From 9b52ae5c5a6492c6a1a3c7eaf5d62f5e8dccd7fa Mon Sep 17 00:00:00 2001
From: Jean-Philippe Lang
Date: Sat, 5 Dec 2015 10:21:07 +0000
Subject: [PATCH] Fixed that user with permission can't remove a locked watcher (#21382).

git-svn-id: http://svn.redmine.org/redmine/trunk@14946 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/controllers/watchers_controller.rb | 4 +++-
 test/functional/watchers_controller_test.rb | 24 ++++++++++++++++++++-
 2 files changed, 26 insertions(+), 2 deletions(-)

diff --git a/app/controllers/watchers_controller.rb b/app/controllers/watchers_controller.rb
index 27d3f1598..917eb5ed2 100644
--- a/app/controllers/watchers_controller.rb
+++ b/app/controllers/watchers_controller.rb
@@ -62,12 +62,14 @@ class WatchersController < ApplicationController
 end
 
 def destroy
- @watched.set_watcher(User.visible.find(params[:user_id]), false)
+ @watched.set_watcher(User.find(params[:user_id]), false)
 respond_to do |format|
 format.html { redirect_to :back }
 format.js
 format.api { render_api_ok }
 end
+ rescue ActiveRecord::RecordNotFound
+ render_404
 end
 
 def autocomplete_for_user
diff --git a/test/functional/watchers_controller_test.rb b/test/functional/watchers_controller_test.rb
index 6cd2eccdb..1b64176f2 100644
--- a/test/functional/watchers_controller_test.rb
+++ b/test/functional/watchers_controller_test.rb
@@ -259,7 +259,7 @@ class WatchersControllerTest < ActionController::TestCase
 assert response.body.blank?
 end
 
- def test_remove_watcher
+ def test_destroy
 @request.session[:user_id] = 2
 assert_difference('Watcher.count', -1) do
 xhr :delete, :destroy, :object_type => 'issue', :object_id => '2', :user_id => '3'
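Review bot: The lookup in `destroy` is now the unscoped `User.find(params[:user_id])`, so every user id is resolved whether or not the requester may see that user, and the new `rescue ActiveRecord::RecordNotFound` / `render_404` pair makes the response differ between an existing and a missing id. Anyone allowed to call this action can therefore tell which ids exist, presumably including users the removed `User.visible` scope used to hide; the tests added in test/functional/watchers_controller_test.rb cover a locked user and a missing id, but not a user hidden from the requester. Consider resolving the id only among the users currently watching `@watched`, or, if the wider lookup is intended, record that next to the call, e.g. `# Unscoped on purpose: locked users must stay removable as watchers (#21382)`. The method-level rescue also covers the `respond_to` block, so a RecordNotFound raised while rendering would be reported as a 404 as well.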
@@ -268,4 +268,26 @@ class WatchersControllerTest < ActionController::TestCase
 end
 assert !Issue.find(2).watched_by?(User.find(3))
 end
+
+ def test_destroy_locked_user
+ user = User.find(3)
+ user.lock!
+ assert user.reload.locked?
+
+ @request.session[:user_id] = 2
+ assert_difference('Watcher.count', -1) do
+ xhr :delete, :destroy, :object_type => 'issue', :object_id => '2', :user_id => '3'
+ assert_response :success
+ assert_match /watchers/, response.body
+ end
+ assert !Issue.find(2).watched_by?(User.find(3))
+ end
+
+ def test_destroy_invalid_user_should_respond_with_404
+ @request.session[:user_id] = 2
+ assert_no_difference('Watcher.count') do
+ delete :destroy, :object_type => 'issue', :object_id => '2', :user_id => '999'
+ assert_response 404
+ end
+ end
 end
-- 
2.39.5
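Review bot: `assert_match /watchers/, response.body` in `test_destroy_locked_user` passes a regexp literal as the first argument of a call written without parentheses, which Ruby reports as an ambiguous first argument when warnings are enabled; `assert_match(/watchers/, response.body)` avoids that. Separately, `test_destroy_invalid_user_should_respond_with_404` sends a plain `delete` while the two success tests use `xhr`, so the not-found path is not pinned for the JS format. A second request in that test, `xhr :delete, :destroy, :object_type => 'issue', :object_id => '2', :user_id => '999'` followed by `assert_response 404`, would cover it.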