diff --git a/app/controllers/dmsf_controller.rb b/app/controllers/dmsf_controller.rb
index f544efb1..69363975 100644
--- a/app/controllers/dmsf_controller.rb
+++ b/app/controllers/dmsf_controller.rb
@@ -546,7 +546,7 @@ class DmsfController < ApplicationController
end
def find_folder
- @folder = DmsfFolder.find params[:folder_id] if params[:folder_id].present?
+ @folder = DmsfFolder.find_by!(id: params[:folder_id], project_id: @project.id) if params[:folder_id].present?
rescue DmsfAccessError
render_403
rescue ActiveRecord::RecordNotFound
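Review bot: Switching from `find` to `find_by!` on the added line changes how an oversized `folder_id` fails: on Rails versions where an out-of-range integer in a query condition raises `ActiveModel::RangeError`, `find` converts it to `RecordNotFound` but `find_by!` does not, so neither rescue clause here would catch it and the request would end in a 500 instead of a 404. The API test hunk that replaces `folder_id=99999999999` with `folder_id=none` looks like it sidesteps exactly this case. If the supported Rails version behaves that way, widen the handler to `rescue ActiveRecord::RecordNotFound, ActiveModel::RangeError` and keep the numeric case in the test. The line also assumes `@project` was set by an earlier filter, which is not visible here; the body of find_folder continues past the hunk.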
@@ -554,13 +554,10 @@ class DmsfController < ApplicationController
end
def find_folder_by_title
- # find by title has to be scoped to project
- project = Project.find(params[:id])
- @folder = DmsfFolder.find_by(title: params[:folder_title], project_id: project.id) if params[:folder_title].present?
- rescue DmsfAccessError
- render_403
- rescue ActiveRecord::RecordNotFound
- render_404
+ if !@folder && params[:folder_title].present?
+ @folder = DmsfFolder.find_by(title: params[:folder_title], project_id: @project.id)
+ render_404 unless @folder
+ end
end
def find_parent
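Review bot: The new `!@folder` guard makes `folder_id` silently win over `folder_title` when a request carries both, and the deleted comment was the only place that said the title lookup must stay project-scoped; neither rule is documented now. I would put a comment above the `if`, e.g. `# folder_id takes precedence; title lookup must stay scoped to @project`, and the condition reads more plainly as a guard clause, `return if @folder || params[:folder_title].blank?`. find_parent starts on the hunk's last line and its body is not shown, so it is worth confirming that its lookup is restricted to `@project` in the same way.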
diff --git a/test/functional/dmsf_controller_test.rb b/test/functional/dmsf_controller_test.rb
index a8c935fd..d899aa98 100644
--- a/test/functional/dmsf_controller_test.rb
+++ b/test/functional/dmsf_controller_test.rb
@@ -32,6 +32,7 @@ class DmsfControllerTest < RedmineDmsf::Test::TestCase
@project.enable_module! :dmsf
@folder1 = DmsfFolder.find 1
@folder2 = DmsfFolder.find 2
+ @folder3 = DmsfFolder.find 3
@folder4 = DmsfFolder.find 4
@folder7 = DmsfFolder.find 7
@file1 = DmsfFile.find 1
@@ -63,6 +64,7 @@ class DmsfControllerTest < RedmineDmsf::Test::TestCase
assert_kind_of Project, @project
assert_kind_of DmsfFolder, @folder1
assert_kind_of DmsfFolder, @folder2
+ assert_kind_of DmsfFolder, @folder3
assert_kind_of DmsfFolder, @folder4
assert_kind_of DmsfFolder, @folder7
assert_kind_of DmsfFile, @file1
@@ -129,7 +131,7 @@ class DmsfControllerTest < RedmineDmsf::Test::TestCase
def test_delete_ok
# Empty and not locked folder
@role.add_permission! :folder_manipulation
- get :delete, :params => {:id => @project, :folder_id => @folder4.id, :commit => false}
+ get :delete, :params => {:id => @project, :folder_id => @folder1.id, :commit => false}
assert_response :redirect
end
@@ -145,9 +147,9 @@ class DmsfControllerTest < RedmineDmsf::Test::TestCase
# Permissions OK
@request.env['HTTP_REFERER'] = trash_dmsf_path(:id => @project.id)
@role.add_permission! :folder_manipulation
- @folder4.deleted = 1
- @folder4.save
- get :restore, :params => {:id => @project, :folder_id => @folder4.id}
+ @folder1.deleted = 1
+ @folder1.save
+ get :restore, :params => {:id => @project, :folder_id => @folder1.id}
assert_response :redirect
end
@@ -225,6 +227,14 @@ class DmsfControllerTest < RedmineDmsf::Test::TestCase
assert_equal 'text/csv', @response.content_type
end
+ def test_show_folder_doesnt_correspond_the_project
+ @role.add_permission! :view_dmsf_files
+ @role.add_permission! :view_dmsf_folders
+ # project1 X project2.folder3
+ get :show, :params => {:id => @project.id, :folder_id => @folder3.id}
+ assert_response :not_found
+ end
+
def test_new_forbidden
@role.remove_permission! :folder_manipulation
get :new, :params => {:id => @project, :parent_id => nil}
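Review bot: The cross-project rejection is asserted only for `show` in test_show_folder_doesnt_correspond_the_project; the state-changing actions have no equivalent negative test. The test_delete_ok and restore hunks above switch from `@folder4` to `@folder1`, presumably because `@folder4` is not in `@project`, which removes the foreign-folder requests instead of asserting that they are refused. Assuming `delete` and `restore` run the same find_folder filter, sibling tests that send `@folder3.id` to them and expect `:not_found` would pin the fix on the actions that modify data.

```ruby
# … unchanged: test_show_folder_doesnt_correspond_the_project …

def test_delete_folder_doesnt_correspond_the_project
  @role.add_permission! :folder_manipulation
  # project1 X project2.folder3
  get :delete, :params => {:id => @project, :folder_id => @folder3.id, :commit => false}
  assert_response :not_found
end

def test_restore_folder_doesnt_correspond_the_project
  @role.add_permission! :folder_manipulation
  # project1 X project2.folder3
  get :restore, :params => {:id => @project, :folder_id => @folder3.id}
  assert_response :not_found
end
```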
@@ -272,7 +282,7 @@ class DmsfControllerTest < RedmineDmsf::Test::TestCase
:folders => [], :files => [@file1.id], :zipped_content => zip_file_path
}
}
- assert_redirected_to dmsf_folder_path(:id => @project)
+ assert_redirected_to dmsf_folder_path(id: @project)
assert !File.exist?(zip_file_path)
ensure
FileUtils.rm_rf(zip_file_path)
diff --git a/test/integration/rest_api/dmsf_folder_api_test.rb b/test/integration/rest_api/dmsf_folder_api_test.rb
index 7dc436a5..b1ffa1ae 100644
--- a/test/integration/rest_api/dmsf_folder_api_test.rb
+++ b/test/integration/rest_api/dmsf_folder_api_test.rb
@@ -65,7 +65,7 @@ class DmsfFolderApiTest < RedmineDmsf::Test::IntegrationTest
@role.add_permission! :view_dmsf_folders
token = Token.create!(:user => @jsmith, :action => 'api')
#curl -v -H "Content-Type: application/xml" -X GET -u ${1}:${2} http://localhost:3000/dmsf/files/17216.xml
- get "/projects/#{@project1.id}/dmsf.xml?key=#{token.value}"
+ get "/projects/#{@project1.identifier}/dmsf.xml?key=#{token.value}"
assert_response :success
assert_equal 'application/xml', @response.content_type
#
@@ -115,7 +115,7 @@ class DmsfFolderApiTest < RedmineDmsf::Test::IntegrationTest
@role.add_permission! :view_dmsf_folders
token = Token.create!(:user => @jsmith, :action => 'api')
#curl -v -H "Content-Type: application/xml" -X GET -u ${1}:${2} "http://localhost:3000/dmsf/files/17216.xml?limit=1&offset=1"
- get "/projects/#{@project1.id}/dmsf.xml?key=#{token.value}&limit=1&offset=2"
+ get "/projects/#{@project1.identifier}/dmsf.xml?key=#{token.value}&limit=1&offset=2"
assert_response :success
assert_equal 'application/xml', @response.content_type
#
@@ -151,7 +151,7 @@ class DmsfFolderApiTest < RedmineDmsf::Test::IntegrationTest
A folder created via REST API
}
- post "/projects/#{@project1.id}/dmsf/create.xml?key=#{token.value}", :params => payload, :headers => {'CONTENT_TYPE' => 'application/xml'}
+ post "/projects/#{@project1.identifier}/dmsf/create.xml?key=#{token.value}", :params => payload, :headers => {'CONTENT_TYPE' => 'application/xml'}
assert_response :success
#
#
@@ -165,7 +165,7 @@ class DmsfFolderApiTest < RedmineDmsf::Test::IntegrationTest
@role.add_permission! :view_dmsf_folders
token = Token.create!(:user => @jsmith, :action => 'api')
# curl -v -H "Content-Type: application/json" -X GET -H "X-Redmine-API-Key: USERS_API_KEY" http://localhost:3000/projects/1/dmsf.json?folder_title=Updated%20title
- get "/projects/#{@project1.id}/dmsf.xml?key=#{token.value}&folder_title=#{@folder1.title}"
+ get "/projects/#{@project1.identifier}/dmsf.xml?key=#{token.value}&folder_title=#{@folder1.title}"
assert_response :success
assert_equal 'application/xml', @response.content_type
#
@@ -193,7 +193,7 @@ class DmsfFolderApiTest < RedmineDmsf::Test::IntegrationTest
@role.add_permission! :view_dmsf_folders
token = Token.create!(:user => @jsmith, :action => 'api')
# curl -v -H "Content-Type: application/json" -X GET -H "X-Redmine-API-Key: USERS_API_KEY" http://localhost:3000/projects/1/dmsf.json?folder_title=Updated%20title
- get "/projects/#{@project1.id}/dmsf.xml?key=#{token.value}&folder_title=xxx"
+ get "/projects/#{@project1.identifier}/dmsf.xml?key=#{token.value}&folder_title=xxx"
assert_response :not_found
end
@@ -201,7 +201,7 @@ class DmsfFolderApiTest < RedmineDmsf::Test::IntegrationTest
@role.add_permission! :view_dmsf_folders
token = Token.create!(:user => @jsmith, :action => 'api')
# curl -v -H "Content-Type: application/json" -X GET -H "X-Redmine-API-Key: USERS_API_KE" http://localhost:3000/projects/1/dmsf.json?folder_id=3
- get "/projects/#{@project1.id}/dmsf.xml?key=#{token.value}&folder_id=#{@folder1.id}"
+ get "/projects/#{@project1.identifier}/dmsf.xml?key=#{token.value}&folder_id=#{@folder1.id}"
assert_response :success
assert_equal 'application/xml', @response.content_type
#
@@ -229,7 +229,7 @@ class DmsfFolderApiTest < RedmineDmsf::Test::IntegrationTest
@role.add_permission! :view_dmsf_folders
token = Token.create!(:user => @jsmith, :action => 'api')
# curl -v -H "Content-Type: application/json" -X GET -H "X-Redmine-API-Key: USERS_API_KE" http://localhost:3000/projects/1/dmsf.json?folder_id=3
- get "/projects/#{@project1.id}/dmsf.xml?key=#{token.value}&folder_id=99999999999"
+ get "/projects/#{@project1.identifier}/dmsf.xml?key=#{token.value}&folder_id=none"
assert_response :not_found
end
@@ -242,7 +242,7 @@ class DmsfFolderApiTest < RedmineDmsf::Test::IntegrationTest
rest_api
A folder updated via REST API
}
- post "/projects/#{@project1.id}/dmsf/save.xml?folder_id=1&key=#{token.value}", :params => payload, :headers => {'CONTENT_TYPE' => 'application/xml'}
+ post "/projects/#{@project1.identifier}/dmsf/save.xml?folder_id=1&key=#{token.value}", :params => payload, :headers => {'CONTENT_TYPE' => 'application/xml'}
assert_response :success
#
#
@@ -257,7 +257,7 @@ class DmsfFolderApiTest < RedmineDmsf::Test::IntegrationTest
@role.add_permission! :folder_manipulation
token = Token.create!(:user => @jsmith, :action => 'api')
# curl -v -H "Content-Type: application/xml" -X DELETE -u ${1}:${2} http://localhost:3000/projects/1/dmsf/delete.xml?folder_id=3
- delete "/projects/#{@project1.id}/dmsf/delete.xml?key=#{token.value}&folder_id=#{@folder1.id}",
+ delete "/projects/#{@project1.identifier}/dmsf/delete.xml?key=#{token.value}&folder_id=#{@folder1.id}",
:headers => {'CONTENT_TYPE' => 'application/xml'}
assert_response :success
@folder1.reload
@@ -268,16 +268,17 @@ class DmsfFolderApiTest < RedmineDmsf::Test::IntegrationTest
def test_delete_folder_no_permission
token = Token.create!(:user => @jsmith, :action => 'api')
# curl -v -H "Content-Type: application/xml" -X DELETE -u ${1}:${2} http://localhost:3000/projects/1/dmsf/delete.xml?folder_id=3
- delete "/projects/#{@project1.id}/dmsf/delete.xml?key=#{token.value}&folder_id=#{@folder1.id}",
+ delete "/projects/#{@project1.identifier}/dmsf/delete.xml?key=#{token.value}&folder_id=#{@folder1.id}",
:headers => {'CONTENT_TYPE' => 'application/xml'}
assert_response :forbidden
end
def test_delete_folder_commit_yes
@role.add_permission! :folder_manipulation
+ assert !@folder1.locked?
token = Token.create!(:user => @jsmith, :action => 'api')
# curl -v -H "Content-Type: application/xml" -X DELETE -u ${1}:${2} http://localhost:3000/projects/1/dmsf/delete.xml?folder_id=3
- delete "/projects/#{@project1.id}/dmsf/delete.xml?key=#{token.value}&folder_id=#{@folder1.id}&commit=yes",
+ delete "/projects/#{@project1.identifier}/dmsf/delete.xml?key=#{token.value}&folder_id=#{@folder1.id}&commit=yes",
:headers => {'CONTENT_TYPE' => 'application/xml'}
assert_response :success
assert_nil DmsfFolder.find_by(id: @folder1.id)
@@ -290,7 +291,7 @@ class DmsfFolderApiTest < RedmineDmsf::Test::IntegrationTest
User.current = @jsmith
token = Token.create!(:user => @jsmith, :action => 'api')
# curl -v -H "Content-Type: application/xml" -X DELETE -u ${1}:${2} http://localhost:3000/projects/1/dmsf/delete.xml?folder_id=3
- delete "/projects/#{@project1.id}/dmsf/delete.xml?key=#{token.value}&folder_id=#{@folder1.id}",
+ delete "/projects/#{@project1.identifier}/dmsf/delete.xml?key=#{token.value}&folder_id=#{@folder1.id}",
:headers => {'CONTENT_TYPE' => 'application/xml'}
assert_response 422
#