From: Jean-Philippe Lang Date: Fri, 4 Dec 2015 12:42:13 +0000 (+0000) Subject: Information leak in Atom feed (#21419). X-Git-Tag: 3.3.0~375 X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=7e423fb4538247d59e01958c48b491f196a1de56;p=redmine.git Information leak in Atom feed (#21419). Patch by Jens Krämer. git-svn-id: http://svn.redmine.org/redmine/trunk@14913 e93f8b46-1217-0410-a6f0-8f06a7374b81 --- diff --git a/app/views/journals/index.builder b/app/views/journals/index.builder index 5b907b828..f157ae968 100644 --- a/app/views/journals/index.builder +++ b/app/views/journals/index.builder @@ -20,7 +20,7 @@ xml.feed "xmlns" => "http://www.w3.org/2005/Atom" do end xml.content "type" => "html" do xml.text! '' diff --git a/test/functional/journals_controller_test.rb b/test/functional/journals_controller_test.rb index 557fd3912..c82d2e588 100644 --- a/test/functional/journals_controller_test.rb +++ b/test/functional/journals_controller_test.rb @@ -19,7 +19,7 @@ require File.expand_path('../../test_helper', __FILE__) class JournalsControllerTest < ActionController::TestCase fixtures :projects, :users, :members, :member_roles, :roles, :issues, :journals, :journal_details, :enabled_modules, - :trackers, :issue_statuses, :enumerations, :custom_fields, :custom_values, :custom_fields_projects + :trackers, :issue_statuses, :enumerations, :custom_fields, :custom_values, :custom_fields_projects, :projects_trackers def setup User.current = nil 
@@ -51,6 +51,46 @@ class JournalsControllerTest < ActionController::TestCase
 assert_not_include journal, assigns(:journals)
 end
+ def test_index_should_show_visible_custom_fields_only
+ Issue.destroy_all
+ field_attributes = {:field_format => 'string', :is_for_all => true, :is_filter => true, :trackers => Tracker.all}
+ @fields = []
+ @fields << (@field1 = IssueCustomField.create!(field_attributes.merge(:name => 'Field 1', :visible => true)))
+ @fields << (@field2 = IssueCustomField.create!(field_attributes.merge(:name => 'Field 2', :visible => false, :role_ids => [1, 2])))
+ @fields << (@field3 = IssueCustomField.create!(field_attributes.merge(:name => 'Field 3', :visible => false, :role_ids => [1, 3])))
+ @issue = Issue.generate!(
+ :author_id => 1,
+ :project_id => 1,
+ :tracker_id => 1,
+ :custom_field_values => {@field1.id => 'Value0', @field2.id => 'Value1', @field3.id => 'Value2'}
+ )
+ @issue.init_journal(User.find(1))
+ @issue.update_attribute :custom_field_values, {@field1.id => 'NewValue0', @field2.id => 'NewValue1', @field3.id => 'NewValue2'}
+
+
+ user_with_role_on_other_project = User.generate!
+ User.add_to_project(user_with_role_on_other_project, Project.find(2), Role.find(3))
+ users_to_test = {
+ User.find(1) => [@field1, @field2, @field3],
+ User.find(3) => [@field1, @field2],
+ user_with_role_on_other_project => [@field1], # should see field1 only on Project 1
+ User.generate! => [@field1],
+ User.anonymous => [@field1]
+ }
+
+ users_to_test.each do |user, visible_fields|
+ get :index, :format => 'atom', :key => user.rss_key
+ @fields.each_with_index do |field, i|
+ if visible_fields.include?(field)
+ assert_select "content[type=html]", { :text => /NewValue#{i}/, :count => 1 }, "User #{user.id} was not able to view #{field.name} in API"
+ else
+ assert_select "content[type=html]", { :text => /NewValue#{i}/, :count => 0 }, "User #{user.id} was able to view #{field.name} in API"
+ end
+ end
+ end
+
+ end
+
 def test_diff_for_description_change
 get :diff, :id => 3, :detail_id => 4
 assert_response :success
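Review bot: The expected-visibility matrix in `users_to_test` encodes fixture facts the test never states — which roles users 1 and 3 hold on project 1, and that the fields restricted to `:role_ids => [1, 2]` and `[1, 3]` are resolved against memberships on the issue's project, which is why a role 3 membership on project 2 grants nothing — so a fixture change would fail it with no hint why. A comment above the hash, e.g. `# expectations follow the :members/:member_roles fixtures for project 1; role 3 on project 2 must not unlock Field 3 (#21419)`, would make the matrix self-explanatory. The two blank lines after the `update_attribute` call and the blank line before the method's closing `end` are stray whitespace. `@fields` and `@field1..3` are only read inside this method, so plain locals would do.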