Browse Source
Revert r21975.
git-svn-id: https://svn.redmine.org/redmine/trunk@21977 e93f8b46-1217-0410-a6f0-8f06a7374b81tags/5.1.0
Marius Balteanu
1 year ago
3 changed files with 1 additions and 114 deletions
+ 0
- 47
doc/CHANGELOG
View File
| @@ -4,53 +4,6 @@ Redmine - project management software | |||
| Copyright (C) 2006-2022 Jean-Philippe Lang | |||
| https://www.redmine.org/ | |||
| == 2022-12-01 v5.0.4 | |||
| === [Activity view] | |||
| * Defect #37875: Unnecessary closing li element when there is no "Next" button on Activity page | |||
| === [Code cleanup/refactoring] | |||
| * Patch #37938: Unused permission "Mention user" | |||
| === [Documentation] | |||
| * Defect #37983: Duplicate vertical-align property in wiki_syntax.css | |||
| === [Gems support] | |||
| * Defect #37884: All system tests fail on 4.2-stable branch with "ArgumentError: unknown keyword: :desired_capabilities" | |||
| * Patch #37867: Limit puma < 6.0.0 to avoid system test error | |||
| * Patch #37883: Limit mocha version to < 2.0.0 when Ruby version is < 2.7 to avoid test error | |||
| === [Issues] | |||
| * Defect #37958: Groups added to watchers are not shown as links | |||
| === [Issues workflow] | |||
| * Defect #37685: Read-only field permission for the project field is ignored if the current project has subprojects | |||
| === [Projects] | |||
| * Defect #37925: Do not allow unkown display_type for query | |||
| === [Rails support] | |||
| * Defect #37814: Plugins that serialize Date or Time objects cause Psych::DisallowedClass exception | |||
| === [Security] | |||
| * Defect #37772: Access Control Issue in attachments#download_all | |||
| * Defect #37751: Persistent XSS in textile formatting due to blockquote citation | |||
| * Defect #37767: Redmine contains a cross-site scripting vulnerability | |||
| * Defect #37880: Open Redirect in attachments#download_all | |||
| === [Translations] | |||
| * Defect #37812: "Yes" and "No" are swapped in Polish translation | |||
| == 2022-10-02 v5.0.3 | |||
| === [Code cleanup/refactoring] | |||
+ 0
- 16
test/functional/attachments_controller_test.rb
View File
| @@ -623,22 +623,6 @@ class AttachmentsControllerTest < Redmine::ControllerTest | |||
| assert_response 404 | |||
| end | |||
| def test_download_all_with_invisible_journal | |||
| Project.find(1).update_column :is_public, false | |||
| Member.delete_all | |||
| @request.session[:user_id] = 2 | |||
| User.current = User.find(2) | |||
| assert_not Journal.find(3).journalized.visible? | |||
| get( | |||
| :download_all, | |||
| :params => { | |||
| :object_type => 'journals', | |||
| :object_id => '3' | |||
| } | |||
| ) | |||
| assert_response 403 | |||
| end | |||
| def test_download_all_with_maximum_bulk_download_size_larger_than_attachments | |||
| with_settings :bulk_download_max_size => 0 do | |||
| @request.session[:user_id] = 2 | |||
+ 1
- 51
test/integration/attachments_test.rb
View File
| @@ -25,9 +25,7 @@ class AttachmentsTest < Redmine::IntegrationTest | |||
| :roles, :members, :member_roles, | |||
| :trackers, :projects_trackers, | |||
| :issues, :issue_statuses, :enumerations, | |||
| :attachments, | |||
| :wiki_content_versions, :wiki_contents, :wiki_pages, | |||
| :journals, :journal_details | |||
| :attachments | |||
| def test_upload_should_set_default_content_type | |||
| log_user('jsmith', 'jsmith') | |||
| @@ -225,54 +223,6 @@ class AttachmentsTest < Redmine::IntegrationTest | |||
| set_tmp_attachments_directory | |||
| end | |||
| def test_download_all_with_wrong_container_type | |||
| set_tmp_attachments_directory | |||
| # make the attachment readable | |||
| assert a = Attachment.find(3) | |||
| FileUtils.mkdir_p File.dirname(a.diskfile) | |||
| (File.open(a.diskfile, 'wb') << 'test').close | |||
| # there is no 'download all' for WikiContentVersions | |||
| with_settings :login_required => '0' do | |||
| get "/attachments/wiki_content_versions/7/download" | |||
| assert_response :not_found | |||
| end | |||
| with_settings :login_required => '1' do | |||
| get "/attachments/wiki_content_versions/7/download" | |||
| assert_response :not_found | |||
| end | |||
| end | |||
| def test_download_all_for_journal_should_check_visibility | |||
| set_tmp_attachments_directory | |||
| Project.find(1).update_column :is_public, false | |||
| # make the attachment readable | |||
| assert a = Attachment.find(4) | |||
| FileUtils.mkdir_p File.dirname(a.diskfile) | |||
| (File.open(a.diskfile, 'wb') << 'test').close | |||
| with_settings :login_required => '0' do | |||
| get "/attachments/journals/3/download" | |||
| assert_response 403 | |||
| end | |||
| with_settings :login_required => '1' do | |||
| get "/attachments/journals/3/download" | |||
| assert_redirected_to "/login?back_url=http%3A%2F%2Fwww.example.com%2Fattachments%2Fjournals%2F3%2Fdownload" | |||
| end | |||
| Project.find(1).update_column :is_public, true | |||
| with_settings :login_required => '0' do | |||
| get "/attachments/journals/3/download" | |||
| assert_response :success | |||
| end | |||
| with_settings :login_required => '1' do | |||
| get "/attachments/journals/3/download" | |||
| assert_redirected_to "/login?back_url=http%3A%2F%2Fwww.example.com%2Fattachments%2Fjournals%2F3%2Fdownload" | |||
| end | |||
| end | |||
| private | |||
| def ajax_upload(filename, content, attachment_id=1) | |||
Loading…