[refs #194] fix security and tests

2012-03-02 22:52:15 +06:00 · 2012-03-02 22:52:15 +06:00 · 41c0d1e856
parent 2f0981c12f
commit 41c0d1e856
2 changed files with 4 additions and 4 deletions
--- a/app/controllers/issues_controller.rb
+++ b/app/controllers/issues_controller.rb
@ -4,7 +4,7 @@ class IssuesController < ApplicationController
  before_filter :authenticate_user!
  load_and_authorize_resource :project, :except => NON_RESTFUL_ACTION
-  load_and_authorize_resource :issue, :through => :project, :find_by => :serial_id, :only => [:show, :edit, :update, :destroy]
+  load_and_authorize_resource :issue, :through => :project, :find_by => :serial_id, :only => [:show, :edit, :update, :destroy, :new, :create]
  before_filter :load_and_authorize_label, :only => NON_RESTFUL_ACTION
  layout 'application'
@ -67,8 +67,8 @@ class IssuesController < ApplicationController
      status = 200 if @issue.save
      render action, :status => (status || 500), :layout => false
    else
-      @issue.title = params[:issue][:title]
+      @issue.title = params[:issue][:title] if params[:issue][:title]
-      @issue.body = params[:issue][:body]
+      @issue.body = params[:issue][:body] if params[:issue][:body]
      status = 200 if @issue.save
      render :nothing => true, :status => (status || 500), :layout => false
    end
--- a/spec/controllers/issues_controller_spec.rb
+++ b/spec/controllers/issues_controller_spec.rb
@ -27,7 +27,7 @@ end
 shared_examples_for 'user with issue update rights' do
  it 'should be able to perform update action' do
    put :update, {:id => @issue.serial_id}.merge(@update_params)
-    response.should redirect_to([@project, @issue])
+    response.code.should eq('200')
  end
  it 'should update issue title' do