From 57743c4145eadc4d702b7bd21eafbb30a15b48ca Mon Sep 17 00:00:00 2001
From: Marius Balteanu
Date: Mon, 8 Jul 2024 21:32:15 +0000
Subject: Permission check based on the type of @watchables@ (#40946).
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Patch by Jens Krämer (@jkraemer).

git-svn-id: https://svn.redmine.org/redmine/trunk@22915 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 test/functional/watchers_controller_test.rb | 35 +++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)

(limited to 'test/functional')

diff --git a/test/functional/watchers_controller_test.rb b/test/functional/watchers_controller_test.rb
index 65aad4e1f..ed3c25770 100644
--- a/test/functional/watchers_controller_test.rb
+++ b/test/functional/watchers_controller_test.rb
@@ -578,6 +578,41 @@ class WatchersControllerTest < Redmine::ControllerTest
     assert !wiki_page.watched_by?(user)
   end
 
+  def test_destroy_without_permission
+    @request.session[:user_id] = 2
+    wiki_page = WikiPage.find(1)
+    user = User.find(1)
+    Role.find(1).remove_permission! :delete_wiki_page_watchers
+
+    assert wiki_page.watched_by?(user)
+    assert_no_difference('Watcher.count') do
+      delete :destroy, :params => {
+        :object_type => 'wiki_page', :object_id => '1', :user_id => '1'
+      }, :xhr => true
+      assert_response 403
+    end
+    wiki_page.reload
+    assert wiki_page.watched_by?(user)
+  end
+
+  def test_create_without_permission
+    @request.session[:user_id] = 2
+    wiki_page = WikiPage.find(1)
+    user = User.find(1)
+    Role.find(1).remove_permission! :add_wiki_page_watchers
+    Watcher.delete_all
+
+    assert_not wiki_page.watched_by?(user)
+    assert_no_difference('Watcher.count') do
+      post :create, :params => {
+        :object_type => 'wiki_page', :object_id => '1', :user_id => '1'
+      }, :xhr => true
+      assert_response 403
+    end
+    wiki_page.reload
+    assert_not wiki_page.watched_by?(user)
+  end
+
   def test_destroy_locked_user
     user = User.find(3)
     user.lock!
-- 
cgit v1.2.3
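Review bot: The `assert_response 403` in test_destroy_without_permission only proves the request is refused once `:delete_wiki_page_watchers` is stripped from Role 1; it does not demonstrate that the check is keyed on the watchable's type, which is what the commit title says the fix is about. If Role 1 still holds the issue-level permission in the fixtures (I cannot see them here), making that explicit with `assert Role.find(1).has_permission?(:delete_issue_watchers)` right after the `remove_permission!` line would show the controller is not falling back to the issue permission for a wiki page; the same applies to `:add_issue_watchers` in test_create_without_permission. Both tests also exercise only the `:xhr => true` path, so if the non-XHR branch of the controller responds differently (a redirect rather than 403) it stays uncovered; a variant without `:xhr` would pin it. The enclosing WatchersControllerTest class starts and ends outside this hunk.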