Creating a wiki page named "Sidebar" without proper permission raises an exception (#23700).

git-svn-id: http://svn.redmine.org/redmine/trunk@15749 e93f8b46-1217-0410-a6f0-8f06a7374b81

2 files changed, 12 insertions, 1 deletions

diff --git a/app/controllers/wiki_controller.rb b/app/controllers/wiki_controller.rb
index de1931a0b..1dfb16640 100644
--- a/app/controllers/wiki_controller.rb
+++ b/app/controllers/wiki_controller.rb
@@ -62,10 +62,12 @@ class WikiController < ApplicationController
 
   def new
     @page = WikiPage.new(:wiki => @wiki, :title => params[:title])
-    unless User.current.allowed_to?(:edit_wiki_pages, @project) && editable?
+    unless User.current.allowed_to?(:edit_wiki_pages, @project)
       render_403
+      return
     end
     if request.post?
+      @page.title = '' unless editable?
       @page.validate
       if @page.errors[:title].blank?
         path = project_wiki_page_path(@project, @page.title)
diff --git a/test/functional/wiki_controller_test.rb b/test/functional/wiki_controller_test.rb
index ea200b60d..1cc0a3b7d 100644
--- a/test/functional/wiki_controller_test.rb
+++ b/test/functional/wiki_controller_test.rb
@@ -216,6 +216,15 @@ class WikiControllerTest < Redmine::ControllerTest
     assert_select_error 'Title has already been taken'
   end
 
+  def test_post_new_with_protected_title_should_display_errors
+    Role.find(1).remove_permission!(:protect_wiki_pages)
+    @request.session[:user_id] = 2
+
+    post :new, :params => {:project_id => 'ecookbook', :title => 'Sidebar'}
+    assert_response :success
+    assert_select_error /Title/
+  end
+
   def test_post_new_xhr_with_invalid_title_should_display_errors
     @request.session[:user_id] = 2