Fixed: private queries should not be accessible to other users (#8729)....
Jean-Philippe Lang -
r6043:8914d323ee14
@@ -18,6 +18,8
18 require 'uri'
18 require 'uri'
19 require 'cgi'
19 require 'cgi'
20
20
21 class Unauthorized < Exception; end
22
21 class ApplicationController < ActionController::Base
23 class ApplicationController < ActionController::Base
22 include Redmine::I18n
24 include Redmine::I18n
23
25
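Review bot: `Unauthorized` on line 21 inherits from `Exception` rather than `StandardError`, so a bare `rescue` anywhere between the raise site and `rescue_from ::Unauthorized` (line 46 in the next hunk) cannot intercept it — a denial therefore cannot be accidentally swallowed into a success, which is presumably the point, but the convention is to subclass `StandardError` and a reader will assume the parent was picked by mistake. Record the intent where the class is defined: `# Raised when the current user may not access a resource. Subclasses Exception on purpose so a stray bare rescue cannot swallow the denial; handled by rescue_from ::Unauthorized in ApplicationController.` The same comment should not be duplicated at the `rescue_from` line; a short `# see Unauthorized` there is enough.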
@@ -41,6 +43,7 class ApplicationController < ActionController::Base
41 protect_from_forgery
43 protect_from_forgery
42
44
43 rescue_from ActionController::InvalidAuthenticityToken, :with => :invalid_authenticity_token
45 rescue_from ActionController::InvalidAuthenticityToken, :with => :invalid_authenticity_token
46 rescue_from ::Unauthorized, :with => :deny_access
44
47
45 include Redmine::Search::Controller
48 include Redmine::Search::Controller
46 include Redmine::MenuManager::MenuController
49 include Redmine::MenuManager::MenuController
@@ -70,6 +70,7 module QueriesHelper
70 cond = "project_id IS NULL"
70 cond = "project_id IS NULL"
71 cond << " OR project_id = #{@project.id}" if @project
71 cond << " OR project_id = #{@project.id}" if @project
72 @query = Query.find(params[:query_id], :conditions => cond)
72 @query = Query.find(params[:query_id], :conditions => cond)
73 raise ::Unauthorized unless @query.visible?
73 @query.project = @project
74 @query.project = @project
74 session[:query] = {:id => @query.id, :project_id => @query.project_id}
75 session[:query] = {:id => @query.id, :project_id => @query.project_id}
75 sort_clear
76 sort_clear
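Review bot: The new check on line 73 sits after `Query.find` and before the query is written to `session[:query]` on line 75, so a denied query is never cached in the session; that ordering is load-bearing and deserves a comment, e.g. `# Deny before caching: a private query must not become reachable later via session[:query]`. The enclosing method starts before this hunk; if it has another branch that reloads a query from `session[:query]` without passing through this `visible?` check, that branch would need the same guard, which cannot be confirmed from the hunk. Raising before `@query.project = @project` also means a denied query is never mutated, which is worth keeping if the lines are ever reordered.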
@@ -165,6 +165,11 class Query < ActiveRecord::Base
165 ["o", "c", "!*", "*", "t", "w"].include? operator_for(field)
165 ["o", "c", "!*", "*", "t", "w"].include? operator_for(field)
166 end if filters
166 end if filters
167 end
167 end
168
169 # Returns true if the query is visible to +user+ or the current user.
170 def visible?(user=User.current)
171 self.is_public? || self.user_id == user.id
172 end
168
173
169 def editable_by?(user)
174 def editable_by?(user)
170 return false unless user
175 return false unless user
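Review bot: `visible?` on lines 170-171 dereferences `user.id` with no nil guard, while the sibling `editable_by?` directly below opens with `return false unless user` (line 175); a caller passing `nil` explicitly gets a `NoMethodError` instead of `false`. Mirror the sibling with `return false unless user` as the first line of the body, or write the check as `self.is_public? || (user && self.user_id == user.id)`. Separately, if a query can exist with a nil `user_id` and an unsaved user object (`id` nil) is ever passed, the equality would be true; neither case can be confirmed from this hunk, but `!self.user_id.nil? && self.user_id == user.id` would close it. `editable_by?` continues past the end of the hunk.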
@@ -18,9 +18,6
18 require File.expand_path('../../test_helper', __FILE__)
18 require File.expand_path('../../test_helper', __FILE__)
19 require 'issues_controller'
19 require 'issues_controller'
20
20
21 # Re-raise errors caught by the controller.
22 class IssuesController; def rescue_action(e) raise e end; end
23
24 class IssuesControllerTest < ActionController::TestCase
21 class IssuesControllerTest < ActionController::TestCase
25 fixtures :projects,
22 fixtures :projects,
26 :users,
23 :users,
@@ -193,6 +190,30 class IssuesControllerTest < ActionController::TestCase
193 assert_not_nil assigns(:issues)
190 assert_not_nil assigns(:issues)
194 assert_not_nil assigns(:issue_count_by_group)
191 assert_not_nil assigns(:issue_count_by_group)
195 end
192 end
193
194 def test_private_query_should_not_be_available_to_other_users
195 q = Query.create!(:name => "private", :user => User.find(2), :is_public => false, :project => nil)
196 @request.session[:user_id] = 3
197
198 get :index, :query_id => q.id
199 assert_response 403
200 end
201
202 def test_private_query_should_be_available_to_its_user
203 q = Query.create!(:name => "private", :user => User.find(2), :is_public => false, :project => nil)
204 @request.session[:user_id] = 2
205
206 get :index, :query_id => q.id
207 assert_response :success
208 end
209
210 def test_public_query_should_be_available_to_other_users
211 q = Query.create!(:name => "private", :user => User.find(2), :is_public => true, :project => nil)
212 @request.session[:user_id] = 3
213
214 get :index, :query_id => q.id
215 assert_response :success
216 end
196
217
197 def test_index_sort_by_field_not_included_in_columns
218 def test_index_sort_by_field_not_included_in_columns
198 Setting.issue_list_default_columns = %w(subject author)
219 Setting.issue_list_default_columns = %w(subject author)
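Review bot: The third test (line 211) creates a query named "private" while setting `:is_public => true`, so the fixture reads as the opposite of what the test asserts; `q = Query.create!(:name => "public", :user => User.find(2), :is_public => true, :project => nil)` keeps the name honest. The 403 test (lines 194-200) could also pin that the denied query is not cached, since the helper writes `session[:query]` only after the visibility check: add `assert_nil session[:query]` after `assert_response 403`. The anonymous case (no `session[:user_id]` set) is not exercised here, and whether it is denied cannot be told from this hunk.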