From f5f5a5f64f2952340083c1286e0e0e8b35ca2931 Mon Sep 17 00:00:00 2001
From: Eric Davis
Date: Mon, 1 Mar 2010 18:29:18 +0000
Subject: [PATCH] Verify issues are updated by HTTP PUT only.

Regression from r3486.

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@3520 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/controllers/issues_controller.rb | 4 +++-
 test/functional/issues_controller_test.rb | 14 ++++++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/app/controllers/issues_controller.rb b/app/controllers/issues_controller.rb
index 6fd4f25076..7be137e8b1 100644
--- a/app/controllers/issues_controller.rb
+++ b/app/controllers/issues_controller.rb
@@ -50,7 +50,9 @@ class IssuesController < ApplicationController
   verify :method => [:post, :delete],
          :only => :destroy,
          :render => { :nothing => true, :status => :method_not_allowed }
-
+
+  verify :method => :put, :only => :update, :render => {:nothing => true, :status => :method_not_allowed }
+
   def index
     retrieve_query
     sort_init(@query.sort_criteria.empty? ? [['id', 'desc']] : @query.sort_criteria)
diff --git a/test/functional/issues_controller_test.rb b/test/functional/issues_controller_test.rb
index fd9177a458..06f70c0a6e 100644
--- a/test/functional/issues_controller_test.rb
+++ b/test/functional/issues_controller_test.rb
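Review bot: The 405 produced by the new `verify :method => :put, :only => :update` line renders nothing and, as far as the hunk shows, sends no `Allow` header, although a 405 response is supposed to list the methods the resource does accept; `verify` takes an `:add_headers` option for exactly this, e.g. `:add_headers => { 'Allow' => 'PUT' }`, and the existing `destroy` verification just above has the same gap. Stylistically the new declaration also diverges from its neighbour: one long line instead of the three-line layout, and `{:nothing` without the inner spaces, so matching the existing layout would keep the two checks readable side by side. The enclosing `IssuesController` class continues outside the hunk, so whether this `verify` runs before or after the controller's authorization filters cannot be confirmed from here.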
@@ -657,6 +657,20 @@ class IssuesControllerTest < ActionController::TestCase assert_select_rjs :show, "update" end + def test_update_using_invalid_http_verbs + @request.session[:user_id] = 2 + subject = 'Updated by an invalid http verb' + + get :update, :id => 1, :issue => {:subject => subject} + assert_not_equal subject, Issue.find(1).subject + + post :update, :id => 1, :issue => {:subject => subject} + assert_not_equal subject, Issue.find(1).subject + + delete :update, :id => 1, :issue => {:subject => subject} + assert_not_equal subject, Issue.find(1).subject + end + def test_put_update_without_custom_fields_param @request.session[:user_id] = 2 ActionMailer::Base.deliveries.clear
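Review bot: `test_update_using_invalid_http_verbs` only asserts that the subject was left unchanged and never checks the response, so a regression that redirected or re-rendered the form without saving would still pass. Add `assert_response :method_not_allowed` after each of the `get`, `post` and `delete` calls so the test pins the 405 contract the controller is configured to send and not just the absence of a side effect. It would also help to confirm the positive path in the same test, or to note that `test_put_update_without_custom_fields_param` below covers the `put` case, so the verb check is exercised from both sides. The test class continues outside the hunk.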