meineerde/redmine
1
0
Fork 0
mirror of https://github.com/meineerde/redmine.git synced 2025-12-19 15:01:14 +00:00
Code Issues Releases Wiki Activity

Use regular #authorize method.

Browse Source 
git-svn-id: http://svn.redmine.org/redmine/trunk@16724 e93f8b46-1217-0410-a6f0-8f06a7374b81
This commit is contained in:
Jean-Philippe Lang 2017-06-26 20:41:12 +00:00
parent 339a6212ef
commit e7c0e16a3f
4 changed files with 13 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
app/controllers/activities_controller.rb
View File

@ -17,7 +17,7 @@
class ActivitiesController < ApplicationController class ActivitiesController < ApplicationController
menu_item :activity menu_item :activity
before_action :find_optional_project before_action :find_optional_project_by_id, :authorize_global
accept_rss_auth :index accept_rss_auth :index
def index def index
@ -76,15 +76,4 @@ class ActivitiesController < ApplicationController
rescue ActiveRecord::RecordNotFound rescue ActiveRecord::RecordNotFound
render_404 render_404
end end
private
# TODO: refactor, duplicated in projects_controller
def find_optional_project
return true unless params[:id]
@project = Project.find(params[:id])
authorize
rescue ActiveRecord::RecordNotFound
render_404
end
end end

10
app/controllers/application_controller.rb
View File

@ -285,8 +285,16 @@ class ApplicationController < ActionController::Base
render_404 render_404
end end
# Find project of id params[:id] if present
def find_optional_project_by_id
if params[:id].present?
@project = Project.find(params[:id])
end
rescue ActiveRecord::RecordNotFound
render_404
end
# Find a project based on params[:project_id] # Find a project based on params[:project_id]
# TODO: some subclasses override this, see about merging their logic
def find_optional_project def find_optional_project
@project = Project.find(params[:project_id]) unless params[:project_id].blank? @project = Project.find(params[:project_id]) unless params[:project_id].blank?
allowed = User.current.allowed_to?({:controller => params[:controller], :action => params[:action]}, @project, :global => true) allowed = User.current.allowed_to?({:controller => params[:controller], :action => params[:action]}, @project, :global => true)

11
app/controllers/search_controller.rb
View File

@ -16,7 +16,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
class SearchController < ApplicationController class SearchController < ApplicationController
before_action :find_optional_project before_action :find_optional_project_by_id, :authorize_global
accept_api_auth :index accept_api_auth :index
def index def index
@ -87,13 +87,4 @@ class SearchController < ApplicationController
format.api { @results ||= []; render :layout => false } format.api { @results ||= []; render :layout => false }
end end
end end
private
def find_optional_project
return true unless params[:id]
@project = Project.find(params[:id])
check_project_privacy
rescue ActiveRecord::RecordNotFound
render_404
end
end end

4
test/functional/search_controller_test.rb
View File

@ -42,10 +42,10 @@ class SearchControllerTest < Redmine::ControllerTest
assert_select '#search-results dt.project a', :text => /eCookbook/ assert_select '#search-results dt.project a', :text => /eCookbook/
end end
def test_search_on_archived_project_should_return_404 def test_search_on_archived_project_should_return_403
Project.find(3).archive Project.find(3).archive
get :index, :params => {:id => 3} get :index, :params => {:id => 3}
assert_response 404 assert_response 403
end end
def test_search_on_invisible_project_by_user_should_be_denied def test_search_on_invisible_project_by_user_should_be_denied