Merged r21975 from trunk to 5.0-stable (#37772).

git-svn-id: https://svn.redmine.org/redmine/branches/5.0-stable@21980 e93f8b46-1217-0410-a6f0-8f06a7374b81

diff --git a/test/functional/attachments_controller_test.rb b/test/functional/attachments_controller_test.rb
index 7b0ded8f9890a94a82b31c8abee2b0560583e2bd..5c8d72b9063f48b02bf6efc00d97769e3f7215f0 100644 (file)
--- a/test/functional/attachments_controller_test.rb
+++ b/test/functional/attachments_controller_test.rb
@@ -623,6 +623,22 @@ class AttachmentsControllerTest < Redmine::ControllerTest
     assert_response 404
   end
 
+  def test_download_all_with_invisible_journal
+    Project.find(1).update_column :is_public, false
+    Member.delete_all
+    @request.session[:user_id] = 2
+    User.current = User.find(2)
+    assert_not Journal.find(3).journalized.visible?
+    get(
+      :download_all,
+      :params => {
+        :object_type => 'journals',
+        :object_id => '3'
+      }
+    )
+    assert_response 403
+  end
+
   def test_download_all_with_maximum_bulk_download_size_larger_than_attachments
     with_settings :bulk_download_max_size => 0 do
       @request.session[:user_id] = 2

diff --git a/test/integration/attachments_test.rb b/test/integration/attachments_test.rb
index 197eda6aa8f4019f9be60a509d3cbc5c2e25db57..ab07f3a314ac4a3ecb9b382b840f9ec04a6c4bad 100644 (file)
--- a/test/integration/attachments_test.rb
+++ b/test/integration/attachments_test.rb
@@ -25,7 +25,9 @@ class AttachmentsTest < Redmine::IntegrationTest
            :roles, :members, :member_roles,
            :trackers, :projects_trackers,
            :issues, :issue_statuses, :enumerations,
-           :attachments
+           :attachments,
+           :wiki_content_versions, :wiki_contents, :wiki_pages,
+           :journals, :journal_details
 
   def test_upload_should_set_default_content_type
     log_user('jsmith', 'jsmith')
@@ -223,6 +225,54 @@ class AttachmentsTest < Redmine::IntegrationTest
     set_tmp_attachments_directory
   end
 
+  def test_download_all_with_wrong_container_type
+    set_tmp_attachments_directory
+
+    # make the attachment readable
+    assert a = Attachment.find(3)
+    FileUtils.mkdir_p File.dirname(a.diskfile)
+    (File.open(a.diskfile, 'wb') << 'test').close
+
+    # there is no 'download all' for WikiContentVersions
+    with_settings :login_required => '0' do
+      get "/attachments/wiki_content_versions/7/download"
+      assert_response :not_found
+    end
+    with_settings :login_required => '1' do
+      get "/attachments/wiki_content_versions/7/download"
+      assert_response :not_found
+    end
+  end
+
+  def test_download_all_for_journal_should_check_visibility
+    set_tmp_attachments_directory
+    Project.find(1).update_column :is_public, false
+
+    # make the attachment readable
+    assert a = Attachment.find(4)
+    FileUtils.mkdir_p File.dirname(a.diskfile)
+    (File.open(a.diskfile, 'wb') << 'test').close
+
+    with_settings :login_required => '0' do
+      get "/attachments/journals/3/download"
+      assert_response 403
+    end
+    with_settings :login_required => '1' do
+      get "/attachments/journals/3/download"
+      assert_redirected_to "/login?back_url=http%3A%2F%2Fwww.example.com%2Fattachments%2Fjournals%2F3%2Fdownload"
+    end
+
+    Project.find(1).update_column :is_public, true
+    with_settings :login_required => '0' do
+      get "/attachments/journals/3/download"
+      assert_response :success
+    end
+    with_settings :login_required => '1' do
+      get "/attachments/journals/3/download"
+      assert_redirected_to "/login?back_url=http%3A%2F%2Fwww.example.com%2Fattachments%2Fjournals%2F3%2Fdownload"
+    end
+  end
+
   private
 
   def ajax_upload(filename, content, attachment_id=1)