author | Marius Balteanu <marius.balteanu@zitec.com> | 2024-07-08 21:28:24 +0000 |
---|---|---|
committer | Marius Balteanu <marius.balteanu@zitec.com> | 2024-07-08 21:28:24 +0000 |
commit | 2d20811f406ab4f9b6ac27a935f27c721833f882 (patch) | |
tree | 26d2a90a0a66777a40c76adfbdeb42a268d8bc94 /test/functional/watchers_controller_test.rb | |
parent | fe38f5e83f7b2269d685db484732dd81ca0fa5f5 (diff) | |
download | redmine-2d20811f406ab4f9b6ac27a935f27c721833f882.tar.gz redmine-2d20811f406ab4f9b6ac27a935f27c721833f882.zip |
Improve watcher list permissions check to explicitly require @view_issue_watchers@ permission (#40946).
Patch by Felix Schäfer (@felix).
git-svn-id: https://svn.redmine.org/redmine/trunk@22913 e93f8b46-1217-0410-a6f0-8f06a7374b81
Diffstat (limited to 'test/functional/watchers_controller_test.rb')
-rw-r--r-- | test/functional/watchers_controller_test.rb | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/test/functional/watchers_controller_test.rb b/test/functional/watchers_controller_test.rb
index d8719a991..65aad4e1f 100644
--- a/test/functional/watchers_controller_test.rb
+++ b/test/functional/watchers_controller_test.rb
@@ -211,6 +211,25 @@ class WatchersControllerTest < Redmine::ControllerTest
     )
   end
 
+  def test_new_without_view_watchers_permission
+    @request.session[:user_id] = 2
+    Role.find(1).remove_permission! :view_issue_watchers
+    get :new, :params => {:object_type => 'issue', :object_id => '2'}, :xhr => true
+    assert_response :success
+    assert_match %r{name=\\\"watcher\[user_ids\]\[\]\\\" value=\\\"2\\\"}, response.body
+    # User should not be able to reverse engineer that User 3 is watching the issue already
+    assert_match %r{name=\\\"watcher\[user_ids\]\[\]\\\" value=\\\"3\\\"}, response.body
+  end
+
+  def test_new_dont_show_self_when_watching_without_view_watchers_permission
+    @request.session[:user_id] = 2
+    Role.find(1).remove_permission! :view_issue_watchers
+    Issue.find(2).add_watcher(User.find(2))
+    get :new, :params => {:object_type => 'issue', :object_id => '2'}, :xhr => true
+    assert_response :success
+    assert_no_match %r{name=\\\"watcher\[user_ids\]\[\]\\\" value=\\\"2\\\"}, response.body
+  end
+
   def test_create_as_html
     @request.session[:user_id] = 2
     assert_difference('Watcher.count') do |
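Review bot: The comment above the second `assert_match` in test_new_without_view_watchers_permission states that User 3 is already watching issue 2, but the test never establishes or checks that — it presumably relies on fixture state, so if the fixture changed the assertion would keep passing while no longer exercising the information-leak case it is meant to cover. Make the precondition explicit the way the following test does, e.g. `Issue.find(2).add_watcher(User.find(3))` before the `get`, or at least `assert Issue.find(2).watched_by?(User.find(3))`. A bare presence match on `value=\\\"3\\\"` would also pass if that input were rendered pre-checked, which is exactly the disclosure the comment wants to rule out; consider adding `assert_no_match %r{value=\\\"3\\\"[^>]*checked}, response.body` or similar. The enclosing WatchersControllerTest class starts and ends outside the hunk.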