From 41c0d1e856602d66531f73f2f9efc1f0ea0d37a0 Mon Sep 17 00:00:00 2001
From: Alexander Machehin
Date: Fri, 2 Mar 2012 22:52:15 +0600
Subject: [PATCH] [refs #194] fix security and tests
---
 app/controllers/issues_controller.rb | 6 +++---
 spec/controllers/issues_controller_spec.rb | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/app/controllers/issues_controller.rb b/app/controllers/issues_controller.rb
index 2d3f13cf5..e6956c7bc 100644
--- a/app/controllers/issues_controller.rb
+++ b/app/controllers/issues_controller.rb
@@ -4,7 +4,7 @@ class IssuesController < ApplicationController
 before_filter :authenticate_user!
 load_and_authorize_resource :project, :except => NON_RESTFUL_ACTION
- load_and_authorize_resource :issue, :through => :project, :find_by => :serial_id, :only => [:show, :edit, :update, :destroy]
+ load_and_authorize_resource :issue, :through => :project, :find_by => :serial_id, :only => [:show, :edit, :update, :destroy, :new, :create]
 before_filter :load_and_authorize_label, :only => NON_RESTFUL_ACTION
 layout 'application'
@@ -67,8 +67,8 @@ class IssuesController < ApplicationController
 status = 200 if @issue.save
 render action, :status => (status || 500), :layout => false
 else
- @issue.title = params[:issue][:title]
- @issue.body = params[:issue][:body]
+ @issue.title = params[:issue][:title] if params[:issue][:title]
+ @issue.body = params[:issue][:body] if params[:issue][:body]
 status = 200 if @issue.save
 render :nothing => true, :status => (status || 500), :layout => false
 end
diff --git a/spec/controllers/issues_controller_spec.rb b/spec/controllers/issues_controller_spec.rb
index 907bf98fa..eb2579ae6 100644
--- a/spec/controllers/issues_controller_spec.rb
+++ b/spec/controllers/issues_controller_spec.rb
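Review bot: Adding `:new` and `:create` to the `:only` list of the `:issue` `load_and_authorize_resource` closes the gap for issue creation, but nothing on this line records which actions are deliberately left to the `:project` authorization and to `load_and_authorize_label`; a comment would keep the next person from widening or narrowing the list blindly, e.g. `# :issue is authorized per RESTful action; NON_RESTFUL_ACTION label actions are covered by load_and_authorize_label below`. For `:create`, CanCan builds the Issue from `params[:issue]`, so the set of assignable attributes is whatever the Issue model's mass-assignment whitelist allows, which is not visible in this diff; it is worth confirming that ownership and association fields are not assignable there, since the update path below assigns only title and body by hand. The class body continues outside the hunk.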
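Review bot: The new guards on the `@issue.title` and `@issue.body` lines still dereference `params[:issue]` unconditionally, so a request that carries no `issue` hash raises NoMethodError on nil instead of reaching the intended `status || 500` response; hoisting the lookup avoids both the crash and the repeated indexing: `attrs = params[:issue] || {}`, `@issue.title = attrs[:title] if attrs[:title]`, `@issue.body = attrs[:body] if attrs[:body]`. The guard also tests truthiness, so an empty string is still assigned and goes through `@issue.save`; if the model rejects it, the client only sees the bare 500 rendered with `:nothing => true`, which is presumably intentional but worth confirming against the caller. The enclosing method starts before the hunk.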
@@ -27,7 +27,7 @@ end
 shared_examples_for 'user with issue update rights' do
 it 'should be able to perform update action' do
 put :update, {:id => @issue.serial_id}.merge(@update_params)
- response.should redirect_to([@project, @issue])
+ response.code.should eq('200')
 end
 it 'should update issue title' do