From 4242d030f2c5574a140d38aa3d0ba5eb79f06656 Mon Sep 17 00:00:00 2001 From: Sebastian Schuster Date: Wed, 24 Apr 2013 14:19:48 +0200 Subject: [PATCH] Added before filter for version_controller patch to only allow setting of column in backlogs if the current project is not the version project (as is the case in shared versions) --- .../patches/version_controller_patch.rb | 15 +++++++ spec/controllers/versions_controller.rb | 40 +++++++++++++++++++ 2 files changed, 55 insertions(+) create mode 100644 spec/controllers/versions_controller.rb diff --git a/lib/open_project/backlogs/patches/version_controller_patch.rb b/lib/open_project/backlogs/patches/version_controller_patch.rb index bf566c6218..a66bd2ca64 100644 --- a/lib/open_project/backlogs/patches/version_controller_patch.rb +++ b/lib/open_project/backlogs/patches/version_controller_patch.rb @@ -15,6 +15,21 @@ module OpenProject::Backlogs::Patches::VersionsControllerPatch before_filter :add_project_to_version_settings_attributes, :only => [:update, :create] + before_filter :whitelist_update_params, :only => :update + + def whitelist_update_params + if @project != @version.project + #make sure only the version_settings_attributes (column=left|right|none) can be stored when + #current project does not equal the version project (which is valid in inherited versions) + if params[:version] and params[:version][:version_settings_attributes] + params[:version] = { :version_settings_attributes => params[:version][:version_settings_attributes] } + else + params[:version] = {} + end + end + end + + def find_project_and_version find_model_object if params[:project_id] diff --git a/spec/controllers/versions_controller.rb b/spec/controllers/versions_controller.rb new file mode 100644 index 0000000000..5b1607b039 --- /dev/null +++ b/spec/controllers/versions_controller.rb 
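Review bot: The filter keeps `params[:version][:version_settings_attributes]` wholesale, so the comment's promise that only `column=left|right|none` can be stored is not actually enforced here — every key the nested association accepts (an `id` or `project_id` supplied by the client, for instance) passes through untouched; consider slicing each entry down to `column` (plus whatever `add_project_to_version_settings_attributes` relies on) before reassigning `params[:version]`. `params[:version]` is also only tested for presence, so a non-hash value such as `version=x` raises `TypeError` on the nested lookup instead of being rejected; `if params[:version].is_a?(Hash) && params[:version][:version_settings_attributes]` closes that and drops the low-precedence `and`. The guard assumes `@project` and `@version` have already been set by `find_project_and_version`, whose registration is not in this hunk; the filter order should be confirmed, since with `@version` unset the comparison raises rather than denying. `find_project_and_version`'s body continues outside the hunk.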
@@ -0,0 +1,40 @@
+require 'spec_helper'
+
+describe VersionsController do
+ before do
+ @controller.stub!(:authorize)
+
+#create a version assigned to a project
+ @version = FactoryGirl.create(:version)
+ @oldVersionName = @version.name
+ @newVersionName = "NewVersionName"
+#create another project
+ @project = FactoryGirl.create(:project)
+#todo is this necessary?
+# @project.reload
+#create params to update version
+ @params = {}
+ @params[:id] = @version.id
+ @params[:version] = { :name => @newVersionName }
+ end
+
+ describe 'update' do
+ it 'does not allow to update versions from different projects' do
+ @params[:project_id] = @project.id
+ put 'update', @params
+ @version.reload
+
+ response.should redirect_to :controller => '/projects', :action => 'settings', :tab => 'versions', :id => @project
+ @version.name.should == @oldVersionName
+ end
+
+ it 'allows to update versions from the version project' do
+ @params[:project_id] = @version.project.id
+ put 'update', @params
+ @version.reload
+
+ response.should redirect_to :controller => '/projects', :action => 'settings', :tab => 'versions', :id => @version.project
+ @version.name.should == @newVersionName
+ end
+ end
+end
\ No newline at end of file
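Review bot: The new spec is created at `spec/controllers/versions_controller.rb`, which RSpec's default `*_spec.rb` pattern will not load, so neither example runs under the usual `rake spec`; rename it to `versions_controller_spec.rb`. Coverage is also one-sided: both examples only check `name`, but nothing asserts that `version_settings_attributes` survives the whitelist when `project_id` is a different project, which is the behaviour the filter exists to allow — an example posting `{ :version_settings_attributes => ... }` from `@project` and checking the stored setting would pin it. The camelCase instance variables (`@oldVersionName`, `@newVersionName`), the `#todo is this necessary?` note and the commented-out `@project.reload` should be cleaned up before merge.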