Nemcio/Redmine
1
0
Fork 0
mirror of https://github.com/redmine/redmine.git synced 2025-11-12 00:06:01 +01:00
Code Issues Packages Projects Releases Activity

Revert r21975.

Browse Source 
git-svn-id: https://svn.redmine.org/redmine/trunk@21977 e93f8b46-1217-0410-a6f0-8f06a7374b81
This commit is contained in:
Marius Balteanu
2022-12-01 15:21:37 +00:00
parent 3f5f020a78
commit e96d8038fc
3 changed files with 1 additions and 114 deletions
Download Patch File Download Diff File Expand all files Collapse all files

47
doc/CHANGELOG
View File

@@ -4,53 +4,6 @@ Redmine - project management software
Copyright (C) 2006-2022 Jean-Philippe Lang Copyright (C) 2006-2022 Jean-Philippe Lang
https://www.redmine.org/ https://www.redmine.org/
== 2022-12-01 v5.0.4
=== [Activity view]
* Defect #37875: Unnecessary closing li element when there is no "Next" button on Activity page
=== [Code cleanup/refactoring]
* Patch #37938: Unused permission "Mention user"
=== [Documentation]
* Defect #37983: Duplicate vertical-align property in wiki_syntax.css
=== [Gems support]
* Defect #37884: All system tests fail on 4.2-stable branch with "ArgumentError: unknown keyword: :desired_capabilities"
* Patch #37867: Limit puma < 6.0.0 to avoid system test error
* Patch #37883: Limit mocha version to < 2.0.0 when Ruby version is < 2.7 to avoid test error
=== [Issues]
* Defect #37958: Groups added to watchers are not shown as links
=== [Issues workflow]
* Defect #37685: Read-only field permission for the project field is ignored if the current project has subprojects
=== [Projects]
* Defect #37925: Do not allow unkown display_type for query
=== [Rails support]
* Defect #37814: Plugins that serialize Date or Time objects cause Psych::DisallowedClass exception
=== [Security]
* Defect #37772: Access Control Issue in attachments#download_all
* Defect #37751: Persistent XSS in textile formatting due to blockquote citation
* Defect #37767: Redmine contains a cross-site scripting vulnerability
* Defect #37880: Open Redirect in attachments#download_all
=== [Translations]
* Defect #37812: "Yes" and "No" are swapped in Polish translation
== 2022-10-02 v5.0.3 == 2022-10-02 v5.0.3
=== [Code cleanup/refactoring] === [Code cleanup/refactoring]

16
test/functional/attachments_controller_test.rb
View File

@@ -623,22 +623,6 @@ class AttachmentsControllerTest < Redmine::ControllerTest
assert_response 404 assert_response 404
end end
def test_download_all_with_invisible_journal
Project.find(1).update_column :is_public, false
Member.delete_all
@request.session[:user_id] = 2
User.current = User.find(2)
assert_not Journal.find(3).journalized.visible?
get(
:download_all,
:params => {
:object_type => 'journals',
:object_id => '3'
}
)
assert_response 403
end
def test_download_all_with_maximum_bulk_download_size_larger_than_attachments def test_download_all_with_maximum_bulk_download_size_larger_than_attachments
with_settings :bulk_download_max_size => 0 do with_settings :bulk_download_max_size => 0 do
@request.session[:user_id] = 2 @request.session[:user_id] = 2

52
test/integration/attachments_test.rb
View File

@@ -25,9 +25,7 @@ class AttachmentsTest < Redmine::IntegrationTest
:roles, :members, :member_roles, :roles, :members, :member_roles,
:trackers, :projects_trackers, :trackers, :projects_trackers,
:issues, :issue_statuses, :enumerations, :issues, :issue_statuses, :enumerations,
:attachments, :attachments
:wiki_content_versions, :wiki_contents, :wiki_pages,
:journals, :journal_details
def test_upload_should_set_default_content_type def test_upload_should_set_default_content_type
log_user('jsmith', 'jsmith') log_user('jsmith', 'jsmith')
@@ -225,54 +223,6 @@ class AttachmentsTest < Redmine::IntegrationTest
set_tmp_attachments_directory set_tmp_attachments_directory
end end
def test_download_all_with_wrong_container_type
set_tmp_attachments_directory
# make the attachment readable
assert a = Attachment.find(3)
FileUtils.mkdir_p File.dirname(a.diskfile)
(File.open(a.diskfile, 'wb') << 'test').close
# there is no 'download all' for WikiContentVersions
with_settings :login_required => '0' do
get "/attachments/wiki_content_versions/7/download"
assert_response :not_found
end
with_settings :login_required => '1' do
get "/attachments/wiki_content_versions/7/download"
assert_response :not_found
end
end
def test_download_all_for_journal_should_check_visibility
set_tmp_attachments_directory
Project.find(1).update_column :is_public, false
# make the attachment readable
assert a = Attachment.find(4)
FileUtils.mkdir_p File.dirname(a.diskfile)
(File.open(a.diskfile, 'wb') << 'test').close
with_settings :login_required => '0' do
get "/attachments/journals/3/download"
assert_response 403
end
with_settings :login_required => '1' do
get "/attachments/journals/3/download"
assert_redirected_to "/login?back_url=http%3A%2F%2Fwww.example.com%2Fattachments%2Fjournals%2F3%2Fdownload"
end
Project.find(1).update_column :is_public, true
with_settings :login_required => '0' do
get "/attachments/journals/3/download"
assert_response :success
end
with_settings :login_required => '1' do
get "/attachments/journals/3/download"
assert_redirected_to "/login?back_url=http%3A%2F%2Fwww.example.com%2Fattachments%2Fjournals%2F3%2Fdownload"
end
end
private private
def ajax_upload(filename, content, attachment_id=1) def ajax_upload(filename, content, attachment_id=1)