Skip to content
Permalink
Browse files Browse the repository at this point in the history
Information leak in Atom feed (#21419).
Patch by Jens Krämer.

git-svn-id: http://svn.redmine.org/redmine/trunk@14913 e93f8b46-1217-0410-a6f0-8f06a7374b81
  • Loading branch information
jplang committed Dec 4, 2015
1 parent 12ede7d commit 7e423fb
Show file tree
Hide file tree
Showing 2 changed files with 42 additions and 2 deletions.
2 changes: 1 addition & 1 deletion app/views/journals/index.builder
Expand Up @@ -20,7 +20,7 @@ xml.feed "xmlns" => "http://www.w3.org/2005/Atom" do
end
xml.content "type" => "html" do
xml.text! '<ul>'
details_to_strings(change.details, false).each do |string|
details_to_strings(change.visible_details, false).each do |string|
xml.text! '<li>' + string + '</li>'
end
xml.text! '</ul>'
Expand Down
42 changes: 41 additions & 1 deletion test/functional/journals_controller_test.rb
Expand Up @@ -19,7 +19,7 @@

class JournalsControllerTest < ActionController::TestCase
fixtures :projects, :users, :members, :member_roles, :roles, :issues, :journals, :journal_details, :enabled_modules,
:trackers, :issue_statuses, :enumerations, :custom_fields, :custom_values, :custom_fields_projects
:trackers, :issue_statuses, :enumerations, :custom_fields, :custom_values, :custom_fields_projects, :projects_trackers

def setup
User.current = nil
Expand Down Expand Up @@ -51,6 +51,46 @@ def test_index_should_return_privates_notes_with_permission_only
assert_not_include journal, assigns(:journals)
end

def test_index_should_show_visible_custom_fields_only
Issue.destroy_all
field_attributes = {:field_format => 'string', :is_for_all => true, :is_filter => true, :trackers => Tracker.all}
@fields = []
@fields << (@field1 = IssueCustomField.create!(field_attributes.merge(:name => 'Field 1', :visible => true)))
@fields << (@field2 = IssueCustomField.create!(field_attributes.merge(:name => 'Field 2', :visible => false, :role_ids => [1, 2])))
@fields << (@field3 = IssueCustomField.create!(field_attributes.merge(:name => 'Field 3', :visible => false, :role_ids => [1, 3])))
@issue = Issue.generate!(
:author_id => 1,
:project_id => 1,
:tracker_id => 1,
:custom_field_values => {@field1.id => 'Value0', @field2.id => 'Value1', @field3.id => 'Value2'}
)
@issue.init_journal(User.find(1))
@issue.update_attribute :custom_field_values, {@field1.id => 'NewValue0', @field2.id => 'NewValue1', @field3.id => 'NewValue2'}


user_with_role_on_other_project = User.generate!
User.add_to_project(user_with_role_on_other_project, Project.find(2), Role.find(3))
users_to_test = {
User.find(1) => [@field1, @field2, @field3],
User.find(3) => [@field1, @field2],
user_with_role_on_other_project => [@field1], # should see field1 only on Project 1
User.generate! => [@field1],
User.anonymous => [@field1]
}

users_to_test.each do |user, visible_fields|
get :index, :format => 'atom', :key => user.rss_key
@fields.each_with_index do |field, i|
if visible_fields.include?(field)
assert_select "content[type=html]", { :text => /NewValue#{i}/, :count => 1 }, "User #{user.id} was not able to view #{field.name} in API"
else
assert_select "content[type=html]", { :text => /NewValue#{i}/, :count => 0 }, "User #{user.id} was able to view #{field.name} in API"
end
end
end

end

def test_diff_for_description_change
get :diff, :id => 3, :detail_id => 4
assert_response :success
Expand Down

0 comments on commit 7e423fb

Please sign in to comment.