gitlab-org--gitlab-foss/app/controllers/issues_controller.rb
Robert Speicher 8cfb197dfc Remove redundant access check for Issues#destroy
We were already calling `authorize_admin_issue!` in a before filter with
the same permission checks, so this deleted check wasn't actually doing
anything.
2012-09-16 10:06:29 -04:00

175 lines
4 KiB
Ruby

class IssuesController < ApplicationController
before_filter :authenticate_user!
before_filter :project
before_filter :module_enabled
before_filter :issue, only: [:edit, :update, :destroy, :show]
helper_method :issues_filter
layout "project"
# Authorize
before_filter :add_project_abilities
# Allow read any issue
before_filter :authorize_read_issue!
# Allow write(create) issue
before_filter :authorize_write_issue!, only: [:new, :create]
# Allow modify issue
before_filter :authorize_modify_issue!, only: [:edit, :update]
# Allow destroy issue
before_filter :authorize_admin_issue!, only: [:destroy]
respond_to :js, :html
def index
@issues = issues_filtered
@issues = @issues.page(params[:page]).per(20)
respond_to do |format|
format.html # index.html.erb
format.js
format.atom { render layout: false }
end
end
def new
@issue = @project.issues.new(params[:issue])
respond_with(@issue)
end
def edit
respond_with(@issue)
end
def show
@note = @project.notes.new(noteable: @issue)
respond_to do |format|
format.html
format.js
end
end
def create
@issue = @project.issues.new(params[:issue])
@issue.author = current_user
@issue.save
respond_to do |format|
format.html do
if @issue.valid?
redirect_to project_issue_path(@project, @issue)
else
render :new
end
end
format.js
end
end
def update
@issue.update_attributes(params[:issue].merge(author_id_of_changes: current_user.id))
respond_to do |format|
format.js
format.html do
if @issue.valid?
redirect_to [@project, @issue]
else
render :edit
end
end
end
end
def destroy
@issue.destroy
respond_to do |format|
format.html { redirect_to project_issues_path }
format.js { render nothing: true }
end
end
def sort
return render_404 unless can?(current_user, :admin_issue, @project)
@issues = @project.issues.where(id: params['issue'])
@issues.each do |issue|
issue.position = params['issue'].index(issue.id.to_s) + 1
issue.save
end
render nothing: true
end
def search
terms = params['terms']
@issues = issues_filtered
@issues = @issues.where("title LIKE ?", "%#{terms}%") unless terms.blank?
@issues = @issues.page(params[:page]).per(100)
render partial: 'issues'
end
def bulk_update
result = IssuesBulkUpdateContext.new(project, current_user, params).execute
redirect_to :back, notice: "#{result[:count]} issues updated"
end
protected
def issue
@issue ||= @project.issues.find(params[:id])
end
def authorize_modify_issue!
return render_404 unless can?(current_user, :modify_issue, @issue)
end
def authorize_admin_issue!
return render_404 unless can?(current_user, :admin_issue, @issue)
end
def module_enabled
return render_404 unless @project.issues_enabled
end
def issues_filtered
@issues = case params[:f]
when issues_filter[:all] then @project.issues
when issues_filter[:closed] then @project.issues.closed
when issues_filter[:to_me] then @project.issues.opened.assigned(current_user)
else @project.issues.opened
end
@issues = @issues.tagged_with(params[:label_name]) if params[:label_name].present?
@issues = @issues.includes(:author, :project).order("updated_at")
# Filter by specific assignee_id (or lack thereof)?
if params[:assignee_id].present?
@issues = @issues.where(assignee_id: (params[:assignee_id] == '0' ? nil : params[:assignee_id]))
end
# Filter by specific milestone_id (or lack thereof)?
if params[:milestone_id].present?
@issues = @issues.where(milestone_id: (params[:milestone_id] == '0' ? nil : params[:milestone_id]))
end
@issues
end
def issues_filter
{
all: "all",
closed: "closed",
to_me: "assigned-to-me",
open: "open"
}
end
end