Commit 8be9006e authored by jplang's avatar jplang

Fixed: private queries should not be accessible to other users (#8729).

git-svn-id: https://svn.redmine.org/redmine/trunk@6163 e93f8b46-1217-0410-a6f0-8f06a7374b81
parent 851d28b2
......@@ -18,6 +18,8 @@
require 'uri'
require 'cgi'
class Unauthorized < Exception; end
class ApplicationController < ActionController::Base
include Redmine::I18n
......@@ -41,6 +43,7 @@ class ApplicationController < ActionController::Base
protect_from_forgery
rescue_from ActionController::InvalidAuthenticityToken, :with => :invalid_authenticity_token
rescue_from ::Unauthorized, :with => :deny_access
include Redmine::Search::Controller
include Redmine::MenuManager::MenuController
......
......@@ -70,6 +70,7 @@ module QueriesHelper
cond = "project_id IS NULL"
cond << " OR project_id = #{@project.id}" if @project
@query = Query.find(params[:query_id], :conditions => cond)
raise ::Unauthorized unless @query.visible?
@query.project = @project
session[:query] = {:id => @query.id, :project_id => @query.project_id}
sort_clear
......
......@@ -165,6 +165,11 @@ class Query < ActiveRecord::Base
["o", "c", "!*", "*", "t", "w"].include? operator_for(field)
end if filters
end
# Returns true if the query is visible to +user+ or the current user.
def visible?(user=User.current)
self.is_public? || self.user_id == user.id
end
def editable_by?(user)
return false unless user
......
......@@ -18,9 +18,6 @@
require File.expand_path('../../test_helper', __FILE__)
require 'issues_controller'
# Re-raise errors caught by the controller.
class IssuesController; def rescue_action(e) raise e end; end
class IssuesControllerTest < ActionController::TestCase
fixtures :projects,
:users,
......@@ -193,6 +190,30 @@ class IssuesControllerTest < ActionController::TestCase
assert_not_nil assigns(:issues)
assert_not_nil assigns(:issue_count_by_group)
end
def test_private_query_should_not_be_available_to_other_users
q = Query.create!(:name => "private", :user => User.find(2), :is_public => false, :project => nil)
@request.session[:user_id] = 3
get :index, :query_id => q.id
assert_response 403
end
def test_private_query_should_be_available_to_its_user
q = Query.create!(:name => "private", :user => User.find(2), :is_public => false, :project => nil)
@request.session[:user_id] = 2
get :index, :query_id => q.id
assert_response :success
end
def test_public_query_should_be_available_to_other_users
q = Query.create!(:name => "private", :user => User.find(2), :is_public => true, :project => nil)
@request.session[:user_id] = 3
get :index, :query_id => q.id
assert_response :success
end
def test_index_sort_by_field_not_included_in_columns
Setting.issue_list_default_columns = %w(subject author)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment