From f021c856c19ab4a30a77de6a39239ee437712fa5 Mon Sep 17 00:00:00 2001
From: Jean-Philippe Lang
Date: Sat, 31 Jan 2009 13:22:29 +0000
Subject: [PATCH] Fixed: issue details view discloses relations to issues that the user is not allowed to view (#2589).
git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@2343 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/models/issue.rb | 5 +++++
 app/views/issues/_relations.rhtml | 2 +-
 test/functional/issues_controller_test.rb | 15 +++++++++++++++
 3 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/app/models/issue.rb b/app/models/issue.rb
index d333fe3c..cbd26280 100644
--- a/app/models/issue.rb
+++ b/app/models/issue.rb
@@ -54,6 +54,11 @@ class Issue < ActiveRecord::Base
 named_scope :visible, lambda {|*args| { :include => :project, :conditions => Project.allowed_to_condition(args.first || User.current, :view_issues) } }
+ # Returns true if usr or current user is allowed to view the issue
+ def visible?(usr=nil)
+ (usr || User.current).allowed_to?(:view_issues, self.project)
+ end
+
 def after_initialize
 if new_record?
 # set default values for new records only
diff --git a/app/views/issues/_relations.rhtml b/app/views/issues/_relations.rhtml
index 7139210b..f99976f5 100644
--- a/app/views/issues/_relations.rhtml
+++ b/app/views/issues/_relations.rhtml
@@ -8,7 +8,7 @@
 <% if @issue.relations.any? %>
-<% @issue.relations.each do |relation| %>
+<% @issue.relations.select {|r| r.other_issue(@issue).visible? }.each do |relation| %>
diff --git a/test/functional/issues_controller_test.rb b/test/functional/issues_controller_test.rb
index 1097ca5d..cc1c7740 100644
--- a/test/functional/issues_controller_test.rb
+++ b/test/functional/issues_controller_test.rb
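Review bot: The new `def visible?(usr=nil)` answers the visibility question from `allowed_to?(:view_issues, self.project)` while the `named_scope :visible` just above it answers the same question through `Project.allowed_to_condition`, so the two definitions can silently diverge if one is later changed; a comment on the method, `# Keep in sync with the :visible named_scope above`, would make that coupling explicit. The partial change in app/views/issues/_relations.rhtml applies this predicate only where relations are rendered in the issue details view, so any other code path that renders or serializes `@issue.relations` would still disclose the related issue unless it applies the same check — the other callers are not visible here and are worth verifying. The `other_issue(@issue).visible?` call in the view also performs one permission lookup per relation, which looks acceptable at this scale but should be kept in mind if the list grows. The enclosing `class Issue` starts and ends outside the hunk.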
@@ -324,6 +324,21 @@ class IssuesControllerTest < Test::Unit::TestCase
 :content => /Notes/ } }
 end
+ def test_show_should_not_disclose_relations_to_invisible_issues
+ Setting.cross_project_issue_relations = '1'
+ IssueRelation.create!(:issue_from => Issue.find(1), :issue_to => Issue.find(2), :relation_type => 'relates')
+ # Relation to a private project issue
+ IssueRelation.create!(:issue_from => Issue.find(1), :issue_to => Issue.find(4), :relation_type => 'relates')
+
+ get :show, :id => 1
+ assert_response :success
+
+ assert_tag :div, :attributes => { :id => 'relations' },
+ :descendant => { :tag => 'a', :content => /#2$/ }
+ assert_no_tag :div, :attributes => { :id => 'relations' },
+ :descendant => { :tag => 'a', :content => /#4$/ }
+ end
+
 def test_new_routing
 assert_routing(
 {:method => :get, :path => '/projects/1/issues/new'},
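Review bot: `Setting.cross_project_issue_relations = '1'` in `test_show_should_not_disclose_relations_to_invisible_issues` changes a global setting and never restores it, so later tests in the same run that rely on the default value may observe the changed one unless the harness resets settings between tests (not visible here). Capturing the previous value first and restoring it in an `ensure` clause, `previous = Setting.cross_project_issue_relations` … `ensure Setting.cross_project_issue_relations = previous`, keeps the test self-contained. The test also only checks the rendered partial; a unit test calling `Issue#visible?` directly with a user who lacks `:view_issues` on the project would pin the model method the view now depends on. The enclosing `class IssuesControllerTest` starts and ends outside the hunk.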
<%= l(relation.label_for(@issue)) %> <%= "(#{lwr(:actionview_datehelper_time_in_words_day, relation.delay)})" if relation.delay && relation.delay != 0 %> <%= h(relation.other_issue(@issue).project) + ' - ' if Setting.cross_project_issue_relations? %> <%= link_to_issue relation.other_issue(@issue) %>