Nemcio/Redmine
1
0
Fork 0
mirror of https://github.com/redmine/redmine.git synced 2025-11-09 06:46:01 +01:00
Code Issues Packages Projects Releases Activity

Improve watcher list permissions check to explicitly require @view_issue_watchers@ permission (#40946).

Browse Source 
Patch by Felix Schäfer (@felix).



git-svn-id: https://svn.redmine.org/redmine/trunk@22913 e93f8b46-1217-0410-a6f0-8f06a7374b81
This commit is contained in:
Marius Balteanu
2024-07-08 21:28:24 +00:00
parent fe38f5e83f
commit 2d20811f40
7 changed files with 67 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
app/controllers/watchers_controller.rb
View File

@@ -156,7 +156,7 @@ class WatchersController < ApplicationController
users = scope.sorted.like(params[:q]).to_a users = scope.sorted.like(params[:q]).to_a
if @watchables && @watchables.size == 1 if @watchables && @watchables.size == 1
watchable_object = @watchables.first watchable_object = @watchables.first
users -= watchable_object.watcher_users users -= watchable_object.visible_watcher_users
if watchable_object.respond_to?(:visible?) if watchable_object.respond_to?(:visible?)
users.reject! {|user| user.is_a?(User) && !watchable_object.visible?(user)} users.reject! {|user| user.is_a?(User) && !watchable_object.visible?(user)}

4
app/views/watchers/_watchers.html.erb
View File

@@ -8,6 +8,10 @@
</div> </div>
<% end %> <% end %>
<% if User.current.allowed_to?(:"view_#{watched_klass_name}_watchers", watched.project) %>
<h3><%= l(:"label_#{watched_klass_name}_watchers") %> (<%= watched.watcher_users.size %>)</h3> <h3><%= l(:"label_#{watched_klass_name}_watchers") %> (<%= watched.watcher_users.size %>)</h3>
<%= watchers_list(watched) %> <%= watchers_list(watched) %>
<% else %>
<h3><%= l(:"label_#{watched_klass_name}_watchers") %></h3>
<% end %>

10
lib/plugins/acts_as_watchable/lib/acts_as_watchable.rb
View File

@@ -60,6 +60,16 @@ module Redmine
users users
end end
# array of watchers that the given user is allowed to see
def visible_watcher_users(user = User.current)
if user.allowed_to?(:"view_#{self.class.name.underscore}_watchers", project)
watcher_users
else
# without permission, the user can only see themselves (if they're a watcher)
watcher_users & [user]
end
end
# Adds user as a watcher # Adds user as a watcher
def add_watcher(user) def add_watcher(user)
if persisted? if persisted?

11
test/functional/issues_controller_test.rb
View File

@@ -2801,6 +2801,17 @@ class IssuesControllerTest < Redmine::ControllerTest
end end
end end
def test_show_should_not_display_watchers_without_permission
@request.session[:user_id] = 2
Role.find(1).remove_permission! :view_issue_watchers
issue = Issue.find(1)
issue.add_watcher User.find(2)
issue.add_watcher Group.find(10)
get(:show, :params => {:id => 1})
assert_select 'div#watchers ul', 0
assert_select 'h3', {text: /Watchers \(\d*\)/, count: 0}
end
def test_show_should_display_watchers_with_gravatars def test_show_should_display_watchers_with_gravatars
@request.session[:user_id] = 2 @request.session[:user_id] = 2
issue = Issue.find(1) issue = Issue.find(1)

11
test/functional/messages_controller_test.rb
View File

@@ -114,6 +114,17 @@ class MessagesControllerTest < Redmine::ControllerTest
end end
end end
def test_show_should_not_display_watchers_without_permission
@request.session[:user_id] = 2
Role.find(1).remove_permission! :view_message_watchers
message = Message.find(1)
message.add_watcher User.find(2)
message.add_watcher Group.find(10)
get(:show, :params => {:board_id => 1, :id => 1})
assert_select 'div#watchers ul', 0
assert_select 'h3', {text: /Watchers \(\d*\)/, count: 0}
end
def test_get_new def test_get_new
@request.session[:user_id] = 2 @request.session[:user_id] = 2
get(:new, :params => {:board_id => 1}) get(:new, :params => {:board_id => 1})

19
test/functional/watchers_controller_test.rb
View File

@@ -211,6 +211,25 @@ class WatchersControllerTest < Redmine::ControllerTest
) )
end end
def test_new_without_view_watchers_permission
@request.session[:user_id] = 2
Role.find(1).remove_permission! :view_issue_watchers
get :new, :params => {:object_type => 'issue', :object_id => '2'}, :xhr => true
assert_response :success
assert_match %r{name=\\\"watcher\[user_ids\]\[\]\\\" value=\\\"2\\\"}, response.body
# User should not be able to reverse engineer that User 3 is watching the issue already
assert_match %r{name=\\\"watcher\[user_ids\]\[\]\\\" value=\\\"3\\\"}, response.body
end
def test_new_dont_show_self_when_watching_without_view_watchers_permission
@request.session[:user_id] = 2
Role.find(1).remove_permission! :view_issue_watchers
Issue.find(2).add_watcher(User.find(2))
get :new, :params => {:object_type => 'issue', :object_id => '2'}, :xhr => true
assert_response :success
assert_no_match %r{name=\\\"watcher\[user_ids\]\[\]\\\" value=\\\"2\\\"}, response.body
end
def test_create_as_html def test_create_as_html
@request.session[:user_id] = 2 @request.session[:user_id] = 2
assert_difference('Watcher.count') do assert_difference('Watcher.count') do

11
test/functional/wiki_controller_test.rb
View File

@@ -150,6 +150,17 @@ class WikiControllerTest < Redmine::ControllerTest
end end
end end
def test_show_should_not_display_watchers_without_permission
@request.session[:user_id] = 2
Role.find(1).remove_permission! :view_wiki_page_watchers
page = Project.find(1).wiki.find_page('Another_page')
page.add_watcher User.find(2)
page.add_watcher Group.find(10)
get(:show, :params => {:project_id => 1, :id => 'Another_page'})
assert_select 'div#watchers ul', 0
assert_select 'h3', {text: /Watchers \(\d*\)/, count: 0}
end
def test_show_should_display_section_edit_links def test_show_should_display_section_edit_links
with_settings :text_formatting => 'textile' do with_settings :text_formatting => 'textile' do
@request.session[:user_id] = 2 @request.session[:user_id] = 2