jro_apps/redmine Commit - r11709:019f57e5c71e

Fixed that journal details about issue relations may disclose issues that are not visible (#1005)....

Jean-Philippe Lang -

r11709:019f57e5c71e

parent child

Context file:

r11709:019f57e5c71e

Collapse all files

app/helpers/issues_helper.rb +2 -2

                    label = l(:label_attachment)
                  when 'relation'
                    if detail.value && !detail.old_value
-                     rel_issue = Issue.find_by_id(detail.value)
+                     rel_issue = Issue.visible.find_by_id(detail.value)
                      value = rel_issue.nil? ? "#{l(:label_issue)} #{detail.value}" :
                                (no_html ? rel_issue : link_to_issue(rel_issue))
                    elsif detail.old_value && !detail.value
-                     rel_issue = Issue.find_by_id(detail.old_value)
+                     rel_issue = Issue.visible.find_by_id(detail.old_value)
                      old_value = rel_issue.nil? ? "#{l(:label_issue)} #{detail.old_value}" :
                                        (no_html ? rel_issue : link_to_issue(rel_issue))
                    end

test/unit/helpers/issues_helper_test.rb +20 0

                  assert_equal "<strong>Precedes</strong> <i>Issue #{non_existed_issue_number}</i> added", show_detail(detail, false)
                end
+               def test_show_detail_relation_added_should_not_disclose_issue_that_is_not_visible
+                 issue = Issue.generate!(:is_private => true)
+                 detail = JournalDetail.new(:property => 'relation',
+                                            :prop_key => 'label_precedes',
+                                            :value    => issue.id)
+                 assert_equal "Precedes Issue #{issue.id} added", show_detail(detail, true)
+                 assert_equal "<strong>Precedes</strong> <i>Issue #{issue.id}</i> added", show_detail(detail, false)
+               end
                def test_show_detail_delete_relation
                  detail = JournalDetail.new(:property  => 'relation',
                                             :prop_key  => 'label_precedes',
                  assert_equal "Precedes deleted (Issue 9999)", show_detail(detail, true)
                  assert_equal "<strong>Precedes</strong> deleted (<i>Issue 9999</i>)", show_detail(detail, false)
                end
+               def test_show_detail_relation_deleted_should_not_disclose_issue_that_is_not_visible
+                 issue = Issue.generate!(:is_private => true)
+                 detail = JournalDetail.new(:property => 'relation',
+                                            :prop_key => 'label_precedes',
+                                            :old_value    => issue.id)
+                 assert_equal "Precedes deleted (Issue #{issue.id})", show_detail(detail, true)
+                 assert_equal "<strong>Precedes</strong> deleted (<i>Issue #{issue.id}</i>)", show_detail(detail, false)
+               end
              end

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages