From 10994e902779aba086f58a75abfbaf7fe10eb2f2 Mon Sep 17 00:00:00 2001
From: Jean-Philippe Lang
Date: Tue, 27 Jan 2009 19:33:03 +0000
Subject: [PATCH] Fixed: users should not be able to add relations with issues they're not allowed to view (#2589).

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@2323 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/controllers/issue_relations_controller.rb | 3 ++
 app/models/issue_relation.rb | 2 ++
 .../issue_relations_controller_test.rb | 36 +++++++++++++++++++
 3 files changed, 41 insertions(+)

diff --git a/app/controllers/issue_relations_controller.rb b/app/controllers/issue_relations_controller.rb
index 2ca3f0d6..8a41c383 100644
--- a/app/controllers/issue_relations_controller.rb
+++ b/app/controllers/issue_relations_controller.rb
@@ -21,6 +21,9 @@ class IssueRelationsController < ApplicationController
   def new
     @relation = IssueRelation.new(params[:relation])
     @relation.issue_from = @issue
+    if params[:relation] && !params[:relation][:issue_to_id].blank?
+      @relation.issue_to = Issue.visible.find_by_id(params[:relation][:issue_to_id])
+    end
     @relation.save if request.post?
     respond_to do |format|
       format.html { redirect_to :controller => 'issues', :action => 'show', :id => @issue }
diff --git a/app/models/issue_relation.rb b/app/models/issue_relation.rb
index 49329e0b..13e14ccc 100644
--- a/app/models/issue_relation.rb
+++ b/app/models/issue_relation.rb
@@ -35,6 +35,8 @@ class IssueRelation < ActiveRecord::Base
   validates_numericality_of :delay, :allow_nil => true
   validates_uniqueness_of :issue_to_id, :scope => :issue_from_id
+  attr_protected :issue_from_id, :issue_to_id
+
   def validate
     if issue_from && issue_to
       errors.add :issue_to_id, :activerecord_error_invalid if issue_from_id == issue_to_id
diff --git a/test/functional/issue_relations_controller_test.rb b/test/functional/issue_relations_controller_test.rb
index 69464c5f..dc64a004 100644
--- a/test/functional/issue_relations_controller_test.rb
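Review bot: When the requested target is not visible or does not exist, `Issue.visible.find_by_id` leaves `@relation.issue_to` nil, the following `@relation.save if request.post?` fails, and the html branch still redirects to the issue page, so the user gets no indication of why no relation was created. Consider surfacing the validation failure before the redirect, e.g. `flash[:error] = @relation.errors.full_messages.join(', ') unless @relation.errors.empty?` (or whatever message key this app uses for invalid relations). Returning nil for both "missing" and "not visible" ids is the right choice here, since it does not confirm the existence of issues the caller may not see; `Issue.visible` with no argument presumably scopes to `User.current`, which the test hunk confirms by passing `User.find(3)` explicitly. `def new` continues past the end of the hunk.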
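Review bot: `attr_protected :issue_from_id, :issue_to_id` is a deny-list, so every other column of IssueRelation stays mass-assignable and any column added later is exposed by default; the allow-list form `attr_accessible :relation_type, :delay` expresses the same intent and fails closed for future attributes. Also note that once these keys are protected, any existing caller that passes `:issue_from_id` or `:issue_to_id` through `new`/`create`/`update_attributes` has them silently dropped (this Rails generation logs the removal rather than raising, as far as I can tell), so such callers should be checked rather than discovered by a failing save. `def validate` continues past the end of the hunk.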
+++ b/test/functional/issue_relations_controller_test.rb
@@ -6,6 +6,23 @@ class IssueRelationsController; def rescue_action(e) raise e end; end
 class IssueRelationsControllerTest < Test::Unit::TestCase
+  fixtures :projects,
+           :users,
+           :roles,
+           :members,
+           :issues,
+           :issue_statuses,
+           :enabled_modules,
+           :enumerations,
+           :trackers
+
+  def setup
+    @controller = IssueRelationsController.new
+    @request = ActionController::TestRequest.new
+    @response = ActionController::TestResponse.new
+    User.current = nil
+  end
+
   def test_new_routing
     assert_routing(
       {:method => :post, :path => '/issues/1/relations'},
@@ -19,4 +36,23 @@ class IssueRelationsControllerTest < Test::Unit::TestCase
       {:method => :post, :path => '/issues/1/relations/23/destroy'}
     )
   end
+
+  def test_new
+    assert_difference 'IssueRelation.count' do
+      @request.session[:user_id] = 3
+      post :new, :issue_id => 1,
+           :relation => {:issue_to_id => '2', :relation_type => 'relates', :delay => ''}
+    end
+  end
+
+  def test_should_create_relations_with_visible_issues_only
+    Setting.cross_project_issue_relations = '1'
+    assert_nil Issue.visible(User.find(3)).find_by_id(4)
+
+    assert_no_difference 'IssueRelation.count' do
+      @request.session[:user_id] = 3
+      post :new, :issue_id => 1,
+           :relation => {:issue_to_id => '4', :relation_type => 'relates', :delay => ''}
+    end
+  end
 end
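Review bot: `test_should_create_relations_with_visible_issues_only` sets `Setting.cross_project_issue_relations = '1'` and never restores it, so the global setting leaks into whichever test runs next in the same process; capture the old value first with `previous = Setting.cross_project_issue_relations` and restore it at the end with `Setting.cross_project_issue_relations = previous` (an `ensure` or `teardown` would make that robust to assertion failures). The negative test also only shows that the count did not change, not that the rejection was due to visibility: a companion check that the same request succeeds for a user who can see issue 4 would separate the security check from a generic save failure. Likewise `test_new` would be stronger if it pinned the created row, e.g. `assert_equal 2, IssueRelation.find(:first, :order => 'id DESC').issue_to_id`.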