]> source.dussan.org Git - redmine.git/commitdiff
Fixed: private queries should not be accessible to other users (#8729).
authorJean-Philippe Lang <jp_lang@yahoo.fr>
Sun, 3 Jul 2011 11:01:08 +0000 (11:01 +0000)
committerJean-Philippe Lang <jp_lang@yahoo.fr>
Sun, 3 Jul 2011 11:01:08 +0000 (11:01 +0000)
git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@6163 e93f8b46-1217-0410-a6f0-8f06a7374b81

app/controllers/application_controller.rb
app/helpers/queries_helper.rb
app/models/query.rb
test/functional/issues_controller_test.rb

index 5c1215b4f5fd289136907b9df13c88d10536f4fa..e3f768645e37ca84592ed5ece75b7dd4b8cf4804 100644 (file)
@@ -18,6 +18,8 @@
 require 'uri'
 require 'cgi'
 
+class Unauthorized < Exception; end
+
 class ApplicationController < ActionController::Base
   include Redmine::I18n
 
@@ -41,6 +43,7 @@ class ApplicationController < ActionController::Base
   protect_from_forgery
 
   rescue_from ActionController::InvalidAuthenticityToken, :with => :invalid_authenticity_token
+  rescue_from ::Unauthorized, :with => :deny_access
 
   include Redmine::Search::Controller
   include Redmine::MenuManager::MenuController
index 61a1846d8128b50d8c9da62e62c77b9f497c6637..31a363d2802abc7d52914ee7c826a12e1dd37101 100644 (file)
@@ -70,6 +70,7 @@ module QueriesHelper
       cond = "project_id IS NULL"
       cond << " OR project_id = #{@project.id}" if @project
       @query = Query.find(params[:query_id], :conditions => cond)
+      raise ::Unauthorized unless @query.visible?
       @query.project = @project
       session[:query] = {:id => @query.id, :project_id => @query.project_id}
       sort_clear
index 678fca9d905785b8735730fa66b889db83d3d754..786751c8c3e39acb71b632da0fb935a346f5eee8 100644 (file)
@@ -165,6 +165,11 @@ class Query < ActiveRecord::Base
           ["o", "c", "!*", "*", "t", "w"].include? operator_for(field)
     end if filters
   end
+  
+  # Returns true if the query is visible to +user+ or the current user.
+  def visible?(user=User.current)
+    self.is_public? || self.user_id == user.id
+  end
 
   def editable_by?(user)
     return false unless user
index eddb5493ccc2475859c4fc07bcccc45e9d61a92a..31e6ae11e0da6cef404826b1881b8f80839e6d71 100644 (file)
@@ -18,9 +18,6 @@
 require File.expand_path('../../test_helper', __FILE__)
 require 'issues_controller'
 
-# Re-raise errors caught by the controller.
-class IssuesController; def rescue_action(e) raise e end; end
-
 class IssuesControllerTest < ActionController::TestCase
   fixtures :projects,
            :users,
@@ -193,6 +190,30 @@ class IssuesControllerTest < ActionController::TestCase
     assert_not_nil assigns(:issues)
     assert_not_nil assigns(:issue_count_by_group)
   end
+  
+  def test_private_query_should_not_be_available_to_other_users
+    q = Query.create!(:name => "private", :user => User.find(2), :is_public => false, :project => nil)
+    @request.session[:user_id] = 3
+    
+    get :index, :query_id => q.id
+    assert_response 403
+  end
+  
+  def test_private_query_should_be_available_to_its_user
+    q = Query.create!(:name => "private", :user => User.find(2), :is_public => false, :project => nil)
+    @request.session[:user_id] = 2
+    
+    get :index, :query_id => q.id
+    assert_response :success
+  end
+  
+  def test_public_query_should_be_available_to_other_users
+    q = Query.create!(:name => "private", :user => User.find(2), :is_public => true, :project => nil)
+    @request.session[:user_id] = 3
+    
+    get :index, :query_id => q.id
+    assert_response :success
+  end
 
   def test_index_sort_by_field_not_included_in_columns
     Setting.issue_list_default_columns = %w(subject author)