_id']);
+
+ if ($this->hasRestriction($task['project_id'], $role, ProjectRoleRestrictionModel::RULE_TASK_CHANGE_ASSIGNEE)) {
+ return false;
+ }
+
+ return true;
+ }
+
+ /**
* Check project access
*
* @param string $controller
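Review bot: `canChangeAssignee` collapses to one expression, `return ! $this->hasRestriction($task['project_id'], $role, ProjectRoleRestrictionModel::RULE_TASK_CHANGE_ASSIGNEE);`, which removes the if/return-false/return-true ladder without changing the result. The `@public` tag in the docblock is not a PHPDoc tag and can be dropped; since the commit calls this helper with both a task row and submitted form values, the parameter is better documented as `@param array $task Task row or form values; must contain project_id`. The method reads only `project_id` from the array, so nothing else in the argument is required.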
diff --git a/app/Helper/TaskHelper.php b/app/Helper/TaskHelper.php
index 69520c03..334f4f33 100644
--- a/app/Helper/TaskHelper.php
+++ b/app/Helper/TaskHelper.php
@@ -93,6 +93,10 @@ class TaskHelper extends Base
public function renderAssigneeField(array $users, array $values, array $errors = array(), array $attributes = array())
{
+ if (isset($values['project_id']) && ! $this->helper->projectRole->canChangeAssignee($values)) {
+ return '';
+ }
+
$attributes = array_merge(array('tabindex="3"'), $attributes);
$html = $this->helper->form->label(t('Assignee'), 'owner_id');
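Review bot: Returning `''` here only hides the input; it is not an authorisation check, and the field is still rendered whenever the caller leaves `project_id` out of `$values`. The actual enforcement is the guard added in TaskModificationController::updateTask, so any other path that accepts a posted `owner_id` (task creation, for instance) would need its own check — that cannot be confirmed from this diff. A short comment keeps the two roles apart for the next reader: `// UI only: the restriction itself is enforced in TaskModificationController::updateTask.` renderAssigneeField's body continues outside the hunk.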
diff --git a/app/Model/ProjectRoleRestrictionModel.php b/app/Model/ProjectRoleRestrictionModel.php
index b8f00c17..714b2a65 100644
--- a/app/Model/ProjectRoleRestrictionModel.php
+++ b/app/Model/ProjectRoleRestrictionModel.php
@@ -14,10 +14,11 @@ class ProjectRoleRestrictionModel extends Base
{
const TABLE = 'project_role_has_restrictions';
- const RULE_TASK_CREATION = 'task_creation';
+ const RULE_TASK_CREATION = 'task_creation';
const RULE_TASK_SUPPRESSION = 'task_remove';
- const RULE_TASK_OPEN_CLOSE = 'task_open_close';
- const RULE_TASK_MOVE = 'task_move';
+ const RULE_TASK_OPEN_CLOSE = 'task_open_close';
+ const RULE_TASK_MOVE = 'task_move';
+ const RULE_TASK_CHANGE_ASSIGNEE = 'task_change_assignee';
/**
* Get rules
@@ -27,10 +28,11 @@ class ProjectRoleRestrictionModel extends Base
public function getRules()
{
return array(
- self::RULE_TASK_CREATION => t('Task creation is not permitted'),
- self::RULE_TASK_SUPPRESSION => t('Task suppression is not permitted'),
- self::RULE_TASK_OPEN_CLOSE => t('Closing or opening a task is not permitted'),
- self::RULE_TASK_MOVE => t('Moving a task is not permitted'),
+ self::RULE_TASK_CREATION => t('Task creation is not permitted'),
+ self::RULE_TASK_SUPPRESSION => t('Task suppression is not permitted'),
+ self::RULE_TASK_OPEN_CLOSE => t('Closing or opening a task is not permitted'),
+ self::RULE_TASK_MOVE => t('Moving a task is not permitted'),
+ self::RULE_TASK_CHANGE_ASSIGNEE => t('Changing assignee is not permitted'),
);
}
diff --git a/tests/units/Helper/ProjectRoleHelperTest.php b/tests/units/Helper/ProjectRoleHelperTest.php
index 6f6c9bde..d2335dfa 100644
--- a/tests/units/Helper/ProjectRoleHelperTest.php
+++ b/tests/units/Helper/ProjectRoleHelperTest.php
@@ -106,7 +106,7 @@ class ProjectRoleHelperTest extends Base
$this->assertFalse($projectRoleHelper->canCreateTaskInColumn(1, 2));
}
- public function testCanRemoveTaskWithCustomProjectRole()
+ public function testCanRemoveTaskWithCustomProjectRoleAndRestriction()
{
$projectRoleHelper = new ProjectRoleHelper($this->container);
$projectModel = new ProjectModel($this->container);
@@ -135,7 +135,7 @@ class ProjectRoleHelperTest extends Base
$this->assertFalse($projectRoleHelper->canRemoveTask($task));
}
- public function testCanRemoveTaskWithCustomProjectRoleWithRestriction()
+ public function testCanRemoveTaskWithCustomProjectRole()
{
$projectRoleHelper = new ProjectRoleHelper($this->container);
$projectModel = new ProjectModel($this->container);
@@ -161,6 +161,61 @@ class ProjectRoleHelperTest extends Base
$this->assertTrue($projectRoleHelper->canRemoveTask($task));
}
+ public function testCanChangeAssigneeWithCustomProjectRoleAndRestriction()
+ {
+ $projectRoleHelper = new ProjectRoleHelper($this->container);
+ $projectModel = new ProjectModel($this->container);
+ $projectUserRole = new ProjectUserRoleModel($this->container);
+ $userModel = new UserModel($this->container);
+ $projectRoleModel = new ProjectRoleModel($this->container);
+ $taskCreationModel = new TaskCreationModel($this->container);
+ $taskFinderModel = new TaskFinderModel($this->container);
+ $projectRoleRestrictionModel = new ProjectRoleRestrictionModel($this->container);
+
+ $this->container['sessionStorage']->user = array(
+ 'id' => 2,
+ 'role' => Role::APP_USER,
+ );
+
+ $this->assertEquals(2, $userModel->create(array('username' => 'user')));
+ $this->assertEquals(1, $projectModel->create(array('name' => 'Test')));
+ $this->assertEquals(1, $taskCreationModel->create(array('project_id' => 1 , 'title' => 'test')));
+
+ $this->assertEquals(1, $projectRoleModel->create(1, 'Custom Role'));
+ $this->assertTrue($projectUserRole->addUser(1, 2, 'Custom Role'));
+
+ $this->assertEquals(1, $projectRoleRestrictionModel->create(1, 1, ProjectRoleRestrictionModel::RULE_TASK_CHANGE_ASSIGNEE));
+
+ $task = $taskFinderModel->getById(1);
+ $this->assertFalse($projectRoleHelper->canChangeAssignee($task));
+ }
+
+ public function testCanChangeAssigneeWithCustomProjectRole()
+ {
+ $projectRoleHelper = new ProjectRoleHelper($this->container);
+ $projectModel = new ProjectModel($this->container);
+ $projectUserRole = new ProjectUserRoleModel($this->container);
+ $userModel = new UserModel($this->container);
+ $projectRoleModel = new ProjectRoleModel($this->container);
+ $taskCreationModel = new TaskCreationModel($this->container);
+ $taskFinderModel = new TaskFinderModel($this->container);
+
+ $this->container['sessionStorage']->user = array(
+ 'id' => 2,
+ 'role' => Role::APP_USER,
+ );
+
+ $this->assertEquals(2, $userModel->create(array('username' => 'user')));
+ $this->assertEquals(1, $projectModel->create(array('name' => 'Test')));
+ $this->assertEquals(1, $taskCreationModel->create(array('project_id' => 1 , 'title' => 'test')));
+
+ $this->assertEquals(1, $projectRoleModel->create(1, 'Custom Role'));
+ $this->assertTrue($projectUserRole->addUser(1, 2, 'Custom Role'));
+
+ $task = $taskFinderModel->getById(1);
+ $this->assertTrue($projectRoleHelper->canChangeAssignee($task));
+ }
+
public function testCanChangeTaskStatusInColumnWithProjectViewer()
{
$projectRoleHelper = new ProjectRoleHelper($this->container);
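Review bot: The two new tests exercise only `canChangeAssignee` on a custom role; nothing in the commit covers `renderAssigneeField` returning `''` or `updateTask` throwing `AccessForbiddenException`, and the controller guard is the part that actually enforces the restriction. One test submitting an unchanged `owner_id` under the restriction and one submitting a different `owner_id` would pin that guard's both branches. The set-up block (models, session user, project, task, custom role) is repeated verbatim between the two tests and could move to a private helper that returns `$task`.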
diff --git a/tests/units/Model/ProjectRoleRestrictionModelTest.php b/tests/units/Model/ProjectRoleRestrictionModelTest.php
index e18d2374..25a9fb08 100644
--- a/tests/units/Model/ProjectRoleRestrictionModelTest.php
+++ b/tests/units/Model/ProjectRoleRestrictionModelTest.php
@@ -90,7 +90,7 @@ class ProjectRoleRestrictionModelTest extends Base
$projectRoleRestrictionModel = new ProjectRoleRestrictionModel($this->container);
$rules = $projectRoleRestrictionModel->getRules();
- $this->assertCount(4, $rules);
+ $this->assertCount(5, $rules);
$this->assertArrayHasKey(ProjectRoleRestrictionModel::RULE_TASK_OPEN_CLOSE, $rules);
}
}
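Review bot: Raising the expected count to 5 does not say which rule was added, and the assertion on the next line only checks RULE_TASK_OPEN_CLOSE; adding `$this->assertArrayHasKey(ProjectRoleRestrictionModel::RULE_TASK_CHANGE_ASSIGNEE, $rules);` beside it ties the test to the constant introduced in this commit. The count assertion can stay as a guard against accidental removals.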