Make sure user can not watch what he is not allowed to view.
git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@3170 e93f8b46-1217-0410-a6f0-8f06a7374b81
This commit is contained in:
parent
bb477a3a0f
commit
9a452a5c35
|
@ -25,8 +25,12 @@ class WatchersController < ApplicationController
|
|||
:render => { :nothing => true, :status => :method_not_allowed }
|
||||
|
||||
def watch
|
||||
if @watched.respond_to?(:visible?) && !@watched.visible?(User.current)
|
||||
render_403
|
||||
else
|
||||
set_watcher(User.current, true)
|
||||
end
|
||||
end
|
||||
|
||||
def unwatch
|
||||
set_watcher(User.current, false)
|
||||
|
|
|
@ -48,6 +48,15 @@ class WatchersControllerTest < ActionController::TestCase
|
|||
assert Issue.find(1).watched_by?(User.find(3))
|
||||
end
|
||||
|
||||
def test_watch_should_be_denied_without_permission
|
||||
Role.find(2).remove_permission! :view_issues
|
||||
@request.session[:user_id] = 3
|
||||
assert_no_difference('Watcher.count') do
|
||||
xhr :post, :watch, :object_type => 'issue', :object_id => '1'
|
||||
assert_response 403
|
||||
end
|
||||
end
|
||||
|
||||
def test_watch_with_multiple_replacements
|
||||
@request.session[:user_id] = 3
|
||||
assert_difference('Watcher.count') do
|
||||
|
|
Loading…
Reference in New Issue