Fixed that user with permission can't remove a locked watcher (#21382).
authorJean-Philippe Lang <jp_lang@yahoo.fr>
Sat, 5 Dec 2015 10:21:07 +0000 (10:21 +0000)
committerJean-Philippe Lang <jp_lang@yahoo.fr>
Sat, 5 Dec 2015 10:21:07 +0000 (10:21 +0000)
git-svn-id: http://svn.redmine.org/redmine/trunk@14946 e93f8b46-1217-0410-a6f0-8f06a7374b81

app/controllers/watchers_controller.rb
test/functional/watchers_controller_test.rb

index 27d3f159831ae819303d930928df68b28759eb2c..917eb5ed256c86c6e9522558836b6fbac120c741 100644 (file)
@@ -62,12 +62,14 @@ class WatchersController < ApplicationController
   end
 
   def destroy
-    @watched.set_watcher(User.visible.find(params[:user_id]), false)
+    @watched.set_watcher(User.find(params[:user_id]), false)
     respond_to do |format|
       format.html { redirect_to :back }
       format.js
       format.api { render_api_ok }
     end
+  rescue ActiveRecord::RecordNotFound
+    render_404
   end
 
   def autocomplete_for_user
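Review bot: Dropping the `User.visible` scope in `destroy` means the lookup now resolves any user id, so the response differs between an id that does not exist (404 from the new `rescue`) and one that exists but is hidden from the requester or is not watching the object (normal success). Anyone allowed to call this action can use that difference to learn which user ids exist. Scoping the lookup to the object's current watchers would still allow removing a locked watcher while answering 404 for everything else, for example `@watched.set_watcher(@watched.watcher_users.find(params[:user_id]), false)`, assuming the watchable exposes a `watcher_users` association that includes locked users (to be confirmed). The method-level `rescue` also covers `set_watcher` and the `respond_to` block, so a `RecordNotFound` raised there would be reported as 404 too; a short comment saying the rescue is meant for the user lookup would help.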
index 6cd2eccdbd93da7f11106406c2831b1c68f8af60..1b64176f2b549cdb3e0ea8aa5a80f06a5983545d 100644 (file)
@@ -259,7 +259,7 @@ class WatchersControllerTest < ActionController::TestCase
     assert response.body.blank?
   end
 
-  def test_remove_watcher
+  def test_destroy
     @request.session[:user_id] = 2
     assert_difference('Watcher.count', -1) do
       xhr :delete, :destroy, :object_type => 'issue', :object_id => '2', :user_id => '3'
@@ -268,4 +268,26 @@ class WatchersControllerTest < ActionController::TestCase
     end
     assert !Issue.find(2).watched_by?(User.find(3))
   end
+
+  def test_destroy_locked_user
+    user = User.find(3)
+    user.lock!
+    assert user.reload.locked?
+
+    @request.session[:user_id] = 2
+    assert_difference('Watcher.count', -1) do
+      xhr :delete, :destroy, :object_type => 'issue', :object_id => '2', :user_id => '3'
+      assert_response :success
+      assert_match /watchers/, response.body
+    end
+    assert !Issue.find(2).watched_by?(User.find(3))
+  end
+
+  def test_destroy_invalid_user_should_respond_with_404
+    @request.session[:user_id] = 2
+    assert_no_difference('Watcher.count') do
+      delete :destroy, :object_type => 'issue', :object_id => '2', :user_id => '999'
+      assert_response 404
+    end
+  end
 end
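Review bot: The added tests cover a locked watcher and a non-existent id, but not a user who exists and is not watching the issue, which is the case the controller change newly lets through the lookup. A test for it would pin whether that request is meant to succeed silently or be rejected, and would catch a regression if the lookup is later scoped. The sketch below reuses only the fixture ids already used in this file; the expected status is left for the author to decide. If the file does not already test `destroy` for a user without the permission to remove watchers (not visible in this hunk), that case deserves a test as well now that the visibility scope is gone.

```ruby
def test_destroy_user_who_is_not_a_watcher
  # Remove the watcher first so the request targets an existing user who is not watching.
  Issue.find(2).set_watcher(User.find(3), false)

  @request.session[:user_id] = 2
  assert_no_difference('Watcher.count') do
    xhr :delete, :destroy, :object_type => 'issue', :object_id => '2', :user_id => '3'
    # assert the intended status here; the controller as patched appears to answer success
  end
end
```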