Make sure user cannot watch what he is not allowed to view....
Jean-Philippe Lang -
r3056:9a452a5c351f
@@ -25,8 +25,12 class WatchersController < ApplicationController
25 25 :render => { :nothing => true, :status => :method_not_allowed }
26 26
27 27 def watch
28 if @watched.respond_to?(:visible?) && !@watched.visible?(User.current)
29 render_403
30 else
28 31 set_watcher(User.current, true)
29 32 end
33 end
30 34
31 35 def unwatch
32 36 set_watcher(User.current, false)
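Review bot: The new guard in `watch` fails open for any watchable class that does not define `visible?`: the `respond_to?(:visible?)` test on new line 28 means such an object is watchable by anyone, whatever its access rules. That may be intended for the models that exist today, but it is a silent default that a future watchable type would inherit, so it deserves a comment, e.g. `# Watchables without #visible? are treated as visible to everyone; implement visible? on any new watchable model`. A fail-closed variant (treat a missing `visible?` as not visible) would change behaviour for existing types and is out of scope for this fix. `watch` is fully inside the hunk; `unwatch` begins on new line 35 and continues past it.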
@@ -48,6 +48,15 class WatchersControllerTest < ActionController::TestCase
48 48 assert Issue.find(1).watched_by?(User.find(3))
49 49 end
50 50
51 def test_watch_should_be_denied_without_permission
52 Role.find(2).remove_permission! :view_issues
53 @request.session[:user_id] = 3
54 assert_no_difference('Watcher.count') do
55 xhr :post, :watch, :object_type => 'issue', :object_id => '1'
56 assert_response 403
57 end
58 end
59
51 60 def test_watch_with_multiple_replacements
52 61 @request.session[:user_id] = 3
53 62 assert_difference('Watcher.count') do
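Review bot: The setup on new lines 52–53 depends on fixture facts the test never states — that user 3 reaches issue 1 only through role 2, so that stripping `:view_issues` from that role makes the issue invisible to them. If that relationship ever changes, the 403 could come from an unrelated cause or the test could fail confusingly, so a one-line comment would help: `# user 3 is assumed to get access to issue 1 only via role 2, so removing :view_issues hides the issue`. Whether that is actually how the fixtures are wired is inferred from the test's shape, not visible here. The `assert_response 403` inside `assert_no_difference` is fine; both assertions are needed, since a 403 without the count check would not prove no watcher was created.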