Fixed: private queries should not be accessible to other users (#8729).
git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@6163 e93f8b46-1217-0410-a6f0-8f06a7374b81
This commit is contained in:
parent
aede35d226
commit
8914d323ee
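--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -18,6 +18,8 @@
 require 'uri'
 require 'cgi'
 
+class Unauthorized < Exception; end
+
 class ApplicationController < ActionController::Base
 include Redmine::I18n
 
@@ -41,6 +43,7 @@ class ApplicationController < ActionController::Base
 protect_from_forgery
 
 rescue_from ActionController::InvalidAuthenticityToken, :with => :invalid_authenticity_token
+rescue_from ::Unauthorized, :with => :deny_access
 
 include Redmine::Search::Controller
 include Redmine::MenuManager::MenuController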
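Review bot: `class Unauthorized < Exception; end` deliberately or accidentally places the new error outside the `StandardError` hierarchy, so a bare `rescue` or `rescue => e` anywhere in an action or helper will not catch it and only the added `rescue_from ::Unauthorized` handles it. That is actually the fail-closed choice for an authorization failure (a generic rescue could otherwise swallow it and go on rendering with `@query` already assigned), but nothing says so; a comment such as `# Subclasses Exception on purpose: an authorization failure must not be swallowed by a generic rescue` would keep the next reader from "fixing" it to `StandardError`. `deny_access` is defined outside this hunk; the functional test in this commit expects it to answer 403 for a logged-in user, and it is worth confirming what it does for an anonymous request, which may be a redirect to login rather than a 403.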
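--- a/app/helpers/queries_helper.rb
+++ b/app/helpers/queries_helper.rb
@@ -70,6 +70,7 @@ module QueriesHelper
 cond = "project_id IS NULL"
 cond << " OR project_id = #{@project.id}" if @project
 @query = Query.find(params[:query_id], :conditions => cond)
+raise ::Unauthorized unless @query.visible?
 @query.project = @project
 session[:query] = {:id => @query.id, :project_id => @query.project_id}
 sort_clear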
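Review bot: The added `raise ::Unauthorized unless @query.visible?` runs after `Query.find`, so a user probing `query_id` values gets a 404 for ids that do not exist or belong to another project and a 403 for ids that are someone else's private query, which discloses which ids exist even though their contents stay hidden. If that oracle is unwanted, `raise ActiveRecord::RecordNotFound unless @query.visible?` folds both cases into a 404, at the cost of changing the 403 the new functional test asserts. The check only guards the `params[:query_id]` branch; whether the other branch of this helper (reloading `session[:query]`, not visible here) re-validates visibility should be confirmed, since a query can be switched to private after its id was stored in the session. The enclosing helper method starts and ends outside the hunk.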
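--- a/app/models/query.rb
+++ b/app/models/query.rb
@@ -166,6 +166,11 @@ class Query < ActiveRecord::Base
 end if filters
 end
 
+# Returns true if the query is visible to +user+ or the current user.
+def visible?(user=User.current)
+self.is_public? || self.user_id == user.id
+end
+
 def editable_by?(user)
 return false unless user
 # Admin can edit them all and regular users can edit their private queries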
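Review bot: `visible?` dereferences `user.id` with no nil guard while the sibling `editable_by?` directly below begins with `return false unless user`, so an explicit `nil` raises `NoMethodError` here instead of answering false; adding `return false unless user` as the first line makes the two predicates consistent. The comment on `editable_by?` says admins can edit every query, yet `visible?` grants admins nothing, which leaves an admin able to edit a private query they can no longer load through the helper that calls `visible?`; if that is intended it deserves a comment, otherwise `user.admin? || self.is_public? || self.user_id == user.id` aligns the two (assuming a `User#admin?` predicate exists, as that comment implies). The default `User.current` for an anonymous visitor presumably still carries an id, so it is worth confirming no stored query can ever have that id as its `user_id`, since such a query would be visible to every anonymous user.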
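--- a/test/functional/issues_controller_test.rb
+++ b/test/functional/issues_controller_test.rb
@@ -18,9 +18,6 @@
 require File.expand_path('../../test_helper', __FILE__)
 require 'issues_controller'
 
-# Re-raise errors caught by the controller.
-class IssuesController; def rescue_action(e) raise e end; end
-
 class IssuesControllerTest < ActionController::TestCase
 fixtures :projects,
 :users,
@@ -194,6 +191,30 @@ class IssuesControllerTest < ActionController::TestCase
 assert_not_nil assigns(:issue_count_by_group)
 end
 
+def test_private_query_should_not_be_available_to_other_users
+q = Query.create!(:name => "private", :user => User.find(2), :is_public => false, :project => nil)
+@request.session[:user_id] = 3
+
+get :index, :query_id => q.id
+assert_response 403
+end
+
+def test_private_query_should_be_available_to_its_user
+q = Query.create!(:name => "private", :user => User.find(2), :is_public => false, :project => nil)
+@request.session[:user_id] = 2
+
+get :index, :query_id => q.id
+assert_response :success
+end
+
+def test_public_query_should_be_available_to_other_users
+q = Query.create!(:name => "private", :user => User.find(2), :is_public => true, :project => nil)
+@request.session[:user_id] = 3
+
+get :index, :query_id => q.id
+assert_response :success
+end
+
 def test_index_sort_by_field_not_included_in_columns
 Setting.issue_list_default_columns = %w(subject author)
 get :index, :sort => 'tracker'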
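Review bot: `test_public_query_should_be_available_to_other_users` builds its query with `:name => "private"` although it passes `:is_public => true`, which reads as a copy-paste slip; `:name => "public"` keeps the fixture self-describing. The three new tests only cover logged-in users with a global query: a case for an anonymous request (no `@request.session[:user_id]`) against a private query, and one for a project-scoped private query (`:project => Project.find(1)` instead of `:project => nil`), would pin down the two paths the helper under test treats differently. Dropping the `rescue_action` re-raise is what lets `rescue_from` produce the 403 the first new test asserts, but it applies to every test in this file, so any existing test that relied on exceptions propagating out of the controller will now see a rendered error response instead.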