Added before filter for version_controller patch to only allow setting of column in backlogs

if the current project is not the version project (as is the case in shared versions)
pull/6827/head
Sebastian Schuster 12 years ago
parent 3918192190
commit 4242d030f2
  1. 15
      lib/open_project/backlogs/patches/version_controller_patch.rb
  2. 40
      spec/controllers/versions_controller.rb

@ -15,6 +15,21 @@ module OpenProject::Backlogs::Patches::VersionsControllerPatch
before_filter :add_project_to_version_settings_attributes, :only => [:update, :create]
before_filter :whitelist_update_params, :only => :update
def whitelist_update_params
if @project != @version.project
#make sure only the version_settings_attributes (column=left|right|none) can be stored when
#current project does not equal the version project (which is valid in inherited versions)
if params[:version] and params[:version][:version_settings_attributes]
params[:version] = { :version_settings_attributes => params[:version][:version_settings_attributes] }
else
params[:version] = {}
end
end
end
def find_project_and_version
find_model_object
if params[:project_id]
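Review bot: In `whitelist_update_params` the cross-project branch forwards the whole `params[:version][:version_settings_attributes]` value, so the filter limits which top-level key is accepted but not what the nested attributes contain, although the comment promises that only the column setting can be stored. Whether nested keys such as `id`, `project_id` or `_destroy` are honoured depends on the model's nested-attributes configuration and on `add_project_to_version_settings_attributes`, neither of which is visible here, so the nested entries should be narrowed to the column key before they reach the model. Until then I would correct the comment to `# NOTE: version_settings_attributes is passed through unfiltered; nested keys are not restricted to the column setting`. The filter also dereferences `@version.project`, so it presumably relies on an earlier filter having loaded `@version` for `:update`; that ordering is not visible in this hunk and is worth confirming, and `find_project_and_version` continues past the end of the hunk.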

@ -0,0 +1,40 @@
require 'spec_helper'
describe VersionsController do
before do
@controller.stub!(:authorize)
#create a version assigned to a project
@version = FactoryGirl.create(:version)
@oldVersionName = @version.name
@newVersionName = "NewVersionName"
#create another project
@project = FactoryGirl.create(:project)
#todo is this necessary?
# @project.reload
#create params to update version
@params = {}
@params[:id] = @version.id
@params[:version] = { :name => @newVersionName }
end
describe 'update' do
it 'does not allow to update versions from different projects' do
@params[:project_id] = @project.id
put 'update', @params
@version.reload
response.should redirect_to :controller => '/projects', :action => 'settings', :tab => 'versions', :id => @project
@version.name.should == @oldVersionName
end
it 'allows to update versions from the version project' do
@params[:project_id] = @version.project.id
put 'update', @params
@version.reload
response.should redirect_to :controller => '/projects', :action => 'settings', :tab => 'versions', :id => @version.project
@version.name.should == @newVersionName
end
end
end
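Review bot: The file is added as `spec/controllers/versions_controller.rb`, without the `_spec.rb` suffix, so RSpec's default file pattern would not load it and these access-control examples may never run; renaming it to `versions_controller_spec.rb` fixes that unless the project overrides the pattern. The examples also cover only the `:name` attribute: there is no example showing that `version_settings_attributes` sent from the other project is still accepted, which is the path the filter is meant to keep open, nor one showing that other attributes sent alongside it are dropped. Since `@controller.stub!(:authorize)` removes the permission check, a comment such as `# authorize is stubbed: these examples exercise only the param whitelist, not permissions` would make the scope of the spec explicit.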