@@ -18,6 +18,8 | |||
|
18 | 18 | require 'uri' |
|
19 | 19 | require 'cgi' |
|
20 | 20 | |
|
21 | class Unauthorized < Exception; end | |
|
22 | ||
|
21 | 23 | class ApplicationController < ActionController::Base |
|
22 | 24 | include Redmine::I18n |
|
23 | 25 | |
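Review bot: `class Unauthorized < Exception; end` puts the new error outside the `StandardError` hierarchy, so a bare `rescue` in any intervening code (which catches only `StandardError`) lets it pass, while code written as `rescue Exception` to handle it would also swallow interrupts and `SystemExit`. Unless bypassing bare rescues is the intent, `class Unauthorized < StandardError; end` is the conventional base for an application error, and a one-line comment would record the contract either way, e.g. `# Raised when the current user may not see the requested resource; mapped to deny_access by rescue_from in ApplicationController.` The class is also defined at top level rather than under a namespace such as `Redmine::`, which is worth a thought given it is referenced as `::Unauthorized` elsewhere in this commit.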
@@ -41,6 +43,7 class ApplicationController < ActionController::Base | |||
|
41 | 43 | protect_from_forgery |
|
42 | 44 | |
|
43 | 45 | rescue_from ActionController::InvalidAuthenticityToken, :with => :invalid_authenticity_token |
|
46 | rescue_from ::Unauthorized, :with => :deny_access | |
|
44 | 47 | |
|
45 | 48 | include Redmine::Search::Controller |
|
46 | 49 | include Redmine::MenuManager::MenuController |
@@ -70,6 +70,7 module QueriesHelper | |||
|
70 | 70 | cond = "project_id IS NULL" |
|
71 | 71 | cond << " OR project_id = #{@project.id}" if @project |
|
72 | 72 | @query = Query.find(params[:query_id], :conditions => cond) |
|
73 | raise ::Unauthorized unless @query.visible? | |
|
73 | 74 | @query.project = @project |
|
74 | 75 | session[:query] = {:id => @query.id, :project_id => @query.project_id} |
|
75 | 76 | sort_clear |
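Review bot: The new `raise ::Unauthorized unless @query.visible?` guards only the branch that loads the query from `params[:query_id]`; if the enclosing method (which starts and ends outside this hunk) also restores a query from `session[:query]` or another source, that path needs the same check or a private query could still be reached once its id has been remembered. Because `session[:query]` is written after the check here, only visible queries are ever stored, which deserves a comment: `# only a visible query may be loaded or remembered in the session`. Separately, `cond << " OR project_id = #{@project.id}"` builds the SQL condition by string interpolation; `@project.id` is an integer from a loaded record so it is not injectable here, but `cond = @project ? ["project_id IS NULL OR project_id = ?", @project.id] : "project_id IS NULL"` is the idiomatic form and keeps the interpolation pattern from spreading.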
@@ -165,6 +165,11 class Query < ActiveRecord::Base | |||
|
165 | 165 | ["o", "c", "!*", "*", "t", "w"].include? operator_for(field) |
|
166 | 166 | end if filters |
|
167 | 167 | end |
|
168 | ||
|
169 | # Returns true if the query is visible to +user+ or the current user. | |
|
170 | def visible?(user=User.current) | |
|
171 | self.is_public? || self.user_id == user.id | |
|
172 | end | |
|
168 | 173 | |
|
169 | 174 | def editable_by?(user) |
|
170 | 175 | return false unless user |
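Review bot: In `visible?`, `self.user_id == user.id` is true when both sides are nil, so a private query with no owner would be reported visible to a user object that has not been saved; `is_public? || (user_id && user_id == user.id)` closes that corner, and the explicit `self.` on the readers is not needed. The method also raises `NoMethodError` rather than returning false when `nil` is passed for `user`; a leading `return false unless user`, as `editable_by?` below already does, would keep the two predicates consistent. The comment could state the rule rather than restate the name: `# A query is visible when it is public or owned by +user+ (defaults to User.current).`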
@@ -18,9 +18,6 | |||
|
18 | 18 | require File.expand_path('../../test_helper', __FILE__) |
|
19 | 19 | require 'issues_controller' |
|
20 | 20 | |
|
21 | # Re-raise errors caught by the controller. | |
|
22 | class IssuesController; def rescue_action(e) raise e end; end | |
|
23 | ||
|
24 | 21 | class IssuesControllerTest < ActionController::TestCase |
|
25 | 22 | fixtures :projects, |
|
26 | 23 | :users, |
@@ -193,6 +190,30 class IssuesControllerTest < ActionController::TestCase | |||
|
193 | 190 | assert_not_nil assigns(:issues) |
|
194 | 191 | assert_not_nil assigns(:issue_count_by_group) |
|
195 | 192 | end |
|
193 | ||
|
194 | def test_private_query_should_not_be_available_to_other_users | |
|
195 | q = Query.create!(:name => "private", :user => User.find(2), :is_public => false, :project => nil) | |
|
196 | @request.session[:user_id] = 3 | |
|
197 | ||
|
198 | get :index, :query_id => q.id | |
|
199 | assert_response 403 | |
|
200 | end | |
|
201 | ||
|
202 | def test_private_query_should_be_available_to_its_user | |
|
203 | q = Query.create!(:name => "private", :user => User.find(2), :is_public => false, :project => nil) | |
|
204 | @request.session[:user_id] = 2 | |
|
205 | ||
|
206 | get :index, :query_id => q.id | |
|
207 | assert_response :success | |
|
208 | end | |
|
209 | ||
|
210 | def test_public_query_should_be_available_to_other_users | |
|
211 | q = Query.create!(:name => "private", :user => User.find(2), :is_public => true, :project => nil) | |
|
212 | @request.session[:user_id] = 3 | |
|
213 | ||
|
214 | get :index, :query_id => q.id | |
|
215 | assert_response :success | |
|
216 | end | |
|
196 | 217 | |
|
197 | 218 | def test_index_sort_by_field_not_included_in_columns |
|
198 | 219 | Setting.issue_list_default_columns = %w(subject author) |
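Review bot: `test_public_query_should_be_available_to_other_users` creates its fixture with `:name => "private"` even though `:is_public => true`, which reads as a copy-paste slip and will mislead anyone debugging a failure; `:name => "public"` says what the test means. The 403 test could also pin the side effect the change prevents by adding `assert_nil session[:query]` after `assert_response 403`, since the helper now raises before the query id is stored in the session. A case with no `session[:user_id]` set (an anonymous visitor) would round out coverage of the new `visible?` check.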