Make sure user can not watch what he is not allowed to view.

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@3170 e93f8b46-1217-0410-a6f0-8f06a7374b81
author: Jean-Philippe Lang <jp_lang@yahoo.fr> 2009-12-13 14:48:28 +0000
committer: Jean-Philippe Lang <jp_lang@yahoo.fr> 2009-12-13 14:48:28 +0000
commit: 9a452a5c351f4bffb80dee3df5a4fb6a3800ca17 (patch)
tree: 3de36bea82cd1596bc50bc483e9285e62e896ca9 /app
parent: bb477a3a0fe71f0e15b78b6e0fafb017065fba26 (diff)
download: redmine-9a452a5c351f4bffb80dee3df5a4fb6a3800ca17.tar.gz
redmine-9a452a5c351f4bffb80dee3df5a4fb6a3800ca17.zip
1 files changed, 5 insertions, 1 deletions
diff --git a/app/controllers/watchers_controller.rb b/app/controllers/watchers_controller.rb
index 694718e28..06e5802f6 100644
--- a/app/controllers/watchers_controller.rb
+++ b/app/controllers/watchers_controller.rb
@@ -25,7 +25,11 @@ class WatchersController < ApplicationController
          :render => { :nothing => true, :status => :method_not_allowed }
   
   def watch
-    set_watcher(User.current, true)
+    if @watched.respond_to?(:visible?) && !@watched.visible?(User.current)
+      render_403
+    else
+      set_watcher(User.current, true)
+    end
   end
   
   def unwatch
author	Jean-Philippe Lang <jp_lang@yahoo.fr>	2009-12-13 14:48:28 +0000
committer	Jean-Philippe Lang <jp_lang@yahoo.fr>	2009-12-13 14:48:28 +0000
commit	9a452a5c351f4bffb80dee3df5a4fb6a3800ca17 (patch)
tree	3de36bea82cd1596bc50bc483e9285e62e896ca9 /app
parent	bb477a3a0fe71f0e15b78b6e0fafb017065fba26 (diff)
download	redmine-9a452a5c351f4bffb80dee3df5a4fb6a3800ca17.tar.gz redmine-9a452a5c351f4bffb80dee3df5a4fb6a3800ca17.zip