Fixes a data disclosure issue introduced in r3941.

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@4535 e93f8b46-1217-0410-a6f0-8f06a7374b81

diff --git a/app/controllers/journals_controller.rb b/app/controllers/journals_controller.rb
index a3b1abde4d72c215437579aa7aabb680694b8e99..d3b56e8cb8c89e3d012f00e169ce7fc2ccd45e7f 100644 (file)
--- a/app/controllers/journals_controller.rb
+++ b/app/controllers/journals_controller.rb
@@ -19,6 +19,7 @@ class JournalsController < ApplicationController
   before_filter :find_journal, :only => [:edit]
   before_filter :find_issue, :only => [:new]
   before_filter :find_optional_project, :only => [:index]
+  before_filter :authorize, :only => [:new, :edit]
   accept_key_auth :index
 
   helper :issues

diff --git a/test/functional/journals_controller_test.rb b/test/functional/journals_controller_test.rb
index 9aa8fe277633aedeb50052b2be4c717a2305b2c5..ff123f91550ea15ddd8e51b7c65d6e81e2f3009f 100644 (file)
--- a/test/functional/journals_controller_test.rb
+++ b/test/functional/journals_controller_test.rb
@@ -40,14 +40,20 @@ class JournalsControllerTest < ActionController::TestCase
   
   def test_reply_to_issue
     @request.session[:user_id] = 2
-    get :new, :id => 1
+    get :new, :id => 6
     assert_response :success
     assert_select_rjs :show, "update"
   end
+  
+  def test_reply_to_issue_without_permission
+    @request.session[:user_id] = 7
+    get :new, :id => 6
+    assert_response 403
+  end
 
   def test_reply_to_note
     @request.session[:user_id] = 2
-    get :new, :id => 1, :journal_id => 2
+    get :new, :id => 6, :journal_id => 4
     assert_response :success
     assert_select_rjs :show, "update"
   end