summaryrefslogtreecommitdiffstats
path: root/test
diff options
context:
space:
mode:
Diffstat (limited to 'test')
-rw-r--r--test/functional/issues_controller_test.rb11
-rw-r--r--test/functional/messages_controller_test.rb11
-rw-r--r--test/functional/watchers_controller_test.rb60
-rw-r--r--test/functional/wiki_controller_test.rb11
-rw-r--r--test/unit/issue_test.rb20
5 files changed, 110 insertions, 3 deletions
diff --git a/test/functional/issues_controller_test.rb b/test/functional/issues_controller_test.rb
index db45bb287..7501843cf 100644
--- a/test/functional/issues_controller_test.rb
+++ b/test/functional/issues_controller_test.rb
@@ -2733,6 +2733,17 @@ class IssuesControllerTest < Redmine::ControllerTest
end
end
+ def test_show_should_not_display_watchers_without_permission
+ @request.session[:user_id] = 2
+ Role.find(1).remove_permission! :view_issue_watchers
+ issue = Issue.find(1)
+ issue.add_watcher User.find(2)
+ issue.add_watcher Group.find(10)
+ get(:show, :params => {:id => 1})
+ assert_select 'div#watchers ul', 0
+ assert_select 'h3', {text: /Watchers \(\d*\)/, count: 0}
+ end
+
def test_show_should_display_watchers_with_gravatars
@request.session[:user_id] = 2
issue = Issue.find(1)
diff --git a/test/functional/messages_controller_test.rb b/test/functional/messages_controller_test.rb
index 85f45f1d7..317c779a2 100644
--- a/test/functional/messages_controller_test.rb
+++ b/test/functional/messages_controller_test.rb
@@ -114,6 +114,17 @@ class MessagesControllerTest < Redmine::ControllerTest
end
end
+ def test_show_should_not_display_watchers_without_permission
+ @request.session[:user_id] = 2
+ Role.find(1).remove_permission! :view_message_watchers
+ message = Message.find(1)
+ message.add_watcher User.find(2)
+ message.add_watcher Group.find(10)
+ get(:show, :params => {:board_id => 1, :id => 1})
+ assert_select 'div#watchers ul', 0
+ assert_select 'h3', {text: /Watchers \(\d*\)/, count: 0}
+ end
+
def test_get_new
@request.session[:user_id] = 2
get(:new, :params => {:board_id => 1})
diff --git a/test/functional/watchers_controller_test.rb b/test/functional/watchers_controller_test.rb
index 369d30b5b..67f4a4736 100644
--- a/test/functional/watchers_controller_test.rb
+++ b/test/functional/watchers_controller_test.rb
@@ -211,6 +211,25 @@ class WatchersControllerTest < Redmine::ControllerTest
)
end
+ def test_new_without_view_watchers_permission
+ @request.session[:user_id] = 2
+ Role.find(1).remove_permission! :view_issue_watchers
+ get :new, :params => {:object_type => 'issue', :object_id => '2'}, :xhr => true
+ assert_response :success
+ assert_match %r{name=\\"watcher\[user_ids\]\[\]\\" value=\\"2\\"}, response.body
+ # User should not be able to reverse engineer that User 3 is watching the issue already
+ assert_match %r{name=\\"watcher\[user_ids\]\[\]\\" value=\\"3\\"}, response.body
+ end
+
+ def test_new_dont_show_self_when_watching_without_view_watchers_permission
+ @request.session[:user_id] = 2
+ Role.find(1).remove_permission! :view_issue_watchers
+ Issue.find(2).add_watcher(User.find(2))
+ get :new, :params => {:object_type => 'issue', :object_id => '2'}, :xhr => true
+ assert_response :success
+ assert_no_match %r{name=\\"watcher\[user_ids\]\[\]\\" value=\\"2\\"}, response.body
+ end
+
def test_create_as_html
@request.session[:user_id] = 2
assert_difference('Watcher.count') do
@@ -458,11 +477,11 @@ class WatchersControllerTest < Redmine::ControllerTest
assert_response :success
- # All users from two projects eCookbook (7) and Private child of eCookbook (9)
- assert_select 'input', :count => 5
+ # All users from two projects eCookbook (7) and Private child of eCookbook
+ # (9) who can see both issues
+ assert_select 'input', :count => 4
assert_select 'input[name=?][value="1"]', 'watcher[user_ids][]'
assert_select 'input[name=?][value="2"]', 'watcher[user_ids][]'
- assert_select 'input[name=?][value="3"]', 'watcher[user_ids][]'
assert_select 'input[name=?][value="8"]', 'watcher[user_ids][]'
assert_select 'input[name=?][value="10"]', 'watcher[user_ids][]'
end
@@ -559,6 +578,41 @@ class WatchersControllerTest < Redmine::ControllerTest
assert !wiki_page.watched_by?(user)
end
+ def test_destroy_without_permission
+ @request.session[:user_id] = 2
+ wiki_page = WikiPage.find(1)
+ user = User.find(1)
+ Role.find(1).remove_permission! :delete_wiki_page_watchers
+
+ assert wiki_page.watched_by?(user)
+ assert_no_difference('Watcher.count') do
+ delete :destroy, :params => {
+ :object_type => 'wiki_page', :object_id => '1', :user_id => '1'
+ }, :xhr => true
+ assert_response :forbidden
+ end
+ wiki_page.reload
+ assert wiki_page.watched_by?(user)
+ end
+
+ def test_create_without_permission
+ @request.session[:user_id] = 2
+ wiki_page = WikiPage.find(1)
+ user = User.find(1)
+ Role.find(1).remove_permission! :add_wiki_page_watchers
+ Watcher.delete_all
+
+ assert_not wiki_page.watched_by?(user)
+ assert_no_difference('Watcher.count') do
+ post :create, :params => {
+ :object_type => 'wiki_page', :object_id => '1', :user_id => '1'
+ }, :xhr => true
+ assert_response :forbidden
+ end
+ wiki_page.reload
+ assert_not wiki_page.watched_by?(user)
+ end
+
def test_destroy_locked_user
user = User.find(3)
user.lock!
diff --git a/test/functional/wiki_controller_test.rb b/test/functional/wiki_controller_test.rb
index 1e1d98f32..ad5d34b58 100644
--- a/test/functional/wiki_controller_test.rb
+++ b/test/functional/wiki_controller_test.rb
@@ -150,6 +150,17 @@ class WikiControllerTest < Redmine::ControllerTest
end
end
+ def test_show_should_not_display_watchers_without_permission
+ @request.session[:user_id] = 2
+ Role.find(1).remove_permission! :view_wiki_page_watchers
+ page = Project.find(1).wiki.find_page('Another_page')
+ page.add_watcher User.find(2)
+ page.add_watcher Group.find(10)
+ get(:show, :params => {:project_id => 1, :id => 'Another_page'})
+ assert_select 'div#watchers ul', 0
+ assert_select 'h3', {text: /Watchers \(\d*\)/, count: 0}
+ end
+
def test_show_should_display_section_edit_links
with_settings :text_formatting => 'textile' do
@request.session[:user_id] = 2
diff --git a/test/unit/issue_test.rb b/test/unit/issue_test.rb
index 571b7ef3b..631f2614f 100644
--- a/test/unit/issue_test.rb
+++ b/test/unit/issue_test.rb
@@ -1498,6 +1498,8 @@ class IssueTest < ActiveSupport::TestCase
user2 = User.find(3)
issue = Issue.find(8)
+ User.current = user
+
Watcher.create!(:user => user, :watchable => issue)
Watcher.create!(:user => user2, :watchable => issue)
@@ -1511,6 +1513,24 @@ class IssueTest < ActiveSupport::TestCase
assert !issue.watched_by?(user2)
end
+ def test_copy_should_not_copy_watchers_without_permission
+ user = User.find(2)
+ user2 = User.find(3)
+ issue = Issue.find(8)
+
+ Role.find(1).remove_permission! :view_issue_watchers
+ User.current = user
+
+ Watcher.create!(:user => user, :watchable => issue)
+ Watcher.create!(:user => user2, :watchable => issue)
+
+ issue = Issue.new.copy_from(8)
+
+ assert issue.save
+ assert issue.watched_by?(user)
+ assert !issue.watched_by?(user2)
+ end
+
def test_copy_should_clear_subtasks_target_version_if_locked_or_closed
version = Version.new(:project => Project.find(1), :name => '2.1')
version.save!
generated by cgit v1.2.3 (git 2.39.1) at 2025-01-20 20:34:03 +0000