git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@9061 e93f8b46-1217-0410-a6f0-8f06a7374b81tags/1.4.0
@@ -82,7 +82,6 @@ class AttachmentsController < ApplicationController | |||
end | |||
end | |||
verify :method => :delete, :only => :destroy | |||
def destroy | |||
# Make sure association callbacks are called | |||
@attachment.container.attachments.delete(@attachment) |
@@ -20,10 +20,6 @@ class AuthSourcesController < ApplicationController | |||
before_filter :require_admin | |||
# GETs should be safe (see http://www.w3.org/2001/tag/doc/whenToUseGet.html) | |||
verify :method => :post, :only => [ :destroy, :create, :update ], | |||
:redirect_to => { :template => :index } | |||
def index | |||
@auth_source_pages, @auth_sources = paginate auth_source_class.name.tableize, :per_page => 10 | |||
render "auth_sources/index" |
@@ -63,7 +63,6 @@ class BoardsController < ApplicationController | |||
@board = @project.boards.build(params[:board]) | |||
end | |||
verify :method => :post, :only => :create, :redirect_to => { :action => :index } | |||
def create | |||
@board = @project.boards.build(params[:board]) | |||
if @board.save | |||
@@ -77,7 +76,6 @@ class BoardsController < ApplicationController | |||
def edit | |||
end | |||
verify :method => :put, :only => :update, :redirect_to => { :action => :index } | |||
def update | |||
if @board.update_attributes(params[:board]) | |||
redirect_to_settings_in_projects | |||
@@ -86,7 +84,6 @@ class BoardsController < ApplicationController | |||
end | |||
end | |||
verify :method => :delete, :only => :destroy, :redirect_to => { :action => :index } | |||
def destroy | |||
@board.destroy | |||
redirect_to_settings_in_projects |
@@ -22,7 +22,6 @@ class CommentsController < ApplicationController | |||
before_filter :find_project_from_association | |||
before_filter :authorize | |||
verify :method => :post, :only => :create, :render => {:nothing => true, :status => :method_not_allowed } | |||
def create | |||
raise Unauthorized unless @news.commentable? | |||
@@ -35,7 +34,6 @@ class CommentsController < ApplicationController | |||
redirect_to :controller => 'news', :action => 'show', :id => @news | |||
end | |||
verify :method => :delete, :only => :destroy, :render => {:nothing => true, :status => :method_not_allowed } | |||
def destroy | |||
@news.comments.find(params[:comment_id]).destroy | |||
redirect_to :controller => 'news', :action => 'show', :id => @news |
@@ -51,7 +51,6 @@ class EnumerationsController < ApplicationController | |||
end | |||
end | |||
verify :method => :delete, :only => :destroy, :render => { :nothing => true, :status => :method_not_allowed } | |||
def destroy | |||
if !@enumeration.in_use? | |||
# No associated objects |
@@ -42,7 +42,6 @@ class IssueCategoriesController < ApplicationController | |||
@category = @project.issue_categories.build(params[:issue_category]) | |||
end | |||
verify :method => :post, :only => :create | |||
def create | |||
@category = @project.issue_categories.build(params[:issue_category]) | |||
if @category.save | |||
@@ -73,7 +72,6 @@ class IssueCategoriesController < ApplicationController | |||
def edit | |||
end | |||
verify :method => :put, :only => :update | |||
def update | |||
if @category.update_attributes(params[:issue_category]) | |||
respond_to do |format| | |||
@@ -91,7 +89,6 @@ class IssueCategoriesController < ApplicationController | |||
end | |||
end | |||
verify :method => :delete, :only => :destroy | |||
def destroy | |||
@issue_count = @category.issues.size | |||
if @issue_count == 0 || params[:todo] || api_request? |
@@ -39,7 +39,6 @@ class IssueRelationsController < ApplicationController | |||
end | |||
end | |||
verify :method => :post, :only => :create, :render => {:nothing => true, :status => :method_not_allowed } | |||
def create | |||
@relation = IssueRelation.new(params[:relation]) | |||
@relation.issue_from = @issue | |||
@@ -70,7 +69,6 @@ class IssueRelationsController < ApplicationController | |||
end | |||
end | |||
verify :method => :delete, :only => :destroy, :render => {:nothing => true, :status => :method_not_allowed } | |||
def destroy | |||
raise Unauthorized unless @relation.deletable? | |||
@relation.destroy |
@@ -62,7 +62,6 @@ class IssueStatusesController < ApplicationController | |||
end | |||
end | |||
verify :method => :delete, :only => :destroy, :redirect_to => { :action => :index } | |||
def destroy | |||
IssueStatus.find(params[:id]).destroy | |||
redirect_to :action => 'index' |
@@ -53,10 +53,6 @@ class IssuesController < ApplicationController | |||
helper :gantt | |||
include Redmine::Export::PDF | |||
verify :method => :post, :only => :create, :render => {:nothing => true, :status => :method_not_allowed } | |||
verify :method => :post, :only => :bulk_update, :render => {:nothing => true, :status => :method_not_allowed } | |||
verify :method => :put, :only => :update, :render => {:nothing => true, :status => :method_not_allowed } | |||
def index | |||
retrieve_query | |||
sort_init(@query.sort_criteria.empty? ? [['id', 'desc']] : @query.sort_criteria) | |||
@@ -275,7 +271,6 @@ class IssuesController < ApplicationController | |||
end | |||
end | |||
verify :method => :delete, :only => :destroy, :render => { :nothing => true, :status => :method_not_allowed } | |||
def destroy | |||
@hours = TimeEntry.sum(:hours, :conditions => ['issue_id IN (?)', @issues]).to_f | |||
if @hours > 0 |
@@ -18,10 +18,6 @@ | |||
class MailHandlerController < ActionController::Base | |||
before_filter :check_credential | |||
verify :method => :post, | |||
:only => :index, | |||
:render => { :nothing => true, :status => 405 } | |||
# Submits an incoming email to MailHandler | |||
def index | |||
options = params.dup |
@@ -22,9 +22,6 @@ class MessagesController < ApplicationController | |||
before_filter :find_message, :except => [:new, :preview] | |||
before_filter :authorize, :except => [:preview, :edit, :destroy] | |||
verify :method => :post, :only => [ :reply, :destroy ], :redirect_to => { :action => :show } | |||
verify :xhr => true, :only => :quote | |||
helper :watchers | |||
helper :attachments | |||
include AttachmentsHelper |
@@ -35,9 +35,6 @@ class MyController < ApplicationController | |||
'right' => ['issuesreportedbyme'] | |||
}.freeze | |||
verify :xhr => true, | |||
:only => [:add_block, :remove_block, :order_blocks] | |||
def index | |||
page | |||
render :action => 'page' |
@@ -69,7 +69,6 @@ class ProjectsController < ApplicationController | |||
@project = Project.new(params[:project]) | |||
end | |||
verify :method => :post, :only => :create, :render => {:nothing => true, :status => :method_not_allowed } | |||
def create | |||
@issue_custom_fields = IssueCustomField.find(:all, :order => "#{CustomField.table_name}.position") | |||
@trackers = Tracker.all | |||
@@ -182,8 +181,6 @@ class ProjectsController < ApplicationController | |||
def edit | |||
end | |||
# TODO: convert to PUT only | |||
verify :method => [:post, :put], :only => :update, :render => {:nothing => true, :status => :method_not_allowed } | |||
def update | |||
@project.safe_attributes = params[:project] | |||
if validate_parent_id && @project.save | |||
@@ -206,7 +203,6 @@ class ProjectsController < ApplicationController | |||
end | |||
end | |||
verify :method => :post, :only => :modules, :render => {:nothing => true, :status => :method_not_allowed } | |||
def modules | |||
@project.enabled_module_names = params[:enabled_module_names] | |||
flash[:notice] = l(:notice_successful_update) | |||
@@ -227,7 +223,6 @@ class ProjectsController < ApplicationController | |||
redirect_to(url_for(:controller => 'admin', :action => 'projects', :status => params[:status])) | |||
end | |||
verify :method => :delete, :only => :destroy, :render => {:nothing => true, :status => :method_not_allowed } | |||
# Delete @project | |||
def destroy | |||
@project_to_destroy = @project |
@@ -50,7 +50,6 @@ class QueriesController < ApplicationController | |||
build_query_from_params | |||
end | |||
verify :method => :post, :only => :create, :render => {:nothing => true, :status => :method_not_allowed } | |||
def create | |||
@query = Query.new(params[:query]) | |||
@query.user = User.current | |||
@@ -70,7 +69,6 @@ class QueriesController < ApplicationController | |||
def edit | |||
end | |||
verify :method => :put, :only => :update, :render => {:nothing => true, :status => :method_not_allowed } | |||
def update | |||
@query.attributes = params[:query] | |||
@query.project = nil if params[:query_is_for_all] | |||
@@ -86,7 +84,6 @@ class QueriesController < ApplicationController | |||
end | |||
end | |||
verify :method => :delete, :only => :destroy, :render => {:nothing => true, :status => :method_not_allowed } | |||
def destroy | |||
@query.destroy | |||
redirect_to :controller => 'issues', :action => 'index', :project_id => @project, :set_filter => 1 |
@@ -68,7 +68,6 @@ class RolesController < ApplicationController | |||
end | |||
end | |||
verify :method => :delete, :only => :destroy, :redirect_to => { :action => :index } | |||
def destroy | |||
@role.destroy | |||
redirect_to :action => 'index' |
@@ -121,7 +121,6 @@ class TimelogController < ApplicationController | |||
@time_entry.attributes = params[:time_entry] | |||
end | |||
verify :method => :post, :only => :create, :render => {:nothing => true, :status => :method_not_allowed } | |||
def create | |||
@time_entry ||= TimeEntry.new(:project => @project, :issue => @issue, :user => User.current, :spent_on => User.current.today) | |||
@time_entry.attributes = params[:time_entry] | |||
@@ -156,7 +155,6 @@ class TimelogController < ApplicationController | |||
@time_entry.attributes = params[:time_entry] | |||
end | |||
verify :method => :put, :only => :update, :render => {:nothing => true, :status => :method_not_allowed } | |||
def update | |||
@time_entry.attributes = params[:time_entry] | |||
@@ -200,7 +198,6 @@ class TimelogController < ApplicationController | |||
redirect_back_or_default({:controller => 'timelog', :action => 'index', :project_id => @projects.first}) | |||
end | |||
verify :method => :delete, :only => :destroy, :render => {:nothing => true, :status => :method_not_allowed } | |||
def destroy | |||
@time_entries.each do |t| | |||
begin |
@@ -71,7 +71,6 @@ class TrackersController < ApplicationController | |||
render :action => 'edit' | |||
end | |||
verify :method => :delete, :only => :destroy, :redirect_to => { :action => :index } | |||
def destroy | |||
@tracker = Tracker.find(params[:id]) | |||
unless @tracker.issues.empty? |
@@ -86,7 +86,6 @@ class UsersController < ApplicationController | |||
@auth_sources = AuthSource.find(:all) | |||
end | |||
verify :method => :post, :only => :create, :render => {:nothing => true, :status => :method_not_allowed } | |||
def create | |||
@user = User.new(:language => Setting.default_language, :mail_notification => Setting.default_notification_option) | |||
@user.safe_attributes = params[:user] | |||
@@ -131,7 +130,6 @@ class UsersController < ApplicationController | |||
@membership ||= Member.new | |||
end | |||
verify :method => :put, :only => :update, :render => {:nothing => true, :status => :method_not_allowed } | |||
def update | |||
@user.admin = params[:user][:admin] if params[:user][:admin] | |||
@user.login = params[:user][:login] if params[:user][:login] | |||
@@ -177,7 +175,6 @@ class UsersController < ApplicationController | |||
redirect_to :controller => 'users', :action => 'edit', :id => @user | |||
end | |||
verify :method => :delete, :only => :destroy, :render => {:nothing => true, :status => :method_not_allowed } | |||
def destroy | |||
@user.destroy | |||
respond_to do |format| | |||
@@ -186,7 +183,6 @@ class UsersController < ApplicationController | |||
end | |||
end | |||
verify :method => [:post, :put], :only => :edit_membership, :render => {:nothing => true, :status => :method_not_allowed } | |||
def edit_membership | |||
@membership = Member.edit_membership(params[:membership_id], params[:membership], @user) | |||
@membership.save | |||
@@ -209,7 +205,6 @@ class UsersController < ApplicationController | |||
end | |||
end | |||
verify :method => :delete, :only => :destroy_membership, :render => {:nothing => true, :status => :method_not_allowed } | |||
def destroy_membership | |||
@membership = Member.find(params[:membership_id]) | |||
if @membership.deletable? |
@@ -160,7 +160,6 @@ class VersionsController < ApplicationController | |||
redirect_to :controller => 'projects', :action => 'settings', :tab => 'versions', :id => @project | |||
end | |||
verify :method => :delete, :only => :destroy, :render => {:nothing => true, :status => :method_not_allowed } | |||
def destroy | |||
if @version.fixed_issues.empty? | |||
@version.destroy |
@@ -20,10 +20,6 @@ class WatchersController < ApplicationController | |||
before_filter :require_login, :check_project_privacy, :only => [:watch, :unwatch] | |||
before_filter :authorize, :only => [:new, :destroy] | |||
verify :method => :post, | |||
:only => [ :watch, :unwatch ], | |||
:render => { :nothing => true, :status => :method_not_allowed } | |||
def watch | |||
if @watched.respond_to?(:visible?) && !@watched.visible?(User.current) | |||
render_403 |
@@ -118,7 +118,6 @@ class WikiController < ApplicationController | |||
end | |||
end | |||
verify :method => :put, :only => :update, :render => {:nothing => true, :status => :method_not_allowed } | |||
# Creates a new page or updates an existing one | |||
def update | |||
return render_403 unless editable? | |||
@@ -178,7 +177,6 @@ class WikiController < ApplicationController | |||
end | |||
end | |||
verify :method => :post, :only => :protect, :redirect_to => { :action => :show } | |||
def protect | |||
@page.update_attribute :protected, params[:protected] | |||
redirect_to :action => 'show', :project_id => @project, :id => @page.title | |||
@@ -208,7 +206,6 @@ class WikiController < ApplicationController | |||
render_404 unless @annotate | |||
end | |||
verify :method => :delete, :only => [:destroy], :redirect_to => { :action => :show } | |||
# Removes a wiki page and its history | |||
# Children can be either set as root pages, removed or reassigned to another parent page | |||
def destroy |
@@ -2138,20 +2138,6 @@ class IssuesControllerTest < ActionController::TestCase | |||
assert_equal 'This is the test_new issue', issue.subject | |||
end | |||
def test_update_using_invalid_http_verbs | |||
@request.session[:user_id] = 2 | |||
subject = 'Updated by an invalid http verb' | |||
get :update, :id => 1, :issue => {:subject => subject} | |||
assert_not_equal subject, Issue.find(1).subject | |||
post :update, :id => 1, :issue => {:subject => subject} | |||
assert_not_equal subject, Issue.find(1).subject | |||
delete :update, :id => 1, :issue => {:subject => subject} | |||
assert_not_equal subject, Issue.find(1).subject | |||
end | |||
def test_put_update_without_custom_fields_param | |||
@request.session[:user_id] = 2 | |||
ActionMailer::Base.deliveries.clear |
@@ -311,12 +311,6 @@ class ProjectsControllerTest < ActionController::TestCase | |||
end | |||
end | |||
def test_create_should_not_accept_get | |||
@request.session[:user_id] = 1 | |||
get :create | |||
assert_response :method_not_allowed | |||
end | |||
def test_show_by_id | |||
get :show, :id => 1 | |||
assert_response :success | |||
@@ -412,12 +406,6 @@ class ProjectsControllerTest < ActionController::TestCase | |||
assert_equal ['documents', 'issue_tracking', 'repository'], Project.find(1).enabled_module_names.sort | |||
end | |||
def test_modules_should_not_allow_get | |||
@request.session[:user_id] = 1 | |||
get :modules, :id => 1 | |||
assert_response :method_not_allowed | |||
end | |||
def test_destroy_without_confirmation | |||
@request.session[:user_id] = 1 # admin | |||
delete :destroy, :id => 1 |
@@ -289,13 +289,6 @@ class UsersControllerTest < ActionController::TestCase | |||
assert_nil User.find_by_id(2) | |||
end | |||
def test_destroy_should_not_accept_get_requests | |||
assert_no_difference 'User.count' do | |||
get :destroy, :id => 2 | |||
end | |||
assert_response 405 | |||
end | |||
def test_destroy_should_be_denied_for_non_admin_users | |||
@request.session[:user_id] = 3 | |||
@@ -32,12 +32,6 @@ class WatchersControllerTest < ActionController::TestCase | |||
User.current = nil | |||
end | |||
def test_get_watch_should_be_invalid | |||
@request.session[:user_id] = 3 | |||
get :watch, :object_type => 'issue', :object_id => '1' | |||
assert_response 405 | |||
end | |||
def test_watch | |||
@request.session[:user_id] = 3 | |||
assert_difference('Watcher.count') do |
@@ -206,4 +206,23 @@ class IssuesTest < ActionController::IntegrationTest | |||
} | |||
} | |||
end | |||
def test_update_using_invalid_http_verbs | |||
subject = 'Updated by an invalid http verb' | |||
get '/issues/update/1', {:issue => {:subject => subject}}, credentials('jsmith') | |||
assert_response 404 | |||
assert_not_equal subject, Issue.find(1).subject | |||
post '/issues/1', {:issue => {:subject => subject}}, credentials('jsmith') | |||
assert_response 405 | |||
assert_not_equal subject, Issue.find(1).subject | |||
end | |||
def test_get_watch_should_be_invalid | |||
assert_no_difference 'Watcher.count' do | |||
get '/watchers/watch?object_type=issue&object_id=1', {}, credentials('jsmith') | |||
assert_response 405 | |||
end | |||
end | |||
end |
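Review bot: The 404 asserted for `get '/issues/update/1'` only proves the legacy non-RESTful route is gone; it does not show that a GET to the resource path itself cannot change the issue, which is the guarantee the removed `verify :method => :put, :only => :update` line in IssuesController used to give. Within `test_update_using_invalid_http_verbs`, also add `get '/issues/1', {:issue => {:subject => subject}}, credentials('jsmith')` followed by `assert_not_equal subject, Issue.find(1).subject`, so that a future routing change that lets a GET reach update is caught. The DELETE case from the deleted functional test has no direct integration equivalent here, presumably because `DELETE /issues/1` routes to destroy rather than update; a one-line comment saying so would explain why that branch was dropped.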
@@ -18,7 +18,7 @@ | |||
require File.expand_path('../../test_helper', __FILE__) | |||
class ProjectsTest < ActionController::IntegrationTest | |||
fixtures :projects, :users, :members | |||
fixtures :projects, :users, :members, :enabled_modules | |||
def test_archive_project | |||
subproject = Project.find(1).children.first | |||
@@ -41,4 +41,11 @@ class ProjectsTest < ActionController::IntegrationTest | |||
get "projects/1" | |||
assert_response :success | |||
end | |||
def test_modules_should_not_allow_get | |||
assert_no_difference 'EnabledModule.count' do | |||
get '/projects/1/modules', {:enabled_module_names => ['']}, credentials('jsmith') | |||
assert_response :method_not_allowed | |||
end | |||
end | |||
end |
@@ -0,0 +1,29 @@ | |||
# Redmine - project management software | |||
# Copyright (C) 2006-2012 Jean-Philippe Lang | |||
# | |||
# This program is free software; you can redistribute it and/or | |||
# modify it under the terms of the GNU General Public License | |||
# as published by the Free Software Foundation; either version 2 | |||
# of the License, or (at your option) any later version. | |||
# | |||
# This program is distributed in the hope that it will be useful, | |||
# but WITHOUT ANY WARRANTY; without even the implied warranty of | |||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |||
# GNU General Public License for more details. | |||
# | |||
# You should have received a copy of the GNU General Public License | |||
# along with this program; if not, write to the Free Software | |||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. | |||
require File.expand_path('../../test_helper', __FILE__) | |||
class USersTest < ActionController::IntegrationTest | |||
fixtures :users | |||
def test_destroy_should_not_accept_get_requests | |||
assert_no_difference 'User.count' do | |||
get '/users/destroy/2', {}, credentials('admin') | |||
assert_response 404 | |||
end | |||
end | |||
end |
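Review bot: The class name `USersTest` has a stray capital S; rename it to `UsersTest` to match the other integration test classes in this commit (`IssuesTest`, `ProjectsTest`). Beyond the name, the 404 on `/users/destroy/2` only shows the legacy route no longer exists; now that the `verify :method => :delete, :only => :destroy` guard is removed from UsersController, the resource path `/users/2` presumably answers GET with show, so it is worth asserting inside the same `assert_no_difference` block that `get '/users/2', {}, credentials('admin')` leaves `User.count` unchanged, which pins the method restriction at the routing layer rather than just the absence of one path.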