Commit 981ad7ba authored by jplang's avatar jplang

Fixed that user with permission can't remove a locked watcher (#21382).

git-svn-id: https://svn.redmine.org/redmine/trunk@14946 e93f8b46-1217-0410-a6f0-8f06a7374b81
parent f0ecc224
......@@ -62,12 +62,14 @@ class WatchersController < ApplicationController
end
def destroy
@watched.set_watcher(User.visible.find(params[:user_id]), false)
@watched.set_watcher(User.find(params[:user_id]), false)
respond_to do |format|
format.html { redirect_to :back }
format.js
format.api { render_api_ok }
end
rescue ActiveRecord::RecordNotFound
render_404
end
def autocomplete_for_user
......
......@@ -259,7 +259,7 @@ class WatchersControllerTest < ActionController::TestCase
assert response.body.blank?
end
def test_remove_watcher
def test_destroy
@request.session[:user_id] = 2
assert_difference('Watcher.count', -1) do
xhr :delete, :destroy, :object_type => 'issue', :object_id => '2', :user_id => '3'
......@@ -268,4 +268,26 @@ class WatchersControllerTest < ActionController::TestCase
end
assert !Issue.find(2).watched_by?(User.find(3))
end
def test_destroy_locked_user
user = User.find(3)
user.lock!
assert user.reload.locked?
@request.session[:user_id] = 2
assert_difference('Watcher.count', -1) do
xhr :delete, :destroy, :object_type => 'issue', :object_id => '2', :user_id => '3'
assert_response :success
assert_match /watchers/, response.body
end
assert !Issue.find(2).watched_by?(User.find(3))
end
def test_destroy_invalid_user_should_respond_with_404
@request.session[:user_id] = 2
assert_no_difference('Watcher.count') do
delete :destroy, :object_type => 'issue', :object_id => '2', :user_id => '999'
assert_response 404
end
end
end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment