summaryrefslogtreecommitdiffstats
path: root/test/unit
diff options
context:
space:
mode:
authorJean-Philippe Lang <jp_lang@yahoo.fr>2013-06-06 16:19:53 +0000
committerJean-Philippe Lang <jp_lang@yahoo.fr>2013-06-06 16:19:53 +0000
commit019f57e5c71e96b80b2fb1abc49c9fe4df50c705 (patch)
tree1b9b3d5d4ba897c70a532c1fac2d7d7234f3bfee /test/unit
parent60a8230209e41311178d80ea58066a5e1eb7aca3 (diff)
downloadredmine-019f57e5c71e96b80b2fb1abc49c9fe4df50c705.tar.gz
redmine-019f57e5c71e96b80b2fb1abc49c9fe4df50c705.zip
Fixed that journal details about issue relations may disclose issues that are not visible (#1005).
git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@11939 e93f8b46-1217-0410-a6f0-8f06a7374b81
Diffstat (limited to 'test/unit')
-rw-r--r--test/unit/helpers/issues_helper_test.rb20
1 files changed, 20 insertions, 0 deletions
diff --git a/test/unit/helpers/issues_helper_test.rb b/test/unit/helpers/issues_helper_test.rb
index 1c243d904..b49410f54 100644
--- a/test/unit/helpers/issues_helper_test.rb
+++ b/test/unit/helpers/issues_helper_test.rb
@@ -227,6 +227,16 @@ class IssuesHelperTest < ActionView::TestCase
assert_equal "<strong>Precedes</strong> <i>Issue #{non_existed_issue_number}</i> added", show_detail(detail, false)
end
+ def test_show_detail_relation_added_should_not_disclose_issue_that_is_not_visible
+ issue = Issue.generate!(:is_private => true)
+ detail = JournalDetail.new(:property => 'relation',
+ :prop_key => 'label_precedes',
+ :value => issue.id)
+
+ assert_equal "Precedes Issue #{issue.id} added", show_detail(detail, true)
+ assert_equal "<strong>Precedes</strong> <i>Issue #{issue.id}</i> added", show_detail(detail, false)
+ end
+
def test_show_detail_delete_relation
detail = JournalDetail.new(:property => 'relation',
:prop_key => 'label_precedes',
@@ -242,4 +252,14 @@ class IssuesHelperTest < ActionView::TestCase
assert_equal "Precedes deleted (Issue 9999)", show_detail(detail, true)
assert_equal "<strong>Precedes</strong> deleted (<i>Issue 9999</i>)", show_detail(detail, false)
end
+
+ def test_show_detail_relation_deleted_should_not_disclose_issue_that_is_not_visible
+ issue = Issue.generate!(:is_private => true)
+ detail = JournalDetail.new(:property => 'relation',
+ :prop_key => 'label_precedes',
+ :old_value => issue.id)
+
+ assert_equal "Precedes deleted (Issue #{issue.id})", show_detail(detail, true)
+ assert_equal "<strong>Precedes</strong> deleted (<i>Issue #{issue.id}</i>)", show_detail(detail, false)
+ end
end