Verify issues are updated by HTTP PUT only. Regression from r3486.

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@3520 e93f8b46-1217-0410-a6f0-8f06a7374b81
2010-03-01 18:29:18 +00:00 · 2010-03-01 18:29:18 +00:00 · f5f5a5f64f
parent 8699e5bbcd
commit f5f5a5f64f
2 changed files with 17 additions and 1 deletions
--- a/app/controllers/issues_controller.rb
+++ b/app/controllers/issues_controller.rb
@ -50,7 +50,9 @@ class IssuesController < ApplicationController
  verify :method => [:post, :delete],
         :only => :destroy,
         :render => { :nothing => true, :status => :method_not_allowed }
-           
+
+  verify :method => :put, :only => :update, :render => {:nothing => true, :status => :method_not_allowed }
+  
  def index
    retrieve_query
    sort_init(@query.sort_criteria.empty? ? [['id', 'desc']] : @query.sort_criteria)
--- a/test/functional/issues_controller_test.rb
+++ b/test/functional/issues_controller_test.rb
@ -657,6 +657,20 @@ class IssuesControllerTest < ActionController::TestCase
    assert_select_rjs :show, "update"
  end

+  def test_update_using_invalid_http_verbs
+    @request.session[:user_id] = 2
+    subject = 'Updated by an invalid http verb'
+
+    get :update, :id => 1, :issue => {:subject => subject}
+    assert_not_equal subject, Issue.find(1).subject
+
+    post :update, :id => 1, :issue => {:subject => subject}
+    assert_not_equal subject, Issue.find(1).subject
+
+    delete :update, :id => 1, :issue => {:subject => subject}
+    assert_not_equal subject, Issue.find(1).subject
+  end
+
  def test_put_update_without_custom_fields_param
    @request.session[:user_id] = 2
    ActionMailer::Base.deliveries.clear