From a37d10f57ac61452a796a4f51c918028882070b5 Mon Sep 17 00:00:00 2001
From: Reinier Balt
Date: Wed, 18 Jul 2012 12:26:46 +0200
Subject: [PATCH] fix #1314. Fixed security issue too

---
 app/controllers/todos_controller.rb | 4 ++--
 test/functional/todos_controller_test.rb | 15 +++++++++++++++
 2 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/app/controllers/todos_controller.rb b/app/controllers/todos_controller.rb
index 852c5d41..3f3c7f65 100644
--- a/app/controllers/todos_controller.rb
+++ b/app/controllers/todos_controller.rb
@@ -454,9 +454,9 @@ class TodosController < ApplicationController
   def change_context
     # change context if you drag a todo to another context
-    @todo = Todo.find_by_id(params[:id])
+    @todo = current_user.todos.find_by_id(params[:id])
     @original_item_context_id = @todo.context_id
-    @context = Context.find_by_id(params[:todo][:context_id])
+    @context = current_user.contexts.find_by_id(params[:todo][:context_id])
     @todo.context = @context
     @saved = @todo.save
diff --git a/test/functional/todos_controller_test.rb b/test/functional/todos_controller_test.rb
index 112d8cfe..ec36eb76 100644
--- a/test/functional/todos_controller_test.rb
+++ b/test/functional/todos_controller_test.rb
@@ -368,6 +368,21 @@ class TodosControllerTest < ActionController::TestCase
     assert todo.reload().active?, "todo should be active"
   end
+  def test_change_context_of_todo
+    # called by dragging a todo to another context container
+    login_as(:admin_user)
+    todo = users(:admin_user).todos.active.first
+    context = users(:admin_user).contexts.first
+    assert_not_equal todo.context.id, context.id
+    xhr :post, :change_context, :id => todo.id, :todo=>{:context_id => context.id}, :_source_view=>"todo"
+    assert assigns['context_changed'], "context should have changed"
+    assert_equal todo.id, assigns['todo'].id, 'correct todo should have been found'
+    assert_equal context.id, todo.reload.context.id, 'context of todo should be changed'
+  end
 #######
 # feeds
 #######
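Review bot: Scoping the lookups to `current_user.todos` and `current_user.contexts` closes the cross-user access, but `find_by_id` returns nil for an id the user does not own, so the very next line `@original_item_context_id = @todo.context_id` raises NoMethodError and a rejected request surfaces as a 500 instead of a not-found response; a nil `@context` is likewise assigned and saved without any check. Use `@todo = current_user.todos.find(params[:id])` and `@context = current_user.contexts.find(params[:todo][:context_id])` so that ActiveRecord::RecordNotFound is raised and handled by the framework's not-found path, or guard both results explicitly before touching them. The body of change_context continues past the end of the hunk, so any later handling of a nil `@todo` is not visible here.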
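Review bot: test_change_context_of_todo only covers the happy path; nothing in the new test pins the security fix this commit makes, namely that a todo or context id belonging to another user is not found and not changed. A second functional test that logs in as :admin_user, posts the id of another user's todo, and asserts after `reload` that its context_id is unchanged would guard against the scoping regressing. With the controller as patched, that request raises NoMethodError on the nil todo, so the test will error rather than reach its assertion until change_context handles a missing record explicitly. The fixture name for the other user is not visible in this diff and is left as a placeholder below.
```ruby
  # … unchanged: test_change_context_of_todo …
  def test_change_context_rejects_todo_of_other_user
    login_as(:admin_user)
    # OTHER_USER_FIXTURE is a placeholder: substitute a fixture user that is not :admin_user
    foreign_todo = users(:OTHER_USER_FIXTURE).todos.active.first
    context = users(:admin_user).contexts.first
    original_context_id = foreign_todo.context_id

    xhr :post, :change_context, :id => foreign_todo.id, :todo => {:context_id => context.id}, :_source_view => "todo"
    assert_equal original_context_id, foreign_todo.reload.context_id, 'todo of another user must not be changed'
  end
```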