-rw-r--r-- | app/controllers/watchers_controller.rb | 6 | ||||
-rw-r--r-- | test/functional/watchers_controller_test.rb | 9 |
2 files changed, 14 insertions, 1 deletions
diff --git a/app/controllers/watchers_controller.rb b/app/controllers/watchers_controller.rb
index 694718e28..06e5802f6 100644
--- a/app/controllers/watchers_controller.rb
+++ b/app/controllers/watchers_controller.rb
@@ -25,7 +25,11 @@ class WatchersController < ApplicationController
     :render => { :nothing => true, :status => :method_not_allowed }
 
   def watch
-    set_watcher(User.current, true)
+    if @watched.respond_to?(:visible?) && !@watched.visible?(User.current)
+      render_403
+    else
+      set_watcher(User.current, true)
+    end
   end
 
   def unwatch
diff --git a/test/functional/watchers_controller_test.rb b/test/functional/watchers_controller_test.rb
index cf977887e..01dee3747 100644
--- a/test/functional/watchers_controller_test.rb
+++ b/test/functional/watchers_controller_test.rb
@@ -47,6 +47,15 @@ class WatchersControllerTest < ActionController::TestCase
     end
     assert Issue.find(1).watched_by?(User.find(3))
   end
+  def test_watch_should_be_denied_without_permission
+    Role.find(2).remove_permission! :view_issues
+    @request.session[:user_id] = 3
+    assert_no_difference('Watcher.count') do
+      xhr :post, :watch, :object_type => 'issue', :object_id => '1'
+      assert_response 403
+    end
+  end
 
   def test_watch_with_multiple_replacements
     @request.session[:user_id] = 3
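Review bot: The new guard in `watch` fails open: when `@watched` does not respond to `visible?`, the `respond_to?` test short-circuits and `set_watcher` runs with no visibility check at all, so any watchable type without a `visible?` method remains watchable by every logged-in user. If every model reachable through this controller implements `visible?`, the `respond_to?` half is redundant and the stricter `if !@watched.visible?(User.current)` would make a future type that forgets the method fail closed; if some types deliberately lack it, the branch deserves a comment stating that, e.g. `# Watchables without visible? are assumed to carry no per-user visibility rules`. `unwatch`, whose header is visible as context just below, gets no equivalent check; that is likely acceptable for removing one's own watch but is worth confirming. `@watched` is assigned in a filter outside this hunk, so whether it can be nil at this point cannot be judged from here.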
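Review bot: The new test pins only the 403 status and an unchanged `Watcher.count`; the other path the controller change introduces, a watchable that does not respond to `visible?`, and the untouched `unwatch` action get no coverage, so the fail-open branch is not exercised. Adding `assert !Issue.find(1).watched_by?(User.find(3))` after the request would confirm the outcome independently of count bookkeeping, mirroring the positive assertion in the context lines above. The test presumably relies on fixture state, user 3 holding role 2 on the project of issue 1, which is not visible in this hunk; a one-line comment naming that assumption would help the next reader understand why removing `:view_issues` from role 2 is sufficient.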