Explicitly render a 404 on non-JS requests to messages#quote (#39999).
authorMarius Balteanu <marius.balteanu@zitec.com>
Wed, 3 Jan 2024 01:19:25 +0000 (01:19 +0000)
committerMarius Balteanu <marius.balteanu@zitec.com>
Wed, 3 Jan 2024 01:19:25 +0000 (01:19 +0000)
Patch by Holger Just (@hjust).

git-svn-id: https://svn.redmine.org/redmine/trunk@22584 e93f8b46-1217-0410-a6f0-8f06a7374b81

app/controllers/messages_controller.rb
test/functional/messages_controller_test.rb

index b41830b852d851bb063921bb442beed2cc175f98..a4b4478a235c450d301f24a378eb875cce288c73 100644 (file)
@@ -125,6 +125,11 @@ class MessagesController < ApplicationController
       @content = +"#{ll(Setting.default_language, :text_user_wrote_in, {:value => @message.author, :link => "message##{@message.id}"})}\n> "
     end
     @content << @message.content.to_s.strip.gsub(%r{<pre>(.*?)</pre>}m, '[...]').gsub(/(\r?\n|\r\n?)/, "\n> ") + "\n\n"
+
+    respond_to do |format|
+      format.html { render_404 }
+      format.js
+    end
   end
 
   def preview
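Review bot: The commit title promises a 404 for every non-JS request, but the added `respond_to` block maps only `format.html` to `render_404`; any other requested format (for example `.json` or `.xml`) is left to Rails' unknown-format handling, which by default answers 406 rather than 404. If a uniform 404 is intended, add `format.any { render_404 }` after `format.js`; otherwise a comment such as `# HTML gets an explicit 404; other non-JS formats fall through to Rails' default handling` would record the choice. The new test in test/functional/messages_controller_test.rb exercises only the HTML case, so a second case with an explicit non-HTML `:format` would pin whichever behaviour is chosen. The body of `quote` starts above this hunk, so how `@message` is loaded and authorised is not visible here.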
index 2535e570b80228464b972f2614c7e39a19aedc92..4e146e4e6ef13b15da10d1bf3c1b3f6c34bfc325 100644 (file)
@@ -311,6 +311,19 @@ class MessagesControllerTest < Redmine::ControllerTest
     assert_include '> An other reply', response.body
   end
 
+  def test_quote_as_html_should_respond_with_404
+    @request.session[:user_id] = 2
+    get(
+      :quote,
+      :params => {
+        :board_id => 1,
+        :id => 3
+      },
+    )
+
+    assert_response 404
+  end
+
   def test_preview_new
     @request.session[:user_id] = 2
     post(