Vote #79618: Fix 403 error while adding new watchers when selected issues in context_menu from different projects - redmineorg-copy202205 - Redmine

編集操作

リンクをコピー

Vote #79618

未完了

Fix 403 error while adding new watchers when selected issues in context_menu from different projects

Admin Redmine さんが3年以上前に追加. 3年以上前に更新.

ステータス:

New

優先度:

通常

担当者:

カテゴリ:

Issues_2

対象バージョン:

Candidate for next minor release_33

開始日:

2022/05/09

期日:

進捗率:

予定工数:

Redmineorg_URL:

https://www.redmine.org/issues/29885

category_id:

version_id:

issue_org_id:

29885

author_id:

159089

assigned_to_id:

comments:

status_id:

tracker_id:

plus1:

affected_version:

closed_on:

affected_version_id:

ステータス-->[New]

引用

説明

Tested issue on trunk;
Steps to reproduce:
1) Select 2 or more issues from different projects
2) Open context menu
3) Select Watchers->New
4) Type some user name
5) In dev tools you will see 403 error;

journals

Can anyone review this patch?
--------------------------------------------------------------------------------
Andrey Lobanov (RedSoft) wrote:
> Can anyone review this patch?

Could you add a test to the patch?
--------------------------------------------------------------------------------
Confirmed the problem.
--------------------------------------------------------------------------------
I'm not able to reproduce the problem in order to review the patch.

I tried from the global issues page and each request made from contextual menu to add watchers to issues from different projects returned 200. Can someone add more detailed steps to reproduce the problem (maybe I do not understand something well)? or a test that fails on the current trunk?
--------------------------------------------------------------------------------
Marius BALTEANU wrote:
> I'm not able to reproduce the problem in order to review the patch.
>
> I tried from the global issues page and each request made from contextual menu to add watchers to issues from different projects returned 200. Can someone add more detailed steps to reproduce the problem (maybe I do not understand something well)? or a test that fails on the current trunk?

In order to reproduce this problem I needed to input a search keyword in "Search for user".
When entering the search keyword, the request parameter is *Parameters: {"object_type"=>"issue", "q"=>""}* .

<pre><code class="erb">

<%= javascript_tag "observeSearchfield('user_search', 'users_for_watcher', '#{ escape_javascript url_for(:controller => 'watchers',
:action => 'autocomplete_for_user',
:object_type => (watchables.present? ? watchables.first.class.name.underscore : nil),
:object_id => (watchables.present? && watchables.size == 1 ? watchables.first.id : nil),
:project_id => @project) }')" %>
</code></pre>

If there are multiple watchable and multiple watchable projects, both object_id and project_id will be nil.
Those parameters are required for WatchersController#find_project to work.
Because WatchersController#find_project does not work, ApplicationController#authorize returns an exception "Filter chain halted as: authorize rendered or redirected".

I have made several changes by reading the patch written by Andrey Lobanov (RedSoft).
I appreciate that you shared the patch.

Changes:
* Add tests
* Make multiple watchable values of object_id instead of project_ids
* Change the conditions of users_for_new_watcher to maintain the specification of #5159
--------------------------------------------------------------------------------