Merge pull request #512 from warpc/511-issues_authorization

[refs #511] add missing issues index action authorization
Vladimir Sharshov 2012-05-31 04:35:04 -07:00
commit fb08dec51f
2 changed files with 29 additions and 2 deletions


@ -4,7 +4,7 @@ class Projects::IssuesController < Projects::BaseController
before_filter :authenticate_user!
skip_before_filter :authenticate_user!, :only => [:index, :show] if APP_CONFIG['anonymous_access']
load_resource :project
load_and_authorize_resource :issue, :through => :project, :find_by => :serial_id, :only => [:show, :edit, :update, :destroy, :new, :create]
load_and_authorize_resource :issue, :through => :project, :find_by => :serial_id, :only => [:show, :edit, :update, :destroy, :new, :create, :index]
before_filter :load_and_authorize_label, :only => NON_RESTFUL_ACTION
layout 'application'
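Review bot: The `:only` list on the changed `load_and_authorize_resource :issue` line is an allowlist, so any action not named in it, or not covered by another filter, runs with no issue-level CanCan check; that is how `index` went unprotected. Consider inverting it so new actions fail closed, e.g. `load_and_authorize_resource :issue, :through => :project, :find_by => :serial_id, :except => NON_RESTFUL_ACTION` (assuming `load_and_authorize_label` authorizes every action in that constant, which is not visible here), and adding CanCan's `check_authorization` as a backstop. Note also that `load_resource :project` only loads the project, so hiding a project's issues depends entirely on the Issue rules in the Ability class. For `index` CanCan checks the class through its parent rather than an instance, so rules written as blocks would presumably not be evaluated; confirm the rules use hash conditions. The controller body continues outside this hunk.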


@ -11,6 +11,12 @@ shared_examples_for 'issue user with project reader rights' do
get :show, :owner_name => @project.owner.uname, :project_name => @project.name, :id => @issue.serial_id
response.should render_template(:show)
end
it 'should be able to perform index action on hidden project' do
@project.update_attribute :visibility, 'hidden'
get :index, :owner_name => @project.owner.uname, :project_name => @project.name
response.should render_template(:index)
end
end
shared_examples_for 'issue user with project writer rights' do
@ -187,7 +193,22 @@ describe Projects::IssuesController do
context 'for guest' do
if APP_CONFIG['anonymous_access']
it_should_behave_like 'issue user with project reader rights'
# it_should_behave_like 'issue user with project reader rights'
it 'should be able to perform index action' do
get :index, :owner_name => @project.owner.uname, :project_name => @project.name
response.should render_template(:index)
end
it 'should be able to perform show action' do
get :show, :owner_name => @project.owner.uname, :project_name => @project.name, :id => @issue.serial_id
response.should render_template(:show)
end
it 'should not be able to perform index action on hidden project' do
@project.update_attribute :visibility, 'hidden'
get :index, :owner_name => @project.owner.uname, :project_name => @project.name
response.should redirect_to(forbidden_path)
end
else
it 'should not be able to perform index action' do
get :index, :owner_name => @project.owner.uname, :project_name => @project.name
@ -198,6 +219,12 @@ describe Projects::IssuesController do
get :show, :owner_name => @project.owner.uname, :project_name => @project.name, :id => @issue.serial_id
response.should redirect_to(new_user_session_path)
end
it 'should not be able to perform index action on hidden project' do
@project.update_attribute :visibility, 'hidden'
get :index, :owner_name => @project.owner.uname, :project_name => @project.name
response.should redirect_to(new_user_session_path)
end
end
it 'should not be able to perform create action' do
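Review bot: In the guest context under `if APP_CONFIG['anonymous_access']`, the hidden-project case is asserted only for `index`; no example shows that an anonymous `get :show` on a hidden project is also refused. A sibling example that sets `@project.update_attribute :visibility, 'hidden'`, requests `:show` with `:id => @issue.serial_id` and expects `response.should redirect_to(forbidden_path)` would cover the other anonymously reachable action. The commented-out `# it_should_behave_like 'issue user with project reader rights'` line should be deleted or replaced with a comment such as `# guests differ from readers: hidden projects must be forbidden`, so the reason for inlining the examples is recorded. The describe block continues outside these hunks.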