Fixed: users should not be able to add relations with issues they're not allowed to view (#2589).

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@2323 e93f8b46-1217-0410-a6f0-8f06a7374b81
2026-05-06 09:35:30 +02:00 · 2009-01-27 19:33:03 +00:00
parent cd55529eaa
commit 10994e9027
3 changed files with 41 additions and 0 deletions
--- a/test/functional/issue_relations_controller_test.rb
+++ b/test/functional/issue_relations_controller_test.rb
@@ -6,6 +6,23 @@ class IssueRelationsController; def rescue_action(e) raise e end; end


 class IssueRelationsControllerTest < Test::Unit::TestCase
+  fixtures :projects,
+           :users,
+           :roles,
+           :members,
+           :issues,
+           :issue_statuses,
+           :enabled_modules,
+           :enumerations,
+           :trackers
+  
+  def setup
+    @controller = IssueRelationsController.new
+    @request    = ActionController::TestRequest.new
+    @response   = ActionController::TestResponse.new
+    User.current = nil
+  end
+  
  def test_new_routing
    assert_routing(
      {:method => :post, :path => '/issues/1/relations'},
@@ -19,4 +36,23 @@ class IssueRelationsControllerTest < Test::Unit::TestCase
      {:method => :post, :path => '/issues/1/relations/23/destroy'}
    )
  end
+  
+  def test_new
+    assert_difference 'IssueRelation.count' do
+      @request.session[:user_id] = 3
+      post :new, :issue_id => 1, 
+                 :relation => {:issue_to_id => '2', :relation_type => 'relates', :delay => ''}
+    end
+  end
+  
+  def test_should_create_relations_with_visible_issues_only
+    Setting.cross_project_issue_relations = '1'
+    assert_nil Issue.visible(User.find(3)).find_by_id(4)
+    
+    assert_no_difference 'IssueRelation.count' do
+      @request.session[:user_id] = 3
+      post :new, :issue_id => 1, 
+                 :relation => {:issue_to_id => '4', :relation_type => 'relates', :delay => ''}
+    end
+  end
 end