#1251 folder.project != project

2021-05-11 10:24:56 +02:00 · 2021-05-11 10:24:56 +02:00 · 2ac1ae2a1d
commit 2ac1ae2a1d
parent cc454515dc
2 changed files with 6 additions and 3 deletions
--- a/app/controllers/dmsf_controller.rb
+++ b/app/controllers/dmsf_controller.rb
@ -47,7 +47,11 @@ class DmsfController < ApplicationController
  include DmsfQueriesHelper

  def permissions
-    render_403 unless DmsfFolder.permissions?(@folder, false)
+    if !DmsfFolder.permissions?(@folder, false)
+      render_403
+    elsif(@folder && (@folder.project != @project))
+      render_404
+    end
    true
  end

--- a/test/functional/dmsf_controller_test.rb
+++ b/test/functional/dmsf_controller_test.rb
@ -250,10 +250,9 @@ class DmsfControllerTest < RedmineDmsf::Test::TestCase
  end

  def test_show_folder_doesnt_correspond_the_project
-    # Despite the fact that project != @folder3.project
    assert @project1 != @folder3.project
    get :show, params: { id: @project1.id, folder_id: @folder3.id }
-    assert_response :success
+    assert_response :not_found
  end

  def test_new_forbidden