Creating a wiki page named "Sidebar" without proper permission raises an exception (#23700).

git-svn-id: http://svn.redmine.org/redmine/trunk@15749 e93f8b46-1217-0410-a6f0-8f06a7374b81
2025-12-19 23:11:12 +00:00 · 2016-08-30 19:21:42 +00:00 · 2016-08-30 19:21:42 +00:00 · 650a64cb00
commit 650a64cb00
parent 0925ce756c
2 changed files with 12 additions and 1 deletions
--- a/app/controllers/wiki_controller.rb
+++ b/app/controllers/wiki_controller.rb
@ -62,10 +62,12 @@ class WikiController < ApplicationController

  def new
    @page = WikiPage.new(:wiki => @wiki, :title => params[:title])
-    unless User.current.allowed_to?(:edit_wiki_pages, @project) && editable?
+    unless User.current.allowed_to?(:edit_wiki_pages, @project)
      render_403
+      return
    end
    if request.post?
+      @page.title = '' unless editable?
      @page.validate
      if @page.errors[:title].blank?
        path = project_wiki_page_path(@project, @page.title)
--- a/test/functional/wiki_controller_test.rb
+++ b/test/functional/wiki_controller_test.rb
@ -216,6 +216,15 @@ class WikiControllerTest < Redmine::ControllerTest
    assert_select_error 'Title has already been taken'
  end

+  def test_post_new_with_protected_title_should_display_errors
+    Role.find(1).remove_permission!(:protect_wiki_pages)
+    @request.session[:user_id] = 2
+
+    post :new, :params => {:project_id => 'ecookbook', :title => 'Sidebar'}
+    assert_response :success
+    assert_select_error /Title/
+  end
+
  def test_post_new_xhr_with_invalid_title_should_display_errors
    @request.session[:user_id] = 2