diff options
author | Marius Balteanu <marius.balteanu@zitec.com> | 2024-10-28 20:46:09 +0000 |
---|---|---|
committer | Marius Balteanu <marius.balteanu@zitec.com> | 2024-10-28 20:46:09 +0000 |
commit | 2c802a2bdf3ad125a4051f9b04a96a9b51e0661b (patch) | |
tree | 56d98827b40d1298c62db49b2b4a2e69820f73c9 /test/functional | |
parent | a5a086eba16af67f9841a617dac6942b73d8e5af (diff) | |
download | redmine-2c802a2bdf3ad125a4051f9b04a96a9b51e0661b.tar.gz redmine-2c802a2bdf3ad125a4051f9b04a96a9b51e0661b.zip |
Merged r22913-r22917 from trunk to 5.1-stable (#40946).
git-svn-id: https://svn.redmine.org/redmine/branches/5.1-stable@23167 e93f8b46-1217-0410-a6f0-8f06a7374b81
Diffstat (limited to 'test/functional')
-rw-r--r-- | test/functional/issues_controller_test.rb | 11 | ||||
-rw-r--r-- | test/functional/messages_controller_test.rb | 11 | ||||
-rw-r--r-- | test/functional/watchers_controller_test.rb | 60 | ||||
-rw-r--r-- | test/functional/wiki_controller_test.rb | 11 |
4 files changed, 90 insertions, 3 deletions
diff --git a/test/functional/issues_controller_test.rb b/test/functional/issues_controller_test.rb index db45bb287..7501843cf 100644 --- a/test/functional/issues_controller_test.rb +++ b/test/functional/issues_controller_test.rb @@ -2733,6 +2733,17 @@ class IssuesControllerTest < Redmine::ControllerTest end end + def test_show_should_not_display_watchers_without_permission + @request.session[:user_id] = 2 + Role.find(1).remove_permission! :view_issue_watchers + issue = Issue.find(1) + issue.add_watcher User.find(2) + issue.add_watcher Group.find(10) + get(:show, :params => {:id => 1}) + assert_select 'div#watchers ul', 0 + assert_select 'h3', {text: /Watchers \(\d*\)/, count: 0} + end + def test_show_should_display_watchers_with_gravatars @request.session[:user_id] = 2 issue = Issue.find(1) diff --git a/test/functional/messages_controller_test.rb b/test/functional/messages_controller_test.rb index 85f45f1d7..317c779a2 100644 --- a/test/functional/messages_controller_test.rb +++ b/test/functional/messages_controller_test.rb @@ -114,6 +114,17 @@ class MessagesControllerTest < Redmine::ControllerTest end end + def test_show_should_not_display_watchers_without_permission + @request.session[:user_id] = 2 + Role.find(1).remove_permission! :view_message_watchers + message = Message.find(1) + message.add_watcher User.find(2) + message.add_watcher Group.find(10) + get(:show, :params => {:board_id => 1, :id => 1}) + assert_select 'div#watchers ul', 0 + assert_select 'h3', {text: /Watchers \(\d*\)/, count: 0} + end + def test_get_new @request.session[:user_id] = 2 get(:new, :params => {:board_id => 1}) diff --git a/test/functional/watchers_controller_test.rb b/test/functional/watchers_controller_test.rb index 369d30b5b..67f4a4736 100644 --- a/test/functional/watchers_controller_test.rb +++ b/test/functional/watchers_controller_test.rb @@ -211,6 +211,25 @@ class WatchersControllerTest < Redmine::ControllerTest ) end + def test_new_without_view_watchers_permission + @request.session[:user_id] = 2 + Role.find(1).remove_permission! :view_issue_watchers + get :new, :params => {:object_type => 'issue', :object_id => '2'}, :xhr => true + assert_response :success + assert_match %r{name=\\"watcher\[user_ids\]\[\]\\" value=\\"2\\"}, response.body + # User should not be able to reverse engineer that User 3 is watching the issue already + assert_match %r{name=\\"watcher\[user_ids\]\[\]\\" value=\\"3\\"}, response.body + end + + def test_new_dont_show_self_when_watching_without_view_watchers_permission + @request.session[:user_id] = 2 + Role.find(1).remove_permission! :view_issue_watchers + Issue.find(2).add_watcher(User.find(2)) + get :new, :params => {:object_type => 'issue', :object_id => '2'}, :xhr => true + assert_response :success + assert_no_match %r{name=\\"watcher\[user_ids\]\[\]\\" value=\\"2\\"}, response.body + end + def test_create_as_html @request.session[:user_id] = 2 assert_difference('Watcher.count') do @@ -458,11 +477,11 @@ class WatchersControllerTest < Redmine::ControllerTest assert_response :success - # All users from two projects eCookbook (7) and Private child of eCookbook (9) - assert_select 'input', :count => 5 + # All users from two projects eCookbook (7) and Private child of eCookbook + # (9) who can see both issues + assert_select 'input', :count => 4 assert_select 'input[name=?][value="1"]', 'watcher[user_ids][]' assert_select 'input[name=?][value="2"]', 'watcher[user_ids][]' - assert_select 'input[name=?][value="3"]', 'watcher[user_ids][]' assert_select 'input[name=?][value="8"]', 'watcher[user_ids][]' assert_select 'input[name=?][value="10"]', 'watcher[user_ids][]' end @@ -559,6 +578,41 @@ class WatchersControllerTest < Redmine::ControllerTest assert !wiki_page.watched_by?(user) end + def test_destroy_without_permission + @request.session[:user_id] = 2 + wiki_page = WikiPage.find(1) + user = User.find(1) + Role.find(1).remove_permission! :delete_wiki_page_watchers + + assert wiki_page.watched_by?(user) + assert_no_difference('Watcher.count') do + delete :destroy, :params => { + :object_type => 'wiki_page', :object_id => '1', :user_id => '1' + }, :xhr => true + assert_response :forbidden + end + wiki_page.reload + assert wiki_page.watched_by?(user) + end + + def test_create_without_permission + @request.session[:user_id] = 2 + wiki_page = WikiPage.find(1) + user = User.find(1) + Role.find(1).remove_permission! :add_wiki_page_watchers + Watcher.delete_all + + assert_not wiki_page.watched_by?(user) + assert_no_difference('Watcher.count') do + post :create, :params => { + :object_type => 'wiki_page', :object_id => '1', :user_id => '1' + }, :xhr => true + assert_response :forbidden + end + wiki_page.reload + assert_not wiki_page.watched_by?(user) + end + def test_destroy_locked_user user = User.find(3) user.lock! diff --git a/test/functional/wiki_controller_test.rb b/test/functional/wiki_controller_test.rb index 1e1d98f32..ad5d34b58 100644 --- a/test/functional/wiki_controller_test.rb +++ b/test/functional/wiki_controller_test.rb @@ -150,6 +150,17 @@ class WikiControllerTest < Redmine::ControllerTest end end + def test_show_should_not_display_watchers_without_permission + @request.session[:user_id] = 2 + Role.find(1).remove_permission! :view_wiki_page_watchers + page = Project.find(1).wiki.find_page('Another_page') + page.add_watcher User.find(2) + page.add_watcher Group.find(10) + get(:show, :params => {:project_id => 1, :id => 'Another_page'}) + assert_select 'div#watchers ul', 0 + assert_select 'h3', {text: /Watchers \(\d*\)/, count: 0} + end + def test_show_should_display_section_edit_links with_settings :text_formatting => 'textile' do @request.session[:user_id] = 2 |