Add tests for #37772.

Patch by Holger Just.


git-svn-id: https://svn.redmine.org/redmine/trunk@21979 e93f8b46-1217-0410-a6f0-8f06a7374b81

test/functional/attachments_controller_test.rb

@@ -623,6 +623,22 @@ class AttachmentsControllerTest < Redmine::ControllerTest
     assert_response 404
   end
 
+  def test_download_all_with_invisible_journal
+    Project.find(1).update_column :is_public, false
+    Member.delete_all
+    @request.session[:user_id] = 2
+    User.current = User.find(2)
+    assert_not Journal.find(3).journalized.visible?
+    get(
+      :download_all,
+      :params => {
+        :object_type => 'journals',
+        :object_id => '3'
+      }
+    )
+    assert_response 403
+  end
+
   def test_download_all_with_maximum_bulk_download_size_larger_than_attachments
     with_settings :bulk_download_max_size => 0 do
       @request.session[:user_id] = 2

test/integration/attachments_test.rb

@@ -25,7 +25,9 @@ class AttachmentsTest < Redmine::IntegrationTest
            :roles, :members, :member_roles,
            :trackers, :projects_trackers,
            :issues, :issue_statuses, :enumerations,
-           :attachments
+           :attachments,
+           :wiki_content_versions, :wiki_contents, :wiki_pages,
+           :journals, :journal_details
 
   def test_upload_should_set_default_content_type
     log_user('jsmith', 'jsmith')
@@ -223,6 +225,54 @@ class AttachmentsTest < Redmine::IntegrationTest
     set_tmp_attachments_directory
   end
 
+  def test_download_all_with_wrong_container_type
+    set_tmp_attachments_directory
+
+    # make the attachment readable
+    assert a = Attachment.find(3)
+    FileUtils.mkdir_p File.dirname(a.diskfile)
+    (File.open(a.diskfile, 'wb') << 'test').close
+
+    # there is no 'download all' for WikiContentVersions
+    with_settings :login_required => '0' do
+      get "/attachments/wiki_content_versions/7/download"
+      assert_response :not_found
+    end
+    with_settings :login_required => '1' do
+      get "/attachments/wiki_content_versions/7/download"
+      assert_response :not_found
+    end
+  end
+
+  def test_download_all_for_journal_should_check_visibility
+    set_tmp_attachments_directory
+    Project.find(1).update_column :is_public, false
+
+    # make the attachment readable
+    assert a = Attachment.find(4)
+    FileUtils.mkdir_p File.dirname(a.diskfile)
+    (File.open(a.diskfile, 'wb') << 'test').close
+
+    with_settings :login_required => '0' do
+      get "/attachments/journals/3/download"
+      assert_response 403
+    end
+    with_settings :login_required => '1' do
+      get "/attachments/journals/3/download"
+      assert_redirected_to "/login?back_url=http%3A%2F%2Fwww.example.com%2Fattachments%2Fjournals%2F3%2Fdownload"
+    end
+
+    Project.find(1).update_column :is_public, true
+    with_settings :login_required => '0' do
+      get "/attachments/journals/3/download"
+      assert_response :success
+    end
+    with_settings :login_required => '1' do
+      get "/attachments/journals/3/download"
+      assert_redirected_to "/login?back_url=http%3A%2F%2Fwww.example.com%2Fattachments%2Fjournals%2F3%2Fdownload"
+    end
+  end
+
   private
 
   def ajax_upload(filename, content, attachment_id=1)