diff --git a/app/controllers/activities_controller.rb b/app/controllers/activities_controller.rb
index f82f0110a..a9650a6f0 100644
--- a/app/controllers/activities_controller.rb
+++ b/app/controllers/activities_controller.rb
@@ -17,7 +17,7 @@ class ActivitiesController < ApplicationController menu_item :activity - before_action :find_optional_project + before_action :find_optional_project_by_id, :authorize_global accept_rss_auth :index def index
@@ -76,15 +76,4 @@ class ActivitiesController < ApplicationController rescue ActiveRecord::RecordNotFound render_404 end - - private - - # TODO: refactor, duplicated in projects_controller - def find_optional_project - return true unless params[:id] - @project = Project.find(params[:id]) - authorize - rescue ActiveRecord::RecordNotFound - render_404 - end end
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 1d42901f0..1b5a74da2 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -285,8 +285,16 @@ class ApplicationController < ActionController::Base render_404 end + # Find project of id params[:id] if present + def find_optional_project_by_id + if params[:id].present? + @project = Project.find(params[:id]) + end + rescue ActiveRecord::RecordNotFound + render_404 + end + # Find a project based on params[:project_id] - # TODO: some subclasses override this, see about merging their logic def find_optional_project @project = Project.find(params[:project_id]) unless params[:project_id].blank? allowed = User.current.allowed_to?({:controller => params[:controller], :action => params[:action]}, @project, :global => true)
diff --git a/app/controllers/search_controller.rb b/app/controllers/search_controller.rb
index 36bae860a..2887db9a3 100644
--- a/app/controllers/search_controller.rb
+++ b/app/controllers/search_controller.rb
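Review bot: The `:authorize_global` entry on the new `before_action` line is now the only access check on the activity page, and the helper removed in the second hunk of this file returned `true` without any check when no `id` was given, so the project-less path is gated for the first time; yet nothing in this diff tests ActivitiesController, the test changes cover SearchController only. Add a functional test that requests `get :index` with no `id` and with the id of an archived project and asserts the expected statuses, so that the order `find_optional_project_by_id` before `authorize_global` (the former must set `@project` before the latter reads it) is pinned rather than assumed. Whether the public permission behind `activities#index` still admits anonymous users to the global page cannot be seen from this hunk; such a test would settle it.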
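Review bot: `find_optional_project_by_id` only loads the record and performs no authorization, unlike the sibling `find_optional_project` directly below it, which calls `User.current.allowed_to?` itself, so a controller that registers the new helper without also listing `:authorize_global` or `:authorize` would expose an unchecked `@project`; the comment should state that contract: `# Find project of id params[:id] if present. Performs no access check: pair with :authorize or :authorize_global.`. Note also that `params[:id].present?` lets a blank `id` fall through to the project-less view, whereas the deleted per-controller helpers handed it to `Project.find` and answered 404; if that is intended, say so in the same comment. The body of `find_optional_project` continues past the end of the hunk.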
@@ -16,7 +16,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. class SearchController < ApplicationController - before_action :find_optional_project + before_action :find_optional_project_by_id, :authorize_global accept_api_auth :index def index
@@ -87,13 +87,4 @@ class SearchController < ApplicationController format.api { @results ||= []; render :layout => false } end end - -private - def find_optional_project - return true unless params[:id] - @project = Project.find(params[:id]) - check_project_privacy - rescue ActiveRecord::RecordNotFound - render_404 - end end
diff --git a/test/functional/search_controller_test.rb b/test/functional/search_controller_test.rb
index 97075ea66..aace89a81 100644
--- a/test/functional/search_controller_test.rb
+++ b/test/functional/search_controller_test.rb
@@ -42,10 +42,10 @@ class SearchControllerTest < Redmine::ControllerTest assert_select '#search-results dt.project a', :text => /eCookbook/ end - def test_search_on_archived_project_should_return_404 + def test_search_on_archived_project_should_return_403 Project.find(3).archive get :index, :params => {:id => 3} - assert_response 404 + assert_response 403 end def test_search_on_invisible_project_by_user_should_be_denied
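Review bot: The renamed test pins 403 only for the fixture project it archives and says nothing about a private archived project: the `check_project_privacy` path removed from SearchController in the hunk above answered 404 for any archived project before looking at visibility, while `authorize_global` presumably reaches `authorize`, whose archived branch renders 403 with the archived-project notice, so a non-member may now learn that a private archived project exists where the old code revealed nothing. Add a sibling test that makes the project private before archiving it, e.g. `Project.find(3).update_column(:is_public, false)` ahead of the existing `Project.find(3).archive`, and asserts the status the team actually wants for a non-member, so the change in what is disclosed becomes a deliberate decision rather than a side effect of the refactor. `authorize` is not part of this diff, so the 403-for-archived behaviour is inferred from the new expectation here, not verified.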