
Anonymous committed 9b6d60f

Fixed that watchers delete links are escaped on the issue view (#10932).

  • Parent commits 7b44557


Files changed (2)

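--- a/app/helpers/watchers_helper.rb
+++ b/app/helpers/watchers_helper.rb
   # Returns a comma separated list of users watching the given object
   def watchers_list(object)
     remove_allowed = User.current.allowed_to?("delete_#{object.class.name.underscore}_watchers".to_sym, object.project)
+    content = ''.html_safe
     lis = object.watcher_users.collect do |user|
-      s = avatar(user, :size => "16").to_s + link_to_user(user, :class => 'user').to_s
+      s = ''.html_safe
+      s << avatar(user, :size => "16").to_s
+      s << link_to_user(user, :class => 'user')
       if remove_allowed
         url = {:controller => 'watchers',
                :action => 'destroy',
                :object_type => object.class.to_s.underscore,
                :object_id => object.id,
                :user_id => user}
-        s += ' ' + link_to_remote(image_tag('delete.png'),
+        s << ' '
+        s << link_to_remote(image_tag('delete.png'),
                                   {:url => url},
                                   :href => url_for(url),
                                   :style => "vertical-align: middle",
                                   :class => "delete")
       end
-      content_tag :li, s.html_safe
+      content << content_tag('li', s)
     end
-    (lis.empty? ? "" : "<ul>#{ lis.join("\n") }</ul>").html_safe
+    content.present? ? content_tag('ul', content) : content
   end
 
   def watchers_checkboxes(object, users, checked=nil)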
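Review bot: `lis` is assigned but never read after this change, because the list items are now accumulated in `content` and the last line of watchers_list no longer calls `lis.join`; `lis = object.watcher_users.collect do |user|` should become `object.watcher_users.each do |user|`. Separately, building `s` and `content` as SafeBuffers means anything appended that is not already marked html_safe gets escaped, which is a safer default than the removed `s.html_safe` on a concatenated String. A short comment above `s = ''.html_safe`, such as `# SafeBuffer: appended strings are escaped unless already html_safe`, would discourage a later edit from marking the whole item safe again.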

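--- a/test/functional/issues_controller_test.rb
+++ b/test/functional/issues_controller_test.rb
     assert_tag 'a', :attributes => {:href => "/projects/ecookbook/repository/revisions/3"}
   end
 
+  def test_show_should_display_watchers
+    @request.session[:user_id] = 2
+    Issue.find(1).add_watcher User.find(2)
+
+    get :show, :id => 1
+    assert_select 'div#watchers ul' do
+      assert_select 'li' do
+        assert_select 'a[href=/users/2]'
+        assert_select 'a img[alt=Delete]'
+      end
+    end
+  end
+
+  def test_show_should_display_watchers_with_gravatars
+    @request.session[:user_id] = 2
+    Issue.find(1).add_watcher User.find(2)
+
+    with_settings :gravatar_enabled => '1' do
+      get :show, :id => 1
+    end
+
+    assert_select 'div#watchers ul' do
+      assert_select 'li' do
+        assert_select 'img.gravatar'
+        assert_select 'a[href=/users/2]'
+        assert_select 'a img[alt=Delete]'
+      end
+    end
+  end
+  
   def test_show_with_multi_custom_field
     field = CustomField.find(1)
     field.update_attribute :multiple, true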
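Review bot: Both new tests only assert that the expected markup is present (`a[href=/users/2]`, `a img[alt=Delete]`, `img.gravatar`), so neither pins that user-controlled text in the watcher list stays escaped. A third case with a watcher whose display name contains markup (a constructed value such as `<b>x</b>`), asserting that no `li b` element is rendered under `div#watchers`, would catch a later change that marks the whole list item html_safe again. Both tests also run as user 2, who is shown the delete link. A case for a user without the delete-watchers permission, asserting `a.delete` is absent, would cover the other side of the `remove_allowed` branch.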