From: Jean-Philippe Lang
Date: Sun, 3 Jul 2011 11:01:08 +0000 (+0000)
Subject: Fixed: private queries should not be accessible to other users (#8729).
X-Git-Tag: 1.3.0~1751
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=8914d323ee14c660c169ef143800343f87af33da;p=redmine.git

Fixed: private queries should not be accessible to other users (#8729).

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@6163 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 5c1215b4f..e3f768645 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -18,6 +18,8 @@ require 'uri'
 require 'cgi'
+class Unauthorized < Exception; end
+
 class ApplicationController < ActionController::Base
 include Redmine::I18n
@@ -41,6 +43,7 @@ class ApplicationController < ActionController::Base
 protect_from_forgery
 rescue_from ActionController::InvalidAuthenticityToken, :with => :invalid_authenticity_token
+ rescue_from ::Unauthorized, :with => :deny_access
 include Redmine::Search::Controller
 include Redmine::MenuManager::MenuController
diff --git a/app/helpers/queries_helper.rb b/app/helpers/queries_helper.rb
index 61a1846d8..31a363d28 100644
--- a/app/helpers/queries_helper.rb
+++ b/app/helpers/queries_helper.rb
@@ -70,6 +70,7 @@ module QueriesHelper
 cond = "project_id IS NULL"
 cond << " OR project_id = #{@project.id}" if @project
 @query = Query.find(params[:query_id], :conditions => cond)
+ raise ::Unauthorized unless @query.visible?
 @query.project = @project
 session[:query] = {:id => @query.id, :project_id => @query.project_id}
 sort_clear
diff --git a/app/models/query.rb b/app/models/query.rb
index 678fca9d9..786751c8c 100644
--- a/app/models/query.rb
+++ b/app/models/query.rb
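Review bot: `class Unauthorized < Exception; end` in the first application_controller.rb hunk inherits from `Exception` rather than `StandardError`, and nothing on the definition says why; a maintainer who later "normalises" it to `StandardError` would let any bare `rescue` or `rescue => e` between the helper and the controller swallow the denial, turning a 403 into whatever that rescue does. Presumably the base class was chosen precisely so a bare rescue cannot catch it, and that intent should be written down, e.g. `# Raised when the current user may not access a resource. Inherits from Exception (not StandardError) so a bare rescue cannot swallow it; ApplicationController maps it to deny_access via rescue_from.` The second hunk of this file adds that `rescue_from ::Unauthorized, :with => :deny_access`; `deny_access` itself is outside the diff, so its behaviour for anonymous users (403 versus a login redirect) cannot be confirmed here.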
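Review bot: The new `raise ::Unauthorized unless @query.visible?` in queries_helper.rb answers a different status for a private query than for a query outside `cond`: the former becomes a 403 via `deny_access`, the latter stays an `ActiveRecord::RecordNotFound` from `Query.find`, so the response code alone reveals whether a given query id exists as someone else's private query. If that distinction is not wanted, raising `ActiveRecord::RecordNotFound` for a non-visible query would make both cases indistinguishable; if the 403 is intended, a short comment saying so would stop the next reader from "fixing" it either way. The placement is right as it stands — the check runs before `session[:query]` is written, so a rejected query is never persisted into the session — and that is worth a one-line comment too, e.g. `# must precede the session write so a denied query is never remembered`. The enclosing method starts and ends outside the hunk, and `visible?` is the method added to query.rb in this commit.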
@@ -165,6 +165,11 @@ class Query < ActiveRecord::Base
 ["o", "c", "!*", "*", "t", "w"].include? operator_for(field)
 end if filters
 end
+
+ # Returns true if the query is visible to +user+ or the current user.
+ def visible?(user=User.current)
+ self.is_public? || self.user_id == user.id
+ end
 def editable_by?(user)
 return false unless user
diff --git a/test/functional/issues_controller_test.rb b/test/functional/issues_controller_test.rb
index eddb5493c..31e6ae11e 100644
--- a/test/functional/issues_controller_test.rb
+++ b/test/functional/issues_controller_test.rb
@@ -18,9 +18,6 @@ require File.expand_path('../../test_helper', __FILE__)
 require 'issues_controller'
-# Re-raise errors caught by the controller.
-class IssuesController; def rescue_action(e) raise e end; end
-
 class IssuesControllerTest < ActionController::TestCase
 fixtures :projects, :users,
@@ -193,6 +190,30 @@ class IssuesControllerTest < ActionController::TestCase
 assert_not_nil assigns(:issues)
 assert_not_nil assigns(:issue_count_by_group)
 end
+
+ def test_private_query_should_not_be_available_to_other_users
+ q = Query.create!(:name => "private", :user => User.find(2), :is_public => false, :project => nil)
+ @request.session[:user_id] = 3
+
+ get :index, :query_id => q.id
+ assert_response 403
+ end
+
+ def test_private_query_should_be_available_to_its_user
+ q = Query.create!(:name => "private", :user => User.find(2), :is_public => false, :project => nil)
+ @request.session[:user_id] = 2
+
+ get :index, :query_id => q.id
+ assert_response :success
+ end
+
+ def test_public_query_should_be_available_to_other_users
+ q = Query.create!(:name => "private", :user => User.find(2), :is_public => true, :project => nil)
+ @request.session[:user_id] = 3
+
+ get :index, :query_id => q.id
+ assert_response :success
+ end
 def test_index_sort_by_field_not_included_in_columns
 Setting.issue_list_default_columns = %w(subject author)
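Review bot: `visible?` dereferences `user.id` unconditionally, so an explicit `nil` argument raises `NoMethodError` rather than returning false, while `editable_by?` directly below it opens with `return false unless user`; the default `User.current` presumably never yields nil, but a caller that forwards a possibly-nil user should hit the same guard in both predicates, i.e. `return false unless user` followed by `is_public? || user_id == user.id`. The comment would also benefit from stating what the method does not check: visibility here is only "public or owned by +user+" and says nothing about project access, which the queries_helper.rb caller in this commit enforces separately through its `cond` on `project_id`. The surrounding `editable_by?` continues past the end of the hunk.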
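Review bot: In the last issues_controller_test.rb hunk the public-query case still builds its fixture with `:name => "private"`, so a failure message in `test_public_query_should_be_available_to_other_users` would point at the wrong thing; `:name => "public"` says what the test means. The three new cases only exercise logged-in users (session user ids 2 and 3), so the behaviour of `deny_access` for an anonymous request against a private query — whether it is a 403 or a redirect to login is not visible in this diff — and the case of a private query scoped to a project (all three use `:project => nil`) go unverified. Adding an anonymous-request case with no `session[:user_id]`, asserting whichever response `deny_access` produces for anonymous users, and a project-scoped private query reached through its project would close both gaps. The removal of the `rescue_action` override in the first hunk of this file is what lets `rescue_from` produce the 403 in these tests, which deserves a sentence in the commit message.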