Fixed: users should not be able to add relations with issues they're not allowed to view (#2589).

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@2323 e93f8b46-1217-0410-a6f0-8f06a7374b81
This commit is contained in:
Jean-Philippe Lang 2009-01-27 19:33:03 +00:00
parent cd55529eaa
commit 10994e9027
3 changed files with 41 additions and 0 deletions

View File

@ -21,6 +21,9 @@ class IssueRelationsController < ApplicationController
def new
@relation = IssueRelation.new(params[:relation])
@relation.issue_from = @issue
if params[:relation] && !params[:relation][:issue_to_id].blank?
@relation.issue_to = Issue.visible.find_by_id(params[:relation][:issue_to_id])
end
@relation.save if request.post?
respond_to do |format|
format.html { redirect_to :controller => 'issues', :action => 'show', :id => @issue }

View File

@ -35,6 +35,8 @@ class IssueRelation < ActiveRecord::Base
validates_numericality_of :delay, :allow_nil => true
validates_uniqueness_of :issue_to_id, :scope => :issue_from_id
attr_protected :issue_from_id, :issue_to_id
def validate
if issue_from && issue_to
errors.add :issue_to_id, :activerecord_error_invalid if issue_from_id == issue_to_id

View File

@ -6,6 +6,23 @@ class IssueRelationsController; def rescue_action(e) raise e end; end
class IssueRelationsControllerTest < Test::Unit::TestCase
fixtures :projects,
:users,
:roles,
:members,
:issues,
:issue_statuses,
:enabled_modules,
:enumerations,
:trackers
def setup
@controller = IssueRelationsController.new
@request = ActionController::TestRequest.new
@response = ActionController::TestResponse.new
User.current = nil
end
def test_new_routing
assert_routing(
{:method => :post, :path => '/issues/1/relations'},
@ -19,4 +36,23 @@ class IssueRelationsControllerTest < Test::Unit::TestCase
{:method => :post, :path => '/issues/1/relations/23/destroy'}
)
end
def test_new
assert_difference 'IssueRelation.count' do
@request.session[:user_id] = 3
post :new, :issue_id => 1,
:relation => {:issue_to_id => '2', :relation_type => 'relates', :delay => ''}
end
end
def test_should_create_relations_with_visible_issues_only
Setting.cross_project_issue_relations = '1'
assert_nil Issue.visible(User.find(3)).find_by_id(4)
assert_no_difference 'IssueRelation.count' do
@request.session[:user_id] = 3
post :new, :issue_id => 1,
:relation => {:issue_to_id => '4', :relation_type => 'relates', :delay => ''}
end
end
end