Fixes a data disclosure issue introduced in r3941....
Jean-Philippe Lang -
r4421:93847ae33740
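--- a/<path-not-on-page>/journals_controller.rb
+++ b/<path-not-on-page>/journals_controller.rb
@@ -1,96 +1,97 @@
 # redMine - project management software
 # Copyright (C) 2006-2008 Jean-Philippe Lang
 #
 # This program is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License
 # as published by the Free Software Foundation; either version 2
 # of the License, or (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 
 class JournalsController < ApplicationController
 before_filter :find_journal, :only => [:edit]
 before_filter :find_issue, :only => [:new]
 before_filter :find_optional_project, :only => [:index]
+before_filter :authorize, :only => [:new, :edit]
 accept_key_auth :index
 
 helper :issues
 helper :queries
 include QueriesHelper
 helper :sort
 include SortHelper
 
 def index
 retrieve_query
 sort_init 'id', 'desc'
 sort_update(@query.sortable_columns)
 
 if @query.valid?
 @journals = @query.journals(:order => "#{Journal.table_name}.created_on DESC",
 :limit => 25)
 end
 @title = (@project ? @project.name : Setting.app_title) + ": " + (@query.new_record? ? l(:label_changes_details) : @query.name)
 render :layout => false, :content_type => 'application/atom+xml'
 rescue ActiveRecord::RecordNotFound
 render_404
 end
 
 def new
 journal = Journal.find(params[:journal_id]) if params[:journal_id]
 if journal
 user = journal.user
 text = journal.notes
 else
 user = @issue.author
 text = @issue.description
 end
 # Replaces pre blocks with [...]
 text = text.to_s.strip.gsub(%r{<pre>((.|\s)*?)</pre>}m, '[...]')
 content = "#{ll(Setting.default_language, :text_user_wrote, user)}\n> "
 content << text.gsub(/(\r?\n|\r\n?)/, "\n> ") + "\n\n"
 
 render(:update) { |page|
 page.<< "$('notes').value = \"#{escape_javascript content}\";"
 page.show 'update'
 page << "Form.Element.focus('notes');"
 page << "Element.scrollTo('update');"
 page << "$('notes').scrollTop = $('notes').scrollHeight - $('notes').clientHeight;"
 }
 end
 
 def edit
 if request.post?
 @journal.update_attributes(:notes => params[:notes]) if params[:notes]
 @journal.destroy if @journal.details.empty? && @journal.notes.blank?
 call_hook(:controller_journals_edit_post, { :journal => @journal, :params => params})
 respond_to do |format|
 format.html { redirect_to :controller => 'issues', :action => 'show', :id => @journal.journalized_id }
 format.js { render :action => 'update' }
 end
 end
 end
 
 private
 def find_journal
 @journal = Journal.find(params[:id])
 (render_403; return false) unless @journal.editable_by?(User.current)
 @project = @journal.journalized.project
 rescue ActiveRecord::RecordNotFound
 render_404
 end
 
 # TODO: duplicated in IssuesController
 def find_issue
 @issue = Issue.find(params[:id], :include => [:project, :tracker, :status, :author, :priority, :category])
 @project = @issue.project
 rescue ActiveRecord::RecordNotFound
 render_404
 end
 end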
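Review bot: `new` still loads `Journal.find(params[:journal_id])` with no check that the journal belongs to `@issue`, so the added `authorize` filter — which checks permission against `@project`, set from `@issue` in `find_issue` — does not cover the quoted journal: a user authorized on one issue can pass a `journal_id` from an issue on another project and have its notes echoed into `$('notes').value`. Scope the lookup to the issue, e.g. `journal = @issue.journals.find(params[:journal_id]) if params[:journal_id]` (assuming Issue has the journals association; otherwise filter on `journalized_id == @issue.id`). Also, the `RecordNotFound` this lookup raises is not rescued in `new` — only `find_issue` and `find_journal` carry `rescue ActiveRecord::RecordNotFound` / `render_404` — so an unknown id surfaces as an exception rather than the 404 the other lookups give.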
@@ -1,80 +1,86
1 1 # redMine - project management software
2 2 # Copyright (C) 2006-2008 Jean-Philippe Lang
3 3 #
4 4 # This program is free software; you can redistribute it and/or
5 5 # modify it under the terms of the GNU General Public License
6 6 # as published by the Free Software Foundation; either version 2
7 7 # of the License, or (at your option) any later version.
8 8 #
9 9 # This program is distributed in the hope that it will be useful,
10 10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 12 # GNU General Public License for more details.
13 13 #
14 14 # You should have received a copy of the GNU General Public License
15 15 # along with this program; if not, write to the Free Software
16 16 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
17 17
18 18 require File.expand_path('../../test_helper', __FILE__)
19 19 require 'journals_controller'
20 20
21 21 # Re-raise errors caught by the controller.
22 22 class JournalsController; def rescue_action(e) raise e end; end
23 23
24 24 class JournalsControllerTest < ActionController::TestCase
25 25 fixtures :projects, :users, :members, :member_roles, :roles, :issues, :journals, :journal_details, :enabled_modules
26 26
27 27 def setup
28 28 @controller = JournalsController.new
29 29 @request = ActionController::TestRequest.new
30 30 @response = ActionController::TestResponse.new
31 31 User.current = nil
32 32 end
33 33
34 34 def test_index
35 35 get :index, :project_id => 1
36 36 assert_response :success
37 37 assert_not_nil assigns(:journals)
38 38 assert_equal 'application/atom+xml', @response.content_type
39 39 end
40 40
41 41 def test_reply_to_issue
42 42 @request.session[:user_id] = 2
43 get :new, :id => 1
43 get :new, :id => 6
44 44 assert_response :success
45 45 assert_select_rjs :show, "update"
46 46 end
47
48 def test_reply_to_issue_without_permission
49 @request.session[:user_id] = 7
50 get :new, :id => 6
51 assert_response 403
52 end
47 53
48 54 def test_reply_to_note
49 55 @request.session[:user_id] = 2
50 get :new, :id => 1, :journal_id => 2
56 get :new, :id => 6, :journal_id => 4
51 57 assert_response :success
52 58 assert_select_rjs :show, "update"
53 59 end
54 60
55 61 def test_get_edit
56 62 @request.session[:user_id] = 1
57 63 xhr :get, :edit, :id => 2
58 64 assert_response :success
59 65 assert_select_rjs :insert, :after, 'journal-2-notes' do
60 66 assert_select 'form[id=journal-2-form]'
61 67 assert_select 'textarea'
62 68 end
63 69 end
64 70
65 71 def test_post_edit
66 72 @request.session[:user_id] = 1
67 73 xhr :post, :edit, :id => 2, :notes => 'Updated notes'
68 74 assert_response :success
69 75 assert_select_rjs :replace, 'journal-2-notes'
70 76 assert_equal 'Updated notes', Journal.find(2).notes
71 77 end
72 78
73 79 def test_post_edit_with_empty_notes
74 80 @request.session[:user_id] = 1
75 81 xhr :post, :edit, :id => 2, :notes => ''
76 82 assert_response :success
77 83 assert_select_rjs :remove, 'change-2'
78 84 assert_nil Journal.find_by_id(2)
79 85 end
80 86 end
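Review bot: The added `test_reply_to_issue_without_permission` exercises only the plain `new` request; the `journal_id` branch of `new` (covered positively by `test_reply_to_note` with `:journal_id => 4`) and the `edit` action, which the same `authorize` filter now guards, get no denial test, so a regression in either path would pass this suite. Add a matching denial test for the note reply using the fixture ids the existing tests already rely on. The `edit` denial case needs a user/journal pair that the fixtures visible here do not establish, so I have not proposed a concrete one.
```ruby
  # … unchanged: test_reply_to_issue_without_permission …
  def test_reply_to_note_without_permission
    @request.session[:user_id] = 7
    get :new, :id => 6, :journal_id => 4
    assert_response 403
  end
```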