fix #1314. Fixed security issue too

2026-02-12 18:34:22 +01:00 · 2012-07-18 12:26:46 +02:00 · 2012-07-18 12:26:46 +02:00 · a37d10f57a
commit a37d10f57a
parent 881c83292b
2 changed files with 17 additions and 2 deletions
--- a/app/controllers/todos_controller.rb
+++ b/app/controllers/todos_controller.rb
@ -454,9 +454,9 @@ class TodosController < ApplicationController

  def change_context
    # change context if you drag a todo to another context
-    @todo = Todo.find_by_id(params[:id])
+    @todo = current_user.todos.find_by_id(params[:id])
    @original_item_context_id = @todo.context_id
-    @context = Context.find_by_id(params[:todo][:context_id])
+    @context = current_user.contexts.find_by_id(params[:todo][:context_id])
    @todo.context = @context
    @saved = @todo.save

--- a/test/functional/todos_controller_test.rb
+++ b/test/functional/todos_controller_test.rb
@ -368,6 +368,21 @@ class TodosControllerTest < ActionController::TestCase
    assert todo.reload().active?, "todo should be active"
  end

+  def test_change_context_of_todo
+    # called by dragging a todo to another context container
+    login_as(:admin_user)
+    
+    todo = users(:admin_user).todos.active.first
+    context = users(:admin_user).contexts.first
+    
+    assert_not_equal todo.context.id, context.id
+    
+    xhr :post, :change_context, :id => todo.id, :todo=>{:context_id => context.id}, :_source_view=>"todo"
+    assert assigns['context_changed'], "context should have changed"
+    assert_equal todo.id, assigns['todo'].id, 'correct todo should have been found'
+    assert_equal context.id, todo.reload.context.id, 'context of todo should be changed'
+  end
+  
  #######
  # feeds
  #######