From: Marius Balteanu
Date: Wed, 3 Jan 2024 01:19:25 +0000 (+0000)
Subject: Explicitly render a 404 on non-JS requests to messages#quote (#39999).
X-Git-Tag: 6.0.0~528
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=fe9fd97f6d0ee80a536a61b9f7cbe3f9a6bce262;p=redmine.git

Explicitly render a 404 on non-JS requests to messages#quote (#39999).

Patch by Holger Just (@hjust).

git-svn-id: https://svn.redmine.org/redmine/trunk@22584 e93f8b46-1217-0410-a6f0-8f06a7374b81
---

diff --git a/app/controllers/messages_controller.rb b/app/controllers/messages_controller.rb
index b41830b85..a4b4478a2 100644
--- a/app/controllers/messages_controller.rb
+++ b/app/controllers/messages_controller.rb
@@ -125,6 +125,11 @@ class MessagesController < ApplicationController
 @content = +"#{ll(Setting.default_language, :text_user_wrote_in, {:value => @message.author, :link => "message##{@message.id}"})}\n> "
 end
 @content << @message.content.to_s.strip.gsub(%r{
(.*?)
}m, '[...]').gsub(/(\r?\n|\r\n?)/, "\n> ") + "\n\n"
+
+ respond_to do |format|
+ format.html { render_404 }
+ format.js
+ end
 end
 
 def preview
diff --git a/test/functional/messages_controller_test.rb b/test/functional/messages_controller_test.rb
index 2535e570b..4e146e4e6 100644
--- a/test/functional/messages_controller_test.rb
+++ b/test/functional/messages_controller_test.rb
@@ -311,6 +311,19 @@ class MessagesControllerTest < Redmine::ControllerTest
 assert_include '> An other reply', response.body
 end
 
+ def test_quote_as_html_should_respond_with_404
+ @request.session[:user_id] = 2
+ get(
+ :quote,
+ :params => {
+ :board_id => 1,
+ :id => 3
+ },
+ )
+
+ assert_response 404
+ end
+
 def test_preview_new
 @request.session[:user_id] = 2
 post(
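Review bot: Only `format.html` is mapped to a 404 in the new `respond_to` block, although the commit title promises it for every non-JS request. A request for any other format (for example `.xml` or `.json`) matches neither branch and falls through to Rails' unknown-format handling, which normally answers 406. If 404 is meant for everything except JS, add `format.any { render_404 }` after `format.js`. The block also sits at the very end of `quote`, so `@content` is still built from the message body before the request is rejected. A short comment such as `# quote is only meant to be rendered as JS; other requests get a 404` would record the intent. The start of `quote` lies outside this hunk.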
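Review bot: `test_quote_as_html_should_respond_with_404` pins only the default HTML format for a logged-in user (`@request.session[:user_id] = 2`), so the status returned for other non-JS formats remains untested. A sibling case that passes `:format => 'xml'` in `:params` and asserts the intended status would stop that behaviour from drifting unnoticed. The trailing comma after the closing `},` of the `get(` call is valid Ruby, but it is worth checking against the argument style of the neighbouring `post(` calls, whose bodies are not visible in this hunk.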