Nemcio/Redmine
1
0
Fork 0
mirror of https://github.com/redmine/redmine.git synced 2026-01-05 15:20:50 +01:00
Code Issues Packages Projects Releases Activity

Fixed: issue details view discloses relations to issues that the user is not allowed to view (#2589).

Browse Source 
git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@2343 e93f8b46-1217-0410-a6f0-8f06a7374b81
This commit is contained in:
Jean-Philippe Lang
2009-01-31 13:22:29 +00:00
parent 2679150ed4
commit f021c856c1
3 changed files with 21 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
test/functional/issues_controller_test.rb
View File

@@ -324,6 +324,21 @@ class IssuesControllerTest < Test::Unit::TestCase
:content => /Notes/ } }
end
def test_show_should_not_disclose_relations_to_invisible_issues
Setting.cross_project_issue_relations = '1'
IssueRelation.create!(:issue_from => Issue.find(1), :issue_to => Issue.find(2), :relation_type => 'relates')
# Relation to a private project issue
IssueRelation.create!(:issue_from => Issue.find(1), :issue_to => Issue.find(4), :relation_type => 'relates')
get :show, :id => 1
assert_response :success
assert_tag :div, :attributes => { :id => 'relations' },
:descendant => { :tag => 'a', :content => /#2$/ }
assert_no_tag :div, :attributes => { :id => 'relations' },
:descendant => { :tag => 'a', :content => /#4$/ }
end
def test_new_routing
assert_routing(
{:method => :get, :path => '/projects/1/issues/new'},