Merged r3865 and r3866 from trunk.

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/branches/0.9-stable@3868 e93f8b46-1217-0410-a6f0-8f06a7374b81

app/controllers/versions_controller.rb

@@ -25,6 +25,9 @@ class VersionsController < ApplicationController
   helper :projects
   
   def show
+    @issues = @version.fixed_issues.visible.find(:all,
+      :include => [:status, :tracker, :priority],
+      :order => "#{Tracker.table_name}.position, #{Issue.table_name}.id")
   end
   
   def edit

app/views/versions/show.rhtml

@@ -32,13 +32,10 @@
 <%= render :partial => 'versions/overview', :locals => {:version => @version} %>
 <%= render(:partial => "wiki/content", :locals => {:content => @version.wiki_page.content}) if @version.wiki_page %>
 
-<% issues = @version.fixed_issues.find(:all,
-                                       :include => [:status, :tracker, :priority],
-                                       :order => "#{Tracker.table_name}.position, #{Issue.table_name}.id") %>
-<% if issues.size > 0 %>
+<% if @issues.present? %>
 <fieldset class="related-issues"><legend><%= l(:label_related_issues) %></legend>
 <ul>
-<% issues.each do |issue| -%>
+<% @issues.each do |issue| -%>
     <li><%= link_to_issue(issue) %></li>
 <% end -%>
 </ul>

doc/CHANGELOG

@@ -8,7 +8,12 @@ http://www.redmine.org/
 
 Adds context menu to the roadmap issue lists
 
+== 2010-07-07 v0.9.6
+
+Fixed: Redmine.pm access by unauthorized users
+
 == 2010-06-24 v0.9.5
+
 Linkify folder names on revision view
 "fiters" and "options" should be hidden in print view via css
 Fixed: NoMethodError when no issue params are submitted

extra/svn/Redmine.pm

@@ -227,9 +227,38 @@ sub authen_handler {
   }
 }
 
+# check if authentication is forced
+sub is_authentication_forced {
+  my $r = shift;
+
+  my $dbh = connect_database($r);
+  my $sth = $dbh->prepare(
+    "SELECT value FROM settings where settings.name = 'login_required';"
+  );
+
+  $sth->execute();
+  my $ret = 0;
+  if (my @row = $sth->fetchrow_array) {
+    if ($row[0] eq "1" || $row[0] eq "t") {
+      $ret = 1;
+    }
+  }
+  $sth->finish();
+  undef $sth;
+  
+  $dbh->disconnect();
+  undef $dbh;
+
+  $ret;
+}
+
 sub is_public_project {
     my $project_id = shift;
     my $r = shift;
+    
+    if (is_authentication_forced($r)) {
+      return 0;
+    }
 
     my $dbh = connect_database($r);
     my $sth = $dbh->prepare(
@@ -309,7 +338,9 @@ sub is_member {
                 bindpw  =>      $rowldap[4] ? $rowldap[4] : "",
                 filter  =>      "(".$rowldap[6]."=%s)"
             );
-            $ret = 1 if ($ldap->authenticate($redmine_user, $redmine_pass));
+            my $method = $r->method;
+            $ret = 1 if ($ldap->authenticate($redmine_user, $redmine_pass) && ((defined $read_only_methods{$method} && $permissions =~ /:browse_repository/) || $permissions =~ /:commit_access/));
+
           }
           $sthldap->finish();
           undef $sthldap;

lib/redmine/version.rb

@@ -4,7 +4,7 @@ module Redmine
   module VERSION #:nodoc:
     MAJOR = 0
     MINOR = 9
-    TINY  = 5
+    TINY  = 6
     
     # Branch values:
     # * official release: nil