summaryrefslogtreecommitdiffstats
path: root/test/functional/journals_controller_test.rb
diff options
context:
space:
mode:
authorJean-Philippe Lang <jp_lang@yahoo.fr>2015-12-04 12:42:13 +0000
committerJean-Philippe Lang <jp_lang@yahoo.fr>2015-12-04 12:42:13 +0000
commit7e423fb4538247d59e01958c48b491f196a1de56 (patch)
treef208c9f8d204fa92ff9fd310fb6fb9799970bec5 /test/functional/journals_controller_test.rb
parent12ede7d07f5e6d427bc17b945f92854c1403a787 (diff)
downloadredmine-7e423fb4538247d59e01958c48b491f196a1de56.tar.gz
redmine-7e423fb4538247d59e01958c48b491f196a1de56.zip
Information leak in Atom feed (#21419).
Patch by Jens Krämer. git-svn-id: http://svn.redmine.org/redmine/trunk@14913 e93f8b46-1217-0410-a6f0-8f06a7374b81
Diffstat (limited to 'test/functional/journals_controller_test.rb')
-rw-r--r--test/functional/journals_controller_test.rb42
1 files changed, 41 insertions, 1 deletions
diff --git a/test/functional/journals_controller_test.rb b/test/functional/journals_controller_test.rb
index 557fd3912..c82d2e588 100644
--- a/test/functional/journals_controller_test.rb
+++ b/test/functional/journals_controller_test.rb
@@ -19,7 +19,7 @@ require File.expand_path('../../test_helper', __FILE__)
class JournalsControllerTest < ActionController::TestCase
fixtures :projects, :users, :members, :member_roles, :roles, :issues, :journals, :journal_details, :enabled_modules,
- :trackers, :issue_statuses, :enumerations, :custom_fields, :custom_values, :custom_fields_projects
+ :trackers, :issue_statuses, :enumerations, :custom_fields, :custom_values, :custom_fields_projects, :projects_trackers
def setup
User.current = nil
@@ -51,6 +51,46 @@ class JournalsControllerTest < ActionController::TestCase
assert_not_include journal, assigns(:journals)
end
+ def test_index_should_show_visible_custom_fields_only
+ Issue.destroy_all
+ field_attributes = {:field_format => 'string', :is_for_all => true, :is_filter => true, :trackers => Tracker.all}
+ @fields = []
+ @fields << (@field1 = IssueCustomField.create!(field_attributes.merge(:name => 'Field 1', :visible => true)))
+ @fields << (@field2 = IssueCustomField.create!(field_attributes.merge(:name => 'Field 2', :visible => false, :role_ids => [1, 2])))
+ @fields << (@field3 = IssueCustomField.create!(field_attributes.merge(:name => 'Field 3', :visible => false, :role_ids => [1, 3])))
+ @issue = Issue.generate!(
+ :author_id => 1,
+ :project_id => 1,
+ :tracker_id => 1,
+ :custom_field_values => {@field1.id => 'Value0', @field2.id => 'Value1', @field3.id => 'Value2'}
+ )
+ @issue.init_journal(User.find(1))
+ @issue.update_attribute :custom_field_values, {@field1.id => 'NewValue0', @field2.id => 'NewValue1', @field3.id => 'NewValue2'}
+
+
+ user_with_role_on_other_project = User.generate!
+ User.add_to_project(user_with_role_on_other_project, Project.find(2), Role.find(3))
+ users_to_test = {
+ User.find(1) => [@field1, @field2, @field3],
+ User.find(3) => [@field1, @field2],
+ user_with_role_on_other_project => [@field1], # should see field1 only on Project 1
+ User.generate! => [@field1],
+ User.anonymous => [@field1]
+ }
+
+ users_to_test.each do |user, visible_fields|
+ get :index, :format => 'atom', :key => user.rss_key
+ @fields.each_with_index do |field, i|
+ if visible_fields.include?(field)
+ assert_select "content[type=html]", { :text => /NewValue#{i}/, :count => 1 }, "User #{user.id} was not able to view #{field.name} in API"
+ else
+ assert_select "content[type=html]", { :text => /NewValue#{i}/, :count => 0 }, "User #{user.id} was able to view #{field.name} in API"
+ end
+ end
+ end
+
+ end
+
def test_diff_for_description_change
get :diff, :id => 3, :detail_id => 4
assert_response :success