Fixed: users should not be able to add relations with issues they're not allowed to view (#2589).
git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@2323 e93f8b46-1217-0410-a6f0-8f06a7374b81
parent
cd55529eaa
commit
10994e9027
@ -21,6 +21,9 @@ class IssueRelationsController < ApplicationController
|
||||||
def new
|
def new
|
||||||
@relation = IssueRelation.new(params[:relation])
|
@relation = IssueRelation.new(params[:relation])
|
||||||
@relation.issue_from = @issue
|
@relation.issue_from = @issue
|
||||||
|
if params[:relation] && !params[:relation][:issue_to_id].blank?
|
||||||
|
@relation.issue_to = Issue.visible.find_by_id(params[:relation][:issue_to_id])
|
||||||
|
end
|
||||||
@relation.save if request.post?
|
@relation.save if request.post?
|
||||||
respond_to do |format|
|
respond_to do |format|
|
||||||
format.html { redirect_to :controller => 'issues', :action => 'show', :id => @issue }
|
format.html { redirect_to :controller => 'issues', :action => 'show', :id => @issue }
|
||||||
|
|
|
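Review bot: When the requested issue is not visible, the new lookup leaves `@relation.issue_to` nil and the following `@relation.save` fails silently — the action still redirects to the issue page with no flash, so a user who simply mistyped an id gets no indication that the relation was refused (the rest of `new`, including its `end`, is outside the hunk). Not revealing whether the hidden issue exists is the right default, but a generic "could not save" message on a failed save in the post branch would not leak anything and would help legitimate users. The check also relies on `Issue.visible` defaulting to `User.current`, which is presumably set by a filter outside this hunk; if the action can be reached anonymously, confirm that the scope handles that case rather than falling open.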
@ -35,6 +35,8 @@ class IssueRelation < ActiveRecord::Base
|
||||||
validates_numericality_of :delay, :allow_nil => true
|
validates_numericality_of :delay, :allow_nil => true
|
||||||
validates_uniqueness_of :issue_to_id, :scope => :issue_from_id
|
validates_uniqueness_of :issue_to_id, :scope => :issue_from_id
|
||||||
|
|
||||||
|
attr_protected :issue_from_id, :issue_to_id
|
||||||
|
|
||||||
def validate
|
def validate
|
||||||
if issue_from && issue_to
|
if issue_from && issue_to
|
||||||
errors.add :issue_to_id, :activerecord_error_invalid if issue_from_id == issue_to_id
|
errors.add :issue_to_id, :activerecord_error_invalid if issue_from_id == issue_to_id
|
||||||
|
|
|
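Review bot: `attr_protected :issue_from_id, :issue_to_id` closes the mass-assignment path through `IssueRelation.new(params[:relation])`, but it is a blacklist: `relation_type` and `delay` remain assignable and any column added later is exposed by default, whereas a whitelist `attr_accessible :relation_type, :delay` would keep the model closed as it grows. Note also that the `validate` method shown only runs its checks when both `issue_from` and `issue_to` are present, so a relation whose target was dropped by the controller's visibility lookup (`issue_to` nil) must be rejected by a presence validation that is outside this hunk — worth confirming one exists, since otherwise the save would succeed with a nil target. `validate` continues past the end of the hunk.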
@ -6,6 +6,23 @@ class IssueRelationsController; def rescue_action(e) raise e end; end
|
||||||
|
|
||||||
|
|
||||||
class IssueRelationsControllerTest < Test::Unit::TestCase
|
class IssueRelationsControllerTest < Test::Unit::TestCase
|
||||||
|
fixtures :projects,
|
||||||
|
:users,
|
||||||
|
:roles,
|
||||||
|
:members,
|
||||||
|
:issues,
|
||||||
|
:issue_statuses,
|
||||||
|
:enabled_modules,
|
||||||
|
:enumerations,
|
||||||
|
:trackers
|
||||||
|
|
||||||
|
def setup
|
||||||
|
@controller = IssueRelationsController.new
|
||||||
|
@request = ActionController::TestRequest.new
|
||||||
|
@response = ActionController::TestResponse.new
|
||||||
|
User.current = nil
|
||||||
|
end
|
||||||
|
|
||||||
def test_new_routing
|
def test_new_routing
|
||||||
assert_routing(
|
assert_routing(
|
||||||
{:method => :post, :path => '/issues/1/relations'},
|
{:method => :post, :path => '/issues/1/relations'},
|
||||||
|
@ -19,4 +36,23 @@ class IssueRelationsControllerTest < Test::Unit::TestCase
|
||||||
{:method => :post, :path => '/issues/1/relations/23/destroy'}
|
{:method => :post, :path => '/issues/1/relations/23/destroy'}
|
||||||
)
|
)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def test_new
|
||||||
|
assert_difference 'IssueRelation.count' do
|
||||||
|
@request.session[:user_id] = 3
|
||||||
|
post :new, :issue_id => 1,
|
||||||
|
:relation => {:issue_to_id => '2', :relation_type => 'relates', :delay => ''}
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
def test_should_create_relations_with_visible_issues_only
|
||||||
|
Setting.cross_project_issue_relations = '1'
|
||||||
|
assert_nil Issue.visible(User.find(3)).find_by_id(4)
|
||||||
|
|
||||||
|
assert_no_difference 'IssueRelation.count' do
|
||||||
|
@request.session[:user_id] = 3
|
||||||
|
post :new, :issue_id => 1,
|
||||||
|
:relation => {:issue_to_id => '4', :relation_type => 'relates', :delay => ''}
|
||||||
|
end
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
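Review bot: `test_should_create_relations_with_visible_issues_only` sets `Setting.cross_project_issue_relations = '1'` and never restores it, so the value presumably leaks into tests that run afterwards (whether it does depends on how Setting is persisted and cached, which is not shown here); wrap the body in `begin … ensure Setting.cross_project_issue_relations = '0' end` or reset it in a `teardown`. The negative test also only asserts the count is unchanged; it does not show that visibility, rather than the cross-project rule or some other validation, is what blocked the request. A companion assertion that a user who can see issue 4 is able to create the same relation under the same setting would pin the intended behaviour.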