fix #1194 by checking the project_id and context_id

2025-12-16 23:30:12 +01:00 · 2011-09-10 02:31:53 +02:00 · 2011-09-10 02:31:53 +02:00 · f5cabbf74d
commit f5cabbf74d
parent cdff38995c
2 changed files with 43 additions and 11 deletions
--- a/app/controllers/todos_controller.rb
+++ b/app/controllers/todos_controller.rb
@ -74,6 +74,9 @@ class TodosController < ApplicationController
        project = current_user.projects.find_or_create_by_name(p.project_name)
        @new_project_created = project.new_record_before_save?
        @todo.project_id = project.id
+      elsif !p.project_id.nil?
+        project = current_user.projects.find_by_id(p.project_id)
+        @todo.errors.add(:project, "unknown") if project.nil?
      end

      if p.context_specified_by_name?
@ -81,8 +84,12 @@ class TodosController < ApplicationController
        @new_context_created = context.new_record_before_save?
        @not_done_todos = [@todo] if @new_context_created
        @todo.context_id = context.id
+      elsif !p.context_id.nil?
+        context = current_user.contexts.find_by_id(p.context_id)
+        @todo.errors.add(:context, "unknown") if context.nil?
      end

+      if @saved
        @todo.starred= (params[:new_todo_starred]||"").include? "true"

        @todo.add_predecessor_list(predecessor_list)
@ -90,6 +97,7 @@ class TodosController < ApplicationController
        # Fix for #977 because AASM overrides @state on creation
        specified_state = @todo.state
        @saved = @todo.save
+      end

      @todo.update_state_from_project if @saved

@ -1457,10 +1465,18 @@ class TodosController < ApplicationController
      @params['project_name'].strip unless @params['project_name'].nil?
    end

+    def project_id
+      @attributes['project_id']
+    end
+
    def context_name
      @params['context_name'].strip unless @params['context_name'].nil?
    end

+    def context_id
+      @attributes['context_id']
+    end
+
    def tag_list
      @params['todo_tag_list']
    end
--- a/test/integration/todo_xml_api_test.rb
+++ b/test/integration/todo_xml_api_test.rb
@ -34,4 +34,20 @@ class TodoXmlApiTest < ActionController::IntegrationTest
    assert_no_tag :tag => "user_id"
  end

+  def test_post_create_todo_with_wrong_project_and_context_id
+    authenticated_post_xml_to_todo_create "<todo><description>this will fail</description><context_id type='integer'>-16</context_id><project_id type='integer'>-11</project_id></todo>"
+    assert_response 422
+  end
+
+  private
+
+  def authenticated_post_xml_to_todo_create(postdata = @@valid_postdata, user = users(:other_user).login, password = 'sesame')
+    authenticated_post_xml "/todos", user, password, postdata
+    assert_xml_select 'errors' do
+      assert_select 'error', 2, 'Project unknown'
+      assert_select 'error', 2, 'Context unknown'
+    end
+
+  end
+
 end