jro_apps/redmine Commit - r3056:9a452a5c351f

Make sure user can not watch what he is not allowed to view....

Jean-Philippe Lang -

r3056:9a452a5c351f

parent child

Context file:

r3056:9a452a5c351f

app/controllers/watchers_controller.rb +5 -1

                       :render => { :nothing => true, :status => :method_not_allowed }
                def watch
-                 set_watcher(User.current, true)
+                 if @watched.respond_to?(:visible?) && !@watched.visible?(User.current)
+                   render_403
+                 else
+                   set_watcher(User.current, true)
+                 end
                end
                def unwatch

test/functional/watchers_controller_test.rb +9 0

                  end
                  assert Issue.find(1).watched_by?(User.find(3))
                end
+               def test_watch_should_be_denied_without_permission
+                 Role.find(2).remove_permission! :view_issues
+                 @request.session[:user_id] = 3
+                 assert_no_difference('Watcher.count') do
+                   xhr :post, :watch, :object_type => 'issue', :object_id => '1'
+                   assert_response 403
+                 end
+               end
                def test_watch_with_multiple_replacements
                  @request.session[:user_id] = 3

General Comments 0

You need to be logged in to leave comments. Login now

No TODOs yet

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages