Merged r3865 and r3866 from trunk.

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/branches/0.9-stable@3868 e93f8b46-1217-0410-a6f0-8f06a7374b81

app/controllers/issues_controller.rb

@@ -149,7 +149,7 @@ class IssuesController < ApplicationController
     if request.get? || request.xhr?
       @issue.start_date ||= Date.today
     else
-      requested_status = IssueStatus.find_by_id(params[:issue][:status_id])
+      requested_status = IssueStatus.find_by_id(params[:issue][:status_id]) if params[:issue]
       # Check that the user is allowed to apply the requested status
       @issue.status = (@allowed_statuses.include? requested_status) ? requested_status : default_status
       call_hook(:controller_issues_new_before_save, { :params => params, :issue => @issue })

app/controllers/members_controller.rb

@@ -38,6 +38,7 @@ class MembersController < ApplicationController
       format.js { 
         render(:update) {|page| 
           page.replace_html "tab-content-members", :partial => 'projects/settings/members'
+          page << 'hideOnLoad()'
           members.each {|member| page.visual_effect(:highlight, "member-#{member.id}") }
         }
       }
@@ -51,6 +52,7 @@ class MembersController < ApplicationController
         format.js { 
           render(:update) {|page| 
             page.replace_html "tab-content-members", :partial => 'projects/settings/members'
+            page << 'hideOnLoad()'
             page.visual_effect(:highlight, "member-#{@member.id}")
           }
         }
@@ -64,7 +66,11 @@ class MembersController < ApplicationController
     end
     respond_to do |format|
       format.html { redirect_to :controller => 'projects', :action => 'settings', :tab => 'members', :id => @project }
-      format.js { render(:update) {|page| page.replace_html "tab-content-members", :partial => 'projects/settings/members'} }
+      format.js { render(:update) {|page|
+          page.replace_html "tab-content-members", :partial => 'projects/settings/members'
+          page << 'hideOnLoad()'
+        }
+      }
     end
   end
   

app/controllers/projects_controller.rb

@@ -27,7 +27,7 @@ class ProjectsController < ApplicationController
   before_filter :authorize, :except => [ :index, :list, :add, :copy, :archive, :unarchive, :destroy, :activity ]
   before_filter :authorize_global, :only => :add
   before_filter :require_admin, :only => [ :copy, :archive, :unarchive, :destroy ]
-  accept_key_auth :activity
+  accept_key_auth :activity, :index
   
   after_filter :only => [:add, :edit, :archive, :unarchive, :destroy] do |controller|
     if controller.request.post?

app/controllers/versions_controller.rb

@@ -25,6 +25,9 @@ class VersionsController < ApplicationController
   helper :projects
   
   def show
+    @issues = @version.fixed_issues.visible.find(:all,
+      :include => [:status, :tracker, :priority],
+      :order => "#{Tracker.table_name}.position, #{Issue.table_name}.id")
   end
   
   def edit

app/helpers/repositories_helper.rb

@@ -52,17 +52,19 @@ module RepositoriesHelper
       else
         change
       end
-    end.compact
+   end.compact
     
     tree = { }
     changes.each do |change|
       p = tree
       dirs = change.path.to_s.split('/').select {|d| !d.blank?}
+      path = ''
       dirs.each do |dir|
+        path += '/' + dir
         p[:s] ||= {}
         p = p[:s]
-        p[dir] ||= {}
-        p = p[dir]
+        p[path] ||= {}
+        p = p[path]
       end
       p[:c] = change
     end
@@ -76,21 +78,26 @@ module RepositoriesHelper
     output = ''
     output << '<ul>'
     tree.keys.sort.each do |file|
-      s = !tree[file][:s].nil?
-      c = tree[file][:c]
-      
       style = 'change'
-      style << ' folder' if s
-      style << " change-#{c.action}" if c
-      
-      text = h(file)
-      unless c.nil?
+      text = File.basename(h(file))
+      if s = tree[file][:s]
+        style << ' folder'
+        path_param = to_path_param(@repository.relative_path(file))
+        text = link_to(text, :controller => 'repositories',
+                             :action => 'show',
+                             :id => @project,
+                             :path => path_param,
+                             :rev => @changeset.revision)
+        output << "<li class='#{style}'>#{text}</li>"
+        output << render_changes_tree(s)
+      elsif c = tree[file][:c]
+        style << " change-#{c.action}"
         path_param = to_path_param(@repository.relative_path(c.path))
         text = link_to(text, :controller => 'repositories',
                              :action => 'entry',
                              :id => @project,
                              :path => path_param,
-                             :rev => @changeset.revision) unless s || c.action == 'D'
+                             :rev => @changeset.revision) unless c.action == 'D'
         text << " - #{c.revision}" unless c.revision.blank?
         text << ' (' + link_to('diff', :controller => 'repositories',
                                        :action => 'diff',
@@ -98,9 +105,8 @@ module RepositoriesHelper
                                        :path => path_param,
                                        :rev => @changeset.revision) + ') ' if c.action == 'M'
         text << ' ' + content_tag('span', c.from_path, :class => 'copied-from') unless c.from_path.blank?
+        output << "<li class='#{style}'>#{text}</li>"
       end
-      output << "<li class='#{style}'>#{text}</li>"
-      output << render_changes_tree(tree[file][:s]) if s
     end
     output << '</ul>'
     output

app/models/mail_handler.rb

@@ -49,7 +49,7 @@ class MailHandler < ActionMailer::Base
       logger.info  "MailHandler: ignoring email from Redmine emission address [#{sender_email}]" if logger && logger.info
       return false
     end
-    @user = User.find_by_mail(sender_email)
+    @user = User.find_by_mail(sender_email) if sender_email.present?
     if @user && !@user.active?
       logger.info  "MailHandler: ignoring email from non-active user [#{@user.login}]" if logger && logger.info
       return false

app/views/issues/index.rhtml

@@ -10,7 +10,7 @@
 
 <% form_tag({ :controller => 'queries', :action => 'new' }, :id => 'query_form') do %>
     <%= hidden_field_tag('project_id', @project.to_param) if @project %>
-		<div id="query_form_content">
+		<div id="query_form_content" class="hide-when-print">
     <fieldset id="filters" class="collapsible <%= @query.new_record? ? "" : "collapsed" %>">
     	<legend onclick="toggleFieldset(this);"><%= l(:label_filter_plural) %></legend>
     	<div style="<%= @query.new_record? ? "" : "display: none;" %>">
@@ -33,7 +33,7 @@
 			</div>
 		</fieldset>
 		</div>
-    <p class="buttons">
+    <p class="buttons hide-when-print">
 
     <%= link_to_remote l(:button_apply), 
                        { :url => { :set_filter => 1 },

app/views/my/_sidebar.rhtml

@@ -17,10 +17,10 @@
 
 <% if Setting.rest_api_enabled? %>
 <h4><%= l(:label_api_access_key) %></h4>
-<p>
+<div>
   <%= link_to_function(l(:button_show), "$('api-access-key').toggle();")%>
   <pre id='api-access-key' class='autoscroll'><%= @user.api_key %></pre>
-</p>
+</div>
 <%= javascript_tag("$('api-access-key').hide();") %>
 <p>
 <% if @user.api_token %>

app/views/projects/index.rhtml

@@ -1,3 +1,7 @@
+<% content_for :header_tags do %>
+    <%= auto_discovery_link_tag(:atom, {:action => 'index', :format => 'atom', :key => User.current.rss_key}) %>
+<% end %>
+
 <div class="contextual">
     <%= link_to(l(:label_project_new), {:controller => 'projects', :action => 'add'}, :class => 'icon icon-add') + ' |' if User.current.allowed_to?(:add_project, nil, :global => true) %>
     <%= link_to(l(:label_issue_view_all), { :controller => 'issues' }) + ' |' if User.current.allowed_to?(:view_issues, nil, :global => true) %>

app/views/versions/show.rhtml

@@ -32,13 +32,10 @@
 <%= render :partial => 'versions/overview', :locals => {:version => @version} %>
 <%= render(:partial => "wiki/content", :locals => {:content => @version.wiki_page.content}) if @version.wiki_page %>
 
-<% issues = @version.fixed_issues.find(:all,
-                                       :include => [:status, :tracker, :priority],
-                                       :order => "#{Tracker.table_name}.position, #{Issue.table_name}.id") %>
-<% if issues.size > 0 %>
+<% if @issues.present? %>
 <fieldset class="related-issues"><legend><%= l(:label_related_issues) %></legend>
 <ul>
-<% issues.each do |issue| -%>
+<% @issues.each do |issue| -%>
     <li><%= link_to_issue(issue) %></li>
 <% end -%>
 </ul>

config/locales/fr.yml

@@ -812,10 +812,10 @@ fr:
   
   status_active: actif
   status_registered: enregistré
-  status_locked: vérouillé
+  status_locked: verrouillé
   
   version_status_open: ouvert
-  version_status_locked: vérouillé
+  version_status_locked: verrouillé
   version_status_closed: fermé
   
   text_select_mail_notifications: Actions pour lesquelles une notification par e-mail est envoyée

doc/CHANGELOG

@@ -8,6 +8,23 @@ http://www.redmine.org/
 
 Adds context menu to the roadmap issue lists
 
+== 2010-07-07 v0.9.6
+
+Fixed: Redmine.pm access by unauthorized users
+
+== 2010-06-24 v0.9.5
+
+Linkify folder names on revision view
+"fiters" and "options" should be hidden in print view via css
+Fixed: NoMethodError when no issue params are submitted
+Fixed: projects.atom with required authentication
+Fixed: External links not correctly displayed in Wiki TOC
+Fixed: Member role forms in project settings are not hidden after member added
+Fixed: pre can't be inside p
+Fixed: session cookie path does not respect RAILS_RELATIVE_URL_ROOT
+Fixed: mail handler fails when the from address is empty
+
+
 == 2010-05-01 v0.9.4
 
 Filters collapsed by default on issues index page for a saved query

doc/INSTALL

@@ -33,7 +33,7 @@ Optional:
 4. Generate a session store secret
    Redmine stores session data in cookies by default, which requires
    a secret to be generated. Run:
-   rake config/initializers/session_store.rb
+   rake generate_session_store
    
 5. Create the database structure. Under the application main directory:
    rake db:migrate RAILS_ENV="production"

doc/UPGRADING

@@ -12,12 +12,12 @@ http://www.redmine.org/
 2. Copy your database settings (RAILS_ROOT/config/database.yml)
    and SMTP settings (RAILS_ROOT/config/email.yml)
    into the new config directory
-   DO NOT REPLACE ANY OTHERS FILES.
+   DO NOT REPLACE OR EDIT ANY OTHER FILES.
 
 3. Generate a session store secret
    Redmine stores session data in cookies by default, which requires
    a secret to be generated. Run:
-   rake config/initializers/session_store.rb
+   rake generate_session_store
       
 4. Migrate your database (please make a backup before doing this):
    rake db:migrate RAILS_ENV="production"

extra/svn/Redmine.pm

@@ -227,9 +227,38 @@ sub authen_handler {
   }
 }
 
+# check if authentication is forced
+sub is_authentication_forced {
+  my $r = shift;
+
+  my $dbh = connect_database($r);
+  my $sth = $dbh->prepare(
+    "SELECT value FROM settings where settings.name = 'login_required';"
+  );
+
+  $sth->execute();
+  my $ret = 0;
+  if (my @row = $sth->fetchrow_array) {
+    if ($row[0] eq "1" || $row[0] eq "t") {
+      $ret = 1;
+    }
+  }
+  $sth->finish();
+  undef $sth;
+  
+  $dbh->disconnect();
+  undef $dbh;
+
+  $ret;
+}
+
 sub is_public_project {
     my $project_id = shift;
     my $r = shift;
+    
+    if (is_authentication_forced($r)) {
+      return 0;
+    }
 
     my $dbh = connect_database($r);
     my $sth = $dbh->prepare(
@@ -309,7 +338,9 @@ sub is_member {
                 bindpw  =>      $rowldap[4] ? $rowldap[4] : "",
                 filter  =>      "(".$rowldap[6]."=%s)"
             );
-            $ret = 1 if ($ldap->authenticate($redmine_user, $redmine_pass));
+            my $method = $r->method;
+            $ret = 1 if ($ldap->authenticate($redmine_user, $redmine_pass) && ((defined $read_only_methods{$method} && $permissions =~ /:browse_repository/) || $permissions =~ /:commit_access/));
+
           }
           $sthldap->finish();
           undef $sthldap;

lib/redmine/version.rb

@@ -4,7 +4,7 @@ module Redmine
   module VERSION #:nodoc:
     MAJOR = 0
     MINOR = 9
-    TINY  = 4
+    TINY  = 6
     
     # Branch values:
     # * official release: nil

lib/redmine/wiki_formatting/textile/formatter.rb

@@ -67,6 +67,11 @@ module Redmine
         def textile_p_withtoc(tag, atts, cite, content)
           # removes wiki links from the item
           toc_item = content.gsub(/(\[\[([^\]\|]*)(\|([^\]]*))?\]\])/) { $4 || $2 }
+          # sanitizes titles from links
+          # see redcloth3.rb, same as "#{pre}#{text}#{post}"
+          toc_item.gsub!(LINK_RE) { [$2, $4, $9].join }
+          # sanitizes image links from titles
+          toc_item.gsub!(IMAGE_RE) { [$5].join }
           # removes styles
           # eg. %{color:red}Triggers% => Triggers
           toc_item.gsub! %r[%\{[^\}]*\}([^%]+)%], '\\1'

lib/tasks/initializers.rake

@@ -17,6 +17,13 @@ file 'config/initializers/session_store.rb' do
 # you'll be exposed to dictionary attacks.
 ActionController::Base.session = {
   :session_key => '_redmine_session',
+  #
+  # Uncomment and edit the :session_path below if are hosting your Redmine
+  # at a suburi and don't want the top level path to access the cookies
+  #
+  # See: http://www.redmine.org/issues/3968
+  #
+  # :session_path => '/url_path_to/your/redmine/',
   :secret => '#{secret}'
 }
 EOF

public/javascripts/application.js

@@ -207,3 +207,12 @@ Ajax.Responders.register({
         }
     }
 });
+
+function hideOnLoad() {
+  $$('.hol').each(function(el) {
+  	el.hide();
+	});
+}
+
+Event.observe(window, 'load', hideOnLoad);
+

public/stylesheets/application.css

@@ -852,4 +852,5 @@ h2 img { vertical-align:middle; }
   #main { background: #fff; }
   #content { width: 99%; margin: 0; padding: 0; border: 0; background: #fff; overflow: visible !important;}
 	#wiki_add_attachment { display:none; }
+  .hide-when-print { display: none; }
 }

test/fixtures/mail_handler/ticket_by_empty_user.eml

@@ -0,0 +1,17 @@
+Return-Path: <john.doe@somenet.foo>
+Received: from osiris ([127.0.0.1])
+	by OSIRIS
+	with hMailServer ; Sun, 22 Jun 2008 12:28:07 +0200
+Message-ID: <000501c8d452$a95cd7e0$0a00a8c0@osiris>
+To: <redmine@somenet.foo>
+Subject: Ticket by unknown user
+Date: Sun, 22 Jun 2008 12:28:07 +0200
+MIME-Version: 1.0
+Content-Type: text/plain;
+	format=flowed;
+	charset="iso-8859-1";
+	reply-type=original
+Content-Transfer-Encoding: 7bit
+
+This is a ticket submitted by an unknown user.
+

test/functional/issues_controller_test.rb

@@ -649,6 +649,12 @@ class IssuesControllerTest < ActionController::TestCase
                                         :value => 'Value for field 2'}
   end
   
+  test "POST new with no issue params" do
+    @request.session[:user_id] = 2
+    post :new, :project_id => 1
+    assert_response :success
+  end
+
   def test_copy_routing
     assert_routing(
       {:method => :get, :path => '/projects/world_domination/issues/567/copy'},

test/unit/helpers/application_helper_test.rb

@@ -364,6 +364,10 @@ h2. Subtitle with %{color:red}red text%
 
 h1. Another title
 
+h2. An "Internet link":http://www.redmine.org/ inside subtitle
+
+h2. "Project Name !/attachments/1234/logo_small.gif! !/attachments/5678/logo_2.png!":/projects/projectname/issues
+
 RAW
 
     expected = '<ul class="toc">' +
@@ -372,8 +376,10 @@ RAW
                '<li class="heading2"><a href="#Subtitle-with-another-Wiki-link">Subtitle with another Wiki link</a></li>' + 
                '<li class="heading2"><a href="#Subtitle-with-red-text">Subtitle with red text</a></li>' +
                '<li class="heading1"><a href="#Another-title">Another title</a></li>' +
+               '<li class="heading2"><a href="#An-Internet-link-inside-subtitle">An Internet link inside subtitle</a></li>' +
+               '<li class="heading2"><a href="#Project-Name">Project Name</a></li>' +
                '</ul>'
-               
+
     assert textilizable(raw).gsub("\n", "").include?(expected)
   end
   

test/unit/mail_handler_test.rb

@@ -166,6 +166,15 @@ class MailHandlerTest < ActiveSupport::TestCase
       assert issue.author.anonymous?
     end
   end
+
+  def test_add_issue_by_anonymous_user_with_no_from_address
+    Role.anonymous.add_permission!(:add_issues)
+    assert_no_difference 'User.count' do
+      issue = submit_email('ticket_by_empty_user.eml', :issue => {:project => 'ecookbook'}, :unknown_user => 'accept')
+      assert issue.is_a?(Issue)
+      assert issue.author.anonymous?
+    end
+  end
   
   def test_add_issue_by_anonymous_user_on_private_project
     Role.anonymous.add_permission!(:add_issues)