diff options
author | Jean-Philippe Lang <jp_lang@yahoo.fr> | 2013-06-06 16:19:53 +0000 |
---|---|---|
committer | Jean-Philippe Lang <jp_lang@yahoo.fr> | 2013-06-06 16:19:53 +0000 |
commit | 019f57e5c71e96b80b2fb1abc49c9fe4df50c705 (patch) | |
tree | 1b9b3d5d4ba897c70a532c1fac2d7d7234f3bfee /test/unit | |
parent | 60a8230209e41311178d80ea58066a5e1eb7aca3 (diff) | |
download | redmine-019f57e5c71e96b80b2fb1abc49c9fe4df50c705.tar.gz redmine-019f57e5c71e96b80b2fb1abc49c9fe4df50c705.zip |
Fixed that journal details about issue relations may disclose issues that are not visible (#1005).
git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@11939 e93f8b46-1217-0410-a6f0-8f06a7374b81
Diffstat (limited to 'test/unit')
-rw-r--r-- | test/unit/helpers/issues_helper_test.rb | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/test/unit/helpers/issues_helper_test.rb b/test/unit/helpers/issues_helper_test.rb index 1c243d904..b49410f54 100644 --- a/test/unit/helpers/issues_helper_test.rb +++ b/test/unit/helpers/issues_helper_test.rb @@ -227,6 +227,16 @@ class IssuesHelperTest < ActionView::TestCase assert_equal "<strong>Precedes</strong> <i>Issue #{non_existed_issue_number}</i> added", show_detail(detail, false) end + def test_show_detail_relation_added_should_not_disclose_issue_that_is_not_visible + issue = Issue.generate!(:is_private => true) + detail = JournalDetail.new(:property => 'relation', + :prop_key => 'label_precedes', + :value => issue.id) + + assert_equal "Precedes Issue #{issue.id} added", show_detail(detail, true) + assert_equal "<strong>Precedes</strong> <i>Issue #{issue.id}</i> added", show_detail(detail, false) + end + def test_show_detail_delete_relation detail = JournalDetail.new(:property => 'relation', :prop_key => 'label_precedes', @@ -242,4 +252,14 @@ class IssuesHelperTest < ActionView::TestCase assert_equal "Precedes deleted (Issue 9999)", show_detail(detail, true) assert_equal "<strong>Precedes</strong> deleted (<i>Issue 9999</i>)", show_detail(detail, false) end + + def test_show_detail_relation_deleted_should_not_disclose_issue_that_is_not_visible + issue = Issue.generate!(:is_private => true) + detail = JournalDetail.new(:property => 'relation', + :prop_key => 'label_precedes', + :old_value => issue.id) + + assert_equal "Precedes deleted (Issue #{issue.id})", show_detail(detail, true) + assert_equal "<strong>Precedes</strong> deleted (<i>Issue #{issue.id}</i>)", show_detail(detail, false) + end end |