From 9a452a5c351f4bffb80dee3df5a4fb6a3800ca17 Mon Sep 17 00:00:00 2001 From: Jean-Philippe Lang Date: Sun, 13 Dec 2009 14:48:28 +0000 Subject: [PATCH] Make sure user can not watch what he is not allowed to view. git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@3170 e93f8b46-1217-0410-a6f0-8f06a7374b81 --- app/controllers/watchers_controller.rb | 6 +++++- test/functional/watchers_controller_test.rb | 9 +++++++++ 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/app/controllers/watchers_controller.rb b/app/controllers/watchers_controller.rb index 694718e2..06e5802f 100644 --- a/app/controllers/watchers_controller.rb +++ b/app/controllers/watchers_controller.rb @@ -25,7 +25,11 @@ class WatchersController < ApplicationController :render => { :nothing => true, :status => :method_not_allowed } def watch - set_watcher(User.current, true) + if @watched.respond_to?(:visible?) && !@watched.visible?(User.current) + render_403 + else + set_watcher(User.current, true) + end end def unwatch diff --git a/test/functional/watchers_controller_test.rb b/test/functional/watchers_controller_test.rb index cf977887..01dee374 100644 --- a/test/functional/watchers_controller_test.rb +++ b/test/functional/watchers_controller_test.rb @@ -47,6 +47,15 @@ class WatchersControllerTest < ActionController::TestCase end assert Issue.find(1).watched_by?(User.find(3)) end + + def test_watch_should_be_denied_without_permission + Role.find(2).remove_permission! :view_issues + @request.session[:user_id] = 3 + assert_no_difference('Watcher.count') do + xhr :post, :watch, :object_type => 'issue', :object_id => '1' + assert_response 403 + end + end def test_watch_with_multiple_replacements @request.session[:user_id] = 3 -- 2.11.0