Fixed that journal details about issue relations may disclose issues that are not visible (#1005).
git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@11939 e93f8b46-1217-0410-a6f0-8f06a7374b81
parent
60a8230209
commit
019f57e5c7
|
@ -308,11 +308,11 @@ module IssuesHelper
|
||||||
label = l(:label_attachment)
|
label = l(:label_attachment)
|
||||||
when 'relation'
|
when 'relation'
|
||||||
if detail.value && !detail.old_value
|
if detail.value && !detail.old_value
|
||||||
rel_issue = Issue.find_by_id(detail.value)
|
rel_issue = Issue.visible.find_by_id(detail.value)
|
||||||
value = rel_issue.nil? ? "#{l(:label_issue)} #{detail.value}" :
|
value = rel_issue.nil? ? "#{l(:label_issue)} #{detail.value}" :
|
||||||
(no_html ? rel_issue : link_to_issue(rel_issue))
|
(no_html ? rel_issue : link_to_issue(rel_issue))
|
||||||
elsif detail.old_value && !detail.value
|
elsif detail.old_value && !detail.value
|
||||||
rel_issue = Issue.find_by_id(detail.old_value)
|
rel_issue = Issue.visible.find_by_id(detail.old_value)
|
||||||
old_value = rel_issue.nil? ? "#{l(:label_issue)} #{detail.old_value}" :
|
old_value = rel_issue.nil? ? "#{l(:label_issue)} #{detail.old_value}" :
|
||||||
(no_html ? rel_issue : link_to_issue(rel_issue))
|
(no_html ? rel_issue : link_to_issue(rel_issue))
|
||||||
end
|
end
|
||||||
|
|
|
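Review bot: `Issue.visible` is called without a user on both lookups (`detail.value` and `detail.old_value`), so whether a related issue is linked or reduced to the plain `Issue <id>` fallback presumably depends on the ambient current user rather than on whoever ends up reading the rendered text. If this helper also renders journal details for notifications (the `no_html` path suggests plain-text output), the current user at render time may not be the recipient; that is inferred, not visible in this hunk, so the callers are worth checking. A short comment above each lookup would record the intent, for example `# visible scope: an issue the current user cannot see renders like a missing one (id only)`. The enclosing method starts and ends outside the hunk.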
@ -227,6 +227,16 @@ class IssuesHelperTest < ActionView::TestCase
|
||||||
assert_equal "<strong>Precedes</strong> <i>Issue #{non_existed_issue_number}</i> added", show_detail(detail, false)
|
assert_equal "<strong>Precedes</strong> <i>Issue #{non_existed_issue_number}</i> added", show_detail(detail, false)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def test_show_detail_relation_added_should_not_disclose_issue_that_is_not_visible
|
||||||
|
issue = Issue.generate!(:is_private => true)
|
||||||
|
detail = JournalDetail.new(:property => 'relation',
|
||||||
|
:prop_key => 'label_precedes',
|
||||||
|
:value => issue.id)
|
||||||
|
|
||||||
|
assert_equal "Precedes Issue #{issue.id} added", show_detail(detail, true)
|
||||||
|
assert_equal "<strong>Precedes</strong> <i>Issue #{issue.id}</i> added", show_detail(detail, false)
|
||||||
|
end
|
||||||
|
|
||||||
def test_show_detail_delete_relation
|
def test_show_detail_delete_relation
|
||||||
detail = JournalDetail.new(:property => 'relation',
|
detail = JournalDetail.new(:property => 'relation',
|
||||||
:prop_key => 'label_precedes',
|
:prop_key => 'label_precedes',
|
||||||
|
@ -242,4 +252,14 @@ class IssuesHelperTest < ActionView::TestCase
|
||||||
assert_equal "Precedes deleted (Issue 9999)", show_detail(detail, true)
|
assert_equal "Precedes deleted (Issue 9999)", show_detail(detail, true)
|
||||||
assert_equal "<strong>Precedes</strong> deleted (<i>Issue 9999</i>)", show_detail(detail, false)
|
assert_equal "<strong>Precedes</strong> deleted (<i>Issue 9999</i>)", show_detail(detail, false)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def test_show_detail_relation_deleted_should_not_disclose_issue_that_is_not_visible
|
||||||
|
issue = Issue.generate!(:is_private => true)
|
||||||
|
detail = JournalDetail.new(:property => 'relation',
|
||||||
|
:prop_key => 'label_precedes',
|
||||||
|
:old_value => issue.id)
|
||||||
|
|
||||||
|
assert_equal "Precedes deleted (Issue #{issue.id})", show_detail(detail, true)
|
||||||
|
assert_equal "<strong>Precedes</strong> deleted (<i>Issue #{issue.id}</i>)", show_detail(detail, false)
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
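Review bot: Neither new test pins the user that the visibility check runs as, so `test_show_detail_relation_added_should_not_disclose_issue_that_is_not_visible` and `test_show_detail_relation_deleted_should_not_disclose_issue_that_is_not_visible` pass only if the ambient user happens to be one who cannot see the private issue. Unless a setup method outside these hunks already does this, set the user explicitly at the top of each test, e.g. `User.current = nil`. A companion case where a user allowed to see the private issue gets the linked form would guard the other direction, so a later change that hides every related issue does not go unnoticed. The test class body extends outside both hunks.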