Fixes a data disclosure issue introduced in r3941.

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@4535 e93f8b46-1217-0410-a6f0-8f06a7374b81
2010-12-18 17:11:41 +00:00 · 2010-12-18 17:11:41 +00:00 · 93847ae337
parent 525656a490
commit 93847ae337
2 changed files with 9 additions and 2 deletions
--- a/app/controllers/journals_controller.rb
+++ b/app/controllers/journals_controller.rb
@ -19,6 +19,7 @@ class JournalsController < ApplicationController
  before_filter :find_journal, :only => [:edit]
  before_filter :find_issue, :only => [:new]
  before_filter :find_optional_project, :only => [:index]
+  before_filter :authorize, :only => [:new, :edit]
  accept_key_auth :index

  helper :issues
--- a/test/functional/journals_controller_test.rb
+++ b/test/functional/journals_controller_test.rb
@ -40,14 +40,20 @@ class JournalsControllerTest < ActionController::TestCase
  
  def test_reply_to_issue
    @request.session[:user_id] = 2
-    get :new, :id => 1
+    get :new, :id => 6
    assert_response :success
    assert_select_rjs :show, "update"
  end
+  
+  def test_reply_to_issue_without_permission
+    @request.session[:user_id] = 7
+    get :new, :id => 6
+    assert_response 403
+  end

  def test_reply_to_note
    @request.session[:user_id] = 2
-    get :new, :id => 1, :journal_id => 2
+    get :new, :id => 6, :journal_id => 4
    assert_response :success
    assert_select_rjs :show, "update"
  end