58-view-permission-based-on-project-membership.patch

view-permission-based-on-project-membership

From: Bryan Larsen <bryan@larsen.st>

Note that users now have two collections of projects: `projects` are the projects that users own, and `joined_projects` are the projects they have joined as members.

We can now define view permission on projects, stories and tasks according to project membership.

SHOW_PATCH
---
 app/models/project.rb |    2 +-
 app/models/story.rb   |    2 +-
 app/models/task.rb    |    2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/app/models/project.rb b/app/models/project.rb
index d828958..2bed9de 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -34,7 +34,7 @@ class Project < ActiveRecord::Base
   end
 
   def view_permitted?(field)
-    true
+    acting_user.administrator? || acting_user == owner || acting_user.in?(members)
   end
 
 end
diff --git a/app/models/story.rb b/app/models/story.rb
index adadd86..35bb884 100644
--- a/app/models/story.rb
+++ b/app/models/story.rb
@@ -31,7 +31,7 @@ class Story < ActiveRecord::Base
   end
 
   def view_permitted?(field)
-    true
+    project.viewable_by?(acting_user)
   end
 
 end
diff --git a/app/models/task.rb b/app/models/task.rb
index 7894bf4..05f119d 100644
--- a/app/models/task.rb
+++ b/app/models/task.rb
@@ -30,7 +30,7 @@ class Task < ActiveRecord::Base
   end
 
   def view_permitted?(field)
-    true
+    story.viewable_by?(acting_user)
   end
 
 end