From: Jean-Philippe Lang Date: Thu, 6 Jan 2011 20:46:22 +0000 (+0000) Subject: Verify HTTP method on ProjectsController#create. X-Git-Tag: 1.2.0~1127 X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=072c4ad14cf0649545ceab6261558a32c234e720;p=redmine.git Verify HTTP method on ProjectsController#create. git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@4646 e93f8b46-1217-0410-a6f0-8f06a7374b81 --- diff --git a/app/controllers/projects_controller.rb b/app/controllers/projects_controller.rb index 1dffedc0e..6557af3e4 100644 --- a/app/controllers/projects_controller.rb +++ b/app/controllers/projects_controller.rb @@ -32,9 +32,6 @@ class ProjectsController < ApplicationController end end - # TODO: convert to PUT only - verify :method => [:post, :put], :only => :update, :render => {:nothing => true, :status => :method_not_allowed } - helper :sort include SortHelper helper :custom_fields @@ -71,6 +68,7 @@ class ProjectsController < ApplicationController @project = Project.new(params[:project]) end + verify :method => :post, :only => :create, :render => {:nothing => true, :status => :method_not_allowed } def create @issue_custom_fields = IssueCustomField.find(:all, :order => "#{CustomField.table_name}.position") @trackers = Tracker.all @@ -183,6 +181,8 @@ class ProjectsController < ApplicationController def edit end + # TODO: convert to PUT only + verify :method => [:post, :put], :only => :update, :render => {:nothing => true, :status => :method_not_allowed } def update @project.safe_attributes = params[:project] if validate_parent_id && @project.save diff --git a/test/functional/projects_controller_test.rb b/test/functional/projects_controller_test.rb index d3a12f290..0b77daa50 100644 --- a/test/functional/projects_controller_test.rb +++ b/test/functional/projects_controller_test.rb @@ -288,6 +288,17 @@ class ProjectsControllerTest < ActionController::TestCase end end + context "GET :create" do + setup do + @request.session[:user_id] = 1 + end + + should "not be allowed" do + get :create + assert_response :method_not_allowed + end + end + def test_show_by_id get :show, :id => 1 assert_response :success