Defect #40121 ยป fix_invalid_cross_origin_request_exception.patch
| app/controllers/application_controller.rb | ||
|---|---|---|
| 64 | 64 | |
| 65 | 65 |
rescue_from ::Unauthorized, :with => :deny_access |
| 66 | 66 |
rescue_from ::ActionView::MissingTemplate, :with => :missing_template |
| 67 |
rescue_from ActionController::InvalidCrossOriginRequest, with: :render_unauthorized |
|
| 67 | 68 | |
| 68 | 69 |
include Redmine::Search::Controller |
| 69 | 70 |
include Redmine::MenuManager::MenuController |
| ... | ... | |
| 563 | 564 |
end |
| 564 | 565 |
end |
| 565 | 566 | |
| 567 |
def render_unauthorized |
|
| 568 |
@project = nil |
|
| 569 |
render_error({:message => :notice_not_authorized, :status => 403})
|
|
| 570 |
return false |
|
| 571 |
end |
|
| 572 | ||
| 566 | 573 |
def render_403(options={})
|
| 567 | 574 |
@project = nil |
| 568 | 575 |
render_error({:message => :notice_not_authorized, :status => 403}.merge(options))
|
| test/functional/projects_controller_test.rb | ||
|---|---|---|
| 333 | 333 |
assert_equal 'text/javascript', response.media_type |
| 334 | 334 |
end |
| 335 | 335 | |
| 336 |
def test_requesting_protected_javascript_should_rescue_invalid_cross_origin_request |
|
| 337 |
assert_nothing_raised do |
|
| 338 |
get( |
|
| 339 |
:autocomplete, |
|
| 340 |
:params => {
|
|
| 341 |
:format => 'js' |
|
| 342 |
} |
|
| 343 |
) |
|
| 344 |
assert_response :forbidden |
|
| 345 |
end |
|
| 346 |
end |
|
| 347 | ||
| 336 | 348 |
test "#index by non-admin user with view_time_entries permission should show overall spent time link" do |
| 337 | 349 |
@request.session[:user_id] = 3 |
| 338 | 350 |
get :index |