Make sure user can not watch what he is not allowed to view.

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@3170 e93f8b46-1217-0410-a6f0-8f06a7374b81

Make sure user can not watch what he is not allowed to view.
git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@3170 e93f8b46-1217-0410-a6f0-8f06a7374b81
9a452a5c · Jean-Philippe Lang · bb477a3a · 9a452a5c · 9a452a5c
Commit 9a452a5c authored Dec 13, 2009 by Jean-Philippe Lang
Hide whitespace changes
Inline Side-by-side

Showing with 14 additions and 1 deletion

watchers_controller.rb app/controllers/watchers_controller.rb +5 -1

watchers_controller_test.rb test/functional/watchers_controller_test.rb +9 -0

No files found.
--- a/app/controllers/watchers_controller.rb
+++ b/app/controllers/watchers_controller.rb
@@ -25,7 +25,11 @@ class WatchersController < ApplicationController
         :render => { :nothing => true, :status => :method_not_allowed }
  
  def watch
-    set_watcher(User.current, true)
+    if @watched.respond_to?(:visible?) && !@watched.visible?(User.current)
+      render_403
+    else
+      set_watcher(User.current, true)
+    end
  end
  
  def unwatch

--- a/test/functional/watchers_controller_test.rb
+++ b/test/functional/watchers_controller_test.rb
@@ -47,6 +47,15 @@ class WatchersControllerTest < ActionController::TestCase
    end
    assert Issue.find(1).watched_by?(User.find(3))
  end
+  
+  def test_watch_should_be_denied_without_permission
+    Role.find(2).remove_permission! :view_issues
+    @request.session[:user_id] = 3
+    assert_no_difference('Watcher.count') do
+      xhr :post, :watch, :object_type => 'issue', :object_id => '1'
+      assert_response 403
+    end
+  end

  def test_watch_with_multiple_replacements
    @request.session[:user_id] = 3