summaryrefslogtreecommitdiff
path: root/engines
diff options
context:
space:
mode:
authorelijah <elijah@riseup.net>2014-06-03 01:12:17 -0700
committerelijah <elijah@riseup.net>2014-06-03 01:12:17 -0700
commit366ff2e7f5ecd44aab1cddfd0a7b73ab7b213e85 (patch)
tree90e0a5297565a84689760167c5891fde6c615d23 /engines
parent9f04e4c8e50f1dc5a7ff6f2e58974254731a6bc4 (diff)
tickets: fix bug that allow index of other users
Diffstat (limited to 'engines')
-rw-r--r--engines/support/app/controllers/tickets_controller.rb22
-rw-r--r--engines/support/test/functional/tickets_controller_test.rb15
2 files changed, 26 insertions, 11 deletions
diff --git a/engines/support/app/controllers/tickets_controller.rb b/engines/support/app/controllers/tickets_controller.rb
index fab26f3..1ccbd16 100644
--- a/engines/support/app/controllers/tickets_controller.rb
+++ b/engines/support/app/controllers/tickets_controller.rb
@@ -4,10 +4,10 @@ class TicketsController < ApplicationController
respond_to :html, :json
#has_scope :open, :type => boolean
+ before_filter :fetch_user
before_filter :require_login, :only => [:index]
before_filter :fetch_ticket, except: [:new, :create, :index]
- before_filter :require_ticket_access, except: [:new, :create, :index]
- before_filter :fetch_user
+ before_filter :require_ticket_access, except: [:new, :create]
before_filter :set_title
def new
@@ -129,14 +129,24 @@ class TicketsController < ApplicationController
end
def ticket_access?
- admin? or
- @ticket.created_by.blank? or
- current_user.id == @ticket.created_by
+ admin? or (
+ @ticket &&
+ @ticket.created_by.blank?
+ ) or (
+ @ticket &&
+ @ticket.created_by == current_user.id
+ ) or (
+ @ticket.nil? &&
+ @user &&
+ @user.id == current_user.id
+ )
end
def fetch_user
if params[:user_id]
@user = User.find(params[:user_id])
+ else
+ @user = current_user
end
end
@@ -146,7 +156,7 @@ class TicketsController < ApplicationController
def search_options(params)
params.merge(
:admin_status => params[:user_id] ? 'mine' : 'all',
- :user_id => @user ? @user.id : current_user.id,
+ :user_id => @user.id,
:is_admin => admin?
)
end
diff --git a/engines/support/test/functional/tickets_controller_test.rb b/engines/support/test/functional/tickets_controller_test.rb
index 1d074cc..ebaa3a4 100644
--- a/engines/support/test/functional/tickets_controller_test.rb
+++ b/engines/support/test/functional/tickets_controller_test.rb
@@ -45,8 +45,7 @@ class TicketsControllerTest < ActionController::TestCase
user = find_record :user
ticket = find_record :ticket, :created_by => user.id
get :show, :id => ticket.id
- assert_response :redirect
- assert_redirected_to login_url
+ assert_login_required
end
test "user tickets are visible to creator" do
@@ -57,13 +56,19 @@ class TicketsControllerTest < ActionController::TestCase
assert_response :success
end
- test "other users tickets are not visible" do
+ test "ticket of other user is not visible" do
other_user = find_record :user
ticket = find_record :ticket, :created_by => other_user.id
login
get :show, :id => ticket.id
- assert_response :redirect
- assert_redirected_to home_url
+ assert_access_denied
+ end
+
+ test "ticket list of other user is not visible" do
+ other_user = find_record :user
+ login
+ get :index, :user_id => other_user.id
+ assert_access_denied
end
test "should create unauthenticated ticket" do