agileware-jp · jkraemer · Aug 31, 2023 · Aug 31, 2023
diff --git a/app/controllers/concerns/project_templates_common.rb b/app/controllers/concerns/project_templates_common.rb
@@ -3,7 +3,6 @@
 module ProjectTemplatesCommon
   extend ActiveSupport::Concern
   included do
-    before_action :find_user, :find_project, :authorize, except: %i[preview load load_selectable_fields]
     before_action :find_object, only: %i[show edit update destroy]
     accept_api_auth :index, :list_templates, :load
   end

diff --git a/app/controllers/issue_templates_controller.rb b/app/controllers/issue_templates_controller.rb
@@ -7,6 +7,7 @@ class IssueTemplatesController < ApplicationController
   include IssueTemplatesCommon
   include ProjectTemplatesCommon
   menu_item :issues
+  before_action :find_user, :find_project, :authorize, except: %i[preview]
   before_action :find_tracker, :find_templates, only: %i[set_pulldown list_templates]
 
   def index

diff --git a/app/controllers/note_templates_controller.rb b/app/controllers/note_templates_controller.rb
@@ -5,6 +5,7 @@ class NoteTemplatesController < ApplicationController
   layout 'base'
   helper :issue_templates
   menu_item :issues
+  before_action :find_user, :find_project, :authorize, except: %i[preview load]
 
   def index
     project_id = @project.id
@@ -60,6 +61,10 @@ def update
 
   # load template description
   def load
+    # work around weird parameter structure
+    @project = Project.find(template_params[:project_id])
+    return unless authorize
+
     note_template_id = template_params[:note_template_id]
     template_type = template_params[:template_type]
 

diff --git a/app/views/global_issue_templates/_form.html.erb b/app/views/global_issue_templates/_form.html.erb
@@ -152,7 +152,7 @@
 <% if builtin_fields_enable %>
 <script type="module">
   TEMPLATE_FIELDS({
-    loadSelectableFieldsPath: "<%= url_for(controller: 'issue_templates', action: 'load_selectable_fields') %>",
+    loadSelectableFieldsPath: "<%= url_for(controller: 'global_issue_templates', action: 'load_selectable_fields') %>",
     templateId: "<%= issue_template&.id || '' %>",
     templateType: 'global_issue_template',
     trackerPulldownId: 'global_issue_template_tracker_id',

diff --git a/app/views/issue_templates/index.html.erb b/app/views/issue_templates/index.html.erb
@@ -1,10 +1,10 @@
-<h2 class='issue_template'><%=h "#{l(:issue_template)}" %></h2>
 <%= render partial: 'common/nodata', locals: { trackers: tracker_ids } %>
 <div class='contextual issue_templates'>
   <%= link_to_if_authorized(l(:label_new_templates),
                             { controller: 'issue_templates', action: 'new', project_id: @project },
                               class: 'icon icon-add') %>
 </div>
+<h2 class='issue_template'><%=h "#{l(:issue_template)}" %></h2>
 <div style='clear: both;'></div>
 
 <% if @notice -%>

diff --git a/config/routes.rb b/config/routes.rb
@@ -10,7 +10,9 @@
     post 'preview', on: :collection
   end
 
-  resources :global_issue_templates, except: [:edit], concerns: %i[tamplate_common previewable]
+  resources :global_issue_templates, except: [:edit], concerns: %i[tamplate_common previewable] do
+    get 'load_selectable_fields', on: :collection
+  end
 
   # for project issue template
   resources :projects, only: [] do

diff --git a/init.rb b/init.rb
@@ -64,7 +64,7 @@ def template_menu_allowed?
          after: :settings, if: template_menu_allowed?
 
     project_module :issue_templates do
-      permission :edit_issue_templates, issue_templates: %i[new create edit update destroy move], note_templates: %i[new create edit update destroy move]
+      permission :edit_issue_templates, issue_templates: %i[new create edit update destroy move load_selectable_fields], note_templates: %i[new create edit update destroy move]
       permission :show_issue_templates, issue_templates: %i[index show load set_pulldown list_templates orphaned_templates],
                                         note_templates: %i[index show load list_templates]
       permission :manage_issue_templates, { issue_templates_settings: %i[index edit] }, require: :member

diff --git a/test/functional/issue_templates_controller_test.rb b/test/functional/issue_templates_controller_test.rb
@@ -32,6 +32,17 @@ def test_get_index_without_show_permission
     assert_response 403
   end
 
+  def test_list_templates
+    get :list_templates, params: { project_id: 1, issue_tracker_id: 1 }
+    assert_response :success
+  end
+
+  def test_list_templates_without_show_permission
+    Role.find(1).remove_permission! :show_issue_templates
+    get :list_templates, params: { project_id: 1, issue_tracker_id: 1 }
+    assert_response 403
+  end
+
   def test_get_index_with_normal
     get :index, params: { project_id: 1 }
     assert_response :success
@@ -120,6 +131,19 @@ def test_preview_template
     assert_select 'h1', /Test data\./, @response.body.to_s
   end
 
+  def test_create_template_without_edit_permission
+    post :create, params: { issue_template:
+      { title: 'new', note: 'note', description: 'description', tracker_id: 1, enabled: 1, author_id: 1 }, project_id: 1 }
+    assert_response 403
+  end
+
+  def test_update_template_without_edit_permission
+    put :update, params: { id: 2,
+                           issue_template: { description: 'Update Test template2' },
+                           project_id: 1 }
+    assert_response 403
+  end
+
   def test_update_template
     edit_permission
 

diff --git a/test/functional/note_templates_controller_test.rb b/test/functional/note_templates_controller_test.rb
@@ -6,7 +6,8 @@ class NoteTemplatesControllerTest < Redmine::ControllerTest
            :users, :roles,
            :members, :member_roles,
            :trackers, :projects_trackers,
-           :note_templates, :note_visible_roles
+           :note_templates, :note_visible_roles, :global_note_templates
+
 
   def setup
     @request.session[:user_id] = 2  # jsmith
@@ -111,4 +112,37 @@ def test_index_should_appear_note_templates_with_roles_visibility
       assert_select 'td a[href=?]', "/projects/ecookbook/note_templates/3", count: 1
     end
   end
+
+  def test_list_templates
+    get :list_templates, params: { project_id: 1, tracker_id: 1 }
+    assert_response :success
+  end
+
+  def test_list_templates_without_show_permission
+    Role.find(1).remove_permission! :show_issue_templates
+    get :list_templates, params: { project_id: 1, tracker_id: 1 }
+    assert_response 403
+  end
+
+  def test_load_return_json_hash
+    get :load, params: { note_template: { project_id: 1, note_template_id: 1 } }
+    assert_response :success
+    assert_equal "comment 1-1\ncomment 1-2", json_response['note_template']['description']
+  end
+
+  def test_load_return_json_hash_of_global
+    get :load, params: { note_template: { project_id: 1, note_template_id: 1, template_type: 'global' } }
+    assert_response :success
+    assert_equal "global description 1-1\nglobal description 1-2", json_response['note_template']['description']
+  end
+
+  def test_load_without_permission
+    Role.find(1).remove_permission! :show_issue_templates
+    get :load, params: { note_template: { project_id: 1, note_template_id: 1 } }
+    assert_response 403
+  end
+
+  def json_response
+    ActiveSupport::JSON.decode @response.body
+  end
 end