Fixed: users should not be able to add relations with issues they're not allowed to view (#2589).

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@2323 e93f8b46-1217-0410-a6f0-8f06a7374b81
2009-01-27 19:33:03 +00:00 · 2009-01-27 19:33:03 +00:00 · 10994e9027
parent cd55529eaa
commit 10994e9027
3 changed files with 41 additions and 0 deletions
--- a/app/controllers/issue_relations_controller.rb
+++ b/app/controllers/issue_relations_controller.rb
@ -21,6 +21,9 @@ class IssueRelationsController < ApplicationController
  def new
    @relation = IssueRelation.new(params[:relation])
    @relation.issue_from = @issue
+    if params[:relation] && !params[:relation][:issue_to_id].blank?
+      @relation.issue_to = Issue.visible.find_by_id(params[:relation][:issue_to_id])
+    end
    @relation.save if request.post?
    respond_to do |format|
      format.html { redirect_to :controller => 'issues', :action => 'show', :id => @issue }
--- a/app/models/issue_relation.rb
+++ b/app/models/issue_relation.rb
@ -35,6 +35,8 @@ class IssueRelation < ActiveRecord::Base
  validates_numericality_of :delay, :allow_nil => true
  validates_uniqueness_of :issue_to_id, :scope => :issue_from_id
  
+  attr_protected :issue_from_id, :issue_to_id
+  
  def validate
    if issue_from && issue_to
      errors.add :issue_to_id, :activerecord_error_invalid if issue_from_id == issue_to_id
--- a/test/functional/issue_relations_controller_test.rb
+++ b/test/functional/issue_relations_controller_test.rb
@ -6,6 +6,23 @@ class IssueRelationsController; def rescue_action(e) raise e end; end


 class IssueRelationsControllerTest < Test::Unit::TestCase
+  fixtures :projects,
+           :users,
+           :roles,
+           :members,
+           :issues,
+           :issue_statuses,
+           :enabled_modules,
+           :enumerations,
+           :trackers
+  
+  def setup
+    @controller = IssueRelationsController.new
+    @request    = ActionController::TestRequest.new
+    @response   = ActionController::TestResponse.new
+    User.current = nil
+  end
+  
  def test_new_routing
    assert_routing(
      {:method => :post, :path => '/issues/1/relations'},
@ -19,4 +36,23 @@ class IssueRelationsControllerTest < Test::Unit::TestCase
      {:method => :post, :path => '/issues/1/relations/23/destroy'}
    )
  end
+  
+  def test_new
+    assert_difference 'IssueRelation.count' do
+      @request.session[:user_id] = 3
+      post :new, :issue_id => 1, 
+                 :relation => {:issue_to_id => '2', :relation_type => 'relates', :delay => ''}
+    end
+  end
+  
+  def test_should_create_relations_with_visible_issues_only
+    Setting.cross_project_issue_relations = '1'
+    assert_nil Issue.visible(User.find(3)).find_by_id(4)
+    
+    assert_no_difference 'IssueRelation.count' do
+      @request.session[:user_id] = 3
+      post :new, :issue_id => 1, 
+                 :relation => {:issue_to_id => '4', :relation_type => 'relates', :delay => ''}
+    end
+  end
 end