Add permission check

Author: rbtgr

app/controllers/wiki_redirects_controller.rb

@@ -18,7 +18,7 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 
 class WikiRedirectsController < ApplicationController
-  before_action :find_wiki_redirect
+  before_action :find_wiki_redirect, :authorize
 
   # /projects/{project_id}/wikis/redirects/{id}
   # /projects/project-a/wikis/redirects/222

config/routes.rb

@@ -191,13 +191,11 @@
         match 'preview', :via => [:post, :put, :patch]
         post 'protect'
         post 'add_attachment'
-
       end
       collection do
         get 'export'
         get 'date_index'
         post 'new'
-        # TODO: Move to member
       end
     end
     match 'wiki', :controller => 'wiki', :action => 'show', :via => :get

lib/redmine.rb

@@ -166,7 +166,7 @@
     map.permission :view_wiki_edits, {:wiki => [:history, :diff, :annotate]}, :read => true
     map.permission :export_wiki_pages, {:wiki => [:export]}, :read => true
     map.permission :edit_wiki_pages, :wiki => [:new, :edit, :update, :preview, :add_attachment], :attachments => :upload
-    map.permission :rename_wiki_pages, {:wiki => :rename}, :require => :member
+    map.permission :rename_wiki_pages, {:wiki => :rename, :wiki_redirects => :destroy}, :require => :member
     map.permission :delete_wiki_pages, {:wiki => [:destroy, :destroy_version]}, :require => :member
     map.permission :delete_wiki_pages_attachments, {}
     map.permission :protect_wiki_pages, {:wiki => :protect}, :require => :member

test/functional/wiki_redirects_controller_test.rb

@@ -26,7 +26,8 @@ class WikiRedirectsControllerTest < Redmine::ControllerTest
            :issues, :issue_statuses, :trackers
 
   def setup
-    User.current = User.find(1)
+    User.current = nil
+    @request.session[:user_id] = 1
   end
 
   def test_destroy
@@ -37,6 +38,20 @@ def test_destroy
     delete :destroy, params: { id: wiki_redirect.id, project_id: wiki_page.wiki.project_id, wiki_page_id: wiki_page.id }
 
     # WikiRedirectが消えていること
+    assert_response :success
     assert_not WikiRedirect.where(id: wiki_redirect.id).exists?
   end
+
+  def test_destroy_without_permission
+    @request.session[:user_id] = User.generate!.id
+
+    wiki_page = WikiPage.find(2)
+
+    wiki_redirect = WikiRedirect.create!(wiki_id: 1, title: 'Test', redirects_to: wiki_page.title, redirects_to_wiki_id: 1)
+
+    delete :destroy, params: { id: wiki_redirect.id, project_id: wiki_page.wiki.project_id, wiki_page_id: wiki_page.id }
+
+    assert_response :forbidden
+    assert WikiRedirect.where(id: wiki_redirect.id).exists?
+  end
 end