end
end
- verify :method => :delete, :only => :destroy
def destroy
# Make sure association callbacks are called
@attachment.container.attachments.delete(@attachment)
before_filter :require_admin
- # GETs should be safe (see http://www.w3.org/2001/tag/doc/whenToUseGet.html)
- verify :method => :post, :only => [ :destroy, :create, :update ],
- :redirect_to => { :template => :index }
-
def index
@auth_source_pages, @auth_sources = paginate auth_source_class.name.tableize, :per_page => 10
render "auth_sources/index"
@board = @project.boards.build(params[:board])
end
- verify :method => :post, :only => :create, :redirect_to => { :action => :index }
def create
@board = @project.boards.build(params[:board])
if @board.save
def edit
end
- verify :method => :put, :only => :update, :redirect_to => { :action => :index }
def update
if @board.update_attributes(params[:board])
redirect_to_settings_in_projects
end
end
- verify :method => :delete, :only => :destroy, :redirect_to => { :action => :index }
def destroy
@board.destroy
redirect_to_settings_in_projects
before_filter :find_project_from_association
before_filter :authorize
- verify :method => :post, :only => :create, :render => {:nothing => true, :status => :method_not_allowed }
def create
raise Unauthorized unless @news.commentable?
redirect_to :controller => 'news', :action => 'show', :id => @news
end
- verify :method => :delete, :only => :destroy, :render => {:nothing => true, :status => :method_not_allowed }
def destroy
@news.comments.find(params[:comment_id]).destroy
redirect_to :controller => 'news', :action => 'show', :id => @news
end
end
- verify :method => :delete, :only => :destroy, :render => { :nothing => true, :status => :method_not_allowed }
def destroy
if !@enumeration.in_use?
# No associated objects
@category = @project.issue_categories.build(params[:issue_category])
end
- verify :method => :post, :only => :create
def create
@category = @project.issue_categories.build(params[:issue_category])
if @category.save
def edit
end
- verify :method => :put, :only => :update
def update
if @category.update_attributes(params[:issue_category])
respond_to do |format|
end
end
- verify :method => :delete, :only => :destroy
def destroy
@issue_count = @category.issues.size
if @issue_count == 0 || params[:todo] || api_request?
end
end
- verify :method => :post, :only => :create, :render => {:nothing => true, :status => :method_not_allowed }
def create
@relation = IssueRelation.new(params[:relation])
@relation.issue_from = @issue
end
end
- verify :method => :delete, :only => :destroy, :render => {:nothing => true, :status => :method_not_allowed }
def destroy
raise Unauthorized unless @relation.deletable?
@relation.destroy
end
end
- verify :method => :delete, :only => :destroy, :redirect_to => { :action => :index }
def destroy
IssueStatus.find(params[:id]).destroy
redirect_to :action => 'index'
helper :gantt
include Redmine::Export::PDF
- verify :method => :post, :only => :create, :render => {:nothing => true, :status => :method_not_allowed }
- verify :method => :post, :only => :bulk_update, :render => {:nothing => true, :status => :method_not_allowed }
- verify :method => :put, :only => :update, :render => {:nothing => true, :status => :method_not_allowed }
-
def index
retrieve_query
sort_init(@query.sort_criteria.empty? ? [['id', 'desc']] : @query.sort_criteria)
end
end
- verify :method => :delete, :only => :destroy, :render => { :nothing => true, :status => :method_not_allowed }
def destroy
@hours = TimeEntry.sum(:hours, :conditions => ['issue_id IN (?)', @issues]).to_f
if @hours > 0
class MailHandlerController < ActionController::Base
before_filter :check_credential
- verify :method => :post,
- :only => :index,
- :render => { :nothing => true, :status => 405 }
-
# Submits an incoming email to MailHandler
def index
options = params.dup
before_filter :find_message, :except => [:new, :preview]
before_filter :authorize, :except => [:preview, :edit, :destroy]
- verify :method => :post, :only => [ :reply, :destroy ], :redirect_to => { :action => :show }
- verify :xhr => true, :only => :quote
-
helper :watchers
helper :attachments
include AttachmentsHelper
'right' => ['issuesreportedbyme']
}.freeze
- verify :xhr => true,
- :only => [:add_block, :remove_block, :order_blocks]
-
def index
page
render :action => 'page'
@project = Project.new(params[:project])
end
- verify :method => :post, :only => :create, :render => {:nothing => true, :status => :method_not_allowed }
def create
@issue_custom_fields = IssueCustomField.find(:all, :order => "#{CustomField.table_name}.position")
@trackers = Tracker.all
def edit
end
- # TODO: convert to PUT only
- verify :method => [:post, :put], :only => :update, :render => {:nothing => true, :status => :method_not_allowed }
def update
@project.safe_attributes = params[:project]
if validate_parent_id && @project.save
end
end
- verify :method => :post, :only => :modules, :render => {:nothing => true, :status => :method_not_allowed }
def modules
@project.enabled_module_names = params[:enabled_module_names]
flash[:notice] = l(:notice_successful_update)
redirect_to(url_for(:controller => 'admin', :action => 'projects', :status => params[:status]))
end
- verify :method => :delete, :only => :destroy, :render => {:nothing => true, :status => :method_not_allowed }
# Delete @project
def destroy
@project_to_destroy = @project
build_query_from_params
end
- verify :method => :post, :only => :create, :render => {:nothing => true, :status => :method_not_allowed }
def create
@query = Query.new(params[:query])
@query.user = User.current
def edit
end
- verify :method => :put, :only => :update, :render => {:nothing => true, :status => :method_not_allowed }
def update
@query.attributes = params[:query]
@query.project = nil if params[:query_is_for_all]
end
end
- verify :method => :delete, :only => :destroy, :render => {:nothing => true, :status => :method_not_allowed }
def destroy
@query.destroy
redirect_to :controller => 'issues', :action => 'index', :project_id => @project, :set_filter => 1
end
end
- verify :method => :delete, :only => :destroy, :redirect_to => { :action => :index }
def destroy
@role.destroy
redirect_to :action => 'index'
@time_entry.attributes = params[:time_entry]
end
- verify :method => :post, :only => :create, :render => {:nothing => true, :status => :method_not_allowed }
def create
@time_entry ||= TimeEntry.new(:project => @project, :issue => @issue, :user => User.current, :spent_on => User.current.today)
@time_entry.attributes = params[:time_entry]
@time_entry.attributes = params[:time_entry]
end
- verify :method => :put, :only => :update, :render => {:nothing => true, :status => :method_not_allowed }
def update
@time_entry.attributes = params[:time_entry]
redirect_back_or_default({:controller => 'timelog', :action => 'index', :project_id => @projects.first})
end
- verify :method => :delete, :only => :destroy, :render => {:nothing => true, :status => :method_not_allowed }
def destroy
@time_entries.each do |t|
begin
render :action => 'edit'
end
- verify :method => :delete, :only => :destroy, :redirect_to => { :action => :index }
def destroy
@tracker = Tracker.find(params[:id])
unless @tracker.issues.empty?
@auth_sources = AuthSource.find(:all)
end
- verify :method => :post, :only => :create, :render => {:nothing => true, :status => :method_not_allowed }
def create
@user = User.new(:language => Setting.default_language, :mail_notification => Setting.default_notification_option)
@user.safe_attributes = params[:user]
@membership ||= Member.new
end
- verify :method => :put, :only => :update, :render => {:nothing => true, :status => :method_not_allowed }
def update
@user.admin = params[:user][:admin] if params[:user][:admin]
@user.login = params[:user][:login] if params[:user][:login]
redirect_to :controller => 'users', :action => 'edit', :id => @user
end
- verify :method => :delete, :only => :destroy, :render => {:nothing => true, :status => :method_not_allowed }
def destroy
@user.destroy
respond_to do |format|
end
end
- verify :method => [:post, :put], :only => :edit_membership, :render => {:nothing => true, :status => :method_not_allowed }
def edit_membership
@membership = Member.edit_membership(params[:membership_id], params[:membership], @user)
@membership.save
end
end
- verify :method => :delete, :only => :destroy_membership, :render => {:nothing => true, :status => :method_not_allowed }
def destroy_membership
@membership = Member.find(params[:membership_id])
if @membership.deletable?
redirect_to :controller => 'projects', :action => 'settings', :tab => 'versions', :id => @project
end
- verify :method => :delete, :only => :destroy, :render => {:nothing => true, :status => :method_not_allowed }
def destroy
if @version.fixed_issues.empty?
@version.destroy
before_filter :require_login, :check_project_privacy, :only => [:watch, :unwatch]
before_filter :authorize, :only => [:new, :destroy]
- verify :method => :post,
- :only => [ :watch, :unwatch ],
- :render => { :nothing => true, :status => :method_not_allowed }
-
def watch
if @watched.respond_to?(:visible?) && !@watched.visible?(User.current)
render_403
end
end
- verify :method => :put, :only => :update, :render => {:nothing => true, :status => :method_not_allowed }
# Creates a new page or updates an existing one
def update
return render_403 unless editable?
end
end
- verify :method => :post, :only => :protect, :redirect_to => { :action => :show }
def protect
@page.update_attribute :protected, params[:protected]
redirect_to :action => 'show', :project_id => @project, :id => @page.title
render_404 unless @annotate
end
- verify :method => :delete, :only => [:destroy], :redirect_to => { :action => :show }
# Removes a wiki page and its history
# Children can be either set as root pages, removed or reassigned to another parent page
def destroy
assert_equal 'This is the test_new issue', issue.subject
end
- def test_update_using_invalid_http_verbs
- @request.session[:user_id] = 2
- subject = 'Updated by an invalid http verb'
-
- get :update, :id => 1, :issue => {:subject => subject}
- assert_not_equal subject, Issue.find(1).subject
-
- post :update, :id => 1, :issue => {:subject => subject}
- assert_not_equal subject, Issue.find(1).subject
-
- delete :update, :id => 1, :issue => {:subject => subject}
- assert_not_equal subject, Issue.find(1).subject
- end
-
def test_put_update_without_custom_fields_param
@request.session[:user_id] = 2
ActionMailer::Base.deliveries.clear
end
end
- def test_create_should_not_accept_get
- @request.session[:user_id] = 1
- get :create
- assert_response :method_not_allowed
- end
-
def test_show_by_id
get :show, :id => 1
assert_response :success
assert_equal ['documents', 'issue_tracking', 'repository'], Project.find(1).enabled_module_names.sort
end
- def test_modules_should_not_allow_get
- @request.session[:user_id] = 1
- get :modules, :id => 1
- assert_response :method_not_allowed
- end
-
def test_destroy_without_confirmation
@request.session[:user_id] = 1 # admin
delete :destroy, :id => 1
assert_nil User.find_by_id(2)
end
- def test_destroy_should_not_accept_get_requests
- assert_no_difference 'User.count' do
- get :destroy, :id => 2
- end
- assert_response 405
- end
-
def test_destroy_should_be_denied_for_non_admin_users
@request.session[:user_id] = 3
User.current = nil
end
- def test_get_watch_should_be_invalid
- @request.session[:user_id] = 3
- get :watch, :object_type => 'issue', :object_id => '1'
- assert_response 405
- end
-
def test_watch
@request.session[:user_id] = 3
assert_difference('Watcher.count') do
}
}
end
+
+ def test_update_using_invalid_http_verbs
+ subject = 'Updated by an invalid http verb'
+
+ get '/issues/update/1', {:issue => {:subject => subject}}, credentials('jsmith')
+ assert_response 404
+ assert_not_equal subject, Issue.find(1).subject
+
+ post '/issues/1', {:issue => {:subject => subject}}, credentials('jsmith')
+ assert_response 405
+ assert_not_equal subject, Issue.find(1).subject
+ end
+
+ def test_get_watch_should_be_invalid
+ assert_no_difference 'Watcher.count' do
+ get '/watchers/watch?object_type=issue&object_id=1', {}, credentials('jsmith')
+ assert_response 405
+ end
+ end
end
require File.expand_path('../../test_helper', __FILE__)
class ProjectsTest < ActionController::IntegrationTest
- fixtures :projects, :users, :members
+ fixtures :projects, :users, :members, :enabled_modules
def test_archive_project
subproject = Project.find(1).children.first
get "projects/1"
assert_response :success
end
+
+ def test_modules_should_not_allow_get
+ assert_no_difference 'EnabledModule.count' do
+ get '/projects/1/modules', {:enabled_module_names => ['']}, credentials('jsmith')
+ assert_response :method_not_allowed
+ end
+ end
end
--- /dev/null
+# Redmine - project management software
+# Copyright (C) 2006-2012 Jean-Philippe Lang
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+require File.expand_path('../../test_helper', __FILE__)
+
+class USersTest < ActionController::IntegrationTest
+ fixtures :users
+
+ def test_destroy_should_not_accept_get_requests
+ assert_no_difference 'User.count' do
+ get '/users/destroy/2', {}, credentials('admin')
+ assert_response 404
+ end
+ end
+end