From 3f5f020a78bf1862b99af05adf606ac21f9b1acd Mon Sep 17 00:00:00 2001
From: Marius Balteanu
Date: Thu, 1 Dec 2022 15:18:04 +0000
Subject: [PATCH] Add tests for #37772. Patch by Holger Just.

git-svn-id: https://svn.redmine.org/redmine/trunk@21975 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 doc/CHANGELOG | 47 +++++++++++++++++
 .../functional/attachments_controller_test.rb | 16 ++++++
 test/integration/attachments_test.rb | 52 ++++++++++++++++++-
 3 files changed, 114 insertions(+), 1 deletion(-)

diff --git a/doc/CHANGELOG b/doc/CHANGELOG
index 72bce3ca7..b55dbfc8b 100644
--- a/doc/CHANGELOG
+++ b/doc/CHANGELOG
@@ -4,6 +4,53 @@ Redmine - project management software
 Copyright (C) 2006-2022 Jean-Philippe Lang
 https://www.redmine.org/
 
+== 2022-12-01 v5.0.4
+
+=== [Activity view]
+
+* Defect #37875: Unnecessary closing li element when there is no "Next" button on Activity page
+
+=== [Code cleanup/refactoring]
+
+* Patch #37938: Unused permission "Mention user"
+
+=== [Documentation]
+
+* Defect #37983: Duplicate vertical-align property in wiki_syntax.css
+
+=== [Gems support]
+
+* Defect #37884: All system tests fail on 4.2-stable branch with "ArgumentError: unknown keyword: :desired_capabilities"
+* Patch #37867: Limit puma < 6.0.0 to avoid system test error
+* Patch #37883: Limit mocha version to < 2.0.0 when Ruby version is < 2.7 to avoid test error
+
+=== [Issues]
+
+* Defect #37958: Groups added to watchers are not shown as links
+
+=== [Issues workflow]
+
+* Defect #37685: Read-only field permission for the project field is ignored if the current project has subprojects
+
+=== [Projects]
+
+* Defect #37925: Do not allow unkown display_type for query
+
+=== [Rails support]
+
+* Defect #37814: Plugins that serialize Date or Time objects cause Psych::DisallowedClass exception
+
+=== [Security]
+
+* Defect #37772: Access Control Issue in attachments#download_all
+* Defect #37751: Persistent XSS in textile formatting due to blockquote citation
+* Defect #37767: Redmine contains a cross-site scripting vulnerability
+* Defect #37880: Open Redirect in attachments#download_all
+
+=== [Translations]
+
+* Defect #37812: "Yes" and "No" are swapped in Polish translation
+
 == 2022-10-02 v5.0.3
 
 === [Code cleanup/refactoring]
diff --git a/test/functional/attachments_controller_test.rb b/test/functional/attachments_controller_test.rb
index cb82427cd..4839c612d 100644
--- a/test/functional/attachments_controller_test.rb
+++ b/test/functional/attachments_controller_test.rb
@@ -623,6 +623,22 @@ class AttachmentsControllerTest < Redmine::ControllerTest
     assert_response 404
   end
 
+  def test_download_all_with_invisible_journal
+    Project.find(1).update_column :is_public, false
+    Member.delete_all
+    @request.session[:user_id] = 2
+    User.current = User.find(2)
+    assert_not Journal.find(3).journalized.visible?
+    get(
+      :download_all,
+      :params => {
+        :object_type => 'journals',
+        :object_id => '3'
+      }
+    )
+    assert_response 403
+  end
+
   def test_download_all_with_maximum_bulk_download_size_larger_than_attachments
     with_settings :bulk_download_max_size => 0 do
       @request.session[:user_id] = 2
diff --git a/test/integration/attachments_test.rb b/test/integration/attachments_test.rb
index 197eda6aa..ab07f3a31 100644
--- a/test/integration/attachments_test.rb
+++ b/test/integration/attachments_test.rb
@@ -25,7 +25,9 @@ class AttachmentsTest < Redmine::IntegrationTest
           :roles, :members, :member_roles, :trackers, :projects_trackers, :issues, :issue_statuses, :enumerations,
-          :attachments
+          :attachments,
+          :wiki_content_versions, :wiki_contents, :wiki_pages,
+          :journals, :journal_details
 
   def test_upload_should_set_default_content_type
     log_user('jsmith', 'jsmith')
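Review bot: test_download_all_with_invisible_journal asserts only the 403 and has no positive control, so it would still pass if download_all rejected the journal container for a reason unrelated to visibility. Restoring visibility at the end, `Project.find(1).update_column :is_public, true` followed by the same `get` and `assert_response :success`, would pin the denial to the visibility check, mirroring what the integration test in this patch does for the public/private toggle (assuming journal 3's attachments are downloadable by a non-member on a public project, which the integration test's anonymous success case suggests). `User.current = User.find(2)` is presumably set only so the `assert_not ... visible?` precondition evaluates as user 2, while the request itself authenticates through the session; a short comment such as `# visible? without an argument is checked against User.current, not the session` would make that explicit.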
@@ -223,6 +225,54 @@ class AttachmentsTest < Redmine::IntegrationTest
     set_tmp_attachments_directory
   end
 
+  def test_download_all_with_wrong_container_type
+    set_tmp_attachments_directory
+
+    # make the attachment readable
+    assert a = Attachment.find(3)
+    FileUtils.mkdir_p File.dirname(a.diskfile)
+    (File.open(a.diskfile, 'wb') << 'test').close
+
+    # there is no 'download all' for WikiContentVersions
+    with_settings :login_required => '0' do
+      get "/attachments/wiki_content_versions/7/download"
+      assert_response :not_found
+    end
+    with_settings :login_required => '1' do
+      get "/attachments/wiki_content_versions/7/download"
+      assert_response :not_found
+    end
+  end
+
+  def test_download_all_for_journal_should_check_visibility
+    set_tmp_attachments_directory
+    Project.find(1).update_column :is_public, false
+
+    # make the attachment readable
+    assert a = Attachment.find(4)
+    FileUtils.mkdir_p File.dirname(a.diskfile)
+    (File.open(a.diskfile, 'wb') << 'test').close
+
+    with_settings :login_required => '0' do
+      get "/attachments/journals/3/download"
+      assert_response 403
+    end
+    with_settings :login_required => '1' do
+      get "/attachments/journals/3/download"
+      assert_redirected_to "/login?back_url=http%3A%2F%2Fwww.example.com%2Fattachments%2Fjournals%2F3%2Fdownload"
+    end
+
+    Project.find(1).update_column :is_public, true
+    with_settings :login_required => '0' do
+      get "/attachments/journals/3/download"
+      assert_response :success
+    end
+    with_settings :login_required => '1' do
+      get "/attachments/journals/3/download"
+      assert_redirected_to "/login?back_url=http%3A%2F%2Fwww.example.com%2Fattachments%2Fjournals%2F3%2Fdownload"
+    end
+  end
+
   private
 
   def ajax_upload(filename, content, attachment_id=1)
--
2.39.5
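Review bot: `assert a = Attachment.find(3)` in test_download_all_with_wrong_container_type (and `Attachment.find(4)` in test_download_all_for_journal_should_check_visibility) cannot fail on its own, because `find` raises ActiveRecord::RecordNotFound rather than returning nil, so the assert only hides an assignment inside a condition. The following `(File.open(a.diskfile, 'wb') << 'test').close` also leaks the handle if `<<` raises; the same three-line setup is duplicated in both new tests and could be written as `a = Attachment.find(3)`, `FileUtils.mkdir_p File.dirname(a.diskfile)`, `File.binwrite(a.diskfile, 'test')`, or pulled into a private helper next to ajax_upload. The login_required => '1' branches assert a redirect to /login with the download path as back_url, which appears to happen before any container lookup, so the private-project 403 is exercised only by the login_required => '0' request; a comment stating that intent would keep a later reader from reading the redirect case as a visibility assertion.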