kolan/Redmine
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Make sure user can not watch what he is not allowed to view.

Browse Source 
git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@3170 e93f8b46-1217-0410-a6f0-8f06a7374b81
This commit is contained in:
Jean-Philippe Lang 2009-12-13 14:48:28 +00:00
parent bb477a3a0f
commit 9a452a5c35
2 changed files with 14 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
app/controllers/watchers_controller.rb
View File

@ -25,8 +25,12 @@ class WatchersController < ApplicationController
:render => { :nothing => true, :status => :method_not_allowed } :render => { :nothing => true, :status => :method_not_allowed }
def watch def watch
if @watched.respond_to?(:visible?) && !@watched.visible?(User.current)
render_403
else
set_watcher(User.current, true) set_watcher(User.current, true)
end end
end
def unwatch def unwatch
set_watcher(User.current, false) set_watcher(User.current, false)

9
test/functional/watchers_controller_test.rb
View File

@ -48,6 +48,15 @@ class WatchersControllerTest < ActionController::TestCase
assert Issue.find(1).watched_by?(User.find(3)) assert Issue.find(1).watched_by?(User.find(3))
end end
def test_watch_should_be_denied_without_permission
Role.find(2).remove_permission! :view_issues
@request.session[:user_id] = 3
assert_no_difference('Watcher.count') do
xhr :post, :watch, :object_type => 'issue', :object_id => '1'
assert_response 403
end
end
def test_watch_with_multiple_replacements def test_watch_with_multiple_replacements
@request.session[:user_id] = 3 @request.session[:user_id] = 3
assert_difference('Watcher.count') do assert_difference('Watcher.count') do