From 2ac1ae2a1d51084a0261d2962a148dec73fe9bb6 Mon Sep 17 00:00:00 2001
From: "karel.picman@lbcfree.net"
Date: Tue, 11 May 2021 10:24:56 +0200
Subject: [PATCH] #1251 folder.project != project
---
 app/controllers/dmsf_controller.rb | 6 +++++-
 test/functional/dmsf_controller_test.rb | 3 +--
 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/app/controllers/dmsf_controller.rb b/app/controllers/dmsf_controller.rb
index 7b0b42cd..c1522b81 100644
--- a/app/controllers/dmsf_controller.rb
+++ b/app/controllers/dmsf_controller.rb
@@ -47,7 +47,11 @@ class DmsfController < ApplicationController
 include DmsfQueriesHelper
 def permissions
- render_403 unless DmsfFolder.permissions?(@folder, false)
+ if !DmsfFolder.permissions?(@folder, false)
+ render_403
+ elsif(@folder && (@folder.project != @project))
+ render_404
+ end
 true
 end
diff --git a/test/functional/dmsf_controller_test.rb b/test/functional/dmsf_controller_test.rb
index e5f28903..45e3f4bd 100644
--- a/test/functional/dmsf_controller_test.rb
+++ b/test/functional/dmsf_controller_test.rb
@@ -250,10 +250,9 @@ class DmsfControllerTest < RedmineDmsf::Test::TestCase
 end
 def test_show_folder_doesnt_correspond_the_project
- # Despite the fact that project != @folder3.project
 assert @project1 != @folder3.project
 get :show, params: { id: @project1.id, folder_id: @folder3.id }
- assert_response :success
+ assert_response :not_found
 end
 def test_new_forbidden
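Review bot: In `permissions`, the project check runs only after `DmsfFolder.permissions?` passes, so a `folder_id` belonging to another project answers 403 or 404 depending on the caller's rights on that foreign folder, and the difference in status says something about a folder outside `@project`. Testing the mismatch first gives every out-of-project folder the same answer: `if @folder && @folder.project != @project` with `render_404`, then `elsif !DmsfFolder.permissions?(@folder, false)` with `render_403`. How `@folder` is loaded, and whether other records this controller resolves by id get the same project comparison, is not visible in this hunk. A one-line comment such as `# a folder from another project must not be reachable through this project's URL` would record why the 404 branch exists.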
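Review bot: `test_show_folder_doesnt_correspond_the_project` lands on the 404 branch, so it only pins the case where the user passes the permission check on `@folder3`; a foreign-project folder that fails that check goes through the 403 branch of `permissions` and is not covered. A companion case with a user lacking rights on the folder, asserting the intended status, would keep the two branches from drifting apart. Only `show` is exercised here; whether other actions run the same filter is not visible in this hunk.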