jro_apps/redmine Commit - r6043:8914d323ee14

Fixed: private queries should not be accessible to other users (#8729)....

Jean-Philippe Lang -

r6043:8914d323ee14

parent child

Context file:

r6043:8914d323ee14

Collapse all files

app/controllers/application_controller.rb +3 0

             # Redmine - project management software
             # Copyright (C) 2006-2011  Jean-Philippe Lang
             #
             # This program is free software; you can redistribute it and/or
             # modify it under the terms of the GNU General Public License
             # as published by the Free Software Foundation; either version 2
             # of the License, or (at your option) any later version.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU General Public License
             # along with this program; if not, write to the Free Software
             # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
             require 'uri'
             require 'cgi'
+            class Unauthorized < Exception; end
             class ApplicationController < ActionController::Base
               include Redmine::I18n
               layout 'base'
               exempt_from_layout 'builder', 'rsb'
               # Remove broken cookie after upgrade from 0.8.x (#4292)
               # See https://rails.lighthouseapp.com/projects/8994/tickets/3360
               # TODO: remove it when Rails is fixed
               before_filter :delete_broken_cookies
               def delete_broken_cookies
                 if cookies['_redmine_session'] && cookies['_redmine_session'] !~ /--/
                   cookies.delete '_redmine_session'
                   redirect_to home_path
                   return false
                 end
               end
               before_filter :user_setup, :check_if_login_required, :set_localization
               filter_parameter_logging :password
               protect_from_forgery
               rescue_from ActionController::InvalidAuthenticityToken, :with => :invalid_authenticity_token
+              rescue_from ::Unauthorized, :with => :deny_access
               include Redmine::Search::Controller
               include Redmine::MenuManager::MenuController
               helper Redmine::MenuManager::MenuHelper
               Redmine::Scm::Base.all.each do |scm|
                 require_dependency "repository/#{scm.underscore}"
               end
               def user_setup
                 # Check the settings cache for each request
                 Setting.check_cache
                 # Find the current user
                 User.current = find_current_user
               end
               # Returns the current user or nil if no user is logged in
               # and starts a session if needed
               def find_current_user
                 if session[:user_id]
                   # existing session
                   (User.active.find(session[:user_id]) rescue nil)
                 elsif cookies[:autologin] && Setting.autologin?
                   # auto-login feature starts a new session
                   user = User.try_to_autologin(cookies[:autologin])
                   session[:user_id] = user.id if user
                   user
                 elsif params[:format] == 'atom' && params[:key] && accept_key_auth_actions.include?(params[:action])
                   # RSS key authentication does not start a session
                   User.find_by_rss_key(params[:key])
                 elsif Setting.rest_api_enabled? && api_request?
                   if (key = api_key_from_request) && accept_key_auth_actions.include?(params[:action])
                     # Use API key
                     User.find_by_api_key(key)
                   else
                     # HTTP Basic, either username/password or API key/random
                     authenticate_with_http_basic do |username, password|
                       User.try_to_login(username, password) || User.find_by_api_key(username)
                     end
                   end
                 end
               end
               # Sets the logged in user
               def logged_user=(user)
                 reset_session
                 if user && user.is_a?(User)
                   User.current = user
                   session[:user_id] = user.id
                 else
                   User.current = User.anonymous
                 end
               end
               # check if login is globally required to access the application
               def check_if_login_required
                 # no check needed if user is already logged in
                 return true if User.current.logged?
                 require_login if Setting.login_required?
               end
               def set_localization
                 lang = nil
                 if User.current.logged?
                   lang = find_language(User.current.language)
                 end
                 if lang.nil? && request.env['HTTP_ACCEPT_LANGUAGE']
                   accept_lang = parse_qvalues(request.env['HTTP_ACCEPT_LANGUAGE']).first
                   if !accept_lang.blank?
                     accept_lang = accept_lang.downcase
                     lang = find_language(accept_lang) || find_language(accept_lang.split('-').first)
                   end
                 end
                 lang ||= Setting.default_language
                 set_language_if_valid(lang)
               end
               def require_login
                 if !User.current.logged?
                   # Extract only the basic url parameters on non-GET requests
                   if request.get?
                     url = url_for(params)
                   else
                     url = url_for(:controller => params[:controller], :action => params[:action], :id => params[:id], :project_id => params[:project_id])
                   end
                   respond_to do |format|
                     format.html { redirect_to :controller => "account", :action => "login", :back_url => url }
                     format.atom { redirect_to :controller => "account", :action => "login", :back_url => url }
                     format.xml  { head :unauthorized, 'WWW-Authenticate' => 'Basic realm="Redmine API"' }
                     format.js   { head :unauthorized, 'WWW-Authenticate' => 'Basic realm="Redmine API"' }
                     format.json { head :unauthorized, 'WWW-Authenticate' => 'Basic realm="Redmine API"' }
                   end
                   return false
                 end
                 true
               end
               def require_admin
                 return unless require_login
                 if !User.current.admin?
                   render_403
                   return false
                 end
                 true
               end
               def deny_access
                 User.current.logged? ? render_403 : require_login
               end
               # Authorize the user for the requested action
               def authorize(ctrl = params[:controller], action = params[:action], global = false)
                 allowed = User.current.allowed_to?({:controller => ctrl, :action => action}, @project || @projects, :global => global)
                 if allowed
                   true
                 else
                   if @project && @project.archived?
                     render_403 :message => :notice_not_authorized_archived_project
                   else
                     deny_access
                   end
                 end
               end
               # Authorize the user for the requested action outside a project
               def authorize_global(ctrl = params[:controller], action = params[:action], global = true)
                 authorize(ctrl, action, global)
               end
               # Find project of id params[:id]
               def find_project
                 @project = Project.find(params[:id])
               rescue ActiveRecord::RecordNotFound
                 render_404
               end
               # Find project of id params[:project_id]
               def find_project_by_project_id
                 @project = Project.find(params[:project_id])
               rescue ActiveRecord::RecordNotFound
                 render_404
               end
               # Find a project based on params[:project_id]
               # TODO: some subclasses override this, see about merging their logic
               def find_optional_project
                 @project = Project.find(params[:project_id]) unless params[:project_id].blank?
                 allowed = User.current.allowed_to?({:controller => params[:controller], :action => params[:action]}, @project, :global => true)
                 allowed ? true : deny_access
               rescue ActiveRecord::RecordNotFound
                 render_404
               end
               # Finds and sets @project based on @object.project
               def find_project_from_association
                 render_404 unless @object.present?
                 @project = @object.project
               rescue ActiveRecord::RecordNotFound
                 render_404
               end
               def find_model_object
                 model = self.class.read_inheritable_attribute('model_object')
                 if model
                   @object = model.find(params[:id])
                   self.instance_variable_set('@' + controller_name.singularize, @object) if @object
                 end
               rescue ActiveRecord::RecordNotFound
                 render_404
               end
               def self.model_object(model)
                 write_inheritable_attribute('model_object', model)
               end
               # Filter for bulk issue operations
               def find_issues
                 @issues = Issue.find_all_by_id(params[:id] || params[:ids])
                 raise ActiveRecord::RecordNotFound if @issues.empty?
                 if @issues.detect {|issue| !issue.visible?}
                   deny_access
                   return
                 end
                 @projects = @issues.collect(&:project).compact.uniq
                 @project = @projects.first if @projects.size == 1
               rescue ActiveRecord::RecordNotFound
                 render_404
               end
               # Check if project is unique before bulk operations
               def check_project_uniqueness
                 unless @project
                   # TODO: let users bulk edit/move/destroy issues from different projects
                   render_error 'Can not bulk edit/move/destroy issues from different projects'
                   return false
                 end
               end
               # make sure that the user is a member of the project (or admin) if project is private
               # used as a before_filter for actions that do not require any particular permission on the project
               def check_project_privacy
                 if @project && @project.active?
                   if @project.is_public? || User.current.member_of?(@project) || User.current.admin?
                     true
                   else
                     User.current.logged? ? render_403 : require_login
                   end
                 else
                   @project = nil
                   render_404
                   false
                 end
               end
               def back_url
                 params[:back_url] || request.env['HTTP_REFERER']
               end
               def redirect_back_or_default(default)
                 back_url = CGI.unescape(params[:back_url].to_s)
                 if !back_url.blank?
                   begin
                     uri = URI.parse(back_url)
                     # do not redirect user to another host or to the login or register page
                     if (uri.relative? || (uri.host == request.host)) && !uri.path.match(%r{/(login|account/register)})
                       redirect_to(back_url)
                       return
                     end
                   rescue URI::InvalidURIError
                     # redirect to default
                   end
                 end
                 redirect_to default
                 false
               end
               def render_403(options={})
                 @project = nil
                 render_error({:message => :notice_not_authorized, :status => 403}.merge(options))
                 return false
               end
               def render_404(options={})
                 render_error({:message => :notice_file_not_found, :status => 404}.merge(options))
                 return false
               end
               # Renders an error response
               def render_error(arg)
                 arg = {:message => arg} unless arg.is_a?(Hash)
                 @message = arg[:message]
                 @message = l(@message) if @message.is_a?(Symbol)
                 @status = arg[:status] || 500
                 respond_to do |format|
                   format.html {
                     render :template => 'common/error', :layout => use_layout, :status => @status
                   }
                   format.atom { head @status }
                   format.xml { head @status }
                   format.js { head @status }
                   format.json { head @status }
                 end
               end
               # Picks which layout to use based on the request
               #
               # @return [boolean, string] name of the layout to use or false for no layout
               def use_layout
                 request.xhr? ? false : 'base'
               end
               def invalid_authenticity_token
                 if api_request?
                   logger.error "Form authenticity token is missing or is invalid. API calls must include a proper Content-type header (text/xml or text/json)."
                 end
                 render_error "Invalid form authenticity token."
               end
               def render_feed(items, options={})
                 @items = items || []
                 @items.sort! {|x,y| y.event_datetime <=> x.event_datetime }
                 @items = @items.slice(0, Setting.feeds_limit.to_i)
                 @title = options[:title] || Setting.app_title
                 render :template => "common/feed.atom.rxml", :layout => false, :content_type => 'application/atom+xml'
               end
               def self.accept_key_auth(*actions)
                 actions = actions.flatten.map(&:to_s)
                 write_inheritable_attribute('accept_key_auth_actions', actions)
               end
               def accept_key_auth_actions
                 self.class.read_inheritable_attribute('accept_key_auth_actions') || []
               end
               # Returns the number of objects that should be displayed
               # on the paginated list
               def per_page_option
                 per_page = nil
                 if params[:per_page] && Setting.per_page_options_array.include?(params[:per_page].to_s.to_i)
                   per_page = params[:per_page].to_s.to_i
                   session[:per_page] = per_page
                 elsif session[:per_page]
                   per_page = session[:per_page]
                 else
                   per_page = Setting.per_page_options_array.first || 25
                 end
                 per_page
               end
               # Returns offset and limit used to retrieve objects
               # for an API response based on offset, limit and page parameters
               def api_offset_and_limit(options=params)
                 if options[:offset].present?
                   offset = options[:offset].to_i
                   if offset < 0
                     offset = 0
                   end
                 end
                 limit = options[:limit].to_i
                 if limit < 1
                   limit = 25
                 elsif limit > 100
                   limit = 100
                 end
                 if offset.nil? && options[:page].present?
                   offset = (options[:page].to_i - 1) * limit
                   offset = 0 if offset < 0
                 end
                 offset ||= 0
                 [offset, limit]
               end
               # qvalues http header parser
               # code taken from webrick
               def parse_qvalues(value)
                 tmp = []
                 if value
                   parts = value.split(/,\s*/)
                   parts.each {|part|
                     if m = %r{^([^\s,]+?)(?:;\s*q=(\d+(?:\.\d+)?))?$}.match(part)
                       val = m[1]
                       q = (m[2] or 1).to_f
                       tmp.push([val, q])
                     end
                   }
                   tmp = tmp.sort_by{|val, q| -q}
                   tmp.collect!{|val, q| val}
                 end
                 return tmp
               rescue
                 nil
               end
               # Returns a string that can be used as filename value in Content-Disposition header
               def filename_for_content_disposition(name)
                 request.env['HTTP_USER_AGENT'] =~ %r{MSIE} ? ERB::Util.url_encode(name) : name
               end
               def api_request?
                 %w(xml json).include? params[:format]
               end
               # Returns the API key present in the request
               def api_key_from_request
                 if params[:key].present?
                   params[:key]
                 elsif request.headers["X-Redmine-API-Key"].present?
                   request.headers["X-Redmine-API-Key"]
                 end
               end
               # Renders a warning flash if obj has unsaved attachments
               def render_attachment_warning_if_needed(obj)
                 flash[:warning] = l(:warning_attachments_not_saved, obj.unsaved_attachments.size) if obj.unsaved_attachments.present?
               end
               # Sets the `flash` notice or error based the number of issues that did not save
               #
               # @param [Array, Issue] issues all of the saved and unsaved Issues
               # @param [Array, Integer] unsaved_issue_ids the issue ids that were not saved
               def set_flash_from_bulk_issue_save(issues, unsaved_issue_ids)
                 if unsaved_issue_ids.empty?
                   flash[:notice] = l(:notice_successful_update) unless issues.empty?
                 else
                   flash[:error] = l(:notice_failed_to_save_issues,
                                     :count => unsaved_issue_ids.size,
                                     :total => issues.size,
                                     :ids => '#' + unsaved_issue_ids.join(', #'))
                 end
               end
               # Rescues an invalid query statement. Just in case...
               def query_statement_invalid(exception)
                 logger.error "Query::StatementInvalid: #{exception.message}" if logger
                 session.delete(:query)
                 sort_clear if respond_to?(:sort_clear)
                 render_error "An error occurred while executing the query and has been logged. Please report this error to your Redmine administrator."
               end
               # Converts the errors on an ActiveRecord object into a common JSON format
               def object_errors_to_json(object)
                 object.errors.collect do |attribute, error|
                   { attribute => error }
                 end.to_json
               end
               # Renders API response on validation failure
               def render_validation_errors(object)
                 options = { :status => :unprocessable_entity, :layout => false }
                 options.merge!(case params[:format]
                   when 'xml';  { :xml =>  object.errors }
                   when 'json'; { :json => {'errors' => object.errors} } # ActiveResource client compliance
                   else
                     raise "Unknown format #{params[:format]} in #render_validation_errors"
                   end
                 )
                 render options
               end
               # Overrides #default_template so that the api template
               # is used automatically if it exists
               def default_template(action_name = self.action_name)
                 if api_request?
                   begin
                     return self.view_paths.find_template(default_template_name(action_name), 'api')
                   rescue ::ActionView::MissingTemplate
                     # the api template was not found
                     # fallback to the default behaviour
                   end
                 end
                 super
               end
               # Overrides #pick_layout so that #render with no arguments
               # doesn't use the layout for api requests
               def pick_layout(*args)
                 api_request? ? nil : super
               end
             end

app/helpers/queries_helper.rb +1 0

             # Redmine - project management software
             # Copyright (C) 2006-2011  Jean-Philippe Lang
             #
             # This program is free software; you can redistribute it and/or
             # modify it under the terms of the GNU General Public License
             # as published by the Free Software Foundation; either version 2
             # of the License, or (at your option) any later version.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU General Public License
             # along with this program; if not, write to the Free Software
             # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
             module QueriesHelper
               def operators_for_select(filter_type)
                 Query.operators_by_filter_type[filter_type].collect {|o| [l(Query.operators[o]), o]}
               end
               def column_header(column)
                 column.sortable ? sort_header_tag(column.name.to_s, :caption => column.caption,
                                                                     :default_order => column.default_order) :
                                   content_tag('th', column.caption)
               end
               def column_content(column, issue)
                 value = column.value(issue)
                 case value.class.name
                 when 'String'
                   if column.name == :subject
                     link_to(h(value), :controller => 'issues', :action => 'show', :id => issue)
                   else
                     h(value)
                   end
                 when 'Time'
                   format_time(value)
                 when 'Date'
                   format_date(value)
                 when 'Fixnum', 'Float'
                   if column.name == :done_ratio
                     progress_bar(value, :width => '80px')
                   else
                     value.to_s
                   end
                 when 'User'
                   link_to_user value
                 when 'Project'
                   link_to_project value
                 when 'Version'
                   link_to(h(value), :controller => 'versions', :action => 'show', :id => value)
                 when 'TrueClass'
                   l(:general_text_Yes)
                 when 'FalseClass'
                   l(:general_text_No)
                 when 'Issue'
                   link_to_issue(value, :subject => false)
                 else
                   h(value)
                 end
               end
               # Retrieve query from session or build a new query
               def retrieve_query
                 if !params[:query_id].blank?
                   cond = "project_id IS NULL"
                   cond << " OR project_id = #{@project.id}" if @project
                   @query = Query.find(params[:query_id], :conditions => cond)
+                  raise ::Unauthorized unless @query.visible?
                   @query.project = @project
                   session[:query] = {:id => @query.id, :project_id => @query.project_id}
                   sort_clear
                 else
                   if api_request? || params[:set_filter] || session[:query].nil? || session[:query][:project_id] != (@project ? @project.id : nil)
                     # Give it a name, required to be valid
                     @query = Query.new(:name => "_")
                     @query.project = @project
                     if params[:fields] || params[:f]
                       @query.filters = {}
                       @query.add_filters(params[:fields] || params[:f], params[:operators] || params[:op], params[:values] || params[:v])
                     else
                       @query.available_filters.keys.each do |field|
                         @query.add_short_filter(field, params[field]) if params[field]
                       end
                     end
                     @query.group_by = params[:group_by]
                     @query.column_names = params[:c] || (params[:query] && params[:query][:column_names])
                     session[:query] = {:project_id => @query.project_id, :filters => @query.filters, :group_by => @query.group_by, :column_names => @query.column_names}
                   else
                     @query = Query.find_by_id(session[:query][:id]) if session[:query][:id]
                     @query ||= Query.new(:name => "_", :project => @project, :filters => session[:query][:filters], :group_by => session[:query][:group_by], :column_names => session[:query][:column_names])
                     @query.project = @project
                   end
                 end
               end
             end

app/models/query.rb +5 0

             # Redmine - project management software
             # Copyright (C) 2006-2011  Jean-Philippe Lang
             #
             # This program is free software; you can redistribute it and/or
             # modify it under the terms of the GNU General Public License
             # as published by the Free Software Foundation; either version 2
             # of the License, or (at your option) any later version.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU General Public License
             # along with this program; if not, write to the Free Software
             # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
             class QueryColumn
               attr_accessor :name, :sortable, :groupable, :default_order
               include Redmine::I18n
               def initialize(name, options={})
                 self.name = name
                 self.sortable = options[:sortable]
                 self.groupable = options[:groupable] || false
                 if groupable == true
                   self.groupable = name.to_s
                 end
                 self.default_order = options[:default_order]
                 @caption_key = options[:caption] || "field_#{name}"
               end
               def caption
                 l(@caption_key)
               end
               # Returns true if the column is sortable, otherwise false
               def sortable?
                 !sortable.nil?
               end
               def value(issue)
                 issue.send name
               end
               def css_classes
                 name
               end
             end
             class QueryCustomFieldColumn < QueryColumn
               def initialize(custom_field)
                 self.name = "cf_#{custom_field.id}".to_sym
                 self.sortable = custom_field.order_statement || false
                 if %w(list date bool int).include?(custom_field.field_format)
                   self.groupable = custom_field.order_statement
                 end
                 self.groupable ||= false
                 @cf = custom_field
               end
               def caption
                 @cf.name
               end
               def custom_field
                 @cf
               end
               def value(issue)
                 cv = issue.custom_values.detect {|v| v.custom_field_id == @cf.id}
                 cv && @cf.cast_value(cv.value)
               end
               def css_classes
                 @css_classes ||= "#{name} #{@cf.field_format}"
               end
             end
             class Query < ActiveRecord::Base
               class StatementInvalid < ::ActiveRecord::StatementInvalid
               end
               belongs_to :project
               belongs_to :user
               serialize :filters
               serialize :column_names
               serialize :sort_criteria, Array
               attr_protected :project_id, :user_id
               validates_presence_of :name, :on => :save
               validates_length_of :name, :maximum => 255
               @@operators = { "="   => :label_equals,
                               "!"   => :label_not_equals,
                               "o"   => :label_open_issues,
                               "c"   => :label_closed_issues,
                               "!*"  => :label_none,
                               "*"   => :label_all,
                               ">="  => :label_greater_or_equal,
                               "<="  => :label_less_or_equal,
                               "<t+" => :label_in_less_than,
                               ">t+" => :label_in_more_than,
                               "t+"  => :label_in,
                               "t"   => :label_today,
                               "w"   => :label_this_week,
                               ">t-" => :label_less_than_ago,
                               "<t-" => :label_more_than_ago,
                               "t-"  => :label_ago,
                               "~"   => :label_contains,
                               "!~"  => :label_not_contains }
               cattr_reader :operators
               @@operators_by_filter_type = { :list => [ "=", "!" ],
                                              :list_status => [ "o", "=", "!", "c", "*" ],
                                              :list_optional => [ "=", "!", "!*", "*" ],
                                              :list_subprojects => [ "*", "!*", "=" ],
                                              :date => [ "<t+", ">t+", "t+", "t", "w", ">t-", "<t-", "t-" ],
                                              :date_past => [ ">t-", "<t-", "t-", "t", "w" ],
                                              :string => [ "=", "~", "!", "!~" ],
                                              :text => [  "~", "!~" ],
                                              :integer => [ "=", ">=", "<=", "!*", "*" ] }
               cattr_reader :operators_by_filter_type
               @@available_columns = [
                 QueryColumn.new(:project, :sortable => "#{Project.table_name}.name", :groupable => true),
                 QueryColumn.new(:tracker, :sortable => "#{Tracker.table_name}.position", :groupable => true),
                 QueryColumn.new(:parent, :sortable => ["#{Issue.table_name}.root_id", "#{Issue.table_name}.lft ASC"], :default_order => 'desc', :caption => :field_parent_issue),
                 QueryColumn.new(:status, :sortable => "#{IssueStatus.table_name}.position", :groupable => true),
                 QueryColumn.new(:priority, :sortable => "#{IssuePriority.table_name}.position", :default_order => 'desc', :groupable => true),
                 QueryColumn.new(:subject, :sortable => "#{Issue.table_name}.subject"),
                 QueryColumn.new(:author),
                 QueryColumn.new(:assigned_to, :sortable => ["#{User.table_name}.lastname", "#{User.table_name}.firstname", "#{User.table_name}.id"], :groupable => true),
                 QueryColumn.new(:updated_on, :sortable => "#{Issue.table_name}.updated_on", :default_order => 'desc'),
                 QueryColumn.new(:category, :sortable => "#{IssueCategory.table_name}.name", :groupable => true),
                 QueryColumn.new(:fixed_version, :sortable => ["#{Version.table_name}.effective_date", "#{Version.table_name}.name"], :default_order => 'desc', :groupable => true),
                 QueryColumn.new(:start_date, :sortable => "#{Issue.table_name}.start_date"),
                 QueryColumn.new(:due_date, :sortable => "#{Issue.table_name}.due_date"),
                 QueryColumn.new(:estimated_hours, :sortable => "#{Issue.table_name}.estimated_hours"),
                 QueryColumn.new(:done_ratio, :sortable => "#{Issue.table_name}.done_ratio", :groupable => true),
                 QueryColumn.new(:created_on, :sortable => "#{Issue.table_name}.created_on", :default_order => 'desc'),
               ]
               cattr_reader :available_columns
               def initialize(attributes = nil)
                 super attributes
                 self.filters ||= { 'status_id' => {:operator => "o", :values => [""]} }
               end
               def after_initialize
                 # Store the fact that project is nil (used in #editable_by?)
                 @is_for_all = project.nil?
               end
               def validate
                 filters.each_key do |field|
                   errors.add label_for(field), :blank unless
                       # filter requires one or more values
                       (values_for(field) and !values_for(field).first.blank?) or
                       # filter doesn't require any value
                       ["o", "c", "!*", "*", "t", "w"].include? operator_for(field)
                 end if filters
               end
+              # Returns true if the query is visible to +user+ or the current user.
+              def visible?(user=User.current)
+                self.is_public? || self.user_id == user.id
+              end
               def editable_by?(user)
                 return false unless user
                 # Admin can edit them all and regular users can edit their private queries
                 return true if user.admin? || (!is_public && self.user_id == user.id)
                 # Members can not edit public queries that are for all project (only admin is allowed to)
                 is_public && !@is_for_all && user.allowed_to?(:manage_public_queries, project)
               end
               def available_filters
                 return @available_filters if @available_filters
                 trackers = project.nil? ? Tracker.find(:all, :order => 'position') : project.rolled_up_trackers
                 @available_filters = { "status_id" => { :type => :list_status, :order => 1, :values => IssueStatus.find(:all, :order => 'position').collect{|s| [s.name, s.id.to_s] } },
                                        "tracker_id" => { :type => :list, :order => 2, :values => trackers.collect{|s| [s.name, s.id.to_s] } },
                                        "priority_id" => { :type => :list, :order => 3, :values => IssuePriority.all.collect{|s| [s.name, s.id.to_s] } },
                                        "subject" => { :type => :text, :order => 8 },
                                        "created_on" => { :type => :date_past, :order => 9 },
                                        "updated_on" => { :type => :date_past, :order => 10 },
                                        "start_date" => { :type => :date, :order => 11 },
                                        "due_date" => { :type => :date, :order => 12 },
                                        "estimated_hours" => { :type => :integer, :order => 13 },
                                        "done_ratio" =>  { :type => :integer, :order => 14 }}
                 user_values = []
                 user_values << ["<< #{l(:label_me)} >>", "me"] if User.current.logged?
                 if project
                   user_values += project.users.sort.collect{|s| [s.name, s.id.to_s] }
                 else
                   all_projects = Project.visible.all
                   if all_projects.any?
                     # members of visible projects
                     user_values += User.active.find(:all, :conditions => ["#{User.table_name}.id IN (SELECT DISTINCT user_id FROM members WHERE project_id IN (?))", all_projects.collect(&:id)]).sort.collect{|s| [s.name, s.id.to_s] }
                     # project filter
                     project_values = []
                     Project.project_tree(all_projects) do |p, level|
                       prefix = (level > 0 ? ('--' * level + ' ') : '')
                       project_values << ["#{prefix}#{p.name}", p.id.to_s]
                     end
                     @available_filters["project_id"] = { :type => :list, :order => 1, :values => project_values} unless project_values.empty?
                   end
                 end
                 @available_filters["assigned_to_id"] = { :type => :list_optional, :order => 4, :values => user_values } unless user_values.empty?
                 @available_filters["author_id"] = { :type => :list, :order => 5, :values => user_values } unless user_values.empty?
                 group_values = Group.all.collect {|g| [g.name, g.id.to_s] }
                 @available_filters["member_of_group"] = { :type => :list_optional, :order => 6, :values => group_values } unless group_values.empty?
                 role_values = Role.givable.collect {|r| [r.name, r.id.to_s] }
                 @available_filters["assigned_to_role"] = { :type => :list_optional, :order => 7, :values => role_values } unless role_values.empty?
                 if User.current.logged?
                   @available_filters["watcher_id"] = { :type => :list, :order => 15, :values => [["<< #{l(:label_me)} >>", "me"]] }
                 end
                 if project
                   # project specific filters
                   categories = @project.issue_categories.all
                   unless categories.empty?
                     @available_filters["category_id"] = { :type => :list_optional, :order => 6, :values => categories.collect{|s| [s.name, s.id.to_s] } }
                   end
                   versions = @project.shared_versions.all
                   unless versions.empty?
                     @available_filters["fixed_version_id"] = { :type => :list_optional, :order => 7, :values => versions.sort.collect{|s| ["#{s.project.name} - #{s.name}", s.id.to_s] } }
                   end
                   unless @project.leaf?
                     subprojects = @project.descendants.visible.all
                     unless subprojects.empty?
                       @available_filters["subproject_id"] = { :type => :list_subprojects, :order => 13, :values => subprojects.collect{|s| [s.name, s.id.to_s] } }
                     end
                   end
                   add_custom_fields_filters(@project.all_issue_custom_fields)
                 else
                   # global filters for cross project issue list
                   system_shared_versions = Version.visible.find_all_by_sharing('system')
                   unless system_shared_versions.empty?
                     @available_filters["fixed_version_id"] = { :type => :list_optional, :order => 7, :values => system_shared_versions.sort.collect{|s| ["#{s.project.name} - #{s.name}", s.id.to_s] } }
                   end
                   add_custom_fields_filters(IssueCustomField.find(:all, :conditions => {:is_filter => true, :is_for_all => true}))
                 end
                 @available_filters
               end
               def add_filter(field, operator, values)
                 # values must be an array
                 return unless values and values.is_a? Array # and !values.first.empty?
                 # check if field is defined as an available filter
                 if available_filters.has_key? field
                   filter_options = available_filters[field]
                   # check if operator is allowed for that filter
                   #if @@operators_by_filter_type[filter_options[:type]].include? operator
                   #  allowed_values = values & ([""] + (filter_options[:values] || []).collect {|val| val[1]})
                   #  filters[field] = {:operator => operator, :values => allowed_values } if (allowed_values.first and !allowed_values.first.empty?) or ["o", "c", "!*", "*", "t"].include? operator
                   #end
                   filters[field] = {:operator => operator, :values => values }
                 end
               end
               def add_short_filter(field, expression)
                 return unless expression
                 parms = expression.scan(/^(o|c|!\*|!|\*)?(.*)$/).first
                 add_filter field, (parms[0] || "="), [parms[1] || ""]
               end
               # Add multiple filters using +add_filter+
               def add_filters(fields, operators, values)
                 if fields.is_a?(Array) && operators.is_a?(Hash) && values.is_a?(Hash)
                   fields.each do |field|
                     add_filter(field, operators[field], values[field])
                   end
                 end
               end
               def has_filter?(field)
                 filters and filters[field]
               end
               def operator_for(field)
                 has_filter?(field) ? filters[field][:operator] : nil
               end
               def values_for(field)
                 has_filter?(field) ? filters[field][:values] : nil
               end
               def label_for(field)
                 label = available_filters[field][:name] if available_filters.has_key?(field)
                 label ||= field.gsub(/\_id$/, "")
               end
               def available_columns
                 return @available_columns if @available_columns
                 @available_columns = Query.available_columns
                 @available_columns += (project ?
                                         project.all_issue_custom_fields :
                                         IssueCustomField.find(:all)
                                        ).collect {|cf| QueryCustomFieldColumn.new(cf) }
               end
               def self.available_columns=(v)
                 self.available_columns = (v)
               end
               def self.add_available_column(column)
                 self.available_columns << (column) if column.is_a?(QueryColumn)
               end
               # Returns an array of columns that can be used to group the results
               def groupable_columns
                 available_columns.select {|c| c.groupable}
               end
               # Returns a Hash of columns and the key for sorting
               def sortable_columns
                 {'id' => "#{Issue.table_name}.id"}.merge(available_columns.inject({}) {|h, column|
                                                            h[column.name.to_s] = column.sortable
                                                            h
                                                          })
               end
               def columns
                 if has_default_columns?
                   available_columns.select do |c|
                     # Adds the project column by default for cross-project lists
                     Setting.issue_list_default_columns.include?(c.name.to_s) || (c.name == :project && project.nil?)
                   end
                 else
                   # preserve the column_names order
                   column_names.collect {|name| available_columns.find {|col| col.name == name}}.compact
                 end
               end
               def column_names=(names)
                 if names
                   names = names.select {|n| n.is_a?(Symbol) || !n.blank? }
                   names = names.collect {|n| n.is_a?(Symbol) ? n : n.to_sym }
                   # Set column_names to nil if default columns
                   if names.map(&:to_s) == Setting.issue_list_default_columns
                     names = nil
                   end
                 end
                 write_attribute(:column_names, names)
               end
               def has_column?(column)
                 column_names && column_names.include?(column.name)
               end
               def has_default_columns?
                 column_names.nil? || column_names.empty?
               end
               def sort_criteria=(arg)
                 c = []
                 if arg.is_a?(Hash)
                   arg = arg.keys.sort.collect {|k| arg[k]}
                 end
                 c = arg.select {|k,o| !k.to_s.blank?}.slice(0,3).collect {|k,o| [k.to_s, o == 'desc' ? o : 'asc']}
                 write_attribute(:sort_criteria, c)
               end
               def sort_criteria
                 read_attribute(:sort_criteria) || []
               end
               def sort_criteria_key(arg)
                 sort_criteria && sort_criteria[arg] && sort_criteria[arg].first
               end
               def sort_criteria_order(arg)
                 sort_criteria && sort_criteria[arg] && sort_criteria[arg].last
               end
               # Returns the SQL sort order that should be prepended for grouping
               def group_by_sort_order
                 if grouped? && (column = group_by_column)
                   column.sortable.is_a?(Array) ?
                     column.sortable.collect {|s| "#{s} #{column.default_order}"}.join(',') :
                     "#{column.sortable} #{column.default_order}"
                 end
               end
               # Returns true if the query is a grouped query
               def grouped?
                 !group_by_column.nil?
               end
               def group_by_column
                 groupable_columns.detect {|c| c.groupable && c.name.to_s == group_by}
               end
               def group_by_statement
                 group_by_column.try(:groupable)
               end
               def project_statement
                 project_clauses = []
                 if project && !@project.descendants.active.empty?
                   ids = [project.id]
                   if has_filter?("subproject_id")
                     case operator_for("subproject_id")
                     when '='
                       # include the selected subprojects
                       ids += values_for("subproject_id").each(&:to_i)
                     when '!*'
                       # main project only
                     else
                       # all subprojects
                       ids += project.descendants.collect(&:id)
                     end
                   elsif Setting.display_subprojects_issues?
                     ids += project.descendants.collect(&:id)
                   end
                   project_clauses << "#{Project.table_name}.id IN (%s)" % ids.join(',')
                 elsif project
                   project_clauses << "#{Project.table_name}.id = %d" % project.id
                 end
                 project_clauses.any? ? project_clauses.join(' AND ') : nil
               end
               def statement
                 # filters clauses
                 filters_clauses = []
                 filters.each_key do |field|
                   next if field == "subproject_id"
                   v = values_for(field).clone
                   next unless v and !v.empty?
                   operator = operator_for(field)
                   # "me" value subsitution
                   if %w(assigned_to_id author_id watcher_id).include?(field)
                     v.push(User.current.logged? ? User.current.id.to_s : "0") if v.delete("me")
                   end
                   sql = ''
                   if field =~ /^cf_(\d+)$/
                     # custom field
                     db_table = CustomValue.table_name
                     db_field = 'value'
                     is_custom_filter = true
                     sql << "#{Issue.table_name}.id IN (SELECT #{Issue.table_name}.id FROM #{Issue.table_name} LEFT OUTER JOIN #{db_table} ON #{db_table}.customized_type='Issue' AND #{db_table}.customized_id=#{Issue.table_name}.id AND #{db_table}.custom_field_id=#{$1} WHERE "
                     sql << sql_for_field(field, operator, v, db_table, db_field, true) + ')'
                   elsif field == 'watcher_id'
                     db_table = Watcher.table_name
                     db_field = 'user_id'
                     sql << "#{Issue.table_name}.id #{ operator == '=' ? 'IN' : 'NOT IN' } (SELECT #{db_table}.watchable_id FROM #{db_table} WHERE #{db_table}.watchable_type='Issue' AND "
                     sql << sql_for_field(field, '=', v, db_table, db_field) + ')'
                   elsif field == "member_of_group" # named field
                     if operator == '*' # Any group
                       groups = Group.all
                       operator = '=' # Override the operator since we want to find by assigned_to
                     elsif operator == "!*"
                       groups = Group.all
                       operator = '!' # Override the operator since we want to find by assigned_to
                     else
                       groups = Group.find_all_by_id(v)
                     end
                     groups ||= []
                     members_of_groups = groups.inject([]) {|user_ids, group|
                       if group && group.user_ids.present?
                         user_ids << group.user_ids
                       end
                       user_ids.flatten.uniq.compact
                     }.sort.collect(&:to_s)
                     sql << '(' + sql_for_field("assigned_to_id", operator, members_of_groups, Issue.table_name, "assigned_to_id", false) + ')'
                   elsif field == "assigned_to_role" # named field
                     if operator == "*" # Any Role
                       roles = Role.givable
                       operator = '=' # Override the operator since we want to find by assigned_to
                     elsif operator == "!*" # No role
                       roles = Role.givable
                       operator = '!' # Override the operator since we want to find by assigned_to
                     else
                       roles = Role.givable.find_all_by_id(v)
                     end
                     roles ||= []
                     members_of_roles = roles.inject([]) {|user_ids, role|
                       if role && role.members
                         user_ids << role.members.collect(&:user_id)
                       end
                       user_ids.flatten.uniq.compact
                     }.sort.collect(&:to_s)
                     sql << '(' + sql_for_field("assigned_to_id", operator, members_of_roles, Issue.table_name, "assigned_to_id", false) + ')'
                   else
                     # regular field
                     db_table = Issue.table_name
                     db_field = field
                     sql << '(' + sql_for_field(field, operator, v, db_table, db_field) + ')'
                   end
                   filters_clauses << sql
                 end if filters and valid?
                 filters_clauses << project_statement
                 filters_clauses.reject!(&:blank?)
                 filters_clauses.any? ? filters_clauses.join(' AND ') : nil
               end
               # Returns the issue count
               def issue_count
                 Issue.count(:include => [:status, :project], :conditions => statement)
               rescue ::ActiveRecord::StatementInvalid => e
                 raise StatementInvalid.new(e.message)
               end
               # Returns the issue count by group or nil if query is not grouped
               def issue_count_by_group
                 r = nil
                 if grouped?
                   begin
                     # Rails will raise an (unexpected) RecordNotFound if there's only a nil group value
                     r = Issue.visible.count(:group => group_by_statement, :include => [:status, :project], :conditions => statement)
                   rescue ActiveRecord::RecordNotFound
                     r = {nil => issue_count}
                   end
                   c = group_by_column
                   if c.is_a?(QueryCustomFieldColumn)
                     r = r.keys.inject({}) {|h, k| h[c.custom_field.cast_value(k)] = r[k]; h}
                   end
                 end
                 r
               rescue ::ActiveRecord::StatementInvalid => e
                 raise StatementInvalid.new(e.message)
               end
               # Returns the issues
               # Valid options are :order, :offset, :limit, :include, :conditions
               def issues(options={})
                 order_option = [group_by_sort_order, options[:order]].reject {|s| s.blank?}.join(',')
                 order_option = nil if order_option.blank?
                 Issue.visible.find :all, :include => ([:status, :project] + (options[:include] || [])).uniq,
                                  :conditions => Query.merge_conditions(statement, options[:conditions]),
                                  :order => order_option,
                                  :limit  => options[:limit],
                                  :offset => options[:offset]
               rescue ::ActiveRecord::StatementInvalid => e
                 raise StatementInvalid.new(e.message)
               end
               # Returns the journals
               # Valid options are :order, :offset, :limit
               def journals(options={})
                 Journal.visible.find :all, :include => [:details, :user, {:issue => [:project, :author, :tracker, :status]}],
                                    :conditions => statement,
                                    :order => options[:order],
                                    :limit => options[:limit],
                                    :offset => options[:offset]
               rescue ::ActiveRecord::StatementInvalid => e
                 raise StatementInvalid.new(e.message)
               end
               # Returns the versions
               # Valid options are :conditions
               def versions(options={})
                 Version.visible.find :all, :include => :project,
                                    :conditions => Query.merge_conditions(project_statement, options[:conditions])
               rescue ::ActiveRecord::StatementInvalid => e
                 raise StatementInvalid.new(e.message)
               end
               private
               # Helper method to generate the WHERE sql for a +field+, +operator+ and a +value+
               def sql_for_field(field, operator, value, db_table, db_field, is_custom_filter=false)
                 sql = ''
                 case operator
                 when "="
                   if value.any?
                     sql = "#{db_table}.#{db_field} IN (" + value.collect{|val| "'#{connection.quote_string(val)}'"}.join(",") + ")"
                   else
                     # IN an empty set
                     sql = "1=0"
                   end
                 when "!"
                   if value.any?
                     sql = "(#{db_table}.#{db_field} IS NULL OR #{db_table}.#{db_field} NOT IN (" + value.collect{|val| "'#{connection.quote_string(val)}'"}.join(",") + "))"
                   else
                     # NOT IN an empty set
                     sql = "1=1"
                   end
                 when "!*"
                   sql = "#{db_table}.#{db_field} IS NULL"
                   sql << " OR #{db_table}.#{db_field} = ''" if is_custom_filter
                 when "*"
                   sql = "#{db_table}.#{db_field} IS NOT NULL"
                   sql << " AND #{db_table}.#{db_field} <> ''" if is_custom_filter
                 when ">="
                   sql = "#{db_table}.#{db_field} >= #{value.first.to_i}"
                 when "<="
                   sql = "#{db_table}.#{db_field} <= #{value.first.to_i}"
                 when "o"
                   sql = "#{IssueStatus.table_name}.is_closed=#{connection.quoted_false}" if field == "status_id"
                 when "c"
                   sql = "#{IssueStatus.table_name}.is_closed=#{connection.quoted_true}" if field == "status_id"
                 when ">t-"
                   sql = date_range_clause(db_table, db_field, - value.first.to_i, 0)
                 when "<t-"
                   sql = date_range_clause(db_table, db_field, nil, - value.first.to_i)
                 when "t-"
                   sql = date_range_clause(db_table, db_field, - value.first.to_i, - value.first.to_i)
                 when ">t+"
                   sql = date_range_clause(db_table, db_field, value.first.to_i, nil)
                 when "<t+"
                   sql = date_range_clause(db_table, db_field, 0, value.first.to_i)
                 when "t+"
                   sql = date_range_clause(db_table, db_field, value.first.to_i, value.first.to_i)
                 when "t"
                   sql = date_range_clause(db_table, db_field, 0, 0)
                 when "w"
                   first_day_of_week = l(:general_first_day_of_week).to_i
                   day_of_week = Date.today.cwday
                   days_ago = (day_of_week >= first_day_of_week ? day_of_week - first_day_of_week : day_of_week + 7 - first_day_of_week)
                   sql = date_range_clause(db_table, db_field, - days_ago, - days_ago + 6)
                 when "~"
                   sql = "LOWER(#{db_table}.#{db_field}) LIKE '%#{connection.quote_string(value.first.to_s.downcase)}%'"
                 when "!~"
                   sql = "LOWER(#{db_table}.#{db_field}) NOT LIKE '%#{connection.quote_string(value.first.to_s.downcase)}%'"
                 end
                 return sql
               end
               def add_custom_fields_filters(custom_fields)
                 @available_filters ||= {}
                 custom_fields.select(&:is_filter?).each do |field|
                   case field.field_format
                   when "text"
                     options = { :type => :text, :order => 20 }
                   when "list"
                     options = { :type => :list_optional, :values => field.possible_values, :order => 20}
                   when "date"
                     options = { :type => :date, :order => 20 }
                   when "bool"
                     options = { :type => :list, :values => [[l(:general_text_yes), "1"], [l(:general_text_no), "0"]], :order => 20 }
                   when "user", "version"
                     next unless project
                     options = { :type => :list_optional, :values => field.possible_values_options(project), :order => 20}
                   else
                     options = { :type => :string, :order => 20 }
                   end
                   @available_filters["cf_#{field.id}"] = options.merge({ :name => field.name })
                 end
               end
               # Returns a SQL clause for a date or datetime field.
               def date_range_clause(table, field, from, to)
                 s = []
                 if from
                   s << ("#{table}.#{field} > '%s'" % [connection.quoted_date((Date.yesterday + from).to_time.end_of_day)])
                 end
                 if to
                   s << ("#{table}.#{field} <= '%s'" % [connection.quoted_date((Date.today + to).to_time.end_of_day)])
                 end
                 s.join(' AND ')
               end
             end

test/functional/issues_controller_test.rb +24 -3

             # Redmine - project management software
             # Copyright (C) 2006-2011  Jean-Philippe Lang
             #
             # This program is free software; you can redistribute it and/or
             # modify it under the terms of the GNU General Public License
             # as published by the Free Software Foundation; either version 2
             # of the License, or (at your option) any later version.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU General Public License
             # along with this program; if not, write to the Free Software
             # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
             require File.expand_path('../../test_helper', __FILE__)
             require 'issues_controller'
-            # Re-raise errors caught by the controller.
-            class IssuesController; def rescue_action(e) raise e end; end
             class IssuesControllerTest < ActionController::TestCase
               fixtures :projects,
                        :users,
                        :roles,
                        :members,
                        :member_roles,
                        :issues,
                        :issue_statuses,
                        :versions,
                        :trackers,
                        :projects_trackers,
                        :issue_categories,
                        :enabled_modules,
                        :enumerations,
                        :attachments,
                        :workflows,
                        :custom_fields,
                        :custom_values,
                        :custom_fields_projects,
                        :custom_fields_trackers,
                        :time_entries,
                        :journals,
                        :journal_details,
                        :queries
               def setup
                 @controller = IssuesController.new
                 @request    = ActionController::TestRequest.new
                 @response   = ActionController::TestResponse.new
                 User.current = nil
               end
               def test_index
                 Setting.default_language = 'en'
                 get :index
                 assert_response :success
                 assert_template 'index.rhtml'
                 assert_not_nil assigns(:issues)
                 assert_nil assigns(:project)
                 assert_tag :tag => 'a', :content => /Can't print recipes/
                 assert_tag :tag => 'a', :content => /Subproject issue/
                 # private projects hidden
                 assert_no_tag :tag => 'a', :content => /Issue of a private subproject/
                 assert_no_tag :tag => 'a', :content => /Issue on project 2/
                 # project column
                 assert_tag :tag => 'th', :content => /Project/
               end
               def test_index_should_not_list_issues_when_module_disabled
                 EnabledModule.delete_all("name = 'issue_tracking' AND project_id = 1")
                 get :index
                 assert_response :success
                 assert_template 'index.rhtml'
                 assert_not_nil assigns(:issues)
                 assert_nil assigns(:project)
                 assert_no_tag :tag => 'a', :content => /Can't print recipes/
                 assert_tag :tag => 'a', :content => /Subproject issue/
               end
               def test_index_should_not_list_issues_when_module_disabled
                 EnabledModule.delete_all("name = 'issue_tracking' AND project_id = 1")
                 get :index
                 assert_response :success
                 assert_template 'index.rhtml'
                 assert_not_nil assigns(:issues)
                 assert_nil assigns(:project)
                 assert_no_tag :tag => 'a', :content => /Can't print recipes/
                 assert_tag :tag => 'a', :content => /Subproject issue/
               end
               def test_index_should_list_visible_issues_only
                 get :index, :per_page => 100
                 assert_response :success
                 assert_not_nil assigns(:issues)
                 assert_nil assigns(:issues).detect {|issue| !issue.visible?}
               end
               def test_index_with_project
                 Setting.display_subprojects_issues = 0
                 get :index, :project_id => 1
                 assert_response :success
                 assert_template 'index.rhtml'
                 assert_not_nil assigns(:issues)
                 assert_tag :tag => 'a', :content => /Can't print recipes/
                 assert_no_tag :tag => 'a', :content => /Subproject issue/
               end
               def test_index_with_project_and_subprojects
                 Setting.display_subprojects_issues = 1
                 get :index, :project_id => 1
                 assert_response :success
                 assert_template 'index.rhtml'
                 assert_not_nil assigns(:issues)
                 assert_tag :tag => 'a', :content => /Can't print recipes/
                 assert_tag :tag => 'a', :content => /Subproject issue/
                 assert_no_tag :tag => 'a', :content => /Issue of a private subproject/
               end
               def test_index_with_project_and_subprojects_should_show_private_subprojects
                 @request.session[:user_id] = 2
                 Setting.display_subprojects_issues = 1
                 get :index, :project_id => 1
                 assert_response :success
                 assert_template 'index.rhtml'
                 assert_not_nil assigns(:issues)
                 assert_tag :tag => 'a', :content => /Can't print recipes/
                 assert_tag :tag => 'a', :content => /Subproject issue/
                 assert_tag :tag => 'a', :content => /Issue of a private subproject/
               end
               def test_index_with_project_and_default_filter
                 get :index, :project_id => 1, :set_filter => 1
                 assert_response :success
                 assert_template 'index.rhtml'
                 assert_not_nil assigns(:issues)
                 query = assigns(:query)
                 assert_not_nil query
                 # default filter
                 assert_equal({'status_id' => {:operator => 'o', :values => ['']}}, query.filters)
               end
               def test_index_with_project_and_filter
                 get :index, :project_id => 1, :set_filter => 1,
                   :f => ['tracker_id'],
                   :op => {'tracker_id' => '='},
                   :v => {'tracker_id' => ['1']}
                 assert_response :success
                 assert_template 'index.rhtml'
                 assert_not_nil assigns(:issues)
                 query = assigns(:query)
                 assert_not_nil query
                 assert_equal({'tracker_id' => {:operator => '=', :values => ['1']}}, query.filters)
               end
               def test_index_with_project_and_empty_filters
                 get :index, :project_id => 1, :set_filter => 1, :fields => ['']
                 assert_response :success
                 assert_template 'index.rhtml'
                 assert_not_nil assigns(:issues)
                 query = assigns(:query)
                 assert_not_nil query
                 # no filter
                 assert_equal({}, query.filters)
               end
               def test_index_with_query
                 get :index, :project_id => 1, :query_id => 5
                 assert_response :success
                 assert_template 'index.rhtml'
                 assert_not_nil assigns(:issues)
                 assert_nil assigns(:issue_count_by_group)
               end
               def test_index_with_query_grouped_by_tracker
                 get :index, :project_id => 1, :query_id => 6
                 assert_response :success
                 assert_template 'index.rhtml'
                 assert_not_nil assigns(:issues)
                 assert_not_nil assigns(:issue_count_by_group)
               end
               def test_index_with_query_grouped_by_list_custom_field
                 get :index, :project_id => 1, :query_id => 9
                 assert_response :success
                 assert_template 'index.rhtml'
                 assert_not_nil assigns(:issues)
                 assert_not_nil assigns(:issue_count_by_group)
               end
+              def test_private_query_should_not_be_available_to_other_users
+                q = Query.create!(:name => "private", :user => User.find(2), :is_public => false, :project => nil)
+                @request.session[:user_id] = 3
+                get :index, :query_id => q.id
+                assert_response 403
+              end
+              def test_private_query_should_be_available_to_its_user
+                q = Query.create!(:name => "private", :user => User.find(2), :is_public => false, :project => nil)
+                @request.session[:user_id] = 2
+                get :index, :query_id => q.id
+                assert_response :success
+              end
+              def test_public_query_should_be_available_to_other_users
+                q = Query.create!(:name => "private", :user => User.find(2), :is_public => true, :project => nil)
+                @request.session[:user_id] = 3
+                get :index, :query_id => q.id
+                assert_response :success
+              end
               def test_index_sort_by_field_not_included_in_columns
                 Setting.issue_list_default_columns = %w(subject author)
                 get :index, :sort => 'tracker'
               end
               def test_index_csv_with_project
                 Setting.default_language = 'en'
                 get :index, :format => 'csv'
                 assert_response :success
                 assert_not_nil assigns(:issues)
                 assert_equal 'text/csv', @response.content_type
                 assert @response.body.starts_with?("#,")
                 get :index, :project_id => 1, :format => 'csv'
                 assert_response :success
                 assert_not_nil assigns(:issues)
                 assert_equal 'text/csv', @response.content_type
               end
               def test_index_pdf
                 get :index, :format => 'pdf'
                 assert_response :success
                 assert_not_nil assigns(:issues)
                 assert_equal 'application/pdf', @response.content_type
                 get :index, :project_id => 1, :format => 'pdf'
                 assert_response :success
                 assert_not_nil assigns(:issues)
                 assert_equal 'application/pdf', @response.content_type
                 get :index, :project_id => 1, :query_id => 6, :format => 'pdf'
                 assert_response :success
                 assert_not_nil assigns(:issues)
                 assert_equal 'application/pdf', @response.content_type
               end
               def test_index_pdf_with_query_grouped_by_list_custom_field
                 get :index, :project_id => 1, :query_id => 9, :format => 'pdf'
                 assert_response :success
                 assert_not_nil assigns(:issues)
                 assert_not_nil assigns(:issue_count_by_group)
                 assert_equal 'application/pdf', @response.content_type
               end
               def test_index_sort
                 get :index, :sort => 'tracker,id:desc'
                 assert_response :success
                 sort_params = @request.session['issues_index_sort']
                 assert sort_params.is_a?(String)
                 assert_equal 'tracker,id:desc', sort_params
                 issues = assigns(:issues)
                 assert_not_nil issues
                 assert !issues.empty?
                 assert_equal issues.sort {|a,b| a.tracker == b.tracker ? b.id <=> a.id : a.tracker <=> b.tracker }.collect(&:id), issues.collect(&:id)
               end
               def test_index_with_columns
                 columns = ['tracker', 'subject', 'assigned_to']
                 get :index, :set_filter => 1, :c => columns
                 assert_response :success
                 # query should use specified columns
                 query = assigns(:query)
                 assert_kind_of Query, query
                 assert_equal columns, query.column_names.map(&:to_s)
                 # columns should be stored in session
                 assert_kind_of Hash, session[:query]
                 assert_kind_of Array, session[:query][:column_names]
                 assert_equal columns, session[:query][:column_names].map(&:to_s)
                 # ensure only these columns are kept in the selected columns list
                 assert_tag :tag => 'select', :attributes => { :id => 'selected_columns' },
                                              :children => { :count => 3 }
                 assert_no_tag :tag => 'option', :attributes => { :value => 'project' },
                                                 :parent => { :tag => 'select', :attributes => { :id => "selected_columns" } }
               end
               def test_index_with_custom_field_column
                 columns = %w(tracker subject cf_2)
                 get :index, :set_filter => 1, :c => columns
                 assert_response :success
                 # query should use specified columns
                 query = assigns(:query)
                 assert_kind_of Query, query
                 assert_equal columns, query.column_names.map(&:to_s)
                 assert_tag :td,
                   :attributes => {:class => 'cf_2 string'},
                   :ancestor => {:tag => 'table', :attributes => {:class => /issues/}}
               end
               def test_show_by_anonymous
                 get :show, :id => 1
                 assert_response :success
                 assert_template 'show.rhtml'
                 assert_not_nil assigns(:issue)
                 assert_equal Issue.find(1), assigns(:issue)
                 # anonymous role is allowed to add a note
                 assert_tag :tag => 'form',
                            :descendant => { :tag => 'fieldset',
                                             :child => { :tag => 'legend',
                                                         :content => /Notes/ } }
               end
               def test_show_by_manager
                 @request.session[:user_id] = 2
                 get :show, :id => 1
                 assert_response :success
                 assert_tag :tag => 'a',
                   :content => /Quote/
                 assert_tag :tag => 'form',
                            :descendant => { :tag => 'fieldset',
                                             :child => { :tag => 'legend',
                                                         :content => /Change properties/ } },
                            :descendant => { :tag => 'fieldset',
                                             :child => { :tag => 'legend',
                                                         :content => /Log time/ } },
                            :descendant => { :tag => 'fieldset',
                                             :child => { :tag => 'legend',
                                                         :content => /Notes/ } }
               end
               def test_update_form_should_not_display_inactive_enumerations
                 @request.session[:user_id] = 2
                 get :show, :id => 1
                 assert_response :success
                 assert ! IssuePriority.find(15).active?
                 assert_no_tag :option, :attributes => {:value => '15'},
                                        :parent => {:tag => 'select', :attributes => {:id => 'issue_priority_id'} }
               end
               def test_show_should_deny_anonymous_access_without_permission
                 Role.anonymous.remove_permission!(:view_issues)
                 get :show, :id => 1
                 assert_response :redirect
               end
               def test_show_should_deny_anonymous_access_to_private_issue
                 Issue.update_all(["is_private = ?", true], "id = 1")
                 get :show, :id => 1
                 assert_response :redirect
               end
               def test_show_should_deny_non_member_access_without_permission
                 Role.non_member.remove_permission!(:view_issues)
                 @request.session[:user_id] = 9
                 get :show, :id => 1
                 assert_response 403
               end
               def test_show_should_deny_non_member_access_to_private_issue
                 Issue.update_all(["is_private = ?", true], "id = 1")
                 @request.session[:user_id] = 9
                 get :show, :id => 1
                 assert_response 403
               end
               def test_show_should_deny_member_access_without_permission
                 Role.find(1).remove_permission!(:view_issues)
                 @request.session[:user_id] = 2
                 get :show, :id => 1
                 assert_response 403
               end
               def test_show_should_deny_member_access_to_private_issue_without_permission
                 Issue.update_all(["is_private = ?", true], "id = 1")
                 @request.session[:user_id] = 3
                 get :show, :id => 1
                 assert_response 403
               end
               def test_show_should_allow_author_access_to_private_issue
                 Issue.update_all(["is_private = ?, author_id = 3", true], "id = 1")
                 @request.session[:user_id] = 3
                 get :show, :id => 1
                 assert_response :success
               end
               def test_show_should_allow_assignee_access_to_private_issue
                 Issue.update_all(["is_private = ?, assigned_to_id = 3", true], "id = 1")
                 @request.session[:user_id] = 3
                 get :show, :id => 1
                 assert_response :success
               end
               def test_show_should_allow_member_access_to_private_issue_with_permission
                 Issue.update_all(["is_private = ?", true], "id = 1")
                 User.find(3).roles_for_project(Project.find(1)).first.update_attribute :issues_visibility, 'all'
                 @request.session[:user_id] = 3
                 get :show, :id => 1
                 assert_response :success
               end
               def test_show_should_not_disclose_relations_to_invisible_issues
                 Setting.cross_project_issue_relations = '1'
                 IssueRelation.create!(:issue_from => Issue.find(1), :issue_to => Issue.find(2), :relation_type => 'relates')
                 # Relation to a private project issue
                 IssueRelation.create!(:issue_from => Issue.find(1), :issue_to => Issue.find(4), :relation_type => 'relates')
                 get :show, :id => 1
                 assert_response :success
                 assert_tag :div, :attributes => { :id => 'relations' },
                                  :descendant => { :tag => 'a', :content => /#2$/ }
                 assert_no_tag :div, :attributes => { :id => 'relations' },
                                     :descendant => { :tag => 'a', :content => /#4$/ }
               end
               def test_show_atom
                 get :show, :id => 2, :format => 'atom'
                 assert_response :success
                 assert_template 'journals/index.rxml'
                 # Inline image
                 assert_select 'content', :text => Regexp.new(Regexp.quote('http://test.host/attachments/download/10'))
               end
               def test_show_export_to_pdf
                 get :show, :id => 3, :format => 'pdf'
                 assert_response :success
                 assert_equal 'application/pdf', @response.content_type
                 assert @response.body.starts_with?('%PDF')
                 assert_not_nil assigns(:issue)
               end
               def test_get_new
                 @request.session[:user_id] = 2
                 get :new, :project_id => 1, :tracker_id => 1
                 assert_response :success
                 assert_template 'new'
                 assert_tag :tag => 'input', :attributes => { :name => 'issue[custom_field_values][2]',
                                                              :value => 'Default string' }
                 # Be sure we don't display inactive IssuePriorities
                 assert ! IssuePriority.find(15).active?
                 assert_no_tag :option, :attributes => {:value => '15'},
                                        :parent => {:tag => 'select', :attributes => {:id => 'issue_priority_id'} }
               end
               def test_get_new_without_tracker_id
                 @request.session[:user_id] = 2
                 get :new, :project_id => 1
                 assert_response :success
                 assert_template 'new'
                 issue = assigns(:issue)
                 assert_not_nil issue
                 assert_equal Project.find(1).trackers.first, issue.tracker
               end
               def test_get_new_with_no_default_status_should_display_an_error
                 @request.session[:user_id] = 2
                 IssueStatus.delete_all
                 get :new, :project_id => 1
                 assert_response 500
                 assert_error_tag :content => /No default issue/
               end
               def test_get_new_with_no_tracker_should_display_an_error
                 @request.session[:user_id] = 2
                 Tracker.delete_all
                 get :new, :project_id => 1
                 assert_response 500
                 assert_error_tag :content => /No tracker/
               end
               def test_update_new_form
                 @request.session[:user_id] = 2
                 xhr :post, :new, :project_id => 1,
                                  :issue => {:tracker_id => 2,
                                             :subject => 'This is the test_new issue',
                                             :description => 'This is the description',
                                             :priority_id => 5}
                 assert_response :success
                 assert_template 'attributes'
                 issue = assigns(:issue)
                 assert_kind_of Issue, issue
                 assert_equal 1, issue.project_id
                 assert_equal 2, issue.tracker_id
                 assert_equal 'This is the test_new issue', issue.subject
               end
               def test_post_create
                 @request.session[:user_id] = 2
                 assert_difference 'Issue.count' do
                   post :create, :project_id => 1,
                              :issue => {:tracker_id => 3,
                                         :status_id => 2,
                                         :subject => 'This is the test_new issue',
                                         :description => 'This is the description',
                                         :priority_id => 5,
                                         :start_date => '2010-11-07',
                                         :estimated_hours => '',
                                         :custom_field_values => {'2' => 'Value for field 2'}}
                 end
                 assert_redirected_to :controller => 'issues', :action => 'show', :id => Issue.last.id
                 issue = Issue.find_by_subject('This is the test_new issue')
                 assert_not_nil issue
                 assert_equal 2, issue.author_id
                 assert_equal 3, issue.tracker_id
                 assert_equal 2, issue.status_id
                 assert_equal Date.parse('2010-11-07'), issue.start_date
                 assert_nil issue.estimated_hours
                 v = issue.custom_values.find(:first, :conditions => {:custom_field_id => 2})
                 assert_not_nil v
                 assert_equal 'Value for field 2', v.value
               end
               def test_post_create_without_start_date
                 @request.session[:user_id] = 2
                 assert_difference 'Issue.count' do
                   post :create, :project_id => 1,
                              :issue => {:tracker_id => 3,
                                         :status_id => 2,
                                         :subject => 'This is the test_new issue',
                                         :description => 'This is the description',
                                         :priority_id => 5,
                                         :start_date => '',
                                         :estimated_hours => '',
                                         :custom_field_values => {'2' => 'Value for field 2'}}
                 end
                 assert_redirected_to :controller => 'issues', :action => 'show', :id => Issue.last.id
                 issue = Issue.find_by_subject('This is the test_new issue')
                 assert_not_nil issue
                 assert_nil issue.start_date
               end
               def test_post_create_and_continue
                 @request.session[:user_id] = 2
                 post :create, :project_id => 1,
                            :issue => {:tracker_id => 3,
                                       :subject => 'This is first issue',
                                       :priority_id => 5},
                            :continue => ''
                 assert_redirected_to :controller => 'issues', :action => 'new', :project_id => 'ecookbook',
                                      :issue => {:tracker_id => 3}
               end
               def test_post_create_without_custom_fields_param
                 @request.session[:user_id] = 2
                 assert_difference 'Issue.count' do
                   post :create, :project_id => 1,
                              :issue => {:tracker_id => 1,
                                         :subject => 'This is the test_new issue',
                                         :description => 'This is the description',
                                         :priority_id => 5}
                 end
                 assert_redirected_to :controller => 'issues', :action => 'show', :id => Issue.last.id
               end
               def test_post_create_with_required_custom_field_and_without_custom_fields_param
                 field = IssueCustomField.find_by_name('Database')
                 field.update_attribute(:is_required, true)
                 @request.session[:user_id] = 2
                 post :create, :project_id => 1,
                            :issue => {:tracker_id => 1,
                                       :subject => 'This is the test_new issue',
                                       :description => 'This is the description',
                                       :priority_id => 5}
                 assert_response :success
                 assert_template 'new'
                 issue = assigns(:issue)
                 assert_not_nil issue
                 assert_equal I18n.translate('activerecord.errors.messages.invalid'), issue.errors.on(:custom_values)
               end
               def test_post_create_with_watchers
                 @request.session[:user_id] = 2
                 ActionMailer::Base.deliveries.clear
                 assert_difference 'Watcher.count', 2 do
                   post :create, :project_id => 1,
                              :issue => {:tracker_id => 1,
                                         :subject => 'This is a new issue with watchers',
                                         :description => 'This is the description',
                                         :priority_id => 5,
                                         :watcher_user_ids => ['2', '3']}
                 end
                 issue = Issue.find_by_subject('This is a new issue with watchers')
                 assert_not_nil issue
                 assert_redirected_to :controller => 'issues', :action => 'show', :id => issue
                 # Watchers added
                 assert_equal [2, 3], issue.watcher_user_ids.sort
                 assert issue.watched_by?(User.find(3))
                 # Watchers notified
                 mail = ActionMailer::Base.deliveries.last
                 assert_kind_of TMail::Mail, mail
                 assert [mail.bcc, mail.cc].flatten.include?(User.find(3).mail)
               end
               def test_post_create_subissue
                 @request.session[:user_id] = 2
                 assert_difference 'Issue.count' do
                   post :create, :project_id => 1,
                              :issue => {:tracker_id => 1,
                                         :subject => 'This is a child issue',
                                         :parent_issue_id => 2}
                 end
                 issue = Issue.find_by_subject('This is a child issue')
                 assert_not_nil issue
                 assert_equal Issue.find(2), issue.parent
               end
               def test_post_create_subissue_with_non_numeric_parent_id
                 @request.session[:user_id] = 2
                 assert_difference 'Issue.count' do
                   post :create, :project_id => 1,
                              :issue => {:tracker_id => 1,
                                         :subject => 'This is a child issue',
                                         :parent_issue_id => 'ABC'}
                 end
                 issue = Issue.find_by_subject('This is a child issue')
                 assert_not_nil issue
                 assert_nil issue.parent
               end
               def test_post_create_private
                 @request.session[:user_id] = 2
                 assert_difference 'Issue.count' do
                   post :create, :project_id => 1,
                              :issue => {:tracker_id => 1,
                                         :subject => 'This is a private issue',
                                         :is_private => '1'}
                 end
                 issue = Issue.first(:order => 'id DESC')
                 assert issue.is_private?
               end
               def test_post_create_private_with_set_own_issues_private_permission
                 role = Role.find(1)
                 role.remove_permission! :set_issues_private
                 role.add_permission! :set_own_issues_private
                 @request.session[:user_id] = 2
                 assert_difference 'Issue.count' do
                   post :create, :project_id => 1,
                              :issue => {:tracker_id => 1,
                                         :subject => 'This is a private issue',
                                         :is_private => '1'}
                 end
                 issue = Issue.first(:order => 'id DESC')
                 assert issue.is_private?
               end
               def test_post_create_should_send_a_notification
                 ActionMailer::Base.deliveries.clear
                 @request.session[:user_id] = 2
                 assert_difference 'Issue.count' do
                   post :create, :project_id => 1,
                              :issue => {:tracker_id => 3,
                                         :subject => 'This is the test_new issue',
                                         :description => 'This is the description',
                                         :priority_id => 5,
                                         :estimated_hours => '',
                                         :custom_field_values => {'2' => 'Value for field 2'}}
                 end
                 assert_redirected_to :controller => 'issues', :action => 'show', :id => Issue.last.id
                 assert_equal 1, ActionMailer::Base.deliveries.size
               end
               def test_post_create_should_preserve_fields_values_on_validation_failure
                 @request.session[:user_id] = 2
                 post :create, :project_id => 1,
                            :issue => {:tracker_id => 1,
                                       # empty subject
                                       :subject => '',
                                       :description => 'This is a description',
                                       :priority_id => 6,
                                       :custom_field_values => {'1' => 'Oracle', '2' => 'Value for field 2'}}
                 assert_response :success
                 assert_template 'new'
                 assert_tag :textarea, :attributes => { :name => 'issue[description]' },
                                       :content => 'This is a description'
                 assert_tag :select, :attributes => { :name => 'issue[priority_id]' },
                                     :child => { :tag => 'option', :attributes => { :selected => 'selected',
                                                                                    :value => '6' },
                                                                   :content => 'High' }
                 # Custom fields
                 assert_tag :select, :attributes => { :name => 'issue[custom_field_values][1]' },
                                     :child => { :tag => 'option', :attributes => { :selected => 'selected',
                                                                                    :value => 'Oracle' },
                                                                   :content => 'Oracle' }
                 assert_tag :input, :attributes => { :name => 'issue[custom_field_values][2]',
                                                     :value => 'Value for field 2'}
               end
               def test_post_create_should_ignore_non_safe_attributes
                 @request.session[:user_id] = 2
                 assert_nothing_raised do
                   post :create, :project_id => 1, :issue => { :tracker => "A param can not be a Tracker" }
                 end
               end
               context "without workflow privilege" do
                 setup do
                   Workflow.delete_all(["role_id = ?", Role.anonymous.id])
                   Role.anonymous.add_permission! :add_issues, :add_issue_notes
                 end
                 context "#new" do
                   should "propose default status only" do
                     get :new, :project_id => 1
                     assert_response :success
                     assert_template 'new'
                     assert_tag :tag => 'select',
                       :attributes => {:name => 'issue[status_id]'},
                       :children => {:count => 1},
                       :child => {:tag => 'option', :attributes => {:value => IssueStatus.default.id.to_s}}
                   end
                   should "accept default status" do
                     assert_difference 'Issue.count' do
                       post :create, :project_id => 1,
                                  :issue => {:tracker_id => 1,
                                             :subject => 'This is an issue',
                                             :status_id => 1}
                     end
                     issue = Issue.last(:order => 'id')
                     assert_equal IssueStatus.default, issue.status
                   end
                   should "ignore unauthorized status" do
                     assert_difference 'Issue.count' do
                       post :create, :project_id => 1,
                                  :issue => {:tracker_id => 1,
                                             :subject => 'This is an issue',
                                             :status_id => 3}
                     end
                     issue = Issue.last(:order => 'id')
                     assert_equal IssueStatus.default, issue.status
                   end
                 end
                 context "#update" do
                   should "ignore status change" do
                     assert_difference 'Journal.count' do
                       put :update, :id => 1, :notes => 'just trying', :issue => {:status_id => 3}
                     end
                     assert_equal 1, Issue.find(1).status_id
                   end
                   should "ignore attributes changes" do
                     assert_difference 'Journal.count' do
                       put :update, :id => 1, :notes => 'just trying', :issue => {:subject => 'changed', :assigned_to_id => 2}
                     end
                     issue = Issue.find(1)
                     assert_equal "Can't print recipes", issue.subject
                     assert_nil issue.assigned_to
                   end
                 end
               end
               context "with workflow privilege" do
                 setup do
                   Workflow.delete_all(["role_id = ?", Role.anonymous.id])
                   Workflow.create!(:role => Role.anonymous, :tracker_id => 1, :old_status_id => 1, :new_status_id => 3)
                   Workflow.create!(:role => Role.anonymous, :tracker_id => 1, :old_status_id => 1, :new_status_id => 4)
                   Role.anonymous.add_permission! :add_issues, :add_issue_notes
                 end
                 context "#update" do
                   should "accept authorized status" do
                     assert_difference 'Journal.count' do
                       put :update, :id => 1, :notes => 'just trying', :issue => {:status_id => 3}
                     end
                     assert_equal 3, Issue.find(1).status_id
                   end
                   should "ignore unauthorized status" do
                     assert_difference 'Journal.count' do
                       put :update, :id => 1, :notes => 'just trying', :issue => {:status_id => 2}
                     end
                     assert_equal 1, Issue.find(1).status_id
                   end
                   should "accept authorized attributes changes" do
                     assert_difference 'Journal.count' do
                       put :update, :id => 1, :notes => 'just trying', :issue => {:assigned_to_id => 2}
                     end
                     issue = Issue.find(1)
                     assert_equal 2, issue.assigned_to_id
                   end
                   should "ignore unauthorized attributes changes" do
                     assert_difference 'Journal.count' do
                       put :update, :id => 1, :notes => 'just trying', :issue => {:subject => 'changed'}
                     end
                     issue = Issue.find(1)
                     assert_equal "Can't print recipes", issue.subject
                   end
                 end
                 context "and :edit_issues permission" do
                   setup do
                     Role.anonymous.add_permission! :add_issues, :edit_issues
                   end
                   should "accept authorized status" do
                     assert_difference 'Journal.count' do
                       put :update, :id => 1, :notes => 'just trying', :issue => {:status_id => 3}
                     end
                     assert_equal 3, Issue.find(1).status_id
                   end
                   should "ignore unauthorized status" do
                     assert_difference 'Journal.count' do
                       put :update, :id => 1, :notes => 'just trying', :issue => {:status_id => 2}
                     end
                     assert_equal 1, Issue.find(1).status_id
                   end
                   should "accept authorized attributes changes" do
                     assert_difference 'Journal.count' do
                       put :update, :id => 1, :notes => 'just trying', :issue => {:subject => 'changed', :assigned_to_id => 2}
                     end
                     issue = Issue.find(1)
                     assert_equal "changed", issue.subject
                     assert_equal 2, issue.assigned_to_id
                   end
                 end
               end
               def test_copy_issue
                 @request.session[:user_id] = 2
                 get :new, :project_id => 1, :copy_from => 1
                 assert_template 'new'
                 assert_not_nil assigns(:issue)
                 orig = Issue.find(1)
                 assert_equal orig.subject, assigns(:issue).subject
               end
               def test_get_edit
                 @request.session[:user_id] = 2
                 get :edit, :id => 1
                 assert_response :success
                 assert_template 'edit'
                 assert_not_nil assigns(:issue)
                 assert_equal Issue.find(1), assigns(:issue)
                 # Be sure we don't display inactive IssuePriorities
                 assert ! IssuePriority.find(15).active?
                 assert_no_tag :option, :attributes => {:value => '15'},
                                        :parent => {:tag => 'select', :attributes => {:id => 'issue_priority_id'} }
               end
               def test_get_edit_with_params
                 @request.session[:user_id] = 2
                 get :edit, :id => 1, :issue => { :status_id => 5, :priority_id => 7 },
                     :time_entry => { :hours => '2.5', :comments => 'test_get_edit_with_params', :activity_id => TimeEntryActivity.first.id }
                 assert_response :success
                 assert_template 'edit'
                 issue = assigns(:issue)
                 assert_not_nil issue
                 assert_equal 5, issue.status_id
                 assert_tag :select, :attributes => { :name => 'issue[status_id]' },
                                     :child => { :tag => 'option',
                                                 :content => 'Closed',
                                                 :attributes => { :selected => 'selected' } }
                 assert_equal 7, issue.priority_id
                 assert_tag :select, :attributes => { :name => 'issue[priority_id]' },
                                     :child => { :tag => 'option',
                                                 :content => 'Urgent',
                                                 :attributes => { :selected => 'selected' } }
                 assert_tag :input, :attributes => { :name => 'time_entry[hours]', :value => '2.5' }
                 assert_tag :select, :attributes => { :name => 'time_entry[activity_id]' },
                                     :child => { :tag => 'option',
                                                 :attributes => { :selected => 'selected', :value => TimeEntryActivity.first.id } }
                 assert_tag :input, :attributes => { :name => 'time_entry[comments]', :value => 'test_get_edit_with_params' }
               end
               def test_update_edit_form
                 @request.session[:user_id] = 2
                 xhr :post, :new, :project_id => 1,
                                          :id => 1,
                                          :issue => {:tracker_id => 2,
                                                     :subject => 'This is the test_new issue',
                                                     :description => 'This is the description',
                                                     :priority_id => 5}
                 assert_response :success
                 assert_template 'attributes'
                 issue = assigns(:issue)
                 assert_kind_of Issue, issue
                 assert_equal 1, issue.id
                 assert_equal 1, issue.project_id
                 assert_equal 2, issue.tracker_id
                 assert_equal 'This is the test_new issue', issue.subject
               end
               def test_update_using_invalid_http_verbs
                 @request.session[:user_id] = 2
                 subject = 'Updated by an invalid http verb'
                 get :update, :id => 1, :issue => {:subject => subject}
                 assert_not_equal subject, Issue.find(1).subject
                 post :update, :id => 1, :issue => {:subject => subject}
                 assert_not_equal subject, Issue.find(1).subject
                 delete :update, :id => 1, :issue => {:subject => subject}
                 assert_not_equal subject, Issue.find(1).subject
               end
               def test_put_update_without_custom_fields_param
                 @request.session[:user_id] = 2
                 ActionMailer::Base.deliveries.clear
                 issue = Issue.find(1)
                 assert_equal '125', issue.custom_value_for(2).value
                 old_subject = issue.subject
                 new_subject = 'Subject modified by IssuesControllerTest#test_post_edit'
                 assert_difference('Journal.count') do
                   assert_difference('JournalDetail.count', 2) do
                     put :update, :id => 1, :issue => {:subject => new_subject,
                                                      :priority_id => '6',
                                                      :category_id => '1' # no change
                                                     }
                   end
                 end
                 assert_redirected_to :action => 'show', :id => '1'
                 issue.reload
                 assert_equal new_subject, issue.subject
                 # Make sure custom fields were not cleared
                 assert_equal '125', issue.custom_value_for(2).value
                 mail = ActionMailer::Base.deliveries.last
                 assert_kind_of TMail::Mail, mail
                 assert mail.subject.starts_with?("[#{issue.project.name} - #{issue.tracker.name} ##{issue.id}]")
                 assert mail.body.include?("Subject changed from #{old_subject} to #{new_subject}")
               end
               def test_put_update_with_custom_field_change
                 @request.session[:user_id] = 2
                 issue = Issue.find(1)
                 assert_equal '125', issue.custom_value_for(2).value
                 assert_difference('Journal.count') do
                   assert_difference('JournalDetail.count', 3) do
                     put :update, :id => 1, :issue => {:subject => 'Custom field change',
                                                      :priority_id => '6',
                                                      :category_id => '1', # no change
                                                      :custom_field_values => { '2' => 'New custom value' }
                                                     }
                   end
                 end
                 assert_redirected_to :action => 'show', :id => '1'
                 issue.reload
                 assert_equal 'New custom value', issue.custom_value_for(2).value
                 mail = ActionMailer::Base.deliveries.last
                 assert_kind_of TMail::Mail, mail
                 assert mail.body.include?("Searchable field changed from 125 to New custom value")
               end
               def test_put_update_with_status_and_assignee_change
                 issue = Issue.find(1)
                 assert_equal 1, issue.status_id
                 @request.session[:user_id] = 2
                 assert_difference('TimeEntry.count', 0) do
                   put :update,
                        :id => 1,
                        :issue => { :status_id => 2, :assigned_to_id => 3 },
                        :notes => 'Assigned to dlopper',
                        :time_entry => { :hours => '', :comments => '', :activity_id => TimeEntryActivity.first }
                 end
                 assert_redirected_to :action => 'show', :id => '1'
                 issue.reload
                 assert_equal 2, issue.status_id
                 j = Journal.find(:first, :order => 'id DESC')
                 assert_equal 'Assigned to dlopper', j.notes
                 assert_equal 2, j.details.size
                 mail = ActionMailer::Base.deliveries.last
                 assert mail.body.include?("Status changed from New to Assigned")
                 # subject should contain the new status
                 assert mail.subject.include?("(#{ IssueStatus.find(2).name })")
               end
               def test_put_update_with_note_only
                 notes = 'Note added by IssuesControllerTest#test_update_with_note_only'
                 # anonymous user
                 put :update,
                      :id => 1,
                      :notes => notes
                 assert_redirected_to :action => 'show', :id => '1'
                 j = Journal.find(:first, :order => 'id DESC')
                 assert_equal notes, j.notes
                 assert_equal 0, j.details.size
                 assert_equal User.anonymous, j.user
                 mail = ActionMailer::Base.deliveries.last
                 assert mail.body.include?(notes)
               end
               def test_put_update_with_note_and_spent_time
                 @request.session[:user_id] = 2
                 spent_hours_before = Issue.find(1).spent_hours
                 assert_difference('TimeEntry.count') do
                   put :update,
                        :id => 1,
                        :notes => '2.5 hours added',
                        :time_entry => { :hours => '2.5', :comments => 'test_put_update_with_note_and_spent_time', :activity_id => TimeEntryActivity.first.id }
                 end
                 assert_redirected_to :action => 'show', :id => '1'
                 issue = Issue.find(1)
                 j = Journal.find(:first, :order => 'id DESC')
                 assert_equal '2.5 hours added', j.notes
                 assert_equal 0, j.details.size
                 t = issue.time_entries.find_by_comments('test_put_update_with_note_and_spent_time')
                 assert_not_nil t
                 assert_equal 2.5, t.hours
                 assert_equal spent_hours_before + 2.5, issue.spent_hours
               end
               def test_put_update_with_attachment_only
                 set_tmp_attachments_directory
                 # Delete all fixtured journals, a race condition can occur causing the wrong
                 # journal to get fetched in the next find.
                 Journal.delete_all
                 # anonymous user
                 put :update,
                      :id => 1,
                      :notes => '',
                      :attachments => {'1' => {'file' => uploaded_test_file('testfile.txt', 'text/plain')}}
                 assert_redirected_to :action => 'show', :id => '1'
                 j = Issue.find(1).journals.find(:first, :order => 'id DESC')
                 assert j.notes.blank?
                 assert_equal 1, j.details.size
                 assert_equal 'testfile.txt', j.details.first.value
                 assert_equal User.anonymous, j.user
                 mail = ActionMailer::Base.deliveries.last
                 assert mail.body.include?('testfile.txt')
               end
               def test_put_update_with_attachment_that_fails_to_save
                 set_tmp_attachments_directory
                 # Delete all fixtured journals, a race condition can occur causing the wrong
                 # journal to get fetched in the next find.
                 Journal.delete_all
                 # Mock out the unsaved attachment
                 Attachment.any_instance.stubs(:create).returns(Attachment.new)
                 # anonymous user
                 put :update,
                      :id => 1,
                      :notes => '',
                      :attachments => {'1' => {'file' => uploaded_test_file('testfile.txt', 'text/plain')}}
                 assert_redirected_to :action => 'show', :id => '1'
                 assert_equal '1 file(s) could not be saved.', flash[:warning]
               end if Object.const_defined?(:Mocha)
               def test_put_update_with_no_change
                 issue = Issue.find(1)
                 issue.journals.clear
                 ActionMailer::Base.deliveries.clear
                 put :update,
                      :id => 1,
                      :notes => ''
                 assert_redirected_to :action => 'show', :id => '1'
                 issue.reload
                 assert issue.journals.empty?
                 # No email should be sent
                 assert ActionMailer::Base.deliveries.empty?
               end
               def test_put_update_should_send_a_notification
                 @request.session[:user_id] = 2
                 ActionMailer::Base.deliveries.clear
                 issue = Issue.find(1)
                 old_subject = issue.subject
                 new_subject = 'Subject modified by IssuesControllerTest#test_post_edit'
                 put :update, :id => 1, :issue => {:subject => new_subject,
                                                  :priority_id => '6',
                                                  :category_id => '1' # no change
                                                 }
                 assert_equal 1, ActionMailer::Base.deliveries.size
               end
               def test_put_update_with_invalid_spent_time_hours_only
                 @request.session[:user_id] = 2
                 notes = 'Note added by IssuesControllerTest#test_post_edit_with_invalid_spent_time'
                 assert_no_difference('Journal.count') do
                   put :update,
                        :id => 1,
                        :notes => notes,
                        :time_entry => {"comments"=>"", "activity_id"=>"", "hours"=>"2z"}
                 end
                 assert_response :success
                 assert_template 'edit'
                 assert_error_tag :descendant => {:content => /Activity can't be blank/}
                 assert_tag :textarea, :attributes => { :name => 'notes' }, :content => notes
                 assert_tag :input, :attributes => { :name => 'time_entry[hours]', :value => "2z" }
               end
               def test_put_update_with_invalid_spent_time_comments_only
                 @request.session[:user_id] = 2
                 notes = 'Note added by IssuesControllerTest#test_post_edit_with_invalid_spent_time'
                 assert_no_difference('Journal.count') do
                   put :update,
                        :id => 1,
                        :notes => notes,
                        :time_entry => {"comments"=>"this is my comment", "activity_id"=>"", "hours"=>""}
                 end
                 assert_response :success
                 assert_template 'edit'
                 assert_error_tag :descendant => {:content => /Activity can't be blank/}
                 assert_error_tag :descendant => {:content => /Hours can't be blank/}
                 assert_tag :textarea, :attributes => { :name => 'notes' }, :content => notes
                 assert_tag :input, :attributes => { :name => 'time_entry[comments]', :value => "this is my comment" }
               end
               def test_put_update_should_allow_fixed_version_to_be_set_to_a_subproject
                 issue = Issue.find(2)
                 @request.session[:user_id] = 2
                 put :update,
                      :id => issue.id,
                      :issue => {
                        :fixed_version_id => 4
                      }
                 assert_response :redirect
                 issue.reload
                 assert_equal 4, issue.fixed_version_id
                 assert_not_equal issue.project_id, issue.fixed_version.project_id
               end
               def test_put_update_should_redirect_back_using_the_back_url_parameter
                 issue = Issue.find(2)
                 @request.session[:user_id] = 2
                 put :update,
                      :id => issue.id,
                      :issue => {
                        :fixed_version_id => 4
                      },
                      :back_url => '/issues'
                 assert_response :redirect
                 assert_redirected_to '/issues'
               end
               def test_put_update_should_not_redirect_back_using_the_back_url_parameter_off_the_host
                 issue = Issue.find(2)
                 @request.session[:user_id] = 2
                 put :update,
                      :id => issue.id,
                      :issue => {
                        :fixed_version_id => 4
                      },
                      :back_url => 'http://google.com'
                 assert_response :redirect
                 assert_redirected_to :controller => 'issues', :action => 'show', :id => issue.id
               end
               def test_get_bulk_edit
                 @request.session[:user_id] = 2
                 get :bulk_edit, :ids => [1, 2]
                 assert_response :success
                 assert_template 'bulk_edit'
                 assert_tag :input, :attributes => {:name => 'issue[parent_issue_id]'}
                 # Project specific custom field, date type
                 field = CustomField.find(9)
                 assert !field.is_for_all?
                 assert_equal 'date', field.field_format
                 assert_tag :input, :attributes => {:name => 'issue[custom_field_values][9]'}
                 # System wide custom field
                 assert CustomField.find(1).is_for_all?
                 assert_tag :select, :attributes => {:name => 'issue[custom_field_values][1]'}
                 # Be sure we don't display inactive IssuePriorities
                 assert ! IssuePriority.find(15).active?
                 assert_no_tag :option, :attributes => {:value => '15'},
                                        :parent => {:tag => 'select', :attributes => {:id => 'issue_priority_id'} }
               end
               def test_get_bulk_edit_on_different_projects
                 @request.session[:user_id] = 2
                 get :bulk_edit, :ids => [1, 2, 6]
                 assert_response :success
                 assert_template 'bulk_edit'
                 # Can not set issues from different projects as children of an issue
                 assert_no_tag :input, :attributes => {:name => 'issue[parent_issue_id]'}
                 # Project specific custom field, date type
                 field = CustomField.find(9)
                 assert !field.is_for_all?
                 assert !field.project_ids.include?(Issue.find(6).project_id)
                 assert_no_tag :input, :attributes => {:name => 'issue[custom_field_values][9]'}
               end
               def test_get_bulk_edit_with_user_custom_field
                 field = IssueCustomField.create!(:name => 'Tester', :field_format => 'user', :is_for_all => true)
                 @request.session[:user_id] = 2
                 get :bulk_edit, :ids => [1, 2]
                 assert_response :success
                 assert_template 'bulk_edit'
                 assert_tag :select,
                   :attributes => {:name => "issue[custom_field_values][#{field.id}]"},
                   :children => {
                     :only => {:tag => 'option'},
                     :count => Project.find(1).users.count + 1
                   }
               end
               def test_get_bulk_edit_with_version_custom_field
                 field = IssueCustomField.create!(:name => 'Affected version', :field_format => 'version', :is_for_all => true)
                 @request.session[:user_id] = 2
                 get :bulk_edit, :ids => [1, 2]
                 assert_response :success
                 assert_template 'bulk_edit'
                 assert_tag :select,
                   :attributes => {:name => "issue[custom_field_values][#{field.id}]"},
                   :children => {
                     :only => {:tag => 'option'},
                     :count => Project.find(1).versions.count + 1
                   }
               end
               def test_bulk_update
                 @request.session[:user_id] = 2
                 # update issues priority
                 post :bulk_update, :ids => [1, 2], :notes => 'Bulk editing',
                                                  :issue => {:priority_id => 7,
                                                             :assigned_to_id => '',
                                                             :custom_field_values => {'2' => ''}}
                 assert_response 302
                 # check that the issues were updated
                 assert_equal [7, 7], Issue.find_all_by_id([1, 2]).collect {|i| i.priority.id}
                 issue = Issue.find(1)
                 journal = issue.journals.find(:first, :order => 'created_on DESC')
                 assert_equal '125', issue.custom_value_for(2).value
                 assert_equal 'Bulk editing', journal.notes
                 assert_equal 1, journal.details.size
               end
               def test_bulk_update_on_different_projects
                 @request.session[:user_id] = 2
                 # update issues priority
                 post :bulk_update, :ids => [1, 2, 6], :notes => 'Bulk editing',
                                                  :issue => {:priority_id => 7,
                                                             :assigned_to_id => '',
                                                             :custom_field_values => {'2' => ''}}
                 assert_response 302
                 # check that the issues were updated
                 assert_equal [7, 7, 7], Issue.find([1,2,6]).map(&:priority_id)
                 issue = Issue.find(1)
                 journal = issue.journals.find(:first, :order => 'created_on DESC')
                 assert_equal '125', issue.custom_value_for(2).value
                 assert_equal 'Bulk editing', journal.notes
                 assert_equal 1, journal.details.size
               end
               def test_bulk_update_on_different_projects_without_rights
                 @request.session[:user_id] = 3
                 user = User.find(3)
                 action = { :controller => "issues", :action => "bulk_update" }
                 assert user.allowed_to?(action, Issue.find(1).project)
                 assert ! user.allowed_to?(action, Issue.find(6).project)
                 post :bulk_update, :ids => [1, 6], :notes => 'Bulk should fail',
                                                  :issue => {:priority_id => 7,
                                                             :assigned_to_id => '',
                                                             :custom_field_values => {'2' => ''}}
                 assert_response 403
                 assert_not_equal "Bulk should fail", Journal.last.notes
               end
               def test_bullk_update_should_send_a_notification
                 @request.session[:user_id] = 2
                 ActionMailer::Base.deliveries.clear
                 post(:bulk_update,
                      {
                        :ids => [1, 2],
                        :notes => 'Bulk editing',
                        :issue => {
                          :priority_id => 7,
                          :assigned_to_id => '',
                          :custom_field_values => {'2' => ''}
                        }
                      })
                 assert_response 302
                 assert_equal 2, ActionMailer::Base.deliveries.size
               end
               def test_bulk_update_status
                 @request.session[:user_id] = 2
                 # update issues priority
                 post :bulk_update, :ids => [1, 2], :notes => 'Bulk editing status',
                                                  :issue => {:priority_id => '',
                                                             :assigned_to_id => '',
                                                             :status_id => '5'}
                 assert_response 302
                 issue = Issue.find(1)
                 assert issue.closed?
               end
               def test_bulk_update_parent_id
                 @request.session[:user_id] = 2
                 post :bulk_update, :ids => [1, 3],
                   :notes => 'Bulk editing parent',
                   :issue => {:priority_id => '', :assigned_to_id => '', :status_id => '', :parent_issue_id => '2'}
                 assert_response 302
                 parent = Issue.find(2)
                 assert_equal parent.id, Issue.find(1).parent_id
                 assert_equal parent.id, Issue.find(3).parent_id
                 assert_equal [1, 3], parent.children.collect(&:id).sort
               end
               def test_bulk_update_custom_field
                 @request.session[:user_id] = 2
                 # update issues priority
                 post :bulk_update, :ids => [1, 2], :notes => 'Bulk editing custom field',
                                                  :issue => {:priority_id => '',
                                                             :assigned_to_id => '',
                                                             :custom_field_values => {'2' => '777'}}
                 assert_response 302
                 issue = Issue.find(1)
                 journal = issue.journals.find(:first, :order => 'created_on DESC')
                 assert_equal '777', issue.custom_value_for(2).value
                 assert_equal 1, journal.details.size
                 assert_equal '125', journal.details.first.old_value
                 assert_equal '777', journal.details.first.value
               end
               def test_bulk_update_unassign
                 assert_not_nil Issue.find(2).assigned_to
                 @request.session[:user_id] = 2
                 # unassign issues
                 post :bulk_update, :ids => [1, 2], :notes => 'Bulk unassigning', :issue => {:assigned_to_id => 'none'}
                 assert_response 302
                 # check that the issues were updated
                 assert_nil Issue.find(2).assigned_to
               end
               def test_post_bulk_update_should_allow_fixed_version_to_be_set_to_a_subproject
                 @request.session[:user_id] = 2
                 post :bulk_update, :ids => [1,2], :issue => {:fixed_version_id => 4}
                 assert_response :redirect
                 issues = Issue.find([1,2])
                 issues.each do |issue|
                   assert_equal 4, issue.fixed_version_id
                   assert_not_equal issue.project_id, issue.fixed_version.project_id
                 end
               end
               def test_post_bulk_update_should_redirect_back_using_the_back_url_parameter
                 @request.session[:user_id] = 2
                 post :bulk_update, :ids => [1,2], :back_url => '/issues'
                 assert_response :redirect
                 assert_redirected_to '/issues'
               end
               def test_post_bulk_update_should_not_redirect_back_using_the_back_url_parameter_off_the_host
                 @request.session[:user_id] = 2
                 post :bulk_update, :ids => [1,2], :back_url => 'http://google.com'
                 assert_response :redirect
                 assert_redirected_to :controller => 'issues', :action => 'index', :project_id => Project.find(1).identifier
               end
               def test_destroy_issue_with_no_time_entries
                 assert_nil TimeEntry.find_by_issue_id(2)
                 @request.session[:user_id] = 2
                 post :destroy, :id => 2
                 assert_redirected_to :action => 'index', :project_id => 'ecookbook'
                 assert_nil Issue.find_by_id(2)
               end
               def test_destroy_issues_with_time_entries
                 @request.session[:user_id] = 2
                 post :destroy, :ids => [1, 3]
                 assert_response :success
                 assert_template 'destroy'
                 assert_not_nil assigns(:hours)
                 assert Issue.find_by_id(1) && Issue.find_by_id(3)
               end
               def test_destroy_issues_and_destroy_time_entries
                 @request.session[:user_id] = 2
                 post :destroy, :ids => [1, 3], :todo => 'destroy'
                 assert_redirected_to :action => 'index', :project_id => 'ecookbook'
                 assert !(Issue.find_by_id(1) || Issue.find_by_id(3))
                 assert_nil TimeEntry.find_by_id([1, 2])
               end
               def test_destroy_issues_and_assign_time_entries_to_project
                 @request.session[:user_id] = 2
                 post :destroy, :ids => [1, 3], :todo => 'nullify'
                 assert_redirected_to :action => 'index', :project_id => 'ecookbook'
                 assert !(Issue.find_by_id(1) || Issue.find_by_id(3))
                 assert_nil TimeEntry.find(1).issue_id
                 assert_nil TimeEntry.find(2).issue_id
               end
               def test_destroy_issues_and_reassign_time_entries_to_another_issue
                 @request.session[:user_id] = 2
                 post :destroy, :ids => [1, 3], :todo => 'reassign', :reassign_to_id => 2
                 assert_redirected_to :action => 'index', :project_id => 'ecookbook'
                 assert !(Issue.find_by_id(1) || Issue.find_by_id(3))
                 assert_equal 2, TimeEntry.find(1).issue_id
                 assert_equal 2, TimeEntry.find(2).issue_id
               end
               def test_destroy_issues_from_different_projects
                 @request.session[:user_id] = 2
                 post :destroy, :ids => [1, 2, 6], :todo => 'destroy'
                 assert_redirected_to :controller => 'issues', :action => 'index'
                 assert !(Issue.find_by_id(1) || Issue.find_by_id(2) || Issue.find_by_id(6))
               end
               def test_destroy_parent_and_child_issues
                 parent = Issue.generate!(:project_id => 1, :tracker_id => 1)
                 child = Issue.generate!(:project_id => 1, :tracker_id => 1, :parent_issue_id => parent.id)
                 assert child.is_descendant_of?(parent.reload)
                 @request.session[:user_id] = 2
                 assert_difference 'Issue.count', -2 do
                   post :destroy, :ids => [parent.id, child.id], :todo => 'destroy'
                 end
                 assert_response 302
               end
               def test_default_search_scope
                 get :index
                 assert_tag :div, :attributes => {:id => 'quick-search'},
                                  :child => {:tag => 'form',
                                             :child => {:tag => 'input', :attributes => {:name => 'issues', :type => 'hidden', :value => '1'}}}
               end
             end

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages