yona-projects / yona star
Keesun Baik 2015-03-13
ProjectTransfer: fixed bug 
Problem: AccessControl is allowed all requests to site admin or member of the project in isProjectResourceAllowed method,
so a user of a project that should be transfered to other user or group, can accept the transfer request.

Solution: Changed isProjectResourceAllowed method to check the current user can accept the project-tansfer request
prior to check the current use is admin of the group or member of the project.
@01fa7dc6aadbcad0abe7d92d38552dfb1d6339b5
6339c73
01fa7dc
app/utils/AccessControl.java
--- app/utils/AccessControl.java
+++ app/utils/AccessControl.java
@@ -226,15 +226,7 @@
 
      * @return true if the user has the permission
 
      */
 
     private static boolean isProjectResourceAllowed(User user, Project project, Resource resource, Operation operation) {
 
-        if (OrganizationUser.isAdmin(project.organization, user)) {
 
-            return true;
 
-        }
 
-
 
-        if (user.isSiteManager()
 
-                || user.isManagerOf(project)
 
-                || isAllowedIfAuthor(user, resource)
 
-                || isAllowedIfAssignee(user, resource)
 
-                || isAllowedIfGroupMember(project, user)) {
 
+        if (user.isSiteManager()) {
 
             return true;
 
         }
@@ -255,6 +247,17 @@
 
             }
 
         }
 
 
+        if (OrganizationUser.isAdmin(project.organization, user)) {
 
+            return true;
 
+        }
 
+
 
+        if (user.isManagerOf(project)
 
+                || isAllowedIfAuthor(user, resource)
 
+                || isAllowedIfAssignee(user, resource)
 
+                || isAllowedIfGroupMember(project, user)) {
 
+            return true;
 
+        }
 
+
 
         // Some resource's permission depends on their container.
 
         switch(resource.getType()) {
 
             case ISSUE_STATE:
Add a comment
List