authorMarius Balteanu <marius.balteanu@zitec.com>2024-07-08 21:28:24 +0000
committerMarius Balteanu <marius.balteanu@zitec.com>2024-07-08 21:28:24 +0000
commit2d20811f406ab4f9b6ac27a935f27c721833f882 (patch)
tree26d2a90a0a66777a40c76adfbdeb42a268d8bc94 /test/functional/watchers_controller_test.rb
parentfe38f5e83f7b2269d685db484732dd81ca0fa5f5 (diff)
Improve watcher list permissions check to explicitly require @view_issue_watchers@ permission (#40946).
Patch by Felix Schäfer (@felix). git-svn-id: https://svn.redmine.org/redmine/trunk@22913 e93f8b46-1217-0410-a6f0-8f06a7374b81
Diffstat (limited to 'test/functional/watchers_controller_test.rb')
-rw-r--r--test/functional/watchers_controller_test.rb19
1 files changed, 19 insertions, 0 deletions
diff --git a/test/functional/watchers_controller_test.rb b/test/functional/watchers_controller_test.rb
index d8719a991..65aad4e1f 100644
--- a/test/functional/watchers_controller_test.rb
+++ b/test/functional/watchers_controller_test.rb
@@ -211,6 +211,25 @@ class WatchersControllerTest < Redmine::ControllerTest
)
end
+ def test_new_without_view_watchers_permission
+ @request.session[:user_id] = 2
+ Role.find(1).remove_permission! :view_issue_watchers
+ get :new, :params => {:object_type => 'issue', :object_id => '2'}, :xhr => true
+ assert_response :success
+ assert_match %r{name=\\\"watcher\[user_ids\]\[\]\\\" value=\\\"2\\\"}, response.body
+ # User should not be able to reverse engineer that User 3 is watching the issue already
+ assert_match %r{name=\\\"watcher\[user_ids\]\[\]\\\" value=\\\"3\\\"}, response.body
+ end
+
+ def test_new_dont_show_self_when_watching_without_view_watchers_permission
+ @request.session[:user_id] = 2
+ Role.find(1).remove_permission! :view_issue_watchers
+ Issue.find(2).add_watcher(User.find(2))
+ get :new, :params => {:object_type => 'issue', :object_id => '2'}, :xhr => true
+ assert_response :success
+ assert_no_match %r{name=\\\"watcher\[user_ids\]\[\]\\\" value=\\\"2\\\"}, response.body
+ end
+
def test_create_as_html
@request.session[:user_id] = 2
assert_difference('Watcher.count') do