From 9435929e349f0af9ba1d059e41d80c65be50e833 Mon Sep 17 00:00:00 2001
From: Marius Balteanu
Date: Thu, 1 Dec 2022 15:27:57 +0000
Subject: [PATCH] Merged r21975 from trunk to 5.0-stable (#37772).

git-svn-id: https://svn.redmine.org/redmine/branches/5.0-stable@21980 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 .../functional/attachments_controller_test.rb | 16 ++++++
 test/integration/attachments_test.rb | 52 ++++++++++++++++++-
 2 files changed, 67 insertions(+), 1 deletion(-)

diff --git a/test/functional/attachments_controller_test.rb b/test/functional/attachments_controller_test.rb
index 7b0ded8f9..5c8d72b90 100644
--- a/test/functional/attachments_controller_test.rb
+++ b/test/functional/attachments_controller_test.rb
@@ -623,6 +623,22 @@ class AttachmentsControllerTest < Redmine::ControllerTest
 assert_response 404
 end
 
+ def test_download_all_with_invisible_journal
+ Project.find(1).update_column :is_public, false
+ Member.delete_all
+ @request.session[:user_id] = 2
+ User.current = User.find(2)
+ assert_not Journal.find(3).journalized.visible?
+ get(
+ :download_all,
+ :params => {
+ :object_type => 'journals',
+ :object_id => '3'
+ }
+ )
+ assert_response 403
+ end
+
 def test_download_all_with_maximum_bulk_download_size_larger_than_attachments
 with_settings :bulk_download_max_size => 0 do
 @request.session[:user_id] = 2
diff --git a/test/integration/attachments_test.rb b/test/integration/attachments_test.rb
index 197eda6aa..ab07f3a31 100644
--- a/test/integration/attachments_test.rb
+++ b/test/integration/attachments_test.rb
@@ -25,7 +25,9 @@ class AttachmentsTest < Redmine::IntegrationTest
 :roles, :members, :member_roles,
 :trackers, :projects_trackers,
 :issues, :issue_statuses, :enumerations,
- :attachments
+ :attachments,
+ :wiki_content_versions, :wiki_contents, :wiki_pages,
+ :journals, :journal_details
 
 def test_upload_should_set_default_content_type
 log_user('jsmith', 'jsmith')
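Review bot: In `test_download_all_with_invisible_journal` (test/functional/attachments_controller_test.rb) the setup that makes journal 3 invisible is unexplained and broader than it needs to be: `Member.delete_all` removes every membership in the fixture set, not only user 2's access to project 1. A one-line comment such as `# user 2 loses access: project 1 is private and no memberships remain` would make the precondition readable. The test also pins only the deny path, so on its own it cannot tell a visibility check from a blanket 403; it relies on some other test asserting a successful journal download for an authorised user, which this hunk does not show.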
@@ -223,6 +225,54 @@ class AttachmentsTest < Redmine::IntegrationTest
 set_tmp_attachments_directory
 end
 
+ def test_download_all_with_wrong_container_type
+ set_tmp_attachments_directory
+
+ # make the attachment readable
+ assert a = Attachment.find(3)
+ FileUtils.mkdir_p File.dirname(a.diskfile)
+ (File.open(a.diskfile, 'wb') << 'test').close
+
+ # there is no 'download all' for WikiContentVersions
+ with_settings :login_required => '0' do
+ get "/attachments/wiki_content_versions/7/download"
+ assert_response :not_found
+ end
+ with_settings :login_required => '1' do
+ get "/attachments/wiki_content_versions/7/download"
+ assert_response :not_found
+ end
+ end
+
+ def test_download_all_for_journal_should_check_visibility
+ set_tmp_attachments_directory
+ Project.find(1).update_column :is_public, false
+
+ # make the attachment readable
+ assert a = Attachment.find(4)
+ FileUtils.mkdir_p File.dirname(a.diskfile)
+ (File.open(a.diskfile, 'wb') << 'test').close
+
+ with_settings :login_required => '0' do
+ get "/attachments/journals/3/download"
+ assert_response 403
+ end
+ with_settings :login_required => '1' do
+ get "/attachments/journals/3/download"
+ assert_redirected_to "/login?back_url=http%3A%2F%2Fwww.example.com%2Fattachments%2Fjournals%2F3%2Fdownload"
+ end
+
+ Project.find(1).update_column :is_public, true
+ with_settings :login_required => '0' do
+ get "/attachments/journals/3/download"
+ assert_response :success
+ end
+ with_settings :login_required => '1' do
+ get "/attachments/journals/3/download"
+ assert_redirected_to "/login?back_url=http%3A%2F%2Fwww.example.com%2Fattachments%2Fjournals%2F3%2Fdownload"
+ end
+ end
+
 private
 
 def ajax_upload(filename, content, attachment_id=1)
-- 
2.39.5
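Review bot: `test_download_all_for_journal_should_check_visibility` never sends an authenticated request, so under `login_required => '1'` the private and public branches assert the same login redirect and say nothing about journal visibility. The visibility decision is therefore exercised only for anonymous users in this file. Adding a logged-in case, e.g. `log_user('jsmith', 'jsmith')` followed by `get "/attachments/journals/3/download"` and the status expected for that user (presumably `assert_response :success` if jsmith is a member of project 1 in the fixtures, to be confirmed), would cover the allow path on a private project. Separately, `(File.open(a.diskfile, 'wb') << 'test').close` in both new tests could be `File.binwrite(a.diskfile, 'test')`, which closes the handle even if the write raises.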