before_action :delete_authorize, :only => :destroy
before_action :authorize_global, :only => :upload
+ require_sudo_mode :destroy
+
# Disable check for same origin requests for JS files, i.e. attachments with
# MIME type text/javascript.
skip_after_action :verify_same_origin_request, :only => :download
before_action :find_project_by_project_id, :find_board_if_available, :authorize
accept_rss_auth :index, :show
+ require_sudo_mode :destroy
+
helper :sort
include SortHelper
helper :watchers
before_action :find_project_from_association
before_action :authorize
+ require_sudo_mode :destroy
+
def create
raise Unauthorized unless @news.commentable?
before_action :find_project_from_association, :except => [:index, :new, :create]
before_action :authorize
+ require_sudo_mode :destroy
+
helper :attachments
helper :custom_fields
accept_rss_auth :index, :show
accept_api_auth :index, :show, :create, :update, :destroy
+ require_sudo_mode :destroy
+
rescue_from Query::StatementInvalid, :with => :query_statement_invalid
helper :journals
before_action :find_message, :except => [:new, :preview]
before_action :authorize, :except => [:preview, :edit, :destroy]
+ require_sudo_mode :destroy
+
helper :boards
helper :watchers
helper :attachments
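Review bot: In this controller the sudo check for `destroy` runs before any permission check, because the filter just above excludes `:destroy` from `before_action :authorize`; whatever authorization `destroy` performs inside its body (not shown in the hunk) will only execute after the user has re-entered their password. A user without delete rights is therefore prompted for a password on a request that will be refused anyway, which differs from the other controllers in this commit where `authorize` precedes `require_sudo_mode`. If that ordering is intentional, a one-line comment would make it explicit: `# destroy authorizes inside the action, so the sudo prompt is shown first`. Otherwise consider moving the permission check into a filter that runs before `require_sudo_mode :destroy`.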
accept_rss_auth :index
accept_api_auth :index, :show, :create, :update, :destroy
+ require_sudo_mode :destroy
+
helper :watchers
helper :attachments
before_action :authorize
accept_rss_auth :revisions
+ require_sudo_mode :destroy
+
rescue_from Redmine::Scm::Adapters::CommandFailed, :with => :show_error_command_failed
def new
accept_rss_auth :index
accept_api_auth :index, :show, :create, :update, :destroy
+ require_sudo_mode :destroy
+
rescue_from Query::StatementInvalid, :with => :query_statement_invalid
helper :issues
accept_api_auth :index, :show, :create, :update, :destroy
+ require_sudo_mode :destroy
+
helper :custom_fields
helper :projects
before_action :find_attachments, :only => [:preview]
accept_api_auth :index, :show, :update, :destroy
+ require_sudo_mode :destroy, :destroy_version
+
helper :attachments
include AttachmentsHelper
helper :watchers
menu_item :settings
before_action :find_project, :authorize
+ require_sudo_mode :destroy, only: :post
+
# Delete a project's wiki
def destroy
if request.post? && params[:confirm] && @project.wiki
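Review bot: This `require_sudo_mode :destroy, only: :post` is the only request-method-scoped call in the commit and nothing says why; from `if request.post? && params[:confirm] && @project.wiki` below, `destroy` appears to render a confirmation page on GET and delete only on POST, so a comment would save the next reader a lookup: `# destroy renders a confirmation on GET; only the POST actually deletes the wiki`. The option is also written in `only:` shorthand while the surrounding filters use `:only =>`; one style within the file is preferable. The body of `destroy` continues past the hunk.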
# Requires users to re-enter their password for sensitive actions (editing
# of account data, project memberships, application settings, user, group,
- # role, auth source management and project deletion). Disabled by default.
+ # role, auth source management, project deletion and deletion of contents
+ # such as issues, attachments and wiki pages). Disabled by default.
# Timeout is set in minutes.
#
#sudo_mode: true
require File.expand_path('../../test_helper', __FILE__)
class SudoModeTest < Redmine::IntegrationTest
- fixtures :projects, :members, :member_roles, :roles, :users, :email_addresses
+ fixtures :projects, :members, :member_roles, :roles, :users,
+ :email_addresses, :trackers, :projects_trackers, :enabled_modules,
+ :issue_statuses, :issues, :enumerations
def setup
Redmine::SudoMode.stubs(:enabled?).returns(true)
end
end
+ def test_destroy_issue
+ log_user 'dlopper', 'foo'
+ expire_sudo_mode!
+ delete '/issues/2'
+ assert_response :success
+ assert_select 'h2', 'Confirm your password to continue'
+ assert_select 'form[action="/issues/2"]'
+ assert_select '#flash_error', 0
+
+ delete '/issues/2', :params => {:sudo_password => 'wrong'}
+ assert_response :success
+ assert_select 'h2', 'Confirm your password to continue'
+
+ assert_difference 'Issue.count', -1 do
+ delete '/issues/2', :params => {:sudo_password => 'foo'}
+ end
+ end
+
private
# sudo mode is active after sign, let it expire by advancing the time
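Review bot: The wrong-password case in `test_destroy_issue` only asserts that the prompt is re-rendered; it never asserts that the issue survived, so a regression that deletes and then re-renders the prompt would still pass. Wrapping that request as `assert_no_difference 'Issue.count' do` / `delete '/issues/2', :params => {:sudo_password => 'wrong'}` / `end` pins the behaviour the feature exists for. The test also covers only the issues path, while the commit adds `require_sudo_mode :destroy` to attachments, boards, messages, news, wiki and several other controllers; at least one of those, ideally the wiki `destroy` that is scoped to POST, deserves the same prompt/wrong-password/success sequence. If a rejected sudo password sets a flash error, asserting it on the second response would additionally distinguish a rejected password from a fresh prompt.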