From 5c9f914e4a887b631c055af8a79938aae8c53752 Mon Sep 17 00:00:00 2001
From: Alexander Machehin
Date: Wed, 30 May 2012 22:03:07 +0600
Subject: [PATCH] [refs #511] add issue index authorization
---
 app/controllers/projects/issues_controller.rb | 2 +-
 .../projects/issues_controller_spec.rb | 29 ++++++++++++++++++-
 2 files changed, 29 insertions(+), 2 deletions(-)
diff --git a/app/controllers/projects/issues_controller.rb b/app/controllers/projects/issues_controller.rb
index b95743bdd..3d45c71a7 100644
--- a/app/controllers/projects/issues_controller.rb
+++ b/app/controllers/projects/issues_controller.rb
@@ -4,7 +4,7 @@ class Projects::IssuesController < Projects::BaseController
 before_filter :authenticate_user!
 skip_before_filter :authenticate_user!, :only => [:index, :show] if APP_CONFIG['anonymous_access']
 load_resource :project
- load_and_authorize_resource :issue, :through => :project, :find_by => :serial_id, :only => [:show, :edit, :update, :destroy, :new, :create]
+ load_and_authorize_resource :issue, :through => :project, :find_by => :serial_id, :only => [:show, :edit, :update, :destroy, :new, :create, :index]
 before_filter :load_and_authorize_label, :only => NON_RESTFUL_ACTION

 layout 'application'
diff --git a/spec/controllers/projects/issues_controller_spec.rb b/spec/controllers/projects/issues_controller_spec.rb
index 4bb6f59b1..49a6e9b07 100644
--- a/spec/controllers/projects/issues_controller_spec.rb
+++ b/spec/controllers/projects/issues_controller_spec.rb
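Review bot: Adding `:index` to `load_and_authorize_resource` makes CanCan authorize the action against the Issue class with `@project` as parent rather than against a loaded record, so whether the hidden-project refusal in the spec really comes from this line depends on the Issue ability expressing project visibility as a hash condition; as far as I recall of CanCan 1.x, a block-based rule is not consulted for that class-level check and also stops CanCan from loading the collection. The index action body is outside the hunk, so confirm it scopes its own query (e.g. via `accessible_by(current_ability)`) instead of relying on this filter alone — the filter answers "may this user list issues of this project", not "which issues". A short comment on the new line would help the next reader, e.g. `# :index authorizes Issue at class level under @project; the action must still scope the listing`. The `:only` list now also has to be kept in sync with any action added later.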
@@ -11,6 +11,12 @@ shared_examples_for 'issue user with project reader rights' do
 get :show, :owner_name => @project.owner.uname, :project_name => @project.name, :id => @issue.serial_id
 response.should render_template(:show)
 end
+
+ it 'should be able to perform index action on hidden project' do
+ @project.update_attribute :visibility, 'hidden'
+ get :index, :owner_name => @project.owner.uname, :project_name => @project.name
+ response.should render_template(:index)
+ end
 end

 shared_examples_for 'issue user with project writer rights' do
@@ -187,7 +193,22 @@ describe Projects::IssuesController do
 context 'for guest' do
 if APP_CONFIG['anonymous_access']
- it_should_behave_like 'issue user with project reader rights'
+ # it_should_behave_like 'issue user with project reader rights'
+ it 'should be able to perform index action' do
+ get :index, :owner_name => @project.owner.uname, :project_name => @project.name
+ response.should render_template(:index)
+ end
+
+ it 'should be able to perform show action' do
+ get :show, :owner_name => @project.owner.uname, :project_name => @project.name, :id => @issue.serial_id
+ response.should render_template(:show)
+ end
+
+ it 'should not be able to perform index action on hidden project' do
+ @project.update_attribute :visibility, 'hidden'
+ get :index, :owner_name => @project.owner.uname, :project_name => @project.name
+ response.should redirect_to(forbidden_path)
+ end
 else
 it 'should not be able to perform index action' do
 get :index, :owner_name => @project.owner.uname, :project_name => @project.name
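Review bot: The new reader example asserts only `render_template(:index)`, which passes as soon as the filter lets the request through and says nothing about what was listed; add an assertion on the loaded collection, e.g. `assigns(:issues).should include(@issue)` (assuming the action assigns `@issues`), so the example also fails if the hidden-project path renders an empty or over-broad list. `update_attribute` skips validations, so the project is marked hidden regardless of its other attributes — a one-line comment in the example such as `# update_attribute bypasses validation so the project is reliably hidden` would stop someone from swapping it for `update_attributes` and getting a silently non-hidden project.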
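Review bot: The `it_should_behave_like` call is kept as a commented-out line rather than removed, which leaves a dead reference with no explanation; either delete it or replace it with a note on why guests no longer share the reader examples, e.g. `# guests differ from readers only on hidden projects, so the cases are spelled out here`. The index and show examples above the hidden-project one are verbatim copies of the reader group's bodies; a shared example for the visible-project cases plus the single guest-specific refusal would avoid the duplication. The `else` branch continues past the end of the hunk.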
@@ -198,6 +219,12 @@ describe Projects::IssuesController do
 get :show, :owner_name => @project.owner.uname, :project_name => @project.name, :id => @issue.serial_id
 response.should redirect_to(new_user_session_path)
 end
+
+ it 'should not be able to perform index action on hidden project' do
+ @project.update_attribute :visibility, 'hidden'
+ get :index, :owner_name => @project.owner.uname, :project_name => @project.name
+ response.should redirect_to(new_user_session_path)
+ end
 end

 it 'should not be able to perform create action' do
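Review bot: In this branch `before_filter :authenticate_user!` is declared before `load_and_authorize_resource` in the controller, so a guest is redirected to `new_user_session_path` before project visibility is ever consulted; the new hidden-project example therefore exercises authentication, not the authorization this commit adds, and is behaviourally the same as the existing 'should not be able to perform index action' example. It is harmless as a regression guard, but its name overstates what it proves — a comment such as `# authentication runs first, so hidden or not the guest is sent to login` would keep the next reader from looking for authorization coverage here.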