From 9d65eee4248acef921d102f1e614618514afcd51 Mon Sep 17 00:00:00 2001
From: Go MAEDA
Date: Fri, 20 Jan 2023 03:31:41 +0000
Subject: [PATCH] Avoid double-render error with ApplicationController#find_optional_project (#38063). Patch by Holger Just.
git-svn-id: https://svn.redmine.org/redmine/trunk@22066 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/controllers/application_controller.rb | 5 ++++-
 test/functional/news_controller_test.rb | 12 +++++++++++-
 test/integration/application_test.rb | 15 +++++++++++++++
 3 files changed, 30 insertions(+), 2 deletions(-)
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 6bda01088..c39fe8ad1 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -354,9 +354,12 @@ class ApplicationController < ActionController::Base
 # and authorize the user for the requested action
 def find_optional_project
 if params[:project_id].present?
- find_project(params[:project_id])
+ @project = Project.find(params[:project_id])
 end
 authorize_global
+ rescue ActiveRecord::RecordNotFound
+ User.current.logged? ? render_404 : require_login
+ false
 end

 # Finds and sets @project based on @object.project
diff --git a/test/functional/news_controller_test.rb b/test/functional/news_controller_test.rb
index ffa439073..d21835656 100644
--- a/test/functional/news_controller_test.rb
+++ b/test/functional/news_controller_test.rb
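Review bot: The method-level `rescue ActiveRecord::RecordNotFound` in `find_optional_project` (app/controllers/application_controller.rb) also covers `authorize_global`, so a RecordNotFound raised anywhere under the authorization check would be answered as a missing project instead of surfacing as an error. Wrapping only the `Project.find` call in a `begin`/`rescue` that ends with `return false` keeps the two failure modes apart. The split on `User.current.logged?` also deserves a line in the comment above the method (which starts outside the hunk), e.g. `# A missing project renders 404 for logged-in users and sends anonymous users to the login page.`. Whether that keeps missing and forbidden projects indistinguishable for anonymous callers depends on the denial path inside `authorize_global`, which is not visible here.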
@@ -40,11 +40,21 @@ class NewsControllerTest < Redmine::ControllerTest
 assert_select 'h3 a', :text => 'eCookbook first release !'
 end

- def test_index_with_invalid_project_should_respond_with_404
+ def test_index_with_invalid_project_should_respond_with_404_for_logged_users
+ @request.session[:user_id] = 2
+
 get(:index, :params => {:project_id => 999})
 assert_response 404
 end

+ def test_index_with_invalid_project_should_respond_with_302_for_anonymous
+ Role.anonymous.remove_permission! :view_news
+ with_settings :login_required => '0' do
+ get(:index, :params => {:project_id => 999})
+ assert_response 302
+ end
+ end
+
 def test_index_without_permission_should_fail
 Role.all.each {|r| r.remove_permission! :view_news}
 @request.session[:user_id] = 2
diff --git a/test/integration/application_test.rb b/test/integration/application_test.rb
index d6caac41a..f80e9f81a 100644
--- a/test/integration/application_test.rb
+++ b/test/integration/application_test.rb
@@ -96,4 +96,19 @@ class ApplicationTest < Redmine::IntegrationTest
 assert_response 302
 end
 end
+
+ def test_find_optional_project_should_not_error
+ Role.anonymous.remove_permission! :view_gantt
+ with_settings :login_required => '0' do
+ get '/projects/nonexistingproject/issues/gantt'
+ assert_response 302
+ end
+ end
+
+ def test_find_optional_project_should_render_404_for_logged_users
+ log_user('jsmith', 'jsmith')
+
+ get '/projects/nonexistingproject/issues/gantt'
+ assert_response 404
+ end
 end
-- 
2.39.5
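Review bot: Both anonymous tests, `test_index_with_invalid_project_should_respond_with_302_for_anonymous` in test/functional/news_controller_test.rb and `test_find_optional_project_should_not_error` in test/integration/application_test.rb, first call `Role.anonymous.remove_permission!`, so neither pins what an anonymous user who still holds the permission gets for a missing project. The rescue branch added to `find_optional_project` in this commit does not look at permissions, so that case presumably now ends in the login redirect as well. A further test without the `remove_permission!` line, still asserting `assert_response 302`, would make that behaviour explicit. Checking the redirect target with `assert_redirected_to` rather than only the status code would also distinguish the login redirect from any other 302.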