From e7c0e16a3ff68681cb475fa382d843c0977a7c09 Mon Sep 17 00:00:00 2001
From: Jean-Philippe Lang
Date: Mon, 26 Jun 2017 20:41:12 +0000
Subject: [PATCH] Use regular #authorize method.

git-svn-id: http://svn.redmine.org/redmine/trunk@16724 e93f8b46-1217-0410-a6f0-8f06a7374b81

---
 app/controllers/activities_controller.rb | 13 +------------
 app/controllers/application_controller.rb | 10 +++++++++-
 app/controllers/search_controller.rb | 11 +---------
 test/functional/search_controller_test.rb | 4 ++--
 4 files changed, 13 insertions(+), 25 deletions(-)

diff --git a/app/controllers/activities_controller.rb b/app/controllers/activities_controller.rb
index f82f0110a..a9650a6f0 100644
--- a/app/controllers/activities_controller.rb
+++ b/app/controllers/activities_controller.rb
@@ -17,7 +17,7 @@ class ActivitiesController < ApplicationController
 menu_item :activity
- before_action :find_optional_project
+ before_action :find_optional_project_by_id, :authorize_global
 accept_rss_auth :index
 def index
@@ -76,15 +76,4 @@ class ActivitiesController < ApplicationController
 rescue ActiveRecord::RecordNotFound
 render_404
 end
-
- private
-
- # TODO: refactor, duplicated in projects_controller
- def find_optional_project
- return true unless params[:id]
- @project = Project.find(params[:id])
- authorize
- rescue ActiveRecord::RecordNotFound
- render_404
- end
 end
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 1d42901f0..1b5a74da2 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
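Review bot: The new `before_action :find_optional_project_by_id, :authorize_global` line is order-dependent and nothing records that: `authorize_global` presumably authorizes against the `@project` the preceding filter sets, so listing the two filters the other way round would check a global permission while `params[:id]` names a specific project. A comment on the declaration, `# order matters: @project must be loaded before authorize_global checks it`, would make the dependency explicit. SearchController gets the identical line in this patch and the same comment applies there. The TODO removed in the second hunk names projects_controller as holding the same duplicated lookup; that file is not in this patch, so it is worth confirming whether it can use the shared helper as well.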
@@ -285,8 +285,16 @@ class ApplicationController < ActionController::Base
 render_404
 end
+ # Find project of id params[:id] if present
+ def find_optional_project_by_id
+ if params[:id].present?
+ @project = Project.find(params[:id])
+ end
+ rescue ActiveRecord::RecordNotFound
+ render_404
+ end
+
 # Find a project based on params[:project_id]
- # TODO: some subclasses override this, see about merging their logic
 def find_optional_project
 @project = Project.find(params[:project_id]) unless params[:project_id].blank?
 allowed = User.current.allowed_to?({:controller => params[:controller], :action => params[:action]}, @project, :global => true)
diff --git a/app/controllers/search_controller.rb b/app/controllers/search_controller.rb
index 36bae860a..2887db9a3 100644
--- a/app/controllers/search_controller.rb
+++ b/app/controllers/search_controller.rb
@@ -16,7 +16,7 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 class SearchController < ApplicationController
- before_action :find_optional_project
+ before_action :find_optional_project_by_id, :authorize_global
 accept_api_auth :index
 def index
@@ -87,13 +87,4 @@ class SearchController < ApplicationController
 format.api { @results ||= []; render :layout => false }
 end
 end
-
-private
- def find_optional_project
- return true unless params[:id]
- @project = Project.find(params[:id])
- check_project_privacy
- rescue ActiveRecord::RecordNotFound
- render_404
- end
 end
diff --git a/test/functional/search_controller_test.rb b/test/functional/search_controller_test.rb
index 97075ea66..aace89a81 100644
--- a/test/functional/search_controller_test.rb
+++ b/test/functional/search_controller_test.rb
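Review bot: `find_optional_project_by_id` loads the project but performs no access check, unlike `find_optional_project` just below it, which runs `User.current.allowed_to?` itself; it is safe in this patch only because both controllers that use it chain `:authorize_global` after it, and its comment does not say so. I would extend the comment to `# Find project of id params[:id] if present. Does not authorize: pair it with :authorize or :authorize_global.` so that a controller which later adds this filter on its own does not silently skip access control. The method is complete within the hunk; `find_optional_project` continues past the hunk's end.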
@@ -42,10 +42,10 @@ class SearchControllerTest < Redmine::ControllerTest
 assert_select '#search-results dt.project a', :text => /eCookbook/
 end
- def test_search_on_archived_project_should_return_404
+ def test_search_on_archived_project_should_return_403
 Project.find(3).archive
 get :index, :params => {:id => 3}
- assert_response 404
+ assert_response 403
 end
 def test_search_on_invisible_project_by_user_should_be_denied
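Review bot: The 404-to-403 change for an archived project is pinned only for SearchController, although ActivitiesController received the identical filter change in this patch, and I see no test here that asserts its archived-project response. A mirror of this test against the activities controller (archive project 3, `get :index, :params => {:id => 3}`, `assert_response 403`) would cover it. The new assertion also means an archived project's id is now distinguishable from a nonexistent one by status code; if that is intended, the commit message could say so, since "Use regular #authorize method" does not mention it.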