From 15f035be518d65f6a8debed0dd19d58190e8b492 2013-01-20 16:04:25 From: Jean-Philippe Lang Date: 2013-01-20 16:04:25 Subject: [PATCH] Respond with 404 when params[:ids] is missing (#12898). git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@11226 e93f8b46-1217-0410-a6f0-8f06a7374b81 --- diff --git a/app/controllers/context_menus_controller.rb b/app/controllers/context_menus_controller.rb index 553353b..bc434ea 100644 --- a/app/controllers/context_menus_controller.rb +++ b/app/controllers/context_menus_controller.rb @@ -21,6 +21,7 @@ class ContextMenusController < ApplicationController def issues @issues = Issue.visible.all(:conditions => {:id => params[:ids]}, :include => :project) + (render_404; return) unless @issues.present? if (@issues.size == 1) @issue = @issues.first end @@ -74,6 +75,8 @@ class ContextMenusController < ApplicationController def time_entries @time_entries = TimeEntry.all( :conditions => {:id => params[:ids]}, :include => :project) + (render_404; return) unless @time_entries.present? + @projects = @time_entries.collect(&:project).compact.uniq @project = @projects.first if @projects.size == 1 @activities = TimeEntryActivity.shared.active diff --git a/test/functional/context_menus_controller_test.rb b/test/functional/context_menus_controller_test.rb index b3e6435..9039ab0 100644 --- a/test/functional/context_menus_controller_test.rb +++ b/test/functional/context_menus_controller_test.rb @@ -226,6 +226,11 @@ class ContextMenusControllerTest < ActionController::TestCase assert_equal [1], assigns(:issues).collect(&:id) end + def test_should_respond_with_404_without_ids + get :issues + assert_response 404 + end + def test_time_entries_context_menu @request.session[:user_id] = 2 get :time_entries, :ids => [1, 2]
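Review bot: The new guard in `issues` has no comment saying that it covers two cases: `params[:ids]` missing, and every requested id filtered out by `Issue.visible`. Both end in the same 404, so the response does not distinguish a hidden issue from a nonexistent one. That is worth stating so a later change does not split the cases into 404 and 403. I would add above the guard `# 404 both when no ids are given and when none of them is visible to the user`. The body of `issues` continues past the end of the hunk.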
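Review bot: In `time_entries` the lookup is `TimeEntry.all(:conditions => {:id => params[:ids]}, :include => :project)` with no visibility scope, unlike `Issue.visible.all(...)` in `issues`. The added `unless @time_entries.present?` guard therefore catches only missing or unknown ids, not entries the current user is not allowed to see. Authorization may be enforced by a filter or further down in the method, both outside this hunk, but that should be confirmed. If it is not, scope the query the way `issues` does (with a visibility scope on TimeEntry, if the model has one) so that non-visible ids also fall into the 404 branch.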
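Review bot: The added test covers only the `issues` action, so the identical guard added to `time_entries` in the controller has no test. A sibling test doing `get :time_entries` followed by `assert_response 404` would pin that branch too. The existing time-entries test sets `@request.session[:user_id] = 2` first, so the new test may need the same line to get past any login or permission check before the guard is reached.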