git-svn-id: https://svn.redmine.org/redmine/trunk@21977 e93f8b46-1217-0410-a6f0-8f06a7374b81tags/5.1.0
@@ -4,53 +4,6 @@ Redmine - project management software | |||
Copyright (C) 2006-2022 Jean-Philippe Lang | |||
https://www.redmine.org/ | |||
== 2022-12-01 v5.0.4 | |||
=== [Activity view] | |||
* Defect #37875: Unnecessary closing li element when there is no "Next" button on Activity page | |||
=== [Code cleanup/refactoring] | |||
* Patch #37938: Unused permission "Mention user" | |||
=== [Documentation] | |||
* Defect #37983: Duplicate vertical-align property in wiki_syntax.css | |||
=== [Gems support] | |||
* Defect #37884: All system tests fail on 4.2-stable branch with "ArgumentError: unknown keyword: :desired_capabilities" | |||
* Patch #37867: Limit puma < 6.0.0 to avoid system test error | |||
* Patch #37883: Limit mocha version to < 2.0.0 when Ruby version is < 2.7 to avoid test error | |||
=== [Issues] | |||
* Defect #37958: Groups added to watchers are not shown as links | |||
=== [Issues workflow] | |||
* Defect #37685: Read-only field permission for the project field is ignored if the current project has subprojects | |||
=== [Projects] | |||
* Defect #37925: Do not allow unkown display_type for query | |||
=== [Rails support] | |||
* Defect #37814: Plugins that serialize Date or Time objects cause Psych::DisallowedClass exception | |||
=== [Security] | |||
* Defect #37772: Access Control Issue in attachments#download_all | |||
* Defect #37751: Persistent XSS in textile formatting due to blockquote citation | |||
* Defect #37767: Redmine contains a cross-site scripting vulnerability | |||
* Defect #37880: Open Redirect in attachments#download_all | |||
=== [Translations] | |||
* Defect #37812: "Yes" and "No" are swapped in Polish translation | |||
== 2022-10-02 v5.0.3 | |||
=== [Code cleanup/refactoring] |
@@ -623,22 +623,6 @@ class AttachmentsControllerTest < Redmine::ControllerTest | |||
assert_response 404 | |||
end | |||
def test_download_all_with_invisible_journal | |||
Project.find(1).update_column :is_public, false | |||
Member.delete_all | |||
@request.session[:user_id] = 2 | |||
User.current = User.find(2) | |||
assert_not Journal.find(3).journalized.visible? | |||
get( | |||
:download_all, | |||
:params => { | |||
:object_type => 'journals', | |||
:object_id => '3' | |||
} | |||
) | |||
assert_response 403 | |||
end | |||
def test_download_all_with_maximum_bulk_download_size_larger_than_attachments | |||
with_settings :bulk_download_max_size => 0 do | |||
@request.session[:user_id] = 2 |
@@ -25,9 +25,7 @@ class AttachmentsTest < Redmine::IntegrationTest | |||
:roles, :members, :member_roles, | |||
:trackers, :projects_trackers, | |||
:issues, :issue_statuses, :enumerations, | |||
:attachments, | |||
:wiki_content_versions, :wiki_contents, :wiki_pages, | |||
:journals, :journal_details | |||
:attachments | |||
def test_upload_should_set_default_content_type | |||
log_user('jsmith', 'jsmith') | |||
@@ -225,54 +223,6 @@ class AttachmentsTest < Redmine::IntegrationTest | |||
set_tmp_attachments_directory | |||
end | |||
def test_download_all_with_wrong_container_type | |||
set_tmp_attachments_directory | |||
# make the attachment readable | |||
assert a = Attachment.find(3) | |||
FileUtils.mkdir_p File.dirname(a.diskfile) | |||
(File.open(a.diskfile, 'wb') << 'test').close | |||
# there is no 'download all' for WikiContentVersions | |||
with_settings :login_required => '0' do | |||
get "/attachments/wiki_content_versions/7/download" | |||
assert_response :not_found | |||
end | |||
with_settings :login_required => '1' do | |||
get "/attachments/wiki_content_versions/7/download" | |||
assert_response :not_found | |||
end | |||
end | |||
def test_download_all_for_journal_should_check_visibility | |||
set_tmp_attachments_directory | |||
Project.find(1).update_column :is_public, false | |||
# make the attachment readable | |||
assert a = Attachment.find(4) | |||
FileUtils.mkdir_p File.dirname(a.diskfile) | |||
(File.open(a.diskfile, 'wb') << 'test').close | |||
with_settings :login_required => '0' do | |||
get "/attachments/journals/3/download" | |||
assert_response 403 | |||
end | |||
with_settings :login_required => '1' do | |||
get "/attachments/journals/3/download" | |||
assert_redirected_to "/login?back_url=http%3A%2F%2Fwww.example.com%2Fattachments%2Fjournals%2F3%2Fdownload" | |||
end | |||
Project.find(1).update_column :is_public, true | |||
with_settings :login_required => '0' do | |||
get "/attachments/journals/3/download" | |||
assert_response :success | |||
end | |||
with_settings :login_required => '1' do | |||
get "/attachments/journals/3/download" | |||
assert_redirected_to "/login?back_url=http%3A%2F%2Fwww.example.com%2Fattachments%2Fjournals%2F3%2Fdownload" | |||
end | |||
end | |||
private | |||
def ajax_upload(filename, content, attachment_id=1) |
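Review bot: Removing `test_download_all_for_journal_should_check_visibility` and `test_download_all_with_wrong_container_type` in the second hunk of this section leaves no integration-level regression test for the authorization check on the bulk attachment download route, and nothing here replaces them. The AttachmentsControllerTest section drops `test_download_all_with_invisible_journal` in the same way, and the changelog section drops the entry for Defect #37772 (Access Control Issue in attachments#download_all). The visible sections do not show whether the controller-side check is removed as well. If it stays on this branch, the tests should stay with it, together with the `:journals, :journal_details` fixtures they rely on, so that `get "/attachments/journals/3/download"` against a non-public project still ends in `assert_response 403`. If the change is a deliberate revert, it is worth confirming that the fix and these tests are present on the branch they were meant for.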