diff options
| -rw-r--r-- | doc/CHANGELOG | 47 | ||||
| -rw-r--r-- | test/functional/attachments_controller_test.rb | 16 | ||||
| -rw-r--r-- | test/integration/attachments_test.rb | 52 |
3 files changed, 114 insertions, 1 deletions
diff --git a/doc/CHANGELOG b/doc/CHANGELOG index 72bce3ca7..b55dbfc8b 100644 --- a/doc/CHANGELOG +++ b/doc/CHANGELOG @@ -4,6 +4,53 @@ Redmine - project management software Copyright (C) 2006-2022 Jean-Philippe Lang https://www.redmine.org/ +== 2022-12-01 v5.0.4 + +=== [Activity view] + +* Defect #37875: Unnecessary closing li element when there is no "Next" button on Activity page + +=== [Code cleanup/refactoring] + +* Patch #37938: Unused permission "Mention user" + +=== [Documentation] + +* Defect #37983: Duplicate vertical-align property in wiki_syntax.css + +=== [Gems support] + +* Defect #37884: All system tests fail on 4.2-stable branch with "ArgumentError: unknown keyword: :desired_capabilities" +* Patch #37867: Limit puma < 6.0.0 to avoid system test error +* Patch #37883: Limit mocha version to < 2.0.0 when Ruby version is < 2.7 to avoid test error + +=== [Issues] + +* Defect #37958: Groups added to watchers are not shown as links + +=== [Issues workflow] + +* Defect #37685: Read-only field permission for the project field is ignored if the current project has subprojects + +=== [Projects] + +* Defect #37925: Do not allow unkown display_type for query + +=== [Rails support] + +* Defect #37814: Plugins that serialize Date or Time objects cause Psych::DisallowedClass exception + +=== [Security] + +* Defect #37772: Access Control Issue in attachments#download_all +* Defect #37751: Persistent XSS in textile formatting due to blockquote citation +* Defect #37767: Redmine contains a cross-site scripting vulnerability +* Defect #37880: Open Redirect in attachments#download_all + +=== [Translations] + +* Defect #37812: "Yes" and "No" are swapped in Polish translation + == 2022-10-02 v5.0.3 === [Code cleanup/refactoring] diff --git a/test/functional/attachments_controller_test.rb b/test/functional/attachments_controller_test.rb index cb82427cd..4839c612d 100644 --- a/test/functional/attachments_controller_test.rb +++ b/test/functional/attachments_controller_test.rb @@ -623,6 +623,22 @@ class AttachmentsControllerTest < Redmine::ControllerTest assert_response 404 end + def test_download_all_with_invisible_journal + Project.find(1).update_column :is_public, false + Member.delete_all + @request.session[:user_id] = 2 + User.current = User.find(2) + assert_not Journal.find(3).journalized.visible? + get( + :download_all, + :params => { + :object_type => 'journals', + :object_id => '3' + } + ) + assert_response 403 + end + def test_download_all_with_maximum_bulk_download_size_larger_than_attachments with_settings :bulk_download_max_size => 0 do @request.session[:user_id] = 2 diff --git a/test/integration/attachments_test.rb b/test/integration/attachments_test.rb index 197eda6aa..ab07f3a31 100644 --- a/test/integration/attachments_test.rb +++ b/test/integration/attachments_test.rb @@ -25,7 +25,9 @@ class AttachmentsTest < Redmine::IntegrationTest :roles, :members, :member_roles, :trackers, :projects_trackers, :issues, :issue_statuses, :enumerations, - :attachments + :attachments, + :wiki_content_versions, :wiki_contents, :wiki_pages, + :journals, :journal_details def test_upload_should_set_default_content_type log_user('jsmith', 'jsmith') @@ -223,6 +225,54 @@ class AttachmentsTest < Redmine::IntegrationTest set_tmp_attachments_directory end + def test_download_all_with_wrong_container_type + set_tmp_attachments_directory + + # make the attachment readable + assert a = Attachment.find(3) + FileUtils.mkdir_p File.dirname(a.diskfile) + (File.open(a.diskfile, 'wb') << 'test').close + + # there is no 'download all' for WikiContentVersions + with_settings :login_required => '0' do + get "/attachments/wiki_content_versions/7/download" + assert_response :not_found + end + with_settings :login_required => '1' do + get "/attachments/wiki_content_versions/7/download" + assert_response :not_found + end + end + + def test_download_all_for_journal_should_check_visibility + set_tmp_attachments_directory + Project.find(1).update_column :is_public, false + + # make the attachment readable + assert a = Attachment.find(4) + FileUtils.mkdir_p File.dirname(a.diskfile) + (File.open(a.diskfile, 'wb') << 'test').close + + with_settings :login_required => '0' do + get "/attachments/journals/3/download" + assert_response 403 + end + with_settings :login_required => '1' do + get "/attachments/journals/3/download" + assert_redirected_to "/login?back_url=http%3A%2F%2Fwww.example.com%2Fattachments%2Fjournals%2F3%2Fdownload" + end + + Project.find(1).update_column :is_public, true + with_settings :login_required => '0' do + get "/attachments/journals/3/download" + assert_response :success + end + with_settings :login_required => '1' do + get "/attachments/journals/3/download" + assert_redirected_to "/login?back_url=http%3A%2F%2Fwww.example.com%2Fattachments%2Fjournals%2F3%2Fdownload" + end + end + private def ajax_upload(filename, content, attachment_id=1) |