fix #1194 by checking the project_id and context_id

app/controllers/todos_controller.rb

@@ -74,6 +74,9 @@ class TodosController < ApplicationController
         project = current_user.projects.find_or_create_by_name(p.project_name)
         @new_project_created = project.new_record_before_save?
         @todo.project_id = project.id
+      elsif !p.project_id.nil?
+        project = current_user.projects.find_by_id(p.project_id)
+        @todo.errors.add(:project, "unknown") if project.nil?
       end
 
       if p.context_specified_by_name?
@@ -81,15 +84,20 @@ class TodosController < ApplicationController
         @new_context_created = context.new_record_before_save?
         @not_done_todos = [@todo] if @new_context_created
         @todo.context_id = context.id
+      elsif !p.context_id.nil?
+        context = current_user.contexts.find_by_id(p.context_id)
+        @todo.errors.add(:context, "unknown") if context.nil?
       end
 
-      @todo.starred= (params[:new_todo_starred]||"").include? "true"
+      if @saved
+        @todo.starred= (params[:new_todo_starred]||"").include? "true"
 
-      @todo.add_predecessor_list(predecessor_list)
+        @todo.add_predecessor_list(predecessor_list)
 
-      # Fix for #977 because AASM overrides @state on creation
-      specified_state = @todo.state
-      @saved = @todo.save
+        # Fix for #977 because AASM overrides @state on creation
+        specified_state = @todo.state
+        @saved = @todo.save
+      end
 
       @todo.update_state_from_project if @saved
 
@@ -1457,10 +1465,18 @@ class TodosController < ApplicationController
       @params['project_name'].strip unless @params['project_name'].nil?
     end
 
+    def project_id
+      @attributes['project_id']
+    end
+
     def context_name
       @params['context_name'].strip unless @params['context_name'].nil?
     end
 
+    def context_id
+      @attributes['context_id']
+    end
+
     def tag_list
       @params['todo_tag_list']
     end

test/integration/todo_xml_api_test.rb

@@ -3,18 +3,18 @@ require 'todos_controller'
 
 class TodoXmlApiTest < ActionController::IntegrationTest
   fixtures :users, :contexts, :preferences, :todos
-  
+
   def setup
     assert_test_environment_ok
     @user = users(:other_user)
     @password = 'sesame'
   end
-  
+
   def test_get_tickler_succeeds
     authenticated_get_xml "/tickler", @user.login, @password, {}
     assert_response 200
   end
-  
+
   def test_get_tickler_needs_authentication
     get '/tickler.xml', {}, {}
     assert_response 401
@@ -22,16 +22,32 @@ class TodoXmlApiTest < ActionController::IntegrationTest
     get "/tickler", {}, {'AUTHORIZATION' => "Basic " + Base64.encode64("wrong:wrong"),'ACCEPT' => 'application/xml'}
     assert_response 401
   end
-  
+
   def test_get_tickler_returns_all_deferred_todos
     number = @user.todos.deferred.count
     authenticated_get_xml "/tickler", @user.login, @password, {}
     assert_tag :tag => "todos", :children => { :count => number, :only => { :tag => "todo" } }
   end
-  
+
   def test_get_tickler_omits_user_id
     authenticated_get_xml "/tickler", @user.login, @password, {}
     assert_no_tag :tag => "user_id"
   end
-  
+
+  def test_post_create_todo_with_wrong_project_and_context_id
+    authenticated_post_xml_to_todo_create "<todo><description>this will fail</description><context_id type='integer'>-16</context_id><project_id type='integer'>-11</project_id></todo>"
+    assert_response 422
+  end
+
+  private
+
+  def authenticated_post_xml_to_todo_create(postdata = @@valid_postdata, user = users(:other_user).login, password = 'sesame')
+    authenticated_post_xml "/todos", user, password, postdata
+    assert_xml_select 'errors' do
+      assert_select 'error', 2, 'Project unknown'
+      assert_select 'error', 2, 'Context unknown'
+    end
+
+  end
+
 end