From 10994e902779aba086f58a75abfbaf7fe10eb2f2 Mon Sep 17 00:00:00 2001
From: Jean-Philippe Lang <jp_lang@yahoo.fr>
Date: Tue, 27 Jan 2009 19:33:03 +0000
Subject: [PATCH] Fixed: users should not be able to add relations with issues
 they're not allowed to view (#2589).

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@2323 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/controllers/issue_relations_controller.rb |  3 ++
 app/models/issue_relation.rb                  |  2 ++
 .../issue_relations_controller_test.rb        | 36 +++++++++++++++++++
 3 files changed, 41 insertions(+)

diff --git a/app/controllers/issue_relations_controller.rb b/app/controllers/issue_relations_controller.rb
index 2ca3f0d68..8a41c3830 100644
--- a/app/controllers/issue_relations_controller.rb
+++ b/app/controllers/issue_relations_controller.rb
@@ -21,6 +21,9 @@ class IssueRelationsController < ApplicationController
   def new
     @relation = IssueRelation.new(params[:relation])
     @relation.issue_from = @issue
+    if params[:relation] && !params[:relation][:issue_to_id].blank?
+      @relation.issue_to = Issue.visible.find_by_id(params[:relation][:issue_to_id])
+    end
     @relation.save if request.post?
     respond_to do |format|
       format.html { redirect_to :controller => 'issues', :action => 'show', :id => @issue }
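Review bot: The visibility check on the added line `@relation.issue_to = Issue.visible.find_by_id(...)` relies on `Issue.visible` with no argument resolving to the logged-in user, while the accompanying test calls `Issue.visible(User.find(3))` with an explicit user; confirm the no-arg form defaults to `User.current` (presumably set by a before_filter outside this hunk), otherwise the scope is not the one being tested. When the lookup returns nil the relation is simply left without an `issue_to`, and nothing in this hunk makes `save` fail for that case — the model's `validate` is guarded by `if issue_from && issue_to`, so rejection depends on a presence validation not visible here; worth stating the intent inline, e.g. `# Only issues the current user can see may be linked (#2589); an invisible id leaves issue_to nil and the save is rejected`. The `new` action continues past the end of this hunk (the `respond_to` block), so I cannot see whether the failed save reports an error to the user rather than silently redirecting.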
diff --git a/app/models/issue_relation.rb b/app/models/issue_relation.rb
index 49329e0bb..13e14cccc 100644
--- a/app/models/issue_relation.rb
+++ b/app/models/issue_relation.rb
@@ -35,6 +35,8 @@ class IssueRelation < ActiveRecord::Base
   validates_numericality_of :delay, :allow_nil => true
   validates_uniqueness_of :issue_to_id, :scope => :issue_from_id
   
+  attr_protected :issue_from_id, :issue_to_id
+  
   def validate
     if issue_from && issue_to
       errors.add :issue_to_id, :activerecord_error_invalid if issue_from_id == issue_to_id
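Review bot: `attr_protected :issue_from_id, :issue_to_id` is a blacklist, so any attribute added to `issue_relations` later is mass-assignable by default; the whitelist form closes that gap and documents what the form may set, e.g. `attr_accessible :relation_type, :delay` (extend with any other intentionally assignable attribute declared outside this hunk). Either way a one-line comment explaining why the foreign keys are excluded would help the next reader: `# issue_from/issue_to are set explicitly by the controller after a visibility check, never from params`. The added line 37 carries trailing whitespace, as do the blank lines added in the test file hunks (lines 58, 65, 73, 81). The `validate` method beginning at the bottom of this hunk continues outside it.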
diff --git a/test/functional/issue_relations_controller_test.rb b/test/functional/issue_relations_controller_test.rb
index 69464c5f5..dc64a004e 100644
--- a/test/functional/issue_relations_controller_test.rb
+++ b/test/functional/issue_relations_controller_test.rb
@@ -6,6 +6,23 @@ class IssueRelationsController; def rescue_action(e) raise e end; end
 
 
 class IssueRelationsControllerTest < Test::Unit::TestCase
+  fixtures :projects,
+           :users,
+           :roles,
+           :members,
+           :issues,
+           :issue_statuses,
+           :enabled_modules,
+           :enumerations,
+           :trackers
+  
+  def setup
+    @controller = IssueRelationsController.new
+    @request    = ActionController::TestRequest.new
+    @response   = ActionController::TestResponse.new
+    User.current = nil
+  end
+  
   def test_new_routing
     assert_routing(
       {:method => :post, :path => '/issues/1/relations'},
@@ -19,4 +36,23 @@ class IssueRelationsControllerTest < Test::Unit::TestCase
       {:method => :post, :path => '/issues/1/relations/23/destroy'}
     )
   end
+  
+  def test_new
+    assert_difference 'IssueRelation.count' do
+      @request.session[:user_id] = 3
+      post :new, :issue_id => 1, 
+                 :relation => {:issue_to_id => '2', :relation_type => 'relates', :delay => ''}
+    end
+  end
+  
+  def test_should_create_relations_with_visible_issues_only
+    Setting.cross_project_issue_relations = '1'
+    assert_nil Issue.visible(User.find(3)).find_by_id(4)
+    
+    assert_no_difference 'IssueRelation.count' do
+      @request.session[:user_id] = 3
+      post :new, :issue_id => 1, 
+                 :relation => {:issue_to_id => '4', :relation_type => 'relates', :delay => ''}
+    end
+  end
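Review bot: `test_should_create_relations_with_visible_issues_only` sets `Setting.cross_project_issue_relations = '1'` and never restores it, so the value leaks into every test that runs afterwards in the same process; reset it in a `teardown` (or an `ensure`) with `Setting.cross_project_issue_relations = '0'`, or whatever the previous value was. Both new tests also only count rows: `test_new` does not check that the created relation links issue 1 to issue 2, and the visibility test does not assert the response (e.g. `assert_response :redirect`) or that no error page was rendered, so a regression that fails the request for an unrelated reason would still pass. The precondition `assert_nil Issue.visible(User.find(3)).find_by_id(4)` is a good guard; consider a short comment above it naming why issue 4 is invisible to user 3, since that depends on the fixtures rather than on anything in this file.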
 end
-- 
GitLab