author | Jean-Philippe Lang <jp_lang@yahoo.fr> | 2015-12-05 10:21:07 +0000 |
---|---|---|
committer | Jean-Philippe Lang <jp_lang@yahoo.fr> | 2015-12-05 10:21:07 +0000 |
commit | 9b52ae5c5a6492c6a1a3c7eaf5d62f5e8dccd7fa (patch) | |
tree | 32404c0b219246a7fec051c7850b25541630a1dd | |
parent | 3f44fad9bac023bee0ae023e4a0cce0aa578f0e3 (diff) | |
Fixed that user with permission can't remove a locked watcher (#21382).
git-svn-id: http://svn.redmine.org/redmine/trunk@14946 e93f8b46-1217-0410-a6f0-8f06a7374b81
-rw-r--r-- | app/controllers/watchers_controller.rb | 4 | ||||
-rw-r--r-- | test/functional/watchers_controller_test.rb | 24 |
2 files changed, 26 insertions, 2 deletions
diff --git a/app/controllers/watchers_controller.rb b/app/controllers/watchers_controller.rb
index 27d3f1598..917eb5ed2 100644
--- a/app/controllers/watchers_controller.rb
+++ b/app/controllers/watchers_controller.rb
@@ -62,12 +62,14 @@ class WatchersController < ApplicationController
 end

 def destroy
- @watched.set_watcher(User.visible.find(params[:user_id]), false)
+ @watched.set_watcher(User.find(params[:user_id]), false)
 respond_to do |format|
 format.html { redirect_to :back }
 format.js
 format.api { render_api_ok }
 end
+ rescue ActiveRecord::RecordNotFound
+ render_404
 end

 def autocomplete_for_user
diff --git a/test/functional/watchers_controller_test.rb b/test/functional/watchers_controller_test.rb
index 6cd2eccdb..1b64176f2 100644
--- a/test/functional/watchers_controller_test.rb
+++ b/test/functional/watchers_controller_test.rb
@@ -259,7 +259,7 @@ class WatchersControllerTest < ActionController::TestCase
 assert response.body.blank?
 end

- def test_remove_watcher
+ def test_destroy
 @request.session[:user_id] = 2
 assert_difference('Watcher.count', -1) do
 xhr :delete, :destroy, :object_type => 'issue', :object_id => '2', :user_id => '3'
@@ -268,4 +268,26 @@ class WatchersControllerTest < ActionController::TestCase
 end
 assert !Issue.find(2).watched_by?(User.find(3))
 end
+
+ def test_destroy_locked_user
+ user = User.find(3)
+ user.lock!
+ assert user.reload.locked?
+
+ @request.session[:user_id] = 2
+ assert_difference('Watcher.count', -1) do
+ xhr :delete, :destroy, :object_type => 'issue', :object_id => '2', :user_id => '3'
+ assert_response :success
+ assert_match /watchers/, response.body
+ end
+ assert !Issue.find(2).watched_by?(User.find(3))
+ end
+
+ def test_destroy_invalid_user_should_respond_with_404
+ @request.session[:user_id] = 2
+ assert_no_difference('Watcher.count') do
+ delete :destroy, :object_type => 'issue', :object_id => '2', :user_id => '999'
+ assert_response 404
+ end
+ end
 end |
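Review bot: In `destroy`, `User.find(params[:user_id])` is now an unscoped lookup, and together with the new `render_404` branch the response differs between an id that exists and one that does not, even for users the caller could not see under `User.visible`. If that distinction should not be exposed, resolve the id against the watchers of `@watched` only, so that a non-watcher and a non-existent id get the same answer. The method-level `rescue ActiveRecord::RecordNotFound` also covers `set_watcher` and the `respond_to` block, so a missing record raised there would be reported as a 404 as well. A comment above the lookup such as `# unscoped on purpose: locked watchers must stay removable (#21382); access is checked before this action` would record the intent. The permission filter is outside the hunk, so that part of the comment is assumed rather than visible here.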
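Review bot: The added tests in `watchers_controller_test.rb` only exercise session user 2, who presumably holds the delete-watchers permission through fixtures, so nothing pins that the now-unscoped lookup is still refused for a requester without that permission. A case such as `test_destroy_locked_user_without_permission_should_be_denied`, wrapping the request in `assert_no_difference('Watcher.count')` and asserting a denied response, would cover it. A second case with an existing user id that is not watching issue 2 would document that the action succeeds without changing `Watcher.count`. The test class begins outside the hunk, so existing coverage of the permission check cannot be ruled out from here.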