Deny access to repository commit author stats for unauthorized users

pull/412/head
Michael Frister 11 years ago committed by Christian Ratz
parent 4e0bd5acc8
commit a9d2520b00
  1. 3
      app/controllers/repositories_controller.rb
  2. 49
      spec/controllers/repositories_controller_spec.rb
  3. 6
      test/functional/repositories_controller_test.rb

@ -211,6 +211,9 @@ class RepositoriesController < ApplicationController
when "commits_per_month"
data = graph_commits_per_month(@repository)
when "commits_per_author"
unless current_user.allowed_to_in_project?(:view_commit_author_statistics, @project)
return deny_access
end
data = graph_commits_per_author(@repository)
end
if data
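Review bot: The guard added to the `commits_per_author` branch is a three-line `unless … end` around a single `return`; the idiomatic Ruby form is the modifier guard clause, `return deny_access unless current_user.allowed_to_in_project?(:view_commit_author_statistics, @project)`, which also keeps that `when` body as short as the `commits_per_month` branch just above it. Because the check sits inside the `case` on the graph name, it protects only this code path; if the per-author data is reachable through any other action or graph name, that path would need the same permission check — I cannot tell from this hunk whether one exists. The enclosing action starts before and ends after the hunk.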

@ -0,0 +1,49 @@
#-- copyright
# OpenProject is a project management system.
#
# Copyright (C) 2012-2013 the OpenProject Team
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License version 3.
#
# See doc/COPYRIGHT.rdoc for more details.
#++
require 'spec_helper'
describe RepositoriesController do
describe 'commits per author graph' do
let(:project) { FactoryGirl.create(:project) }
let(:user) { FactoryGirl.create(:user, :member_in_project => project,
:member_through_role => role) }
let(:repository) { FactoryGirl.create(:repository, :project => project) }
before do
Setting.stub(:enabled_scm).and_return(['Filesystem'])
repository # ensure repository is created after stubbing the setting
User.stub(:current).and_return(user)
get :graph, :id => project.id, :graph => 'commits_per_author'
end
context 'requested by an authorized user' do
let(:role) { FactoryGirl.create(:role, :permissions => [:browse_repository,
:view_commit_author_statistics]) }
it 'should be successful' do
response.should be_success
end
it 'should have the right content type' do
response.content_type.should == 'image/svg+xml'
end
end
context 'requested by an unauthorized user' do
let(:role) { FactoryGirl.create(:role, :permissions => [:browse_repository]) }
it 'should return 403' do
response.code.should == '403'
end
end
end
end
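Review bot: The unauthorized context compares the status as a string, `response.code.should == '403'`, while the authorized context uses the `be_success` matcher; `response.should be_forbidden` is consistent with the other example and gives a clearer failure message. That context would also benefit from asserting that the denied response is not the graph itself, `response.content_type.should_not == 'image/svg+xml'`, so a regression that renders the SVG before the permission check fails on more than the status code. The `:member_through_role => role` in `let(:user)` depends on every context defining `role`; a one-line comment above that `let` noting this would help whoever adds the next context.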

@ -58,12 +58,6 @@ class RepositoriesControllerTest < ActionController::TestCase
assert_equal 'image/svg+xml', @response.content_type
end
def test_graph_commits_per_author
get :graph, :id => 1, :graph => 'commits_per_author'
assert_response :success
assert_equal 'image/svg+xml', @response.content_type
end
def test_committers
@request.session[:user_id] = 2
# add a commit with an unknown user
