Make sure user can not watch what he is not allowed to view.

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@3170 e93f8b46-1217-0410-a6f0-8f06a7374b81
author: Jean-Philippe Lang <jp_lang@yahoo.fr> 2009-12-13 14:48:28 +0000
committer: Jean-Philippe Lang <jp_lang@yahoo.fr> 2009-12-13 14:48:28 +0000
commit: 9a452a5c351f4bffb80dee3df5a4fb6a3800ca17 (patch)
tree: 3de36bea82cd1596bc50bc483e9285e62e896ca9 /test/functional/watchers_controller_test.rb
parent: bb477a3a0fe71f0e15b78b6e0fafb017065fba26 (diff)
download: redmine-9a452a5c351f4bffb80dee3df5a4fb6a3800ca17.tar.gz
redmine-9a452a5c351f4bffb80dee3df5a4fb6a3800ca17.zip
1 files changed, 9 insertions, 0 deletions
diff --git a/test/functional/watchers_controller_test.rb b/test/functional/watchers_controller_test.rb
index cf977887e..01dee3747 100644
--- a/test/functional/watchers_controller_test.rb
+++ b/test/functional/watchers_controller_test.rb
@@ -47,6 +47,15 @@ class WatchersControllerTest < ActionController::TestCase
     end
     assert Issue.find(1).watched_by?(User.find(3))
   end
+  
+  def test_watch_should_be_denied_without_permission
+    Role.find(2).remove_permission! :view_issues
+    @request.session[:user_id] = 3
+    assert_no_difference('Watcher.count') do
+      xhr :post, :watch, :object_type => 'issue', :object_id => '1'
+      assert_response 403
+    end
+  end
 
   def test_watch_with_multiple_replacements
     @request.session[:user_id] = 3
author	Jean-Philippe Lang <jp_lang@yahoo.fr>	2009-12-13 14:48:28 +0000
committer	Jean-Philippe Lang <jp_lang@yahoo.fr>	2009-12-13 14:48:28 +0000
commit	9a452a5c351f4bffb80dee3df5a4fb6a3800ca17 (patch)
tree	3de36bea82cd1596bc50bc483e9285e62e896ca9 /test/functional/watchers_controller_test.rb
parent	bb477a3a0fe71f0e15b78b6e0fafb017065fba26 (diff)
download	redmine-9a452a5c351f4bffb80dee3df5a4fb6a3800ca17.tar.gz redmine-9a452a5c351f4bffb80dee3df5a4fb6a3800ca17.zip