Fixed: search engine may reveal private projects (#1613).

git-svn-id: http://redmine.rubyforge.org/svn/trunk@1649 e93f8b46-1217-0410-a6f0-8f06a7374b81
This commit is contained in:
Jean-Philippe Lang 2008-07-10 12:31:49 +00:00
parent de3d5a88e4
commit be4cc2f99e
4 changed files with 147 additions and 10 deletions

View File

@ -28,7 +28,8 @@ class Journal < ActiveRecord::Base
acts_as_searchable :columns => 'notes',
:include => {:issue => :project},
:project_key => "#{Issue.table_name}.project_id",
:date_column => "#{Issue.table_name}.created_on"
:date_column => "#{Issue.table_name}.created_on",
:permission => :view_issues
acts_as_event :title => Proc.new {|o| status = ((s = o.new_status) ? " (#{s})" : nil); "#{o.issue.tracker} ##{o.issue.id}#{status}: #{o.issue.subject}" },
:description => :notes,

View File

@ -112,7 +112,9 @@ class Project < ActiveRecord::Base
end
if user.admin?
# no restriction
elsif user.logged?
else
statements << "1=0"
if user.logged?
statements << "#{Project.table_name}.is_public = #{connection.quoted_true}" if Role.non_member.allowed_to?(permission)
allowed_project_ids = user.memberships.select {|m| m.role.allowed_to?(permission)}.collect {|m| m.project_id}
statements << "#{Project.table_name}.id IN (#{allowed_project_ids.join(',')})" if allowed_project_ids.any?
@ -121,7 +123,7 @@ class Project < ActiveRecord::Base
statements << "#{Project.table_name}.is_public = #{connection.quoted_true}"
else
# anonymous user is not authorized
statements << "1=0"
end
end
statements.empty? ? base_statement : "((#{base_statement}) AND (#{statements.join(' OR ')}))"
end

134
test/unit/search_test.rb Normal file
View File

@ -0,0 +1,134 @@
# redMine - project management software
# Copyright (C) 2006-2008 Jean-Philippe Lang
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
require File.dirname(__FILE__) + '/../test_helper'
class SearchTest < Test::Unit::TestCase
fixtures :users,
:members,
:projects,
:roles,
:enabled_modules,
:issues,
:trackers,
:journals,
:journal_details,
:repositories,
:changesets
def setup
@project = Project.find(1)
@issue_keyword = '%Unable to print recipes%'
@issue = Issue.find(1)
@changeset_keyword = '%very first commit%'
@changeset = Changeset.find(100)
end
def test_search_by_anonymous
User.current = nil
r = Issue.search(@issue_keyword)
assert r.include?(@issue)
r = Changeset.search(@changeset_keyword)
assert r.include?(@changeset)
# Removes the :view_changesets permission from Anonymous role
remove_permission Role.anonymous, :view_changesets
r = Issue.search(@issue_keyword)
assert r.include?(@issue)
r = Changeset.search(@changeset_keyword)
assert !r.include?(@changeset)
# Make the project private
@project.update_attribute :is_public, false
r = Issue.search(@issue_keyword)
assert !r.include?(@issue)
r = Changeset.search(@changeset_keyword)
assert !r.include?(@changeset)
end
def test_search_by_user
User.current = User.find_by_login('rhill')
assert User.current.memberships.empty?
r = Issue.search(@issue_keyword)
assert r.include?(@issue)
r = Changeset.search(@changeset_keyword)
assert r.include?(@changeset)
# Removes the :view_changesets permission from Non member role
remove_permission Role.non_member, :view_changesets
r = Issue.search(@issue_keyword)
assert r.include?(@issue)
r = Changeset.search(@changeset_keyword)
assert !r.include?(@changeset)
# Make the project private
@project.update_attribute :is_public, false
r = Issue.search(@issue_keyword)
assert !r.include?(@issue)
r = Changeset.search(@changeset_keyword)
assert !r.include?(@changeset)
end
def test_search_by_allowed_member
User.current = User.find_by_login('jsmith')
assert User.current.projects.include?(@project)
r = Issue.search(@issue_keyword)
assert r.include?(@issue)
r = Changeset.search(@changeset_keyword)
assert r.include?(@changeset)
# Make the project private
@project.update_attribute :is_public, false
r = Issue.search(@issue_keyword)
assert r.include?(@issue)
r = Changeset.search(@changeset_keyword)
assert r.include?(@changeset)
end
def test_search_by_unallowed_member
# Removes the :view_changesets permission from user's and non member role
remove_permission Role.find(1), :view_changesets
remove_permission Role.non_member, :view_changesets
User.current = User.find_by_login('jsmith')
assert User.current.projects.include?(@project)
r = Issue.search(@issue_keyword)
assert r.include?(@issue)
r = Changeset.search(@changeset_keyword)
assert !r.include?(@changeset)
# Make the project private
@project.update_attribute :is_public, false
r = Issue.search(@issue_keyword)
assert r.include?(@issue)
r = Changeset.search(@changeset_keyword)
assert !r.include?(@changeset)
end
private
def remove_permission(role, permission)
role.permissions = role.permissions - [ permission ]
role.save
end
end

View File

@ -67,7 +67,7 @@ module Redmine
module ClassMethods
# Search the model for the given tokens
# projects argument can be either nil (will search all projects), a project or an array of projects
def search(tokens, projects, options={})
def search(tokens, projects=nil, options={})
tokens = [] << tokens unless tokens.is_a?(Array)
projects = [] << projects unless projects.nil? || projects.is_a?(Array)