Merge branch 'deny-system-notes-edit' into 'master'

Don't allow edit of system notes Fix #1412 See merge request !1052
2014-08-29 13:16:26 +00:00 · 2014-08-29 13:16:26 +00:00 · 8aca1ff003
parent dc22419c25 01520d5d77
commit 8aca1ff003
3 changed files with 13 additions and 5 deletions
--- a/app/controllers/projects/notes_controller.rb
+++ b/app/controllers/projects/notes_controller.rb
@ -30,8 +30,10 @@ class Projects::NotesController < Projects::ApplicationController
  end

  def update
-    note.update_attributes(note_params)
-    note.reset_events_cache
+    if note.editable?
+      note.update_attributes(note_params)
+      note.reset_events_cache
+    end

    respond_to do |format|
      format.json { render_note_json(note) }
@ -40,8 +42,10 @@ class Projects::NotesController < Projects::ApplicationController
  end

  def destroy
-    note.destroy
-    note.reset_events_cache
+    if note.editable?
+      note.destroy
+      note.reset_events_cache
+    end

    respond_to do |format|
      format.js { render nothing: true }
--- a/app/models/note.rb
+++ b/app/models/note.rb
@ -337,4 +337,8 @@ class Note < ActiveRecord::Base
  def set_references
    notice_added_references(project, author)
  end
+
+  def editable?
+    !system
+  end
 end
--- a/app/views/projects/notes/_note.html.haml
+++ b/app/views/projects/notes/_note.html.haml
@ -9,7 +9,7 @@
            %i.icon-link
            Link here
          &nbsp;
-          - if(note.author_id == current_user.try(:id)) || can?(current_user, :admin_note, @project)
+          - if can?(current_user, :admin_note, note) && note.editable?
            = link_to "#", title: "Edit comment", class: "js-note-edit" do
              %i.icon-edit
              Edit