From 5de43651ac40c360402385c5ee7ee991c0a3f866 Mon Sep 17 00:00:00 2001
From: Bryan Larsen <bryan@larsen.st>
Date: Fri, 19 Feb 2010 15:38:48 -0500
Subject: [PATCH] view-permission-based-on-project-membership

Note that users now have two collections of projects: `projects` are the projects that users own, and `joined_projects` are the projects they have joined as members.

We can now define view permission on projects, stories and tasks according to project membership.

SHOW_PATCH
---
 app/models/project.rb | 2 +-
 app/models/story.rb   | 2 +-
 app/models/task.rb    | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/app/models/project.rb b/app/models/project.rb
index 53abe22..be59f11 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -28,7 +28,7 @@ def destroy_permitted?
   end
 
   def view_permitted?(field)
-    true
+    acting_user.administrator? || acting_user == owner || acting_user.in?(members)
   end
 
 end
diff --git a/app/models/story.rb b/app/models/story.rb
index 5843828..ccbc04b 100644
--- a/app/models/story.rb
+++ b/app/models/story.rb
@@ -28,7 +28,7 @@ def destroy_permitted?
   end
 
   def view_permitted?(field)
-    true
+    project.viewable_by?(acting_user)
   end
 
 end
diff --git a/app/models/task.rb b/app/models/task.rb
index 3a7a404..18b02d2 100644
--- a/app/models/task.rb
+++ b/app/models/task.rb
@@ -29,7 +29,7 @@ def destroy_permitted?
   end
 
   def view_permitted?(field)
-    true
+    story.viewable_by?(acting_user)
   end
 
 end