diff options
| author | Marius Balteanu <marius.balteanu@zitec.com> | 2021-08-06 07:00:56 +0000 |
|---|---|---|
| committer | Marius Balteanu <marius.balteanu@zitec.com> | 2021-08-06 07:00:56 +0000 |
| commit | 38034aa4af45ec5a120cd6b7b9d219af756a706c (patch) | |
| tree | 5f13d800ec23bf6129d93905cb85941e20e61984 /test | |
| parent | 22e90f5b49e89ff33cac55f7efc1c3a56a5b4a1e (diff) | |
| download | redmine-38034aa4af45ec5a120cd6b7b9d219af756a706c.tar.gz redmine-38034aa4af45ec5a120cd6b7b9d219af756a706c.zip | |
Merged r21142 to 4.1-stable (#35634).
git-svn-id: http://svn.redmine.org/redmine/branches/4.1-stable@21146 e93f8b46-1217-0410-a6f0-8f06a7374b81
Diffstat (limited to 'test')
| -rw-r--r-- | test/functional/attachments_controller_test.rb | 21 | ||||
| -rw-r--r-- | test/functional/issues_controller_test.rb | 13 |
2 files changed, 34 insertions, 0 deletions
diff --git a/test/functional/attachments_controller_test.rb b/test/functional/attachments_controller_test.rb index 7ffe20423..ffd4ed954 100644 --- a/test/functional/attachments_controller_test.rb +++ b/test/functional/attachments_controller_test.rb @@ -676,4 +676,25 @@ class AttachmentsControllerTest < Redmine::ControllerTest assert_response 302 assert Attachment.find_by_id(3) end + + def test_destroy_issue_attachment_by_user_without_edit_issue_permission_on_tracker + role = Role.find(2) + role.set_permission_trackers 'edit_issues', [2, 3] + role.save! + + @request.session[:user_id] = 2 + + set_tmp_attachments_directory + assert_no_difference 'Attachment.count' do + delete( + :destroy, + :params => { + :id => 7 + } + ) + end + + assert_response 403 + assert Attachment.find_by_id(7) + end end diff --git a/test/functional/issues_controller_test.rb b/test/functional/issues_controller_test.rb index 3491e0c2d..2e663c1c3 100644 --- a/test/functional/issues_controller_test.rb +++ b/test/functional/issues_controller_test.rb @@ -2687,6 +2687,19 @@ class IssuesControllerTest < Redmine::ControllerTest assert_select 'div.attachments .icon-edit', 0 end + def test_show_should_not_display_delete_attachment_icon_for_user_without_edit_issue_permission_on_tracker + role = Role.find(2) + role.set_permission_trackers 'edit_issues', [2, 3] + role.save! + + @request.session[:user_id] = 2 + + get :show, params: {id: 4} + + assert_response :success + assert_select 'div.attachments .icon-del', 0 + end + def test_get_new @request.session[:user_id] = 2 get :new, :params => { |