Fixed: issue details view discloses relations to issues that the user is not allowed...
authorJean-Philippe Lang <jp_lang@yahoo.fr>
Sat, 31 Jan 2009 13:22:29 +0000 (13:22 +0000)
committerJean-Philippe Lang <jp_lang@yahoo.fr>
Sat, 31 Jan 2009 13:22:29 +0000 (13:22 +0000)
git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@2343 e93f8b46-1217-0410-a6f0-8f06a7374b81

app/models/issue.rb
app/views/issues/_relations.rhtml
test/functional/issues_controller_test.rb

index d333fe3cc8783720b43646e7d7eeef1b26a715bd..cbd2628004a81954f99219770fe7566485eec4fe 100644 (file)
@@ -54,6 +54,11 @@ class Issue < ActiveRecord::Base
   named_scope :visible, lambda {|*args| { :include => :project,
                                           :conditions => Project.allowed_to_condition(args.first || User.current, :view_issues) } }
   
+  # Returns true if usr or current user is allowed to view the issue
+  def visible?(usr=nil)
+    (usr || User.current).allowed_to?(:view_issues, self.project)
+  end
+  
   def after_initialize
     if new_record?
       # set default values for new records only
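Review bot: The new `visible?` predicate duplicates the permission rule that the `:visible` named_scope just above it expresses through `Project.allowed_to_condition`, so the two can silently drift apart (for example in how archived or closed projects are treated, which this hunk does not show). A comment pinning them together would help the next maintainer, e.g. `# Must stay consistent with the :visible named_scope above (Project.allowed_to_condition)`. The doc comment could also state the argument contract explicitly: `# usr defaults to User.current; returns true if that user may view this issue's project`. Note that `self.project` can be nil for an issue that has not been assigned a project yet; how `User#allowed_to?` handles a nil project is not visible here, so that is worth confirming or guarding.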
index 7139210bc5c8a586c5f979b1b4d8cd886b5d391e..f99976f5cc32d0e759df0ea75c75dac6f362b81f 100644 (file)
@@ -8,7 +8,7 @@
 
 <% if @issue.relations.any? %>
 <table style="width:100%">
-<% @issue.relations.each do |relation| %>
+<% @issue.relations.select {|r| r.other_issue(@issue).visible? }.each do |relation| %>
 <tr>
 <td><%= l(relation.label_for(@issue)) %> <%= "(#{lwr(:actionview_datehelper_time_in_words_day, relation.delay)})" if relation.delay && relation.delay != 0 %>
     <%= h(relation.other_issue(@issue).project) + ' - ' if Setting.cross_project_issue_relations? %> <%= link_to_issue relation.other_issue(@issue) %></td>
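Review bot: The `any?` guard two lines above still tests the unfiltered `@issue.relations`, so when every related issue is invisible to the user the partial renders the header and an empty `<table>`, which both looks broken and still reveals that relations exist. Filtering once up front fixes both and avoids calling `other_issue` an extra time per row: `<% visible_relations = @issue.relations.select {|r| r.other_issue(@issue).visible? } %>`, then `<% if visible_relations.any? %>` and `<% visible_relations.each do |relation| %>`. This filter only protects this partial; any other place that renders an issue's relations would need the same check, though none is visible in this commit.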
index 1097ca5d10f4392836154309f6b910199f6085e6..cc1c7740802dc65d6fff1ff1dcc13f9c3216695a 100644 (file)
@@ -324,6 +324,21 @@ class IssuesControllerTest < Test::Unit::TestCase
                                             :content => /Notes/ } }
   end
   
+  def test_show_should_not_disclose_relations_to_invisible_issues
+    Setting.cross_project_issue_relations = '1'
+    IssueRelation.create!(:issue_from => Issue.find(1), :issue_to => Issue.find(2), :relation_type => 'relates')
+    # Relation to a private project issue
+    IssueRelation.create!(:issue_from => Issue.find(1), :issue_to => Issue.find(4), :relation_type => 'relates')
+    
+    get :show, :id => 1
+    assert_response :success
+    
+    assert_tag :div, :attributes => { :id => 'relations' },
+                     :descendant => { :tag => 'a', :content => /#2$/ }
+    assert_no_tag :div, :attributes => { :id => 'relations' },
+                        :descendant => { :tag => 'a', :content => /#4$/ }
+  end
+  
   def test_new_routing
     assert_routing(
       {:method => :get, :path => '/projects/1/issues/new'},
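Review bot: `Setting.cross_project_issue_relations = '1'` is set at the top of the new test and never restored, so it can leak into later tests in the same process if setting values are cached outside the transactional fixture rollback (not visible here). Restoring it in an `ensure` or a `teardown` keeps the test self-contained. The test also depends implicitly on fixture data and on the request being anonymous; a comment would make that explicit, e.g. `# Issue 4 belongs to a private project the anonymous user cannot view; issue 2 is public`. The positive assertion on `#2` is what keeps the `assert_no_tag` from passing vacuously when the relations div is absent, which is worth a short comment as well.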