require 'uri'
require 'cgi'
+class Unauthorized < Exception; end
+
class ApplicationController < ActionController::Base
include Redmine::I18n
protect_from_forgery
rescue_from ActionController::InvalidAuthenticityToken, :with => :invalid_authenticity_token
+ rescue_from ::Unauthorized, :with => :deny_access
include Redmine::Search::Controller
include Redmine::MenuManager::MenuController
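Review bot: `class Unauthorized < Exception` on the first added line derives from `Exception` rather than `StandardError`, so it is not caught by a bare `rescue` or `rescue => e` and sits in the same category as `SystemExit` and `Interrupt`; `rescue_from` still handles it, but any intermediate code that rescues `StandardError` to clean up or log will let it pass straight through. The intent here is an application-level authorization failure, which is exactly what `StandardError` subclasses are for: `class Unauthorized < StandardError; end`. The `deny_access` handler named on the new `rescue_from` line is outside this hunk, so I cannot confirm it renders a 403 without leaking details; the new tests expect a 403, so that should be verified there.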
cond = "project_id IS NULL"
cond << " OR project_id = #{@project.id}" if @project
@query = Query.find(params[:query_id], :conditions => cond)
+ raise ::Unauthorized unless @query.visible?
@query.project = @project
session[:query] = {:id => @query.id, :project_id => @query.project_id}
sort_clear
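Review bot: The new `raise ::Unauthorized unless @query.visible?` guards only the `params[:query_id]` branch, and it is correctly placed before `session[:query]` is written so an unauthorized id never gets cached in the session. The rest of the enclosing method, including the branch that presumably restores a query from `session[:query]`, is outside this hunk; if that branch loads the query by id without calling `visible?`, a query that is made private after being stored in the session remains reachable for the rest of that session. A short comment on the raise would make the contract explicit, e.g. `# Private queries are only visible to their owner; deny_access renders the 403.`, and the session-restore path should apply the same `visible?` check or drop the stale `session[:query]`.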
["o", "c", "!*", "*", "t", "w"].include? operator_for(field)
end if filters
end
+
+ # Returns true if the query is visible to +user+ or the current user.
+ def visible?(user=User.current)
+ self.is_public? || self.user_id == user.id
+ end
def editable_by?(user)
return false unless user
require File.expand_path('../../test_helper', __FILE__)
require 'issues_controller'
-# Re-raise errors caught by the controller.
-class IssuesController; def rescue_action(e) raise e end; end
-
class IssuesControllerTest < ActionController::TestCase
fixtures :projects,
:users,
assert_not_nil assigns(:issues)
assert_not_nil assigns(:issue_count_by_group)
end
+
+ def test_private_query_should_not_be_available_to_other_users
+ q = Query.create!(:name => "private", :user => User.find(2), :is_public => false, :project => nil)
+ @request.session[:user_id] = 3
+
+ get :index, :query_id => q.id
+ assert_response 403
+ end
+
+ def test_private_query_should_be_available_to_its_user
+ q = Query.create!(:name => "private", :user => User.find(2), :is_public => false, :project => nil)
+ @request.session[:user_id] = 2
+
+ get :index, :query_id => q.id
+ assert_response :success
+ end
+
+ def test_public_query_should_be_available_to_other_users
+ q = Query.create!(:name => "private", :user => User.find(2), :is_public => true, :project => nil)
+ @request.session[:user_id] = 3
+
+ get :index, :query_id => q.id
+ assert_response :success
+ end
def test_index_sort_by_field_not_included_in_columns
Setting.issue_list_default_columns = %w(subject author)