From 555acea7804e6a93b133fe7398f490cb083c05b2 Mon Sep 17 00:00:00 2001
From: Go MAEDA <maeda@farend.jp>
Date: Thu, 2 Mar 2023 04:32:34 +0000
Subject: Check if the user has the permission to add notes or edit an issue
 when adding an issue attachments (#38297).

Patch by Holger Just.


git-svn-id: https://svn.redmine.org/redmine/trunk@22122 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 test/integration/issues_test.rb | 74 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 74 insertions(+)

(limited to 'test/integration')

diff --git a/test/integration/issues_test.rb b/test/integration/issues_test.rb
index c9f5c3537..fe9cb19d0 100644
--- a/test/integration/issues_test.rb
+++ b/test/integration/issues_test.rb
@@ -140,6 +140,80 @@ class IssuesTest < Redmine::IntegrationTest
     assert_equal 0, Issue.find(1).attachments.length
   end
 
+  def test_edit_add_attachment_form
+    log_user('jsmith', 'jsmith')
+    role = Role.find(1)
+
+    role.add_permission! :edit_issues
+    role.remove_permission! :edit_own_issues
+    role.remove_permission! :add_issue_notes
+
+    get '/issues/1'
+    assert_response :success
+    assert_select 'div#new-attachments', 1
+
+    get '/issues/1/edit'
+    assert_response :success
+    assert_select 'div#new-attachments', 1
+
+    role.remove_permission! :edit_issues
+    role.add_permission! :edit_own_issues
+    role.remove_permission! :add_issue_notes
+
+    get '/issues/1'
+    assert_response :success
+    assert_select 'div#new-attachments', 1
+
+    get '/issues/1/edit'
+    assert_response :success
+    assert_select 'div#new-attachments', 1
+
+    role.remove_permission! :edit_issues
+    role.remove_permission! :edit_own_issues
+    role.add_permission! :add_issue_notes
+
+    get '/issues/1'
+    assert_response :success
+    assert_select 'div#new-attachments', 1
+
+    get '/issues/1/edit'
+    assert_response :success
+    assert_select 'div#new-attachments', 1
+  end
+
+  def test_edit_check_permission_for_add_attachment
+    log_user('jsmith', 'jsmith')
+    role = Role.find(1)
+
+    role.remove_permission! :edit_issues
+    role.remove_permission! :edit_own_issues
+    role.add_permission! :add_issue_notes
+
+    role.permissions_all_trackers = {'view_issues' => '0', 'add_issue_notes' => '0' }
+    role.permissions_tracker_ids = {'view_issues' => ['1'], 'add_issue_notes' => ['2'] }
+    role.save!
+
+    assert_no_difference 'Attachment.count' do
+      put(
+        '/issues/1',
+        :params => {
+          :issue => {:notes => 'Some notes'},
+          :attachments => {
+            '1' => {
+              'file' => uploaded_test_file('testfile.txt', 'text/plain'),
+              'description' => 'This is an attachment'
+            }
+          }
+        }
+      )
+    end
+    assert_redirected_to '/issues/1'
+
+    follow_redirect!
+    assert_response :success
+    assert_select '.flash', '1 file(s) could not be saved.'
+  end
+
   def test_next_and_previous_links_should_be_displayed_after_query_grouped_and_sorted_by_version
     with_settings :default_language => 'en' do
       get '/projects/ecookbook/issues?set_filter=1&group_by=fixed_version&sort=priority:desc,fixed_version,id'
-- 
cgit v1.2.3