From 2eaabae2520b9de37aa21c54d9ce373bf175cf81 Mon Sep 17 00:00:00 2001
From: Jean-Philippe Lang <jp_lang@yahoo.fr>
Date: Mon, 26 Jun 2017 21:04:34 +0000
Subject: [PATCH] Don't redirect anonymous users to the login form when module
 is disabled (#26145).

git-svn-id: http://svn.redmine.org/redmine/trunk@16726 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/controllers/application_controller.rb   | 3 +++
 test/functional/projects_controller_test.rb | 4 ++--
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index f1d57d4b8..a05f54077 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -260,6 +260,9 @@ class ApplicationController < ActionController::Base
     else
       if @project && @project.archived?
         render_403 :message => :notice_not_authorized_archived_project
+      elsif @project && !@project.allows_to?(:controller => ctrl, :action => action)
+        # Project module is disabled
+        render_403
       else
         deny_access
       end
diff --git a/test/functional/projects_controller_test.rb b/test/functional/projects_controller_test.rb
index bc66e86d9..b0feee827 100644
--- a/test/functional/projects_controller_test.rb
+++ b/test/functional/projects_controller_test.rb
@@ -579,7 +579,7 @@ class ProjectsControllerTest < Redmine::ControllerTest
     get :settings, :params => {
         :id => 1
       }
-    assert_response 302
+    assert_response 403
   end
 
   def test_setting_with_wiki_module_and_no_wiki
@@ -700,7 +700,7 @@ class ProjectsControllerTest < Redmine::ControllerTest
           :name => 'Closed'
         }
       }
-    assert_response 302
+    assert_response 403
     assert_equal 'eCookbook', Project.find(1).name
   end
 
-- 
2.39.5