jro_apps/redmine Commit - r15239:1f9bbd6b42b3

Wrap journal attributes with a journal parameter and use safe_attributes (#22575)....

Jean-Philippe Lang -

r15239:1f9bbd6b42b3

parent child

Context file:

r15239:1f9bbd6b42b3

Collapse all files

app/controllers/journals_controller.rb +2 -4

             # Redmine - project management software
             # Copyright (C) 2006-2016  Jean-Philippe Lang
             #
             # This program is free software; you can redistribute it and/or
             # modify it under the terms of the GNU General Public License
             # as published by the Free Software Foundation; either version 2
             # of the License, or (at your option) any later version.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU General Public License
             # along with this program; if not, write to the Free Software
             # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
             class JournalsController < ApplicationController
               before_filter :find_journal, :only => [:edit, :update, :diff]
               before_filter :find_issue, :only => [:new]
               before_filter :find_optional_project, :only => [:index]
               before_filter :authorize, :only => [:new, :edit, :update, :diff]
               accept_rss_auth :index
               menu_item :issues
               helper :issues
               helper :custom_fields
               helper :queries
               include QueriesHelper
               helper :sort
               include SortHelper
               def index
                 retrieve_query
                 sort_init 'id', 'desc'
                 sort_update(@query.sortable_columns)
                 if @query.valid?
                   @journals = @query.journals(:order => "#{Journal.table_name}.created_on DESC",
                                               :limit => 25)
                 end
                 @title = (@project ? @project.name : Setting.app_title) + ": " + (@query.new_record? ? l(:label_changes_details) : @query.name)
                 render :layout => false, :content_type => 'application/atom+xml'
               rescue ActiveRecord::RecordNotFound
                 render_404
               end
               def diff
                 @issue = @journal.issue
                 if params[:detail_id].present?
                   @detail = @journal.details.find_by_id(params[:detail_id])
                 else
                   @detail = @journal.details.detect {|d| d.property == 'attr' && d.prop_key == 'description'}
                 end
                 unless @issue && @detail
                   render_404
                   return false
                 end
                 if @detail.property == 'cf'
                   unless @detail.custom_field && @detail.custom_field.visible_by?(@issue.project, User.current)
                     raise ::Unauthorized
                   end
                 end
                 @diff = Redmine::Helpers::Diff.new(@detail.value, @detail.old_value)
               end
               def new
                 @journal = Journal.visible.find(params[:journal_id]) if params[:journal_id]
                 if @journal
                   user = @journal.user
                   text = @journal.notes
                 else
                   user = @issue.author
                   text = @issue.description
                 end
                 # Replaces pre blocks with [...]
                 text = text.to_s.strip.gsub(%r{<pre>(.*?)</pre>}m, '[...]')
                 @content = "#{ll(Setting.default_language, :text_user_wrote, user)}\n> "
                 @content << text.gsub(/(\r?\n|\r\n?)/, "\n> ") + "\n\n"
               rescue ActiveRecord::RecordNotFound
                 render_404
               end
               def edit
                 (render_403; return false) unless @journal.editable_by?(User.current)
                 respond_to do |format|
                   # TODO: implement non-JS journal update
                   format.js
                 end
               end
               def update
                 (render_403; return false) unless @journal.editable_by?(User.current)
-                @journal.notes = params[:notes] if params[:notes]
+                @journal.safe_attributes = params[:journal]
-                @journal.private_notes = params[:private_notes].present?
+                @journal.save
-                (render_403; return false) if @journal.private_notes_changed? && User.current.allowed_to?(:set_notes_private, @journal.issue.project) == false
-                @journal.save if @journal.changed?
                 @journal.destroy if @journal.details.empty? && @journal.notes.blank?
                 call_hook(:controller_journals_edit_post, { :journal => @journal, :params => params})
                 respond_to do |format|
                   format.html { redirect_to issue_path(@journal.journalized) }
                   format.js
                 end
               end
               private
               def find_journal
                 @journal = Journal.visible.find(params[:id])
                 @project = @journal.journalized.project
               rescue ActiveRecord::RecordNotFound
                 render_404
               end
             end

app/helpers/journals_helper.rb +1 -1

             # encoding: utf-8
             #
             # Redmine - project management software
             # Copyright (C) 2006-2016  Jean-Philippe Lang
             #
             # This program is free software; you can redistribute it and/or
             # modify it under the terms of the GNU General Public License
             # as published by the Free Software Foundation; either version 2
             # of the License, or (at your option) any later version.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU General Public License
             # along with this program; if not, write to the Free Software
             # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
             module JournalsHelper
               # Returns the attachments of a journal that are displayed as thumbnails
               def journal_thumbnail_attachments(journal)
                 ids = journal.details.select {|d| d.property == 'attachment' && d.value.present?}.map(&:prop_key)
                 ids.any? ? Attachment.where(:id => ids).select(&:thumbnailable?) : []
               end
               def render_notes(issue, journal, options={})
                 content = ''
                 editable = User.current.logged? && (User.current.allowed_to?(:edit_issue_notes, issue.project) || (journal.user == User.current && User.current.allowed_to?(:edit_own_issue_notes, issue.project)))
                 links = []
                 if !journal.notes.blank?
                   links << link_to(l(:button_quote),
                                    quoted_issue_path(issue, :journal_id => journal),
                                    :remote => true,
                                    :method => 'post',
                                    :title => l(:button_quote),
                                    :class => 'icon-only icon-comment'
                                   ) if options[:reply_links]
                   links << link_to(l(:button_edit),
                                    edit_journal_path(journal),
                                    :remote => true,
                                    :method => 'get',
                                    :title => l(:button_edit),
                                    :class => 'icon-only icon-edit'
                                   ) if editable
                   links << link_to(l(:button_delete),
-                                   journal_path(journal, :notes => ""),
+                                   journal_path(journal, :journal => {:notes => ""}),
                                    :remote => true,
                                    :method => 'put', :data => {:confirm => l(:text_are_you_sure)},
                                    :title => l(:button_delete),
                                    :class => 'icon-only icon-del'
                                   ) if editable
                 end
                 content << content_tag('div', links.join(' ').html_safe, :class => 'contextual') unless links.empty?
                 content << textilizable(journal, :notes)
                 css_classes = "wiki"
                 css_classes << " editable" if editable
                 content_tag('div', content.html_safe, :id => "journal-#{journal.id}-notes", :class => css_classes)
               end
               def render_private_notes(journal)
                 content = journal.private_notes? ? l(:field_is_private) : ''
                 css_classes = journal.private_notes? ? 'private' : ''
                 content_tag('span', content.html_safe, :id => "journal-#{journal.id}-private_notes", :class => css_classes)
               end
             end

app/models/journal.rb +7 0

             # Redmine - project management software
             # Copyright (C) 2006-2016  Jean-Philippe Lang
             #
             # This program is free software; you can redistribute it and/or
             # modify it under the terms of the GNU General Public License
             # as published by the Free Software Foundation; either version 2
             # of the License, or (at your option) any later version.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU General Public License
             # along with this program; if not, write to the Free Software
             # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
             class Journal < ActiveRecord::Base
+              include Redmine::SafeAttributes
               belongs_to :journalized, :polymorphic => true
               # added as a quick fix to allow eager loading of the polymorphic association
               # since always associated to an issue, for now
               belongs_to :issue, :foreign_key => :journalized_id
               belongs_to :user
               has_many :details, :class_name => "JournalDetail", :dependent => :delete_all, :inverse_of => :journal
               attr_accessor :indice
               attr_protected :id
               acts_as_event :title => Proc.new {|o| status = ((s = o.new_status) ? " (#{s})" : nil); "#{o.issue.tracker} ##{o.issue.id}#{status}: #{o.issue.subject}" },
                             :description => :notes,
                             :author => :user,
                             :group => :issue,
                             :type => Proc.new {|o| (s = o.new_status) ? (s.is_closed? ? 'issue-closed' : 'issue-edit') : 'issue-note' },
                             :url => Proc.new {|o| {:controller => 'issues', :action => 'show', :id => o.issue.id, :anchor => "change-#{o.id}"}}
               acts_as_activity_provider :type => 'issues',
                                         :author_key => :user_id,
                                         :scope => preload({:issue => :project}, :user).
                                                   joins("LEFT OUTER JOIN #{JournalDetail.table_name} ON #{JournalDetail.table_name}.journal_id = #{Journal.table_name}.id").
                                                   where("#{Journal.table_name}.journalized_type = 'Issue' AND" +
                                                         " (#{JournalDetail.table_name}.prop_key = 'status_id' OR #{Journal.table_name}.notes <> '')").uniq
               before_create :split_private_notes
               after_create :send_notification
               scope :visible, lambda {|*args|
                 user = args.shift || User.current
                 joins(:issue => :project).
                   where(Issue.visible_condition(user, *args)).
                   where("(#{Journal.table_name}.private_notes = ? OR (#{Project.allowed_to_condition(user, :view_private_notes, *args)}))", false)
               }
+              safe_attributes 'notes',
+                :if => lambda {|journal, user| journal.new_record? || journal.editable_by?(user)}
+              safe_attributes 'private_notes',
+                :if => lambda {|journal, user| user.allowed_to?(:set_notes_private, journal.project)}
               def initialize(*args)
                 super
                 if journalized
                   if journalized.new_record?
                     self.notify = false
                   else
                     start
                   end
                 end
               end
               def save(*args)
                 journalize_changes
                 # Do not save an empty journal
                 (details.empty? && notes.blank?) ? false : super
               end
               # Returns journal details that are visible to user
               def visible_details(user=User.current)
                 details.select do |detail|
                   if detail.property == 'cf'
                     detail.custom_field && detail.custom_field.visible_by?(project, user)
                   elsif detail.property == 'relation'
                     Issue.find_by_id(detail.value || detail.old_value).try(:visible?, user)
                   else
                     true
                   end
                 end
               end
               def each_notification(users, &block)
                 if users.any?
                   users_by_details_visibility = users.group_by do |user|
                     visible_details(user)
                   end
                   users_by_details_visibility.each do |visible_details, users|
                     if notes? || visible_details.any?
                       yield(users)
                     end
                   end
                 end
               end
               # Returns the JournalDetail for the given attribute, or nil if the attribute
               # was not updated
               def detail_for_attribute(attribute)
                 details.detect {|detail| detail.prop_key == attribute}
               end
               # Returns the new status if the journal contains a status change, otherwise nil
               def new_status
                 s = new_value_for('status_id')
                 s ? IssueStatus.find_by_id(s.to_i) : nil
               end
               def new_value_for(prop)
                 detail_for_attribute(prop).try(:value)
               end
               def editable_by?(usr)
                 usr && usr.logged? && (usr.allowed_to?(:edit_issue_notes, project) || (self.user == usr && usr.allowed_to?(:edit_own_issue_notes, project)))
               end
               def project
                 journalized.respond_to?(:project) ? journalized.project : nil
               end
               def attachments
                 journalized.respond_to?(:attachments) ? journalized.attachments : nil
               end
               # Returns a string of css classes
               def css_classes
                 s = 'journal'
                 s << ' has-notes' unless notes.blank?
                 s << ' has-details' unless details.blank?
                 s << ' private-notes' if private_notes?
                 s
               end
               def notify?
                 @notify != false
               end
               def notify=(arg)
                 @notify = arg
               end
               def notified_users
                 notified = journalized.notified_users
                 if private_notes?
                   notified = notified.select {|user| user.allowed_to?(:view_private_notes, journalized.project)}
                 end
                 notified
               end
               def recipients
                 notified_users.map(&:mail)
               end
               def notified_watchers
                 notified = journalized.notified_watchers
                 if private_notes?
                   notified = notified.select {|user| user.allowed_to?(:view_private_notes, journalized.project)}
                 end
                 notified
               end
               def watcher_recipients
                 notified_watchers.map(&:mail)
               end
               # Sets @custom_field instance variable on journals details using a single query
               def self.preload_journals_details_custom_fields(journals)
                 field_ids = journals.map(&:details).flatten.select {|d| d.property == 'cf'}.map(&:prop_key).uniq
                 if field_ids.any?
                   fields_by_id = CustomField.where(:id => field_ids).inject({}) {|h, f| h[f.id] = f; h}
                   journals.each do |journal|
                     journal.details.each do |detail|
                       if detail.property == 'cf'
                         detail.instance_variable_set "@custom_field", fields_by_id[detail.prop_key.to_i]
                       end
                     end
                   end
                 end
                 journals
               end
               # Stores the values of the attributes and custom fields of the journalized object
               def start
                 if journalized
                   @attributes_before_change = journalized.journalized_attribute_names.inject({}) do |h, attribute|
                     h[attribute] = journalized.send(attribute)
                     h
                   end
                   @custom_values_before_change = journalized.custom_field_values.inject({}) do |h, c|
                     h[c.custom_field_id] = c.value
                     h
                   end
                 end
                 self
               end
               # Adds a journal detail for an attachment that was added or removed
               def journalize_attachment(attachment, added_or_removed)
                 key = (added_or_removed == :removed ? :old_value : :value)
                 details << JournalDetail.new(
                     :property => 'attachment',
                     :prop_key => attachment.id,
                     key => attachment.filename
                   )
               end
               # Adds a journal detail for an issue relation that was added or removed
               def journalize_relation(relation, added_or_removed)
                 key = (added_or_removed == :removed ? :old_value : :value)
                 details << JournalDetail.new(
                     :property  => 'relation',
                     :prop_key  => relation.relation_type_for(journalized),
                     key => relation.other_issue(journalized).try(:id)
                   )
               end
               private
               # Generates journal details for attribute and custom field changes
               def journalize_changes
                 # attributes changes
                 if @attributes_before_change
                   journalized.journalized_attribute_names.each {|attribute|
                     before = @attributes_before_change[attribute]
                     after = journalized.send(attribute)
                     next if before == after || (before.blank? && after.blank?)
                     add_attribute_detail(attribute, before, after)
                   }
                 end
                 if @custom_values_before_change
                   # custom fields changes
                   journalized.custom_field_values.each {|c|
                     before = @custom_values_before_change[c.custom_field_id]
                     after = c.value
                     next if before == after || (before.blank? && after.blank?)
                     if before.is_a?(Array) || after.is_a?(Array)
                       before = [before] unless before.is_a?(Array)
                       after = [after] unless after.is_a?(Array)
                       # values removed
                       (before - after).reject(&:blank?).each do |value|
                         add_custom_value_detail(c, value, nil)
                       end
                       # values added
                       (after - before).reject(&:blank?).each do |value|
                         add_custom_value_detail(c, nil, value)
                       end
                     else
                       add_custom_value_detail(c, before, after)
                     end
                   }
                 end
                 start
               end
               # Adds a journal detail for an attribute change
               def add_attribute_detail(attribute, old_value, value)
                 add_detail('attr', attribute, old_value, value)
               end
               # Adds a journal detail for a custom field value change
               def add_custom_value_detail(custom_value, old_value, value)
                 add_detail('cf', custom_value.custom_field_id, old_value, value)
               end
               # Adds a journal detail
               def add_detail(property, prop_key, old_value, value)
                 details << JournalDetail.new(
                     :property => property,
                     :prop_key => prop_key,
                     :old_value => old_value,
                     :value => value
                   )
               end
               def split_private_notes
                 if private_notes?
                   if notes.present?
                     if details.any?
                       # Split the journal (notes/changes) so we don't have half-private journals
                       journal = Journal.new(:journalized => journalized, :user => user, :notes => nil, :private_notes => false)
                       journal.details = details
                       journal.save
                       self.details = []
                       self.created_on = journal.created_on
                     end
                   else
                     # Blank notes should not be private
                     self.private_notes = false
                   end
                 end
                 true
               end
               def send_notification
                 if notify? && (Setting.notified_events.include?('issue_updated') ||
                     (Setting.notified_events.include?('issue_note_added') && notes.present?) ||
                     (Setting.notified_events.include?('issue_status_updated') && new_status.present?) ||
                     (Setting.notified_events.include?('issue_assigned_to_updated') && detail_for_attribute('assigned_to_id').present?) ||
                     (Setting.notified_events.include?('issue_priority_updated') && new_value_for('priority_id').present?)
                   )
                   Mailer.deliver_issue_edit(self)
                 end
               end
             end

app/views/journals/_notes_form.html.erb +5 -3

             <%= form_tag(journal_path(@journal),
                          :remote => true,
                          :method => 'put',
                          :id => "journal-#{@journal.id}-form") do %>
                 <%= label_tag "notes", l(:description_notes), :class => "hidden-for-sighted" %>
-                <%= text_area_tag :notes, @journal.notes,
+                <%= text_area_tag 'journal[notes]', @journal.notes,
                       :id => "journal_#{@journal.id}_notes",
                       :class => 'wiki-edit',
                       :rows => (@journal.notes.blank? ? 10 : [[10, @journal.notes.length / 50].max, 100].min) %>
-                <% if @journal.issue.safe_attribute? 'private_notes' %>
+                <% if @journal.safe_attribute? 'private_notes' %>
-                  <%= check_box_tag 'private_notes', '1', @journal.private_notes, :id => "journal_#{@journal.id}_private_notes" %> <label for="journal_<%= @journal.id %>_private_notes"><%= l(:field_private_notes) %></label>
+                  <%= hidden_field_tag 'journal[private_notes]', '0' %>
+                  <%= check_box_tag 'journal[private_notes]', '1', @journal.private_notes, :id => "journal_#{@journal.id}_private_notes" %>
+                  <label for="journal_<%= @journal.id %>_private_notes"><%= l(:field_private_notes) %></label>
                 <% end %>
                 <%= call_hook(:view_journals_notes_form_after_notes, { :journal => @journal}) %>
                 <p><%= submit_tag l(:button_save) %>
                 <%= preview_link preview_edit_issue_path(:project_id => @project, :id => @journal.issue),
                                  "journal-#{@journal.id}-form",
                                  "journal_#{@journal.id}_preview" %> |
                 <%= link_to l(:button_cancel), '#', :onclick => "$('#journal-#{@journal.id}-form').remove(); $('#journal-#{@journal.id}-notes').show(); return false;" %></p>
                 <div id="journal_<%= @journal.id %>_preview" class="wiki"></div>
             <% end %>
             <%= wikitoolbar_for "journal_#{@journal.id}_notes" %>

test/functional/journals_controller_test.rb +8 -7

             # Redmine - project management software
             # Copyright (C) 2006-2016  Jean-Philippe Lang
             #
             # This program is free software; you can redistribute it and/or
             # modify it under the terms of the GNU General Public License
             # as published by the Free Software Foundation; either version 2
             # of the License, or (at your option) any later version.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU General Public License
             # along with this program; if not, write to the Free Software
             # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
             require File.expand_path('../../test_helper', __FILE__)
             class JournalsControllerTest < ActionController::TestCase
               fixtures :projects, :users, :members, :member_roles, :roles, :issues, :journals, :journal_details, :enabled_modules,
                 :trackers, :issue_statuses, :enumerations, :custom_fields, :custom_values, :custom_fields_projects, :projects_trackers
               def setup
                 User.current = nil
               end
               def test_index
                 get :index, :project_id => 1
                 assert_response :success
                 assert_not_nil assigns(:journals)
                 assert_equal 'application/atom+xml', @response.content_type
               end
               def test_index_with_invalid_query_id
                 get :index, :project_id => 1, :query_id => 999
                 assert_response 404
               end
               def test_index_should_return_privates_notes_with_permission_only
                 journal = Journal.create!(:journalized => Issue.find(2), :notes => 'Privates notes', :private_notes => true, :user_id => 1)
                 @request.session[:user_id] = 2
                 get :index, :project_id => 1
                 assert_response :success
                 assert_include journal, assigns(:journals)
                 Role.find(1).remove_permission! :view_private_notes
                 get :index, :project_id => 1
                 assert_response :success
                 assert_not_include journal, assigns(:journals)
               end
               def test_index_should_show_visible_custom_fields_only
                 Issue.destroy_all
                 field_attributes = {:field_format => 'string', :is_for_all => true, :is_filter => true, :trackers => Tracker.all}
                 @fields = []
                 @fields << (@field1 = IssueCustomField.create!(field_attributes.merge(:name => 'Field 1', :visible => true)))
                 @fields << (@field2 = IssueCustomField.create!(field_attributes.merge(:name => 'Field 2', :visible => false, :role_ids => [1, 2])))
                 @fields << (@field3 = IssueCustomField.create!(field_attributes.merge(:name => 'Field 3', :visible => false, :role_ids => [1, 3])))
                 @issue = Issue.generate!(
                   :author_id => 1,
                   :project_id => 1,
                   :tracker_id => 1,
                   :custom_field_values => {@field1.id => 'Value0', @field2.id => 'Value1', @field3.id => 'Value2'}
                 )
                 @issue.init_journal(User.find(1))
                 @issue.update_attribute :custom_field_values, {@field1.id => 'NewValue0', @field2.id => 'NewValue1', @field3.id => 'NewValue2'}
                 user_with_role_on_other_project = User.generate!
                 User.add_to_project(user_with_role_on_other_project, Project.find(2), Role.find(3))
                 users_to_test = {
                   User.find(1) => [@field1, @field2, @field3],
                   User.find(3) => [@field1, @field2],
                   user_with_role_on_other_project => [@field1], # should see field1 only on Project 1
                   User.generate! => [@field1],
                   User.anonymous => [@field1]
                 }
                 users_to_test.each do |user, visible_fields|
                   get :index, :format => 'atom', :key => user.rss_key
                   @fields.each_with_index do |field, i|
                     if visible_fields.include?(field)
                       assert_select "content[type=html]", { :text => /NewValue#{i}/, :count => 1 }, "User #{user.id} was not able to view #{field.name} in API"
                     else
                       assert_select "content[type=html]", { :text => /NewValue#{i}/, :count => 0 }, "User #{user.id} was able to view #{field.name} in API"
                     end
                   end
                 end
               end
               def test_diff_for_description_change
                 get :diff, :id => 3, :detail_id => 4
                 assert_response :success
                 assert_template 'diff'
                 assert_select 'span.diff_out', :text => /removed/
                 assert_select 'span.diff_in', :text => /added/
               end
               def test_diff_for_custom_field
                 field = IssueCustomField.create!(:name => "Long field", :field_format => 'text')
                 journal = Journal.create!(:journalized => Issue.find(2), :notes => 'Notes', :user_id => 1)
                 detail = JournalDetail.create!(:journal => journal, :property => 'cf', :prop_key => field.id,
                   :old_value => 'Foo', :value => 'Bar')
                 get :diff, :id => journal.id, :detail_id => detail.id
                 assert_response :success
                 assert_template 'diff'
                 assert_select 'span.diff_out', :text => /Foo/
                 assert_select 'span.diff_in', :text => /Bar/
               end
               def test_diff_for_custom_field_should_be_denied_if_custom_field_is_not_visible
                 field = IssueCustomField.create!(:name => "Long field", :field_format => 'text', :visible => false, :role_ids => [1])
                 journal = Journal.create!(:journalized => Issue.find(2), :notes => 'Notes', :user_id => 1)
                 detail = JournalDetail.create!(:journal => journal, :property => 'cf', :prop_key => field.id,
                   :old_value => 'Foo', :value => 'Bar')
                 get :diff, :id => journal.id, :detail_id => detail.id
                 assert_response 302
               end
               def test_diff_should_default_to_description_diff
                 get :diff, :id => 3
                 assert_response :success
                 assert_template 'diff'
                 assert_select 'span.diff_out', :text => /removed/
                 assert_select 'span.diff_in', :text => /added/
               end
               def test_reply_to_issue
                 @request.session[:user_id] = 2
                 xhr :get, :new, :id => 6
                 assert_response :success
                 assert_template 'new'
                 assert_equal 'text/javascript', response.content_type
                 assert_include '> This is an issue', response.body
               end
               def test_reply_to_issue_without_permission
                 @request.session[:user_id] = 7
                 xhr :get, :new, :id => 6
                 assert_response 403
               end
               def test_reply_to_note
                 @request.session[:user_id] = 2
                 xhr :get, :new, :id => 6, :journal_id => 4
                 assert_response :success
                 assert_template 'new'
                 assert_equal 'text/javascript', response.content_type
                 assert_include '> A comment with a private version', response.body
               end
               def test_reply_to_private_note_should_fail_without_permission
                 journal = Journal.create!(:journalized => Issue.find(2), :notes => 'Privates notes', :private_notes => true)
                 @request.session[:user_id] = 2
                 xhr :get, :new, :id => 2, :journal_id => journal.id
                 assert_response :success
                 assert_template 'new'
                 assert_equal 'text/javascript', response.content_type
                 assert_include '> Privates notes', response.body
                 Role.find(1).remove_permission! :view_private_notes
                 xhr :get, :new, :id => 2, :journal_id => journal.id
                 assert_response 404
               end
               def test_edit_xhr
                 @request.session[:user_id] = 1
                 xhr :get, :edit, :id => 2
                 assert_response :success
                 assert_template 'edit'
                 assert_equal 'text/javascript', response.content_type
                 assert_include 'textarea', response.body
               end
               def test_edit_private_note_should_fail_without_permission
                 journal = Journal.create!(:journalized => Issue.find(2), :notes => 'Privates notes', :private_notes => true)
                 @request.session[:user_id] = 2
                 Role.find(1).add_permission! :edit_issue_notes
                 xhr :get, :edit, :id => journal.id
                 assert_response :success
                 assert_template 'edit'
                 assert_equal 'text/javascript', response.content_type
                 assert_include 'textarea', response.body
                 Role.find(1).remove_permission! :view_private_notes
                 xhr :get, :edit, :id => journal.id
                 assert_response 404
               end
               def test_update_xhr
                 @request.session[:user_id] = 1
-                xhr :post, :update, :id => 2, :notes => 'Updated notes'
+                xhr :post, :update, :id => 2, :journal => {:notes => 'Updated notes'}
                 assert_response :success
                 assert_template 'update'
                 assert_equal 'text/javascript', response.content_type
                 assert_equal 'Updated notes', Journal.find(2).notes
                 assert_include 'journal-2-notes', response.body
               end
               def test_update_xhr_with_private_notes_checked
                 @request.session[:user_id] = 1
-                xhr :post, :update, :id => 2, :private_notes => '1'
+                xhr :post, :update, :id => 2, :journal => {:private_notes => '1'}
                 assert_response :success
                 assert_template 'update'
                 assert_equal 'text/javascript', response.content_type
                 assert_equal true, Journal.find(2).private_notes
                 assert_include 'change-2', response.body
                 assert_include 'journal-2-private_notes', response.body
               end
               def test_update_xhr_with_private_notes_unchecked
                 Journal.find(2).update_attributes(:private_notes => true)
                 @request.session[:user_id] = 1
-                xhr :post, :update, :id => 2
+                xhr :post, :update, :id => 2, :journal => {:private_notes => '0'}
                 assert_response :success
                 assert_template 'update'
                 assert_equal 'text/javascript', response.content_type
                 assert_equal false, Journal.find(2).private_notes
                 assert_include 'change-2', response.body
                 assert_include 'journal-2-private_notes', response.body
               end
-              def test_update_xhr_with_private_notes_changes_and_without_set_private_notes_permission
+              def test_update_xhr_without_set_private_notes_permission_should_ignore_private_notes
                 @request.session[:user_id] = 2
                 Role.find(1).add_permission! :edit_issue_notes
                 Role.find(1).add_permission! :view_private_notes
                 Role.find(1).remove_permission! :set_notes_private
-                xhr :post, :update, :id => 2, :private_notes => '1'
+                xhr :post, :update, :id => 2, :journal => {:private_notes => '1'}
-                assert_response 403
+                assert_response :success
+                assert_equal false, Journal.find(2).private_notes
               end
               def test_update_xhr_with_empty_notes_should_delete_the_journal
                 @request.session[:user_id] = 1
                 assert_difference 'Journal.count', -1 do
-                  xhr :post, :update, :id => 2, :notes => ''
+                  xhr :post, :update, :id => 2, :journal => {:notes => ''}
                   assert_response :success
                   assert_template 'update'
                   assert_equal 'text/javascript', response.content_type
                 end
                 assert_nil Journal.find_by_id(2)
                 assert_include 'change-2', response.body
               end
             end

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages