Keesun Baik 2015-03-13
ProjectTransfer: fixed bug
Problem: AccessControl allowed all requests from a site admin or a member of the project in the isProjectResourceAllowed method,
so a user of a project that was to be transferred to another user or group could accept the transfer request.

Solution: Changed the isProjectResourceAllowed method to check whether the current user can accept the project-transfer request
before checking whether the current user is an admin of the group or a member of the project.
@01fa7dc6aadbcad0abe7d92d38552dfb1d6339b5
app/utils/AccessControl.java
--- app/utils/AccessControl.java
+++ app/utils/AccessControl.java
@@ -226,15 +226,7 @@
      * @return true if the user has the permission
      */
     private static boolean isProjectResourceAllowed(User user, Project project, Resource resource, Operation operation) {
-        if (OrganizationUser.isAdmin(project.organization, user)) {
-            return true;
-        }
-
-        if (user.isSiteManager()
-                || user.isManagerOf(project)
-                || isAllowedIfAuthor(user, resource)
-                || isAllowedIfAssignee(user, resource)
-                || isAllowedIfGroupMember(project, user)) {
+        if (user.isSiteManager()) {
             return true;
         }
 
@@ -255,6 +247,17 @@
             }
         }
 
+        if (OrganizationUser.isAdmin(project.organization, user)) {
+            return true;
+        }
+
+        if (user.isManagerOf(project)
+                || isAllowedIfAuthor(user, resource)
+                || isAllowedIfAssignee(user, resource)
+                || isAllowedIfGroupMember(project, user)) {
+            return true;
+        }
+
         // Some resource's permission depends on their container.
         switch(resource.getType()) {
             case ISSUE_STATE:
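Review bot: The placement of these role checks (organization admin, project manager, author, assignee, group member) below the resource-specific checks is now what enforces the fix, yet nothing in the code records that, so a later reordering could quietly restore the bypass; add a comment above them such as `// Role-based grants must stay below the resource-specific checks above, which may deny (e.g. accepting a project transfer).` The checks between the two hunks are not visible here, so confirm that they return a definite deny for a user who is not the transfer recipient rather than falling through to these grants. `user.isSiteManager()` in the first hunk still returns true ahead of everything, so a site manager can presumably still accept any transfer; if that is intended, say so in a comment on that check. A regression test in which a project member who is not the recipient tries to accept the transfer would pin the behaviour. isProjectResourceAllowed starts before the first hunk and continues past this one.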