jro_apps/redmine Commit - r11709:019f57e5c71e

Fixed that journal details about issue relations may disclose issues that are not visible (#1005)....

Jean-Philippe Lang -

r11709:019f57e5c71e

parent child

Context file:

r11709:019f57e5c71e

Collapse all files

app/helpers/issues_helper.rb +2 -2

                   label = l(:label_attachment)
                 when 'relation'
                   if detail.value && !detail.old_value
-                    rel_issue = Issue.find_by_id(detail.value)
+                    rel_issue = Issue.visible.find_by_id(detail.value)
                     value = rel_issue.nil? ? "#{l(:label_issue)} #{detail.value}" :
                               (no_html ? rel_issue : link_to_issue(rel_issue))
                   elsif detail.old_value && !detail.value
-                    rel_issue = Issue.find_by_id(detail.old_value)
+                    rel_issue = Issue.visible.find_by_id(detail.old_value)
                     old_value = rel_issue.nil? ? "#{l(:label_issue)} #{detail.old_value}" :
                                       (no_html ? rel_issue : link_to_issue(rel_issue))
                   end

test/unit/helpers/issues_helper_test.rb +20 0

@@ -227,6 +227,16 class IssuesHelperTest < ActionView::TestCase
227	assert_equal "<strong>Precedes</strong> <i>Issue #{non_existed_issue_number}</i> added", show_detail(detail, false)	227	assert_equal "<strong>Precedes</strong> <i>Issue #{non_existed_issue_number}</i> added", show_detail(detail, false)
228	end	228	end
229		229
		230	def test_show_detail_relation_added_should_not_disclose_issue_that_is_not_visible
		231	issue = Issue.generate!(:is_private => true)
		232	detail = JournalDetail.new(:property => 'relation',
		233	:prop_key => 'label_precedes',
		234	:value => issue.id)
		235
		236	assert_equal "Precedes Issue #{issue.id} added", show_detail(detail, true)
		237	assert_equal "<strong>Precedes</strong> <i>Issue #{issue.id}</i> added", show_detail(detail, false)
		238	end
		239
230	def test_show_detail_delete_relation	240	def test_show_detail_delete_relation
231	detail = JournalDetail.new(:property => 'relation',	241	detail = JournalDetail.new(:property => 'relation',
232	:prop_key => 'label_precedes',	242	:prop_key => 'label_precedes',
@@ -242,4 +252,14 class IssuesHelperTest < ActionView::TestCase
242	assert_equal "Precedes deleted (Issue 9999)", show_detail(detail, true)	252	assert_equal "Precedes deleted (Issue 9999)", show_detail(detail, true)
243	assert_equal "<strong>Precedes</strong> deleted (<i>Issue 9999</i>)", show_detail(detail, false)	253	assert_equal "<strong>Precedes</strong> deleted (<i>Issue 9999</i>)", show_detail(detail, false)
244	end	254	end
		255
		256	def test_show_detail_relation_deleted_should_not_disclose_issue_that_is_not_visible
		257	issue = Issue.generate!(:is_private => true)
		258	detail = JournalDetail.new(:property => 'relation',
		259	:prop_key => 'label_precedes',
		260	:old_value => issue.id)
		261
		262	assert_equal "Precedes deleted (Issue #{issue.id})", show_detail(detail, true)
		263	assert_equal "<strong>Precedes</strong> deleted (<i>Issue #{issue.id}</i>)", show_detail(detail, false)
		264	end
245	end	265	end

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages