From ea5a6e596ba27294136c29cb3953eecb34c8af3c Mon Sep 17 00:00:00 2001
From: Dombi Attila <83396+dombesz@users.noreply.github.com>
Date: Thu, 11 Jun 2026 20:20:50 +0300
Subject: [PATCH] Roll custom authorization for the project dropdown menu.

Project menus can be accessed by:
1. Users with read permission if the project is active.
2. Admins only if the project is archived.

Since there is no dedicated authorization method for such case, a new helper
method require_admin_or_active_project is added.
---
 app/controllers/projects_controller.rb | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/app/controllers/projects_controller.rb b/app/controllers/projects_controller.rb
index e8bceda1a65..01c59f2502c 100644
--- a/app/controllers/projects_controller.rb
+++ b/app/controllers/projects_controller.rb
@@ -34,17 +34,19 @@ class ProjectsController < ApplicationController
   menu_item :overview
   menu_item :roadmap, only: :roadmap
 
-  before_action :find_project, except: %i[index new create destroy destroy_info]
-  before_action :find_project_including_archived, only: %i[destroy destroy_info]
+  before_action :find_project, except: %i[index new create menu destroy destroy_info]
+  before_action :find_project_including_archived, only: %i[menu destroy destroy_info]
   before_action :load_query_or_deny_access, only: %i[index]
   before_action :authorize,
-                only: %i[copy_form copy deactivate_work_package_attachments export_project_initiation_pdf menu]
+                only: %i[copy_form copy deactivate_work_package_attachments export_project_initiation_pdf]
   before_action :authorize_global, only: %i[new create]
   before_action :require_admin, only: %i[destroy destroy_info]
+  before_action :require_admin_or_active_project, only: :menu
   before_action :find_optional_parent, only: :new
   before_action :find_optional_template, only: %i[new create]
 
   no_authorization_required! :index
+  authorization_checked! :menu
 
   include SortHelper
   include PaginationHelper
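Review bot: Routing `menu` through `find_project_including_archived` instead of `find_project` in this hunk removes the visibility-scoped lookup for an action that non-admins can now reach; that helper's own comment (second hunk) justifies skipping the visible scope by its callers being admin-only, which no longer holds. If the lookup is indeed unscoped, a user who cannot see a project receives `authorize`'s 403 for an active one and the new `notice_not_authorized_archived_project` 403 for an archived one, where `find_project` would have answered 404, so the endpoint reveals which project ids exist. I'd have `require_admin_or_active_project` answer 404 for a non-admin when the project is not visible to `current_user` before branching on `archived?`, and reword the admin-only comment on `find_project_including_archived` in the second hunk. The new helper also deserves a comment stating the rule from the commit message, e.g. `# menu is open to users with read permission on active projects and to admins only on archived ones`. The `ProjectsController` class body continues outside both hunks.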
@@ -186,6 +188,12 @@ class ProjectsController < ApplicationController
   private
 
+  def require_admin_or_active_project
+    return authorize unless @project.archived?
+
+    render_403 message: :notice_not_authorized_archived_project unless current_user.admin?
+  end
+
   def find_project_including_archived
     # The actions that use this method are only accessible to admins, so we can show them archived projects as well and
     # can skip the visible scope here.