Fixed that user with permission can't remove a locked watcher (#21382).

git-svn-id: http://svn.redmine.org/redmine/trunk@14946 e93f8b46-1217-0410-a6f0-8f06a7374b81

app/controllers/watchers_controller.rb

@@ -62,12 +62,14 @@ class WatchersController < ApplicationController
   end
 
   def destroy
-    @watched.set_watcher(User.visible.find(params[:user_id]), false)
+    @watched.set_watcher(User.find(params[:user_id]), false)
     respond_to do |format|
       format.html { redirect_to :back }
       format.js
       format.api { render_api_ok }
     end
+  rescue ActiveRecord::RecordNotFound
+    render_404
   end
 
   def autocomplete_for_user

test/functional/watchers_controller_test.rb

@@ -259,7 +259,7 @@ class WatchersControllerTest < ActionController::TestCase
     assert response.body.blank?
   end
 
-  def test_remove_watcher
+  def test_destroy
     @request.session[:user_id] = 2
     assert_difference('Watcher.count', -1) do
       xhr :delete, :destroy, :object_type => 'issue', :object_id => '2', :user_id => '3'
@@ -268,4 +268,26 @@ class WatchersControllerTest < ActionController::TestCase
     end
     assert !Issue.find(2).watched_by?(User.find(3))
   end
+
+  def test_destroy_locked_user
+    user = User.find(3)
+    user.lock!
+    assert user.reload.locked?
+
+    @request.session[:user_id] = 2
+    assert_difference('Watcher.count', -1) do
+      xhr :delete, :destroy, :object_type => 'issue', :object_id => '2', :user_id => '3'
+      assert_response :success
+      assert_match /watchers/, response.body
+    end
+    assert !Issue.find(2).watched_by?(User.find(3))
+  end
+
+  def test_destroy_invalid_user_should_respond_with_404
+    @request.session[:user_id] = 2
+    assert_no_difference('Watcher.count') do
+      delete :destroy, :object_type => 'issue', :object_id => '2', :user_id => '999'
+      assert_response 404
+    end
+  end
 end