-rw-r--r-- | doc/CHANGELOG | 47 | ||||
-rw-r--r-- | test/functional/attachments_controller_test.rb | 16 | ||||
-rw-r--r-- | test/integration/attachments_test.rb | 52 |
3 files changed, 1 insertions, 114 deletions
diff --git a/doc/CHANGELOG b/doc/CHANGELOG index b55dbfc8b..72bce3ca7 100644 --- a/doc/CHANGELOG +++ b/doc/CHANGELOG @@ -4,53 +4,6 @@ Redmine - project management software Copyright (C) 2006-2022 Jean-Philippe Lang https://www.redmine.org/ -== 2022-12-01 v5.0.4 - -=== [Activity view] - -* Defect #37875: Unnecessary closing li element when there is no "Next" button on Activity page - -=== [Code cleanup/refactoring] - -* Patch #37938: Unused permission "Mention user" - -=== [Documentation] - -* Defect #37983: Duplicate vertical-align property in wiki_syntax.css - -=== [Gems support] - -* Defect #37884: All system tests fail on 4.2-stable branch with "ArgumentError: unknown keyword: :desired_capabilities" -* Patch #37867: Limit puma < 6.0.0 to avoid system test error -* Patch #37883: Limit mocha version to < 2.0.0 when Ruby version is < 2.7 to avoid test error - -=== [Issues] - -* Defect #37958: Groups added to watchers are not shown as links - -=== [Issues workflow] - -* Defect #37685: Read-only field permission for the project field is ignored if the current project has subprojects - -=== [Projects] - -* Defect #37925: Do not allow unkown display_type for query - -=== [Rails support] - -* Defect #37814: Plugins that serialize Date or Time objects cause Psych::DisallowedClass exception - -=== [Security] - -* Defect #37772: Access Control Issue in attachments#download_all -* Defect #37751: Persistent XSS in textile formatting due to blockquote citation -* Defect #37767: Redmine contains a cross-site scripting vulnerability -* Defect #37880: Open Redirect in attachments#download_all - -=== [Translations] - -* Defect #37812: "Yes" and "No" are swapped in Polish translation - == 2022-10-02 v5.0.3 === [Code cleanup/refactoring] diff --git a/test/functional/attachments_controller_test.rb b/test/functional/attachments_controller_test.rb index 4839c612d..cb82427cd 100644 --- a/test/functional/attachments_controller_test.rb +++ b/test/functional/attachments_controller_test.rb 
@@ -623,22 +623,6 @@ class AttachmentsControllerTest < Redmine::ControllerTest assert_response 404 end - def test_download_all_with_invisible_journal - Project.find(1).update_column :is_public, false - Member.delete_all - @request.session[:user_id] = 2 - User.current = User.find(2) - assert_not Journal.find(3).journalized.visible? - get( - :download_all, - :params => { - :object_type => 'journals', - :object_id => '3' - } - ) - assert_response 403 - end - def test_download_all_with_maximum_bulk_download_size_larger_than_attachments with_settings :bulk_download_max_size => 0 do @request.session[:user_id] = 2 diff --git a/test/integration/attachments_test.rb b/test/integration/attachments_test.rb index ab07f3a31..197eda6aa 100644 --- a/test/integration/attachments_test.rb +++ b/test/integration/attachments_test.rb @@ -25,9 +25,7 @@ class AttachmentsTest < Redmine::IntegrationTest :roles, :members, :member_roles, :trackers, :projects_trackers, :issues, :issue_statuses, :enumerations, - :attachments, - :wiki_content_versions, :wiki_contents, :wiki_pages, - :journals, :journal_details + :attachments def test_upload_should_set_default_content_type log_user('jsmith', 'jsmith') 
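Review bot: The fixtures list in test/integration/attachments_test.rb drops `:journals, :journal_details` and the wiki fixtures, and with them go the only tests on this page that cover authorization on `attachments#download_all`, while the diffstat lists no file under app/. If the controller still enforces journal visibility, the deleted cases should stay so that a regression in the 403, 404 and login-redirect behaviour is caught: `test_download_all_with_invisible_journal` in the functional test, and `test_download_all_with_wrong_container_type` and `test_download_all_for_journal_should_check_visibility` in the next hunk. Keeping them means keeping `:wiki_content_versions, :wiki_contents, :wiki_pages,` and `:journals, :journal_details` in the fixtures list. Whether this diff instead describes a tree where the check is absent cannot be confirmed from the three files shown. The enclosing class and `test_upload_should_set_default_content_type` continue outside the hunk.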
@@ -225,54 +223,6 @@ class AttachmentsTest < Redmine::IntegrationTest set_tmp_attachments_directory end - def test_download_all_with_wrong_container_type - set_tmp_attachments_directory - - # make the attachment readable - assert a = Attachment.find(3) - FileUtils.mkdir_p File.dirname(a.diskfile) - (File.open(a.diskfile, 'wb') << 'test').close - - # there is no 'download all' for WikiContentVersions - with_settings :login_required => '0' do - get "/attachments/wiki_content_versions/7/download" - assert_response :not_found - end - with_settings :login_required => '1' do - get "/attachments/wiki_content_versions/7/download" - assert_response :not_found - end - end - - def test_download_all_for_journal_should_check_visibility - set_tmp_attachments_directory - Project.find(1).update_column :is_public, false - - # make the attachment readable - assert a = Attachment.find(4) - FileUtils.mkdir_p File.dirname(a.diskfile) - (File.open(a.diskfile, 'wb') << 'test').close - - with_settings :login_required => '0' do - get "/attachments/journals/3/download" - assert_response 403 - end - with_settings :login_required => '1' do - get "/attachments/journals/3/download" - assert_redirected_to "/login?back_url=http%3A%2F%2Fwww.example.com%2Fattachments%2Fjournals%2F3%2Fdownload" - end - - Project.find(1).update_column :is_public, true - with_settings :login_required => '0' do - get "/attachments/journals/3/download" - assert_response :success - end - with_settings :login_required => '1' do - get "/attachments/journals/3/download" - assert_redirected_to "/login?back_url=http%3A%2F%2Fwww.example.com%2Fattachments%2Fjournals%2F3%2Fdownload" - end - end - private def ajax_upload(filename, content, attachment_id=1) |