From 93847ae33740232e7e6e7a6a4a2dba45ea421932 Mon Sep 17 00:00:00 2001
From: Jean-Philippe Lang
Date: Sat, 18 Dec 2010 17:11:41 +0000
Subject: [PATCH] Fixes a data disclosure issue introduced in r3941.

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@4535 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/controllers/journals_controller.rb      |  1 +
 test/functional/journals_controller_test.rb | 10 ++++++++--
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/app/controllers/journals_controller.rb b/app/controllers/journals_controller.rb
index a3b1abde4..d3b56e8cb 100644
--- a/app/controllers/journals_controller.rb
+++ b/app/controllers/journals_controller.rb
@@ -19,6 +19,7 @@ class JournalsController < ApplicationController
   before_filter :find_journal, :only => [:edit]
   before_filter :find_issue, :only => [:new]
   before_filter :find_optional_project, :only => [:index]
+  before_filter :authorize, :only => [:new, :edit]
   accept_key_auth :index
 
   helper :issues
diff --git a/test/functional/journals_controller_test.rb b/test/functional/journals_controller_test.rb
index 9aa8fe277..ff123f915 100644
--- a/test/functional/journals_controller_test.rb
+++ b/test/functional/journals_controller_test.rb
@@ -40,14 +40,20 @@ class JournalsControllerTest < ActionController::TestCase
   def test_reply_to_issue
     @request.session[:user_id] = 2
-    get :new, :id => 1
+    get :new, :id => 6
     assert_response :success
     assert_select_rjs :show, "update"
   end
+
+  def test_reply_to_issue_without_permission
+    @request.session[:user_id] = 7
+    get :new, :id => 6
+    assert_response 403
+  end
 
   def test_reply_to_note
     @request.session[:user_id] = 2
-    get :new, :id => 1, :journal_id => 2
+    get :new, :id => 6, :journal_id => 4
     assert_response :success
     assert_select_rjs :show, "update"
   end
 
-- 
2.39.5
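Review bot: The added `authorize` filter only does its job because it is declared after `find_issue` and `find_journal`, which presumably are what load the `@project` that `authorize` checks against; that dependency lives purely in declaration order and nothing in the hunk records it. A one-line comment above the new line, `# must run after find_issue/find_journal: authorize checks the @project those filters load`, would protect the fix from a well-meaning reorder of the filter list. The `:index` action remains outside `authorize` and is guarded here only by `find_optional_project`; whether the index query itself restricts journals to issues the current user may see is not visible in this hunk and is worth confirming, since it is the same class of disclosure this commit closes for `new`/`edit`. The controller's class body continues past the end of the hunk.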
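Review bot: The new permission test exercises only the `:new` path, while the filter added in the controller also guards `:edit`, which gets no unauthorized-user test here. A sibling `test_edit_without_permission` that sets `@request.session[:user_id] = 7`, does `get :edit, :id => 4`, and asserts `assert_response 403` would pin that branch too; `test_reply_to_note` pairs journal 4 with issue 6, so the same fixtures appear usable, but confirm that against the fixture files. The reply-to-note variant (`:journal_id => 4`) likewise has no forbidden counterpart. The retargeting from issue 1 to issue 6 is presumably because issue 6 sits in a project user 7 cannot see, but the hunk does not say so; a short comment on `test_reply_to_issue_without_permission` naming why user 7 and issue 6 were chosen would keep the test's intent legible. The test class continues outside the hunk.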