From 9a452a5c351f4bffb80dee3df5a4fb6a3800ca17 Mon Sep 17 00:00:00 2001
From: Jean-Philippe Lang <jp_lang@yahoo.fr>
Date: Sun, 13 Dec 2009 14:48:28 +0000
Subject: Make sure user can not watch what he is not allowed to view.

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@3170 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/controllers/watchers_controller.rb | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

(limited to 'app')

diff --git a/app/controllers/watchers_controller.rb b/app/controllers/watchers_controller.rb
index 694718e28..06e5802f6 100644
--- a/app/controllers/watchers_controller.rb
+++ b/app/controllers/watchers_controller.rb
@@ -25,7 +25,11 @@ class WatchersController < ApplicationController
          :render => { :nothing => true, :status => :method_not_allowed }
   
   def watch
-    set_watcher(User.current, true)
+    if @watched.respond_to?(:visible?) && !@watched.visible?(User.current)
+      render_403
+    else
+      set_watcher(User.current, true)
+    end
   end
   
   def unwatch
-- 
cgit v1.2.3