Check permission of wiki pages before generating a link to it (#23793).

Patch by Holger Just. git-svn-id: http://svn.redmine.org/redmine/trunk@16283 e93f8b46-1217-0410-a6f0-8f06a7374b81
2025-10-26 07:46:17 +01:00 · 2017-01-29 07:49:38 +00:00
parent 92068122ee
commit 19d2529faa
3 changed files with 10 additions and 1 deletions
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -726,7 +726,7 @@ module ApplicationHelper
          title ||= identifier if page.blank?
        end

-        if link_project && link_project.wiki
+        if link_project && link_project.wiki && User.current.allowed_to?(:view_wiki_pages, link_project)
          # extract anchor
          anchor = nil
          if page =~ /^(.+?)\#(.+)$/
--- a/test/fixtures/wikis.yml
+++ b/test/fixtures/wikis.yml
@@ -9,3 +9,8 @@ wikis_002:
  start_page: Start page
  project_id: 2
  id: 2
+wikis_005:
+  status: 1
+  start_page: Wiki
+  project_id: 5
+  id: 5
--- a/test/unit/helpers/application_helper_test.rb
+++ b/test/unit/helpers/application_helper_test.rb
@@ -665,6 +665,7 @@ RAW
  end

  def test_wiki_links
+    User.current = User.find_by_login('jsmith')
    russian_eacape = CGI.escape(@russian_test)
    to_test = {
      '[[CookBook documentation]]' =>
@@ -746,6 +747,9 @@ RAW
      # project does not exist
      '[[unknowproject:Start]]' => '[[unknowproject:Start]]',
      '[[unknowproject:Start|Page title]]' => '[[unknowproject:Start|Page title]]',
+      # missing permission to view wiki in project
+      '[[private-child:]]' => '[[private-child:]]',
+      '[[private-child:Wiki]]' => '[[private-child:Wiki]]',
    }
    @project = Project.find(1)
    to_test.each { |text, result| assert_equal "<p>#{result}</p>", textilizable(text) }