jro_apps/redmine Commit - r13759:d5093417971b

API: creating an issue with an invalid project_id should return 422 instead of 403 (#19276)....

Jean-Philippe Lang -

r13759:d5093417971b

parent child

Context file:

r13759:d5093417971b

Collapse all files

app/controllers/issues_controller.rb +1 -1

             # Redmine - project management software
             # Copyright (C) 2006-2015  Jean-Philippe Lang
             #
             # This program is free software; you can redistribute it and/or
             # modify it under the terms of the GNU General Public License
             # as published by the Free Software Foundation; either version 2
             # of the License, or (at your option) any later version.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU General Public License
             # along with this program; if not, write to the Free Software
             # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
             class IssuesController < ApplicationController
               menu_item :new_issue, :only => [:new, :create]
               default_search_scope :issues
               before_filter :find_issue, :only => [:show, :edit, :update]
               before_filter :find_issues, :only => [:bulk_edit, :bulk_update, :destroy]
               before_filter :authorize, :except => [:index, :new, :create]
               before_filter :find_optional_project, :only => [:index, :new, :create]
               before_filter :build_new_issue_from_params, :only => [:new, :create]
               accept_rss_auth :index, :show
               accept_api_auth :index, :show, :create, :update, :destroy
               rescue_from Query::StatementInvalid, :with => :query_statement_invalid
               helper :journals
               helper :projects
               helper :custom_fields
               helper :issue_relations
               helper :watchers
               helper :attachments
               helper :queries
               include QueriesHelper
               helper :repositories
               helper :sort
               include SortHelper
               helper :timelog
               def index
                 retrieve_query
                 sort_init(@query.sort_criteria.empty? ? [['id', 'desc']] : @query.sort_criteria)
                 sort_update(@query.sortable_columns)
                 @query.sort_criteria = sort_criteria.to_a
                 if @query.valid?
                   case params[:format]
                   when 'csv', 'pdf'
                     @limit = Setting.issues_export_limit.to_i
                     if params[:columns] == 'all'
                       @query.column_names = @query.available_inline_columns.map(&:name)
                     end
                   when 'atom'
                     @limit = Setting.feeds_limit.to_i
                   when 'xml', 'json'
                     @offset, @limit = api_offset_and_limit
                     @query.column_names = %w(author)
                   else
                     @limit = per_page_option
                   end
                   @issue_count = @query.issue_count
                   @issue_pages = Paginator.new @issue_count, @limit, params['page']
                   @offset ||= @issue_pages.offset
                   @issues = @query.issues(:include => [:assigned_to, :tracker, :priority, :category, :fixed_version],
                                           :order => sort_clause,
                                           :offset => @offset,
                                           :limit => @limit)
                   @issue_count_by_group = @query.issue_count_by_group
                   respond_to do |format|
                     format.html { render :template => 'issues/index', :layout => !request.xhr? }
                     format.api  {
                       Issue.load_visible_relations(@issues) if include_in_api_response?('relations')
                     }
                     format.atom { render_feed(@issues, :title => "#{@project || Setting.app_title}: #{l(:label_issue_plural)}") }
                     format.csv  { send_data(query_to_csv(@issues, @query, params), :type => 'text/csv; header=present', :filename => 'issues.csv') }
                     format.pdf  { send_file_headers! :type => 'application/pdf', :filename => 'issues.pdf' }
                   end
                 else
                   respond_to do |format|
                     format.html { render(:template => 'issues/index', :layout => !request.xhr?) }
                     format.any(:atom, :csv, :pdf) { render(:nothing => true) }
                     format.api { render_validation_errors(@query) }
                   end
                 end
               rescue ActiveRecord::RecordNotFound
                 render_404
               end
               def show
                 @journals = @issue.journals.includes(:user, :details).
                                 references(:user, :details).
                                 reorder("#{Journal.table_name}.id ASC").to_a
                 @journals.each_with_index {|j,i| j.indice = i+1}
                 @journals.reject!(&:private_notes?) unless User.current.allowed_to?(:view_private_notes, @issue.project)
                 Journal.preload_journals_details_custom_fields(@journals)
                 @journals.select! {|journal| journal.notes? || journal.visible_details.any?}
                 @journals.reverse! if User.current.wants_comments_in_reverse_order?
                 @changesets = @issue.changesets.visible.to_a
                 @changesets.reverse! if User.current.wants_comments_in_reverse_order?
                 @relations = @issue.relations.select {|r| r.other_issue(@issue) && r.other_issue(@issue).visible? }
                 @allowed_statuses = @issue.new_statuses_allowed_to(User.current)
                 @priorities = IssuePriority.active
                 @time_entry = TimeEntry.new(:issue => @issue, :project => @issue.project)
                 @relation = IssueRelation.new
                 respond_to do |format|
                   format.html {
                     retrieve_previous_and_next_issue_ids
                     render :template => 'issues/show'
                   }
                   format.api
                   format.atom { render :template => 'journals/index', :layout => false, :content_type => 'application/atom+xml' }
                   format.pdf  {
                     send_file_headers! :type => 'application/pdf', :filename => "#{@project.identifier}-#{@issue.id}.pdf"
                   }
                 end
               end
               def new
                 respond_to do |format|
                   format.html { render :action => 'new', :layout => !request.xhr? }
                   format.js
                 end
               end
               def create
-                unless User.current.allowed_to?(:add_issues, @issue.project)
+                unless User.current.allowed_to?(:add_issues, @issue.project, :global => true)
                   raise ::Unauthorized
                 end
                 call_hook(:controller_issues_new_before_save, { :params => params, :issue => @issue })
                 @issue.save_attachments(params[:attachments] || (params[:issue] && params[:issue][:uploads]))
                 if @issue.save
                   call_hook(:controller_issues_new_after_save, { :params => params, :issue => @issue})
                   respond_to do |format|
                     format.html {
                       render_attachment_warning_if_needed(@issue)
                       flash[:notice] = l(:notice_issue_successful_create, :id => view_context.link_to("##{@issue.id}", issue_path(@issue), :title => @issue.subject))
                       redirect_after_create
                     }
                     format.api  { render :action => 'show', :status => :created, :location => issue_url(@issue) }
                   end
                   return
                 else
                   respond_to do |format|
                     format.html { render :action => 'new' }
                     format.api  { render_validation_errors(@issue) }
                   end
                 end
               end
               def edit
                 return unless update_issue_from_params
                 respond_to do |format|
                   format.html { }
                   format.js
                 end
               end
               def update
                 return unless update_issue_from_params
                 @issue.save_attachments(params[:attachments] || (params[:issue] && params[:issue][:uploads]))
                 saved = false
                 begin
                   saved = save_issue_with_child_records
                 rescue ActiveRecord::StaleObjectError
                   @conflict = true
                   if params[:last_journal_id]
                     @conflict_journals = @issue.journals_after(params[:last_journal_id]).to_a
                     @conflict_journals.reject!(&:private_notes?) unless User.current.allowed_to?(:view_private_notes, @issue.project)
                   end
                 end
                 if saved
                   render_attachment_warning_if_needed(@issue)
                   flash[:notice] = l(:notice_successful_update) unless @issue.current_journal.new_record?
                   respond_to do |format|
                     format.html { redirect_back_or_default issue_path(@issue) }
                     format.api  { render_api_ok }
                   end
                 else
                   respond_to do |format|
                     format.html { render :action => 'edit' }
                     format.api  { render_validation_errors(@issue) }
                   end
                 end
               end
               # Bulk edit/copy a set of issues
               def bulk_edit
                 @issues.sort!
                 @copy = params[:copy].present?
                 @notes = params[:notes]
                 if @copy
                   unless User.current.allowed_to?(:copy_issues, @projects)
                     raise ::Unauthorized
                   end
                 end
                 @allowed_projects = Issue.allowed_target_projects
                 if params[:issue]
                   @target_project = @allowed_projects.detect {|p| p.id.to_s == params[:issue][:project_id].to_s}
                   if @target_project
                     target_projects = [@target_project]
                   end
                 end
                 target_projects ||= @projects
                 if @copy
                   # Copied issues will get their default statuses
                   @available_statuses = []
                 else
                   @available_statuses = @issues.map(&:new_statuses_allowed_to).reduce(:&)
                 end
                 @custom_fields = target_projects.map{|p|p.all_issue_custom_fields.visible}.reduce(:&)
                 @assignables = target_projects.map(&:assignable_users).reduce(:&)
                 @trackers = target_projects.map(&:trackers).reduce(:&)
                 @versions = target_projects.map {|p| p.shared_versions.open}.reduce(:&)
                 @categories = target_projects.map {|p| p.issue_categories}.reduce(:&)
                 if @copy
                   @attachments_present = @issues.detect {|i| i.attachments.any?}.present?
                   @subtasks_present = @issues.detect {|i| !i.leaf?}.present?
                 end
                 @safe_attributes = @issues.map(&:safe_attribute_names).reduce(:&)
                 @issue_params = params[:issue] || {}
                 @issue_params[:custom_field_values] ||= {}
               end
               def bulk_update
                 @issues.sort!
                 @copy = params[:copy].present?
                 attributes = parse_params_for_bulk_issue_attributes(params)
                 if @copy
                   unless User.current.allowed_to?(:copy_issues, @projects)
                     raise ::Unauthorized
                   end
                   target_projects = @projects
                   if attributes['project_id'].present?
                     target_projects = Project.where(:id => attributes['project_id']).to_a
                   end
                   unless User.current.allowed_to?(:add_issues, target_projects)
                     raise ::Unauthorized
                   end
                 end
                 unsaved_issues = []
                 saved_issues = []
                 if @copy && params[:copy_subtasks].present?
                   # Descendant issues will be copied with the parent task
                   # Don't copy them twice
                   @issues.reject! {|issue| @issues.detect {|other| issue.is_descendant_of?(other)}}
                 end
                 @issues.each do |orig_issue|
                   orig_issue.reload
                   if @copy
                     issue = orig_issue.copy({},
                       :attachments => params[:copy_attachments].present?,
                       :subtasks => params[:copy_subtasks].present?,
                       :link => link_copy?(params[:link_copy])
                     )
                   else
                     issue = orig_issue
                   end
                   journal = issue.init_journal(User.current, params[:notes])
                   issue.safe_attributes = attributes
                   call_hook(:controller_issues_bulk_edit_before_save, { :params => params, :issue => issue })
                   if issue.save
                     saved_issues << issue
                   else
                     unsaved_issues << orig_issue
                   end
                 end
                 if unsaved_issues.empty?
                   flash[:notice] = l(:notice_successful_update) unless saved_issues.empty?
                   if params[:follow]
                     if @issues.size == 1 && saved_issues.size == 1
                       redirect_to issue_path(saved_issues.first)
                     elsif saved_issues.map(&:project).uniq.size == 1
                       redirect_to project_issues_path(saved_issues.map(&:project).first)
                     end
                   else
                     redirect_back_or_default _project_issues_path(@project)
                   end
                 else
                   @saved_issues = @issues
                   @unsaved_issues = unsaved_issues
                   @issues = Issue.visible.where(:id => @unsaved_issues.map(&:id)).to_a
                   bulk_edit
                   render :action => 'bulk_edit'
                 end
               end
               def destroy
                 @hours = TimeEntry.where(:issue_id => @issues.map(&:id)).sum(:hours).to_f
                 if @hours > 0
                   case params[:todo]
                   when 'destroy'
                     # nothing to do
                   when 'nullify'
                     TimeEntry.where(['issue_id IN (?)', @issues]).update_all('issue_id = NULL')
                   when 'reassign'
                     reassign_to = @project.issues.find_by_id(params[:reassign_to_id])
                     if reassign_to.nil?
                       flash.now[:error] = l(:error_issue_not_found_in_project)
                       return
                     else
                       TimeEntry.where(['issue_id IN (?)', @issues]).
                         update_all("issue_id = #{reassign_to.id}")
                     end
                   else
                     # display the destroy form if it's a user request
                     return unless api_request?
                   end
                 end
                 @issues.each do |issue|
                   begin
                     issue.reload.destroy
                   rescue ::ActiveRecord::RecordNotFound # raised by #reload if issue no longer exists
                     # nothing to do, issue was already deleted (eg. by a parent)
                   end
                 end
                 respond_to do |format|
                   format.html { redirect_back_or_default _project_issues_path(@project) }
                   format.api  { render_api_ok }
                 end
               end
               private
               def retrieve_previous_and_next_issue_ids
                 retrieve_query_from_session
                 if @query
                   sort_init(@query.sort_criteria.empty? ? [['id', 'desc']] : @query.sort_criteria)
                   sort_update(@query.sortable_columns, 'issues_index_sort')
                   limit = 500
                   issue_ids = @query.issue_ids(:order => sort_clause, :limit => (limit + 1), :include => [:assigned_to, :tracker, :priority, :category, :fixed_version])
                   if (idx = issue_ids.index(@issue.id)) && idx < limit
                     if issue_ids.size < 500
                       @issue_position = idx + 1
                       @issue_count = issue_ids.size
                     end
                     @prev_issue_id = issue_ids[idx - 1] if idx > 0
                     @next_issue_id = issue_ids[idx + 1] if idx < (issue_ids.size - 1)
                   end
                 end
               end
               # Used by #edit and #update to set some common instance variables
               # from the params
               def update_issue_from_params
                 @time_entry = TimeEntry.new(:issue => @issue, :project => @issue.project)
                 if params[:time_entry]
                   @time_entry.attributes = params[:time_entry]
                 end
                 @issue.init_journal(User.current)
                 issue_attributes = params[:issue]
                 if issue_attributes && params[:conflict_resolution]
                   case params[:conflict_resolution]
                   when 'overwrite'
                     issue_attributes = issue_attributes.dup
                     issue_attributes.delete(:lock_version)
                   when 'add_notes'
                     issue_attributes = issue_attributes.slice(:notes)
                   when 'cancel'
                     redirect_to issue_path(@issue)
                     return false
                   end
                 end
                 @issue.safe_attributes = issue_attributes
                 @priorities = IssuePriority.active
                 @allowed_statuses = @issue.new_statuses_allowed_to(User.current)
                 true
               end
               # Used by #new and #create to build a new issue from the params
               # The new issue will be copied from an existing one if copy_from parameter is given
               def build_new_issue_from_params
                 @issue = Issue.new
                 if params[:copy_from]
                   begin
                     @issue.init_journal(User.current)
                     @copy_from = Issue.visible.find(params[:copy_from])
                     unless User.current.allowed_to?(:copy_issues, @copy_from.project)
                       raise ::Unauthorized
                     end
                     @link_copy = link_copy?(params[:link_copy]) || request.get?
                     @copy_attachments = params[:copy_attachments].present? || request.get?
                     @copy_subtasks = params[:copy_subtasks].present? || request.get?
                     @issue.copy_from(@copy_from, :attachments => @copy_attachments, :subtasks => @copy_subtasks, :link => @link_copy)
                   rescue ActiveRecord::RecordNotFound
                     render_404
                     return
                   end
                 end
                 @issue.project = @project
                 if request.get?
                   @issue.project ||= @issue.allowed_target_projects.first
                 end
                 @issue.author ||= User.current
                 @issue.start_date ||= Date.today if Setting.default_issue_start_date_to_creation_date?
                 if attrs = params[:issue].deep_dup
                   if params[:was_default_status] == attrs[:status_id]
                     attrs.delete(:status_id)
                   end
                   @issue.safe_attributes = attrs
                 end
                 if @issue.project
                   @issue.tracker ||= @issue.project.trackers.first
                   if @issue.tracker.nil?
                     render_error l(:error_no_tracker_in_project)
                     return false
                   end
                   if @issue.status.nil?
                     render_error l(:error_no_default_issue_status)
                     return false
                   end
                 end
                 @priorities = IssuePriority.active
                 @allowed_statuses = @issue.new_statuses_allowed_to(User.current, @issue.new_record?)
               end
               def parse_params_for_bulk_issue_attributes(params)
                 attributes = (params[:issue] || {}).reject {|k,v| v.blank?}
                 attributes.keys.each {|k| attributes[k] = '' if attributes[k] == 'none'}
                 if custom = attributes[:custom_field_values]
                   custom.reject! {|k,v| v.blank?}
                   custom.keys.each do |k|
                     if custom[k].is_a?(Array)
                       custom[k] << '' if custom[k].delete('__none__')
                     else
                       custom[k] = '' if custom[k] == '__none__'
                     end
                   end
                 end
                 attributes
               end
               # Saves @issue and a time_entry from the parameters
               def save_issue_with_child_records
                 Issue.transaction do
                   if params[:time_entry] && (params[:time_entry][:hours].present? || params[:time_entry][:comments].present?) && User.current.allowed_to?(:log_time, @issue.project)
                     time_entry = @time_entry || TimeEntry.new
                     time_entry.project = @issue.project
                     time_entry.issue = @issue
                     time_entry.user = User.current
                     time_entry.spent_on = User.current.today
                     time_entry.attributes = params[:time_entry]
                     @issue.time_entries << time_entry
                   end
                   call_hook(:controller_issues_edit_before_save, { :params => params, :issue => @issue, :time_entry => time_entry, :journal => @issue.current_journal})
                   if @issue.save
                     call_hook(:controller_issues_edit_after_save, { :params => params, :issue => @issue, :time_entry => time_entry, :journal => @issue.current_journal})
                   else
                     raise ActiveRecord::Rollback
                   end
                 end
               end
               # Returns true if the issue copy should be linked
               # to the original issue
               def link_copy?(param)
                 case Setting.link_copied_issue
                 when 'yes'
                   true
                 when 'no'
                   false
                 when 'ask'
                   param == '1'
                 end
               end
               # Redirects user after a successful issue creation
               def redirect_after_create
                 if params[:continue]
                   attrs = {:tracker_id => @issue.tracker, :parent_issue_id => @issue.parent_issue_id}.reject {|k,v| v.nil?}
                   if params[:project_id]
                     redirect_to new_project_issue_path(@issue.project, :issue => attrs)
                   else
                     attrs.merge! :project_id => @issue.project_id
                     redirect_to new_issue_path(:issue => attrs)
                   end
                 else
                   redirect_to issue_path(@issue)
                 end
               end
             end

test/integration/api_test/issues_test.rb +5 0

             # Redmine - project management software
             # Copyright (C) 2006-2015  Jean-Philippe Lang
             #
             # This program is free software; you can redistribute it and/or
             # modify it under the terms of the GNU General Public License
             # as published by the Free Software Foundation; either version 2
             # of the License, or (at your option) any later version.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU General Public License
             # along with this program; if not, write to the Free Software
             # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
             require File.expand_path('../../../test_helper', __FILE__)
             class Redmine::ApiTest::IssuesTest < Redmine::ApiTest::Base
               fixtures :projects,
                 :users,
                 :roles,
                 :members,
                 :member_roles,
                 :issues,
                 :issue_statuses,
                 :issue_relations,
                 :versions,
                 :trackers,
                 :projects_trackers,
                 :issue_categories,
                 :enabled_modules,
                 :enumerations,
                 :attachments,
                 :workflows,
                 :custom_fields,
                 :custom_values,
                 :custom_fields_projects,
                 :custom_fields_trackers,
                 :time_entries,
                 :journals,
                 :journal_details,
                 :queries,
                 :attachments
               test "GET /issues.xml should contain metadata" do
                 get '/issues.xml'
                 assert_select 'issues[type=array][total_count=?][limit="25"][offset="0"]',
                   assigns(:issue_count).to_s
               end
               test "GET /issues.xml with nometa param should not contain metadata" do
                 get '/issues.xml?nometa=1'
                 assert_select 'issues[type=array]:not([total_count]):not([limit]):not([offset])'
               end
               test "GET /issues.xml with nometa header should not contain metadata" do
                 get '/issues.xml', {}, {'X-Redmine-Nometa' => '1'}
                 assert_select 'issues[type=array]:not([total_count]):not([limit]):not([offset])'
               end
               test "GET /issues.xml with offset and limit" do
                 get '/issues.xml?offset=2&limit=3'
                 assert_equal 3, assigns(:limit)
                 assert_equal 2, assigns(:offset)
                 assert_select 'issues issue', 3
               end
               test "GET /issues.xml with relations" do
                 get '/issues.xml?include=relations'
                 assert_response :success
                 assert_equal 'application/xml', @response.content_type
                 assert_select 'issue id', :text => '3' do
                   assert_select '~ relations relation', 1
                   assert_select '~ relations relation[id="2"][issue_id="2"][issue_to_id="3"][relation_type=relates]'
                 end
                 assert_select 'issue id', :text => '1' do
                   assert_select '~ relations'
                   assert_select '~ relations relation', 0
                 end
               end
               test "GET /issues.xml with invalid query params" do
                 get '/issues.xml', {:f => ['start_date'], :op => {:start_date => '='}}
                 assert_response :unprocessable_entity
                 assert_equal 'application/xml', @response.content_type
                 assert_select 'errors error', :text => "Start date cannot be blank"
               end
               test "GET /issues.xml with custom field filter" do
                 get '/issues.xml',
                   {:set_filter => 1, :f => ['cf_1'], :op => {:cf_1 => '='}, :v => {:cf_1 => ['MySQL']}}
                 expected_ids = Issue.visible.
                     joins(:custom_values).
                     where(:custom_values => {:custom_field_id => 1, :value => 'MySQL'}).map(&:id)
                 assert expected_ids.any?
                 assert_select 'issues > issue > id', :count => expected_ids.count do |ids|
                    ids.each { |id| assert expected_ids.delete(id.children.first.content.to_i) }
                 end
               end
               test "GET /issues.xml with custom field filter (shorthand method)" do
                 get '/issues.xml', {:cf_1 => 'MySQL'}
                 expected_ids = Issue.visible.
                     joins(:custom_values).
                     where(:custom_values => {:custom_field_id => 1, :value => 'MySQL'}).map(&:id)
                 assert expected_ids.any?
                 assert_select 'issues > issue > id', :count => expected_ids.count do |ids|
                   ids.each { |id| assert expected_ids.delete(id.children.first.content.to_i) }
                 end
               end
               def test_index_should_include_issue_attributes
                 get '/issues.xml'
                 assert_select 'issues>issue>is_private', :text => 'false'
               end
               def test_index_should_allow_timestamp_filtering
                 Issue.delete_all
                 Issue.generate!(:subject => '1').update_column(:updated_on, Time.parse("2014-01-02T10:25:00Z"))
                 Issue.generate!(:subject => '2').update_column(:updated_on, Time.parse("2014-01-02T12:13:00Z"))
                 get '/issues.xml',
                   {:set_filter => 1, :f => ['updated_on'], :op => {:updated_on => '<='},
                    :v => {:updated_on => ['2014-01-02T12:00:00Z']}}
                 assert_select 'issues>issue', :count => 1
                 assert_select 'issues>issue>subject', :text => '1'
                 get '/issues.xml',
                   {:set_filter => 1, :f => ['updated_on'], :op => {:updated_on => '>='},
                    :v => {:updated_on => ['2014-01-02T12:00:00Z']}}
                 assert_select 'issues>issue', :count => 1
                 assert_select 'issues>issue>subject', :text => '2'
                 get '/issues.xml',
                   {:set_filter => 1, :f => ['updated_on'], :op => {:updated_on => '>='},
                    :v => {:updated_on => ['2014-01-02T08:00:00Z']}}
                 assert_select 'issues>issue', :count => 2
               end
               test "GET /issues.xml with filter" do
                 get '/issues.xml?status_id=5'
                 expected_ids = Issue.visible.where(:status_id => 5).map(&:id)
                 assert expected_ids.any?
                 assert_select 'issues > issue > id', :count => expected_ids.count do |ids|
                    ids.each { |id| assert expected_ids.delete(id.children.first.content.to_i) }
                 end
               end
               test "GET /issues.json with filter" do
                 get '/issues.json?status_id=5'
                 json = ActiveSupport::JSON.decode(response.body)
                 status_ids_used = json['issues'].collect {|j| j['status']['id'] }
                 assert_equal 3, status_ids_used.length
                 assert status_ids_used.all? {|id| id == 5 }
               end
               test "GET /issues/:id.xml with journals" do
                 get '/issues/1.xml?include=journals'
                 assert_select 'issue journals[type=array]' do
                   assert_select 'journal[id="1"]' do
                     assert_select 'details[type=array]' do
                       assert_select 'detail[name=status_id]' do
                         assert_select 'old_value', :text => '1'
                         assert_select 'new_value', :text => '2'
                       end
                     end
                   end
                 end
               end
               test "GET /issues/:id.xml with journals should format timestamps in ISO 8601" do
                 get '/issues/1.xml?include=journals'
                 iso_date = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$/
                 assert_select 'issue>created_on', :text => iso_date
                 assert_select 'issue>updated_on', :text => iso_date
                 assert_select 'issue journal>created_on', :text => iso_date
               end
               test "GET /issues/:id.xml with custom fields" do
                 get '/issues/3.xml'
                 assert_select 'issue custom_fields[type=array]' do
                   assert_select 'custom_field[id="1"]' do
                     assert_select 'value', :text => 'MySQL'
                   end
                 end
                 assert_nothing_raised do
                   Hash.from_xml(response.body).to_xml
                 end
               end
               test "GET /issues/:id.xml with multi custom fields" do
                 field = CustomField.find(1)
                 field.update_attribute :multiple, true
                 issue = Issue.find(3)
                 issue.custom_field_values = {1 => ['MySQL', 'Oracle']}
                 issue.save!
                 get '/issues/3.xml'
                 assert_response :success
                 assert_select 'issue custom_fields[type=array]' do
                   assert_select 'custom_field[id="1"]' do
                     assert_select 'value[type=array] value', 2
                   end
                 end
                 xml = Hash.from_xml(response.body)
                 custom_fields = xml['issue']['custom_fields']
                 assert_kind_of Array, custom_fields
                 field = custom_fields.detect {|f| f['id'] == '1'}
                 assert_kind_of Hash, field
                 assert_equal ['MySQL', 'Oracle'], field['value'].sort
               end
               test "GET /issues/:id.json with multi custom fields" do
                 field = CustomField.find(1)
                 field.update_attribute :multiple, true
                 issue = Issue.find(3)
                 issue.custom_field_values = {1 => ['MySQL', 'Oracle']}
                 issue.save!
                 get '/issues/3.json'
                 assert_response :success
                 json = ActiveSupport::JSON.decode(response.body)
                 custom_fields = json['issue']['custom_fields']
                 assert_kind_of Array, custom_fields
                 field = custom_fields.detect {|f| f['id'] == 1}
                 assert_kind_of Hash, field
                 assert_equal ['MySQL', 'Oracle'], field['value'].sort
               end
               test "GET /issues/:id.xml with empty value for multi custom field" do
                 field = CustomField.find(1)
                 field.update_attribute :multiple, true
                 issue = Issue.find(3)
                 issue.custom_field_values = {1 => ['']}
                 issue.save!
                 get '/issues/3.xml'
                 assert_select 'issue custom_fields[type=array]' do
                   assert_select 'custom_field[id="1"]' do
                     assert_select 'value[type=array]:empty'
                   end
                 end
                 xml = Hash.from_xml(response.body)
                 custom_fields = xml['issue']['custom_fields']
                 assert_kind_of Array, custom_fields
                 field = custom_fields.detect {|f| f['id'] == '1'}
                 assert_kind_of Hash, field
                 assert_equal [], field['value']
               end
               test "GET /issues/:id.json with empty value for multi custom field" do
                 field = CustomField.find(1)
                 field.update_attribute :multiple, true
                 issue = Issue.find(3)
                 issue.custom_field_values = {1 => ['']}
                 issue.save!
                 get '/issues/3.json'
                 assert_response :success
                 json = ActiveSupport::JSON.decode(response.body)
                 custom_fields = json['issue']['custom_fields']
                 assert_kind_of Array, custom_fields
                 field = custom_fields.detect {|f| f['id'] == 1}
                 assert_kind_of Hash, field
                 assert_equal [], field['value'].sort
               end
               test "GET /issues/:id.xml with attachments" do
                 get '/issues/3.xml?include=attachments'
                 assert_select 'issue attachments[type=array]' do
                   assert_select 'attachment', 4
                   assert_select 'attachment id', :text => '1' do
                     assert_select '~ filename', :text => 'error281.txt'
                     assert_select '~ content_url', :text => 'http://www.example.com/attachments/download/1/error281.txt'
                   end
                 end
               end
               test "GET /issues/:id.xml with subtasks" do
                 issue = Issue.generate_with_descendants!(:project_id => 1)
                 get "/issues/#{issue.id}.xml?include=children"
                 assert_select 'issue id', :text => issue.id.to_s do
                   assert_select '~ children[type=array] > issue', 2
                   assert_select '~ children[type=array] > issue > children', 1
                 end
               end
               test "GET /issues/:id.json with subtasks" do
                 issue = Issue.generate_with_descendants!(:project_id => 1)
                 get "/issues/#{issue.id}.json?include=children"
                 json = ActiveSupport::JSON.decode(response.body)
                 assert_equal 2, json['issue']['children'].size
                 assert_equal 1, json['issue']['children'].select {|child| child.key?('children')}.size
               end
               def test_show_should_include_issue_attributes
                 get '/issues/1.xml'
                 assert_select 'issue>is_private', :text => 'false'
               end
               test "GET /issues/:id.xml?include=watchers should include watchers" do
                 Watcher.create!(:user_id => 3, :watchable => Issue.find(1))
                 get '/issues/1.xml?include=watchers', {}, credentials('jsmith')
                 assert_response :ok
                 assert_equal 'application/xml', response.content_type
                 assert_select 'issue' do
                   assert_select 'watchers', Issue.find(1).watchers.count
                   assert_select 'watchers' do
                     assert_select 'user[id="3"]'
                   end
                 end
               end
               test "POST /issues.xml should create an issue with the attributes" do
             payload = <<-XML
             <?xml version="1.0" encoding="UTF-8" ?>
             <issue>
               <project_id>1</project_id>
               <tracker_id>2</tracker_id>
               <status_id>3</status_id>
               <subject>API test</subject>
             </issue>
             XML
                 assert_difference('Issue.count') do
                   post '/issues.xml', payload, {"CONTENT_TYPE" => 'application/xml'}.merge(credentials('jsmith'))
                 end
                 issue = Issue.order('id DESC').first
                 assert_equal 1, issue.project_id
                 assert_equal 2, issue.tracker_id
                 assert_equal 3, issue.status_id
                 assert_equal 'API test', issue.subject
                 assert_response :created
                 assert_equal 'application/xml', @response.content_type
                 assert_select 'issue > id', :text => issue.id.to_s
               end
               test "POST /issues.xml with watcher_user_ids should create issue with watchers" do
                 assert_difference('Issue.count') do
                   post '/issues.xml',
                        {:issue => {:project_id => 1, :subject => 'Watchers',
                         :tracker_id => 2, :status_id => 3, :watcher_user_ids => [3, 1]}}, credentials('jsmith')
                   assert_response :created
                 end
                 issue = Issue.order('id desc').first
                 assert_equal 2, issue.watchers.size
                 assert_equal [1, 3], issue.watcher_user_ids.sort
               end
               test "POST /issues.xml with failure should return errors" do
                 assert_no_difference('Issue.count') do
                   post '/issues.xml', {:issue => {:project_id => 1}}, credentials('jsmith')
                 end
                 assert_select 'errors error', :text => "Subject cannot be blank"
               end
               test "POST /issues.json should create an issue with the attributes" do
             payload = <<-JSON
             {
               "issue": {
                 "project_id": "1",
                 "tracker_id": "2",
                 "status_id": "3",
                 "subject": "API test"
               }
             }
             JSON
                 assert_difference('Issue.count') do
                   post '/issues.json', payload, {"CONTENT_TYPE" => 'application/json'}.merge(credentials('jsmith'))
                 end
                 issue = Issue.order('id DESC').first
                 assert_equal 1, issue.project_id
                 assert_equal 2, issue.tracker_id
                 assert_equal 3, issue.status_id
                 assert_equal 'API test', issue.subject
               end
               test "POST /issues.json without tracker_id should accept custom fields" do
                 field = IssueCustomField.generate!(
                   :field_format => 'list',
                   :multiple => true,
                   :possible_values => ["V1", "V2", "V3"],
                   :default_value => "V2",
                   :is_for_all => true,
                   :trackers => Tracker.all.to_a
                 )
             payload = <<-JSON
             {
               "issue": {
                 "project_id": "1",
                 "subject": "Multivalued custom field",
                 "custom_field_values":{"#{field.id}":["V1","V3"]}
               }
             }
             JSON
                 assert_difference('Issue.count') do
                   post '/issues.json', payload, {"CONTENT_TYPE" => 'application/json'}.merge(credentials('jsmith'))
                 end
                 assert_response :created
                 issue = Issue.order('id DESC').first
                 assert_equal ["V1", "V3"], issue.custom_field_value(field).sort
               end
               test "POST /issues.json with failure should return errors" do
                 assert_no_difference('Issue.count') do
                   post '/issues.json', {:issue => {:project_id => 1}}, credentials('jsmith')
                 end
                 json = ActiveSupport::JSON.decode(response.body)
                 assert json['errors'].include?("Subject cannot be blank")
               end
+              test "POST /issues.json with invalid project_id should respond with 422" do
+                post '/issues.json', {:issue => {:project_id => 999, :subject => "API"}}, credentials('jsmith')
+                assert_response 422
+              end
               test "PUT /issues/:id.xml" do
                 assert_difference('Journal.count') do
                   put '/issues/6.xml',
                     {:issue => {:subject => 'API update', :notes => 'A new note'}},
                     credentials('jsmith')
                 end
                 issue = Issue.find(6)
                 assert_equal "API update", issue.subject
                 journal = Journal.last
                 assert_equal "A new note", journal.notes
               end
               test "PUT /issues/:id.xml with custom fields" do
                 put '/issues/3.xml',
                   {:issue => {:custom_fields => [
                     {'id' => '1', 'value' => 'PostgreSQL' },
                     {'id' => '2', 'value' => '150'}
                     ]}},
                   credentials('jsmith')
                 issue = Issue.find(3)
                 assert_equal '150', issue.custom_value_for(2).value
                 assert_equal 'PostgreSQL', issue.custom_value_for(1).value
               end
               test "PUT /issues/:id.xml with multi custom fields" do
                 field = CustomField.find(1)
                 field.update_attribute :multiple, true
                 put '/issues/3.xml',
                   {:issue => {:custom_fields => [
                     {'id' => '1', 'value' => ['MySQL', 'PostgreSQL'] },
                     {'id' => '2', 'value' => '150'}
                     ]}},
                   credentials('jsmith')
                 issue = Issue.find(3)
                 assert_equal '150', issue.custom_value_for(2).value
                 assert_equal ['MySQL', 'PostgreSQL'], issue.custom_field_value(1).sort
               end
               test "PUT /issues/:id.xml with project change" do
                 put '/issues/3.xml',
                   {:issue => {:project_id => 2, :subject => 'Project changed'}},
                   credentials('jsmith')
                 issue = Issue.find(3)
                 assert_equal 2, issue.project_id
                 assert_equal 'Project changed', issue.subject
               end
               test "PUT /issues/:id.xml with notes only" do
                 assert_difference('Journal.count') do
                   put '/issues/6.xml',
                     {:issue => {:notes => 'Notes only'}},
                     credentials('jsmith')
                 end
                 journal = Journal.last
                 assert_equal "Notes only", journal.notes
               end
               test "PUT /issues/:id.xml with failed update" do
                 put '/issues/6.xml', {:issue => {:subject => ''}}, credentials('jsmith')
                 assert_response :unprocessable_entity
                 assert_select 'errors error', :text => "Subject cannot be blank"
               end
               test "PUT /issues/:id.json" do
                 assert_difference('Journal.count') do
                   put '/issues/6.json',
                     {:issue => {:subject => 'API update', :notes => 'A new note'}},
                     credentials('jsmith')
                   assert_response :ok
                   assert_equal '', response.body
                 end
                 issue = Issue.find(6)
                 assert_equal "API update", issue.subject
                 journal = Journal.last
                 assert_equal "A new note", journal.notes
               end
               test "PUT /issues/:id.json with failed update" do
                 put '/issues/6.json', {:issue => {:subject => ''}}, credentials('jsmith')
                 assert_response :unprocessable_entity
                 json = ActiveSupport::JSON.decode(response.body)
                 assert json['errors'].include?("Subject cannot be blank")
               end
               test "DELETE /issues/:id.xml" do
                 assert_difference('Issue.count', -1) do
                   delete '/issues/6.xml', {}, credentials('jsmith')
                   assert_response :ok
                   assert_equal '', response.body
                 end
                 assert_nil Issue.find_by_id(6)
               end
               test "DELETE /issues/:id.json" do
                 assert_difference('Issue.count', -1) do
                   delete '/issues/6.json', {}, credentials('jsmith')
                   assert_response :ok
                   assert_equal '', response.body
                 end
                 assert_nil Issue.find_by_id(6)
               end
               test "POST /issues/:id/watchers.xml should add watcher" do
                 assert_difference 'Watcher.count' do
                   post '/issues/1/watchers.xml', {:user_id => 3}, credentials('jsmith')
                   assert_response :ok
                   assert_equal '', response.body
                 end
                 watcher = Watcher.order('id desc').first
                 assert_equal Issue.find(1), watcher.watchable
                 assert_equal User.find(3), watcher.user
               end
               test "DELETE /issues/:id/watchers/:user_id.xml should remove watcher" do
                 Watcher.create!(:user_id => 3, :watchable => Issue.find(1))
                 assert_difference 'Watcher.count', -1 do
                   delete '/issues/1/watchers/3.xml', {}, credentials('jsmith')
                   assert_response :ok
                   assert_equal '', response.body
                 end
                 assert_equal false, Issue.find(1).watched_by?(User.find(3))
               end
               def test_create_issue_with_uploaded_file
                 token = xml_upload('test_create_with_upload', credentials('jsmith'))
                 attachment = Attachment.find_by_token(token)
                 # create the issue with the upload's token
                 assert_difference 'Issue.count' do
                   post '/issues.xml',
                        {:issue => {:project_id => 1, :subject => 'Uploaded file',
                                    :uploads => [{:token => token, :filename => 'test.txt',
                                                  :content_type => 'text/plain'}]}},
                        credentials('jsmith')
                   assert_response :created
                 end
                 issue = Issue.order('id DESC').first
                 assert_equal 1, issue.attachments.count
                 assert_equal attachment, issue.attachments.first
                 attachment.reload
                 assert_equal 'test.txt', attachment.filename
                 assert_equal 'text/plain', attachment.content_type
                 assert_equal 'test_create_with_upload'.size, attachment.filesize
                 assert_equal 2, attachment.author_id
                 # get the issue with its attachments
                 get "/issues/#{issue.id}.xml", :include => 'attachments'
                 assert_response :success
                 xml = Hash.from_xml(response.body)
                 attachments = xml['issue']['attachments']
                 assert_kind_of Array, attachments
                 assert_equal 1, attachments.size
                 url = attachments.first['content_url']
                 assert_not_nil url
                 # download the attachment
                 get url
                 assert_response :success
                 assert_equal 'test_create_with_upload', response.body
               end
               def test_create_issue_with_multiple_uploaded_files_as_xml
                 token1 = xml_upload('File content 1', credentials('jsmith'))
                 token2 = xml_upload('File content 2', credentials('jsmith'))
                 payload = <<-XML
             <?xml version="1.0" encoding="UTF-8" ?>
             <issue>
               <project_id>1</project_id>
               <tracker_id>1</tracker_id>
               <subject>Issue with multiple attachments</subject>
               <uploads type="array">
                 <upload>
                   <token>#{token1}</token>
                   <filename>test1.txt</filename>
                 </upload>
                 <upload>
                   <token>#{token2}</token>
                   <filename>test1.txt</filename>
                 </upload>
               </uploads>
             </issue>
             XML
                 assert_difference 'Issue.count' do
                   post '/issues.xml', payload, {"CONTENT_TYPE" => 'application/xml'}.merge(credentials('jsmith'))
                   assert_response :created
                 end
                 issue = Issue.order('id DESC').first
                 assert_equal 2, issue.attachments.count
               end
               def test_create_issue_with_multiple_uploaded_files_as_json
                 token1 = json_upload('File content 1', credentials('jsmith'))
                 token2 = json_upload('File content 2', credentials('jsmith'))
                 payload = <<-JSON
             {
               "issue": {
                 "project_id": "1",
                 "tracker_id": "1",
                 "subject": "Issue with multiple attachments",
                 "uploads": [
                   {"token": "#{token1}", "filename": "test1.txt"},
                   {"token": "#{token2}", "filename": "test2.txt"}
                 ]
               }
             }
             JSON
                 assert_difference 'Issue.count' do
                   post '/issues.json', payload, {"CONTENT_TYPE" => 'application/json'}.merge(credentials('jsmith'))
                   assert_response :created
                 end
                 issue = Issue.order('id DESC').first
                 assert_equal 2, issue.attachments.count
               end
               def test_update_issue_with_uploaded_file
                 token = xml_upload('test_upload_with_upload', credentials('jsmith'))
                 attachment = Attachment.find_by_token(token)
                 # update the issue with the upload's token
                 assert_difference 'Journal.count' do
                   put '/issues/1.xml',
                       {:issue => {:notes => 'Attachment added',
                                   :uploads => [{:token => token, :filename => 'test.txt',
                                                 :content_type => 'text/plain'}]}},
                       credentials('jsmith')
                   assert_response :ok
                   assert_equal '', @response.body
                 end
                 issue = Issue.find(1)
                 assert_include attachment, issue.attachments
               end
             end

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages