jro_apps/redmine Commit - r3056:9a452a5c351f

Make sure user can not watch what he is not allowed to view....

Jean-Philippe Lang -

r3056:9a452a5c351f

parent child

Context file:

r3056:9a452a5c351f

app/controllers/watchers_controller.rb +5 -1

                      :render => { :nothing => true, :status => :method_not_allowed }
               def watch
-                set_watcher(User.current, true)
+                if @watched.respond_to?(:visible?) && !@watched.visible?(User.current)
+                  render_403
+                else
+                  set_watcher(User.current, true)
+                end
               end
               def unwatch

test/functional/watchers_controller_test.rb +9 0

@@ -47,6 +47,15 class WatchersControllerTest < ActionController::TestCase
47	end	47	end
48	assert Issue.find(1).watched_by?(User.find(3))	48	assert Issue.find(1).watched_by?(User.find(3))
49	end	49	end
		50
		51	def test_watch_should_be_denied_without_permission
		52	Role.find(2).remove_permission! :view_issues
		53	@request.session[:user_id] = 3
		54	assert_no_difference('Watcher.count') do
		55	xhr :post, :watch, :object_type => 'issue', :object_id => '1'
		56	assert_response 403
		57	end
		58	end
50		59
51	def test_watch_with_multiple_replacements	60	def test_watch_with_multiple_replacements
52	@request.session[:user_id] = 3	61	@request.session[:user_id] = 3

General Comments 0

You need to be logged in to leave comments. Login now

No TODOs yet

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages