summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--doc/CHANGELOG47
-rw-r--r--test/functional/attachments_controller_test.rb16
-rw-r--r--test/integration/attachments_test.rb52
3 files changed, 1 insertions, 114 deletions
diff --git a/doc/CHANGELOG b/doc/CHANGELOG
index b55dbfc8b..72bce3ca7 100644
--- a/doc/CHANGELOG
+++ b/doc/CHANGELOG
@@ -4,53 +4,6 @@ Redmine - project management software
Copyright (C) 2006-2022 Jean-Philippe Lang
https://www.redmine.org/
-== 2022-12-01 v5.0.4
-
-=== [Activity view]
-
-* Defect #37875: Unnecessary closing li element when there is no "Next" button on Activity page
-
-=== [Code cleanup/refactoring]
-
-* Patch #37938: Unused permission "Mention user"
-
-=== [Documentation]
-
-* Defect #37983: Duplicate vertical-align property in wiki_syntax.css
-
-=== [Gems support]
-
-* Defect #37884: All system tests fail on 4.2-stable branch with "ArgumentError: unknown keyword: :desired_capabilities"
-* Patch #37867: Limit puma < 6.0.0 to avoid system test error
-* Patch #37883: Limit mocha version to < 2.0.0 when Ruby version is < 2.7 to avoid test error
-
-=== [Issues]
-
-* Defect #37958: Groups added to watchers are not shown as links
-
-=== [Issues workflow]
-
-* Defect #37685: Read-only field permission for the project field is ignored if the current project has subprojects
-
-=== [Projects]
-
-* Defect #37925: Do not allow unkown display_type for query
-
-=== [Rails support]
-
-* Defect #37814: Plugins that serialize Date or Time objects cause Psych::DisallowedClass exception
-
-=== [Security]
-
-* Defect #37772: Access Control Issue in attachments#download_all
-* Defect #37751: Persistent XSS in textile formatting due to blockquote citation
-* Defect #37767: Redmine contains a cross-site scripting vulnerability
-* Defect #37880: Open Redirect in attachments#download_all
-
-=== [Translations]
-
-* Defect #37812: "Yes" and "No" are swapped in Polish translation
-
== 2022-10-02 v5.0.3
=== [Code cleanup/refactoring]
diff --git a/test/functional/attachments_controller_test.rb b/test/functional/attachments_controller_test.rb
index 4839c612d..cb82427cd 100644
--- a/test/functional/attachments_controller_test.rb
+++ b/test/functional/attachments_controller_test.rb
@@ -623,22 +623,6 @@ class AttachmentsControllerTest < Redmine::ControllerTest
assert_response 404
end
- def test_download_all_with_invisible_journal
- Project.find(1).update_column :is_public, false
- Member.delete_all
- @request.session[:user_id] = 2
- User.current = User.find(2)
- assert_not Journal.find(3).journalized.visible?
- get(
- :download_all,
- :params => {
- :object_type => 'journals',
- :object_id => '3'
- }
- )
- assert_response 403
- end
-
def test_download_all_with_maximum_bulk_download_size_larger_than_attachments
with_settings :bulk_download_max_size => 0 do
@request.session[:user_id] = 2
diff --git a/test/integration/attachments_test.rb b/test/integration/attachments_test.rb
index ab07f3a31..197eda6aa 100644
--- a/test/integration/attachments_test.rb
+++ b/test/integration/attachments_test.rb
@@ -25,9 +25,7 @@ class AttachmentsTest < Redmine::IntegrationTest
:roles, :members, :member_roles,
:trackers, :projects_trackers,
:issues, :issue_statuses, :enumerations,
- :attachments,
- :wiki_content_versions, :wiki_contents, :wiki_pages,
- :journals, :journal_details
+ :attachments
def test_upload_should_set_default_content_type
log_user('jsmith', 'jsmith')
@@ -225,54 +223,6 @@ class AttachmentsTest < Redmine::IntegrationTest
set_tmp_attachments_directory
end
- def test_download_all_with_wrong_container_type
- set_tmp_attachments_directory
-
- # make the attachment readable
- assert a = Attachment.find(3)
- FileUtils.mkdir_p File.dirname(a.diskfile)
- (File.open(a.diskfile, 'wb') << 'test').close
-
- # there is no 'download all' for WikiContentVersions
- with_settings :login_required => '0' do
- get "/attachments/wiki_content_versions/7/download"
- assert_response :not_found
- end
- with_settings :login_required => '1' do
- get "/attachments/wiki_content_versions/7/download"
- assert_response :not_found
- end
- end
-
- def test_download_all_for_journal_should_check_visibility
- set_tmp_attachments_directory
- Project.find(1).update_column :is_public, false
-
- # make the attachment readable
- assert a = Attachment.find(4)
- FileUtils.mkdir_p File.dirname(a.diskfile)
- (File.open(a.diskfile, 'wb') << 'test').close
-
- with_settings :login_required => '0' do
- get "/attachments/journals/3/download"
- assert_response 403
- end
- with_settings :login_required => '1' do
- get "/attachments/journals/3/download"
- assert_redirected_to "/login?back_url=http%3A%2F%2Fwww.example.com%2Fattachments%2Fjournals%2F3%2Fdownload"
- end
-
- Project.find(1).update_column :is_public, true
- with_settings :login_required => '0' do
- get "/attachments/journals/3/download"
- assert_response :success
- end
- with_settings :login_required => '1' do
- get "/attachments/journals/3/download"
- assert_redirected_to "/login?back_url=http%3A%2F%2Fwww.example.com%2Fattachments%2Fjournals%2F3%2Fdownload"
- end
- end
-
private
def ajax_upload(filename, content, attachment_id=1)