redmine/test/integration/sudo_mode_test.rb

require File.expand_path('../../test_helper', __FILE__)

class SudoModeTest < Redmine::IntegrationTest
  fixtures :projects, :members, :member_roles, :roles, :users, :email_addresses

  def setup
    Redmine::SudoMode.stubs(:enabled?).returns(true)
  end

  def test_sudo_mode_should_be_active_after_login
    log_user("admin", "admin")
    get "/users/new"
    assert_response :success
    post "/users",
         :user => { :login => "psmith", :firstname => "Paul",
                    :lastname => "Smith", :mail => "psmith@somenet.foo",
                    :language => "en", :password => "psmith09",
                    :password_confirmation => "psmith09" }
    assert_response 302

    user = User.find_by_login("psmith")
    assert_kind_of User, user
  end

  def test_add_user
    log_user("admin", "admin")
    expire_sudo_mode!
    get "/users/new"
    assert_response :success
    post "/users",
         :user => { :login => "psmith", :firstname => "Paul",
                    :lastname => "Smith", :mail => "psmith@somenet.foo",
                    :language => "en", :password => "psmith09",
                    :password_confirmation => "psmith09" }
    assert_response :success
    assert_nil User.find_by_login("psmith")

    assert_select 'input[name=?][value=?]', 'user[login]', 'psmith'
    assert_select 'input[name=?][value=?]', 'user[firstname]', 'Paul'

    post "/users",
         :user => { :login => "psmith", :firstname => "Paul",
                    :lastname => "Smith", :mail => "psmith@somenet.foo",
                    :language => "en", :password => "psmith09",
                    :password_confirmation => "psmith09" },
         :sudo_password => 'admin'
    assert_response 302

    user = User.find_by_login("psmith")
    assert_kind_of User, user
  end

  def test_create_member_xhr
    log_user 'admin', 'admin'
    expire_sudo_mode!
    get '/projects/ecookbook/settings/members'
    assert_response :success

    assert_no_difference 'Member.count' do
      xhr :post, '/projects/ecookbook/memberships', membership: {role_ids: [1], user_id: 7}
    end

    assert_no_difference 'Member.count' do
      xhr :post, '/projects/ecookbook/memberships', membership: {role_ids: [1], user_id: 7}, sudo_password: ''
    end

    assert_no_difference 'Member.count' do
      xhr :post, '/projects/ecookbook/memberships', membership: {role_ids: [1], user_id: 7}, sudo_password: 'wrong'
    end

    assert_difference 'Member.count' do
      xhr :post, '/projects/ecookbook/memberships', membership: {role_ids: [1], user_id: 7}, sudo_password: 'admin'
    end
    assert User.find(7).member_of?(Project.find(1))
  end

  def test_create_member
    log_user 'admin', 'admin'
    expire_sudo_mode!
    get '/projects/ecookbook/settings/members'
    assert_response :success

    assert_no_difference 'Member.count' do
      post '/projects/ecookbook/memberships', membership: {role_ids: [1], user_id: 7}
    end

    assert_no_difference 'Member.count' do
      post '/projects/ecookbook/memberships', membership: {role_ids: [1], user_id: 7}, sudo_password: ''
    end

    assert_no_difference 'Member.count' do
      post '/projects/ecookbook/memberships', membership: {role_ids: [1], user_id: 7}, sudo_password: 'wrong'
    end

    assert_difference 'Member.count' do
      post '/projects/ecookbook/memberships', membership: {role_ids: [1], user_id: 7}, sudo_password: 'admin'
    end

    assert_redirected_to '/projects/ecookbook/settings/members'
    assert User.find(7).member_of?(Project.find(1))
  end

  def test_create_role
    log_user 'admin', 'admin'
    expire_sudo_mode!
    get '/roles'
    assert_response :success

    get '/roles/new'
    assert_response :success

    post '/roles', role: { }
    assert_response :success
    assert_select 'h2', 'Confirm your password to continue'
    assert_select 'form[action="/roles"]'
    assert assigns(:sudo_form).errors.blank?

    post '/roles', role: { name: 'new role', issues_visibility: 'all' }
    assert_response :success
    assert_select 'h2', 'Confirm your password to continue'
    assert_select 'form[action="/roles"]'
    assert_match /"new role"/, response.body
    assert assigns(:sudo_form).errors.blank?

    post '/roles', role: { name: 'new role', issues_visibility: 'all' }, sudo_password: 'wrong'
    assert_response :success
    assert_select 'h2', 'Confirm your password to continue'
    assert_select 'form[action="/roles"]'
    assert_match /"new role"/, response.body
    assert assigns(:sudo_form).errors[:password].present?

    assert_difference 'Role.count' do
      post '/roles', role: { name: 'new role', issues_visibility: 'all', assignable: '1', permissions: %w(view_calendar) }, sudo_password: 'admin'
    end
    assert_redirected_to '/roles'
  end

  def test_update_email_address
    log_user 'jsmith', 'jsmith'
    expire_sudo_mode!
    get '/my/account'
    assert_response :success
    post '/my/account', user: { mail: 'newmail@test.com' }
    assert_response :success
    assert_select 'h2', 'Confirm your password to continue'
    assert_select 'form[action="/my/account"]'
    assert_match /"newmail@test\.com"/, response.body
    assert assigns(:sudo_form).errors.blank?

    # wrong password
    post '/my/account', user: { mail: 'newmail@test.com' }, sudo_password: 'wrong'
    assert_response :success
    assert_select 'h2', 'Confirm your password to continue'
    assert_select 'form[action="/my/account"]'
    assert_match /"newmail@test\.com"/, response.body
    assert assigns(:sudo_form).errors[:password].present?

    # correct password
    post '/my/account', user: { mail: 'newmail@test.com' }, sudo_password: 'jsmith'
    assert_redirected_to '/my/account'
    assert_equal 'newmail@test.com', User.find_by_login('jsmith').mail

    # sudo mode should now be active and not require password again
    post '/my/account', user: { mail: 'even.newer.mail@test.com' }
    assert_redirected_to '/my/account'
    assert_equal 'even.newer.mail@test.com', User.find_by_login('jsmith').mail
  end

  def test_sudo_mode_should_skip_api_requests
    with_settings :rest_api_enabled => '1' do
      assert_difference('User.count') do
        post '/users.json', {
          :user => {
            :login => 'foo', :firstname => 'Firstname', :lastname => 'Lastname',
            :mail => 'foo@example.net', :password => 'secret123',
            :mail_notification => 'only_assigned'}
          },
          credentials('admin')
  
        assert_response :created
      end
    end
  end

  private

  # sudo mode is active after sign, let it expire by advancing the time
  def expire_sudo_mode!
    travel_to 20.minutes.from_now
  end
end
Require password re-entry for sensitive actions (#19851). Patch by Jens Krämer. git-svn-id: http://svn.redmine.org/redmine/trunk@14333 e93f8b46-1217-0410-a6f0-8f06a7374b81 2015-06-19 20:41:10 +02:00			`require File.expand_path('../../test_helper', __FILE__)`

Adds a UI test (#19851). git-svn-id: http://svn.redmine.org/redmine/trunk@14345 e93f8b46-1217-0410-a6f0-8f06a7374b81 2015-06-19 22:42:33 +02:00			`class SudoModeTest < Redmine::IntegrationTest`
			`fixtures :projects, :members, :member_roles, :roles, :users, :email_addresses`
Require password re-entry for sensitive actions (#19851). Patch by Jens Krämer. git-svn-id: http://svn.redmine.org/redmine/trunk@14333 e93f8b46-1217-0410-a6f0-8f06a7374b81 2015-06-19 20:41:10 +02:00
			`def setup`
Adds a configuration setting to enable sudo mode, disabled by default (#19851). git-svn-id: http://svn.redmine.org/redmine/trunk@14336 e93f8b46-1217-0410-a6f0-8f06a7374b81 2015-06-19 21:42:49 +02:00			`Redmine::SudoMode.stubs(:enabled?).returns(true)`
Require password re-entry for sensitive actions (#19851). Patch by Jens Krämer. git-svn-id: http://svn.redmine.org/redmine/trunk@14333 e93f8b46-1217-0410-a6f0-8f06a7374b81 2015-06-19 20:41:10 +02:00			`end`

Activate sudo mode after password based login (#20589). Patch by Jens Krämer. git-svn-id: http://svn.redmine.org/redmine/trunk@14635 e93f8b46-1217-0410-a6f0-8f06a7374b81 2015-10-01 19:07:06 +02:00			`def test_sudo_mode_should_be_active_after_login`
			`log_user("admin", "admin")`
			`get "/users/new"`
			`assert_response :success`
			`post "/users",`
			`:user => { :login => "psmith", :firstname => "Paul",`
			`:lastname => "Smith", :mail => "psmith@somenet.foo",`
			`:language => "en", :password => "psmith09",`
			`:password_confirmation => "psmith09" }`
			`assert_response 302`

			`user = User.find_by_login("psmith")`
			`assert_kind_of User, user`
			`end`

Adds a configuration setting to enable sudo mode, disabled by default (#19851). git-svn-id: http://svn.redmine.org/redmine/trunk@14336 e93f8b46-1217-0410-a6f0-8f06a7374b81 2015-06-19 21:42:49 +02:00			`def test_add_user`
			`log_user("admin", "admin")`
Activate sudo mode after password based login (#20589). Patch by Jens Krämer. git-svn-id: http://svn.redmine.org/redmine/trunk@14635 e93f8b46-1217-0410-a6f0-8f06a7374b81 2015-10-01 19:07:06 +02:00			`expire_sudo_mode!`
Adds a configuration setting to enable sudo mode, disabled by default (#19851). git-svn-id: http://svn.redmine.org/redmine/trunk@14336 e93f8b46-1217-0410-a6f0-8f06a7374b81 2015-06-19 21:42:49 +02:00			`get "/users/new"`
			`assert_response :success`
			`post "/users",`
			`:user => { :login => "psmith", :firstname => "Paul",`
			`:lastname => "Smith", :mail => "psmith@somenet.foo",`
			`:language => "en", :password => "psmith09",`
			`:password_confirmation => "psmith09" }`
			`assert_response :success`
			`assert_nil User.find_by_login("psmith")`

Tests that submitted data is present in the sudo form (#19851). git-svn-id: http://svn.redmine.org/redmine/trunk@14344 e93f8b46-1217-0410-a6f0-8f06a7374b81 2015-06-19 22:25:55 +02:00			`assert_select 'input[name=?][value=?]', 'user[login]', 'psmith'`
			`assert_select 'input[name=?][value=?]', 'user[firstname]', 'Paul'`

Adds a configuration setting to enable sudo mode, disabled by default (#19851). git-svn-id: http://svn.redmine.org/redmine/trunk@14336 e93f8b46-1217-0410-a6f0-8f06a7374b81 2015-06-19 21:42:49 +02:00			`post "/users",`
			`:user => { :login => "psmith", :firstname => "Paul",`
			`:lastname => "Smith", :mail => "psmith@somenet.foo",`
			`:language => "en", :password => "psmith09",`
			`:password_confirmation => "psmith09" },`
			`:sudo_password => 'admin'`
			`assert_response 302`

			`user = User.find_by_login("psmith")`
			`assert_kind_of User, user`
Require password re-entry for sensitive actions (#19851). Patch by Jens Krämer. git-svn-id: http://svn.redmine.org/redmine/trunk@14333 e93f8b46-1217-0410-a6f0-8f06a7374b81 2015-06-19 20:41:10 +02:00			`end`

			`def test_create_member_xhr`
			`log_user 'admin', 'admin'`
Activate sudo mode after password based login (#20589). Patch by Jens Krämer. git-svn-id: http://svn.redmine.org/redmine/trunk@14635 e93f8b46-1217-0410-a6f0-8f06a7374b81 2015-10-01 19:07:06 +02:00			`expire_sudo_mode!`
Require password re-entry for sensitive actions (#19851). Patch by Jens Krämer. git-svn-id: http://svn.redmine.org/redmine/trunk@14333 e93f8b46-1217-0410-a6f0-8f06a7374b81 2015-06-19 20:41:10 +02:00			`get '/projects/ecookbook/settings/members'`
			`assert_response :success`

			`assert_no_difference 'Member.count' do`
			`xhr :post, '/projects/ecookbook/memberships', membership: {role_ids: [1], user_id: 7}`
			`end`

			`assert_no_difference 'Member.count' do`
			`xhr :post, '/projects/ecookbook/memberships', membership: {role_ids: [1], user_id: 7}, sudo_password: ''`
			`end`

			`assert_no_difference 'Member.count' do`
			`xhr :post, '/projects/ecookbook/memberships', membership: {role_ids: [1], user_id: 7}, sudo_password: 'wrong'`
			`end`

			`assert_difference 'Member.count' do`
			`xhr :post, '/projects/ecookbook/memberships', membership: {role_ids: [1], user_id: 7}, sudo_password: 'admin'`
			`end`
			`assert User.find(7).member_of?(Project.find(1))`
			`end`

			`def test_create_member`
			`log_user 'admin', 'admin'`
Activate sudo mode after password based login (#20589). Patch by Jens Krämer. git-svn-id: http://svn.redmine.org/redmine/trunk@14635 e93f8b46-1217-0410-a6f0-8f06a7374b81 2015-10-01 19:07:06 +02:00			`expire_sudo_mode!`
Require password re-entry for sensitive actions (#19851). Patch by Jens Krämer. git-svn-id: http://svn.redmine.org/redmine/trunk@14333 e93f8b46-1217-0410-a6f0-8f06a7374b81 2015-06-19 20:41:10 +02:00			`get '/projects/ecookbook/settings/members'`
			`assert_response :success`

			`assert_no_difference 'Member.count' do`
			`post '/projects/ecookbook/memberships', membership: {role_ids: [1], user_id: 7}`
			`end`

			`assert_no_difference 'Member.count' do`
			`post '/projects/ecookbook/memberships', membership: {role_ids: [1], user_id: 7}, sudo_password: ''`
			`end`

			`assert_no_difference 'Member.count' do`
			`post '/projects/ecookbook/memberships', membership: {role_ids: [1], user_id: 7}, sudo_password: 'wrong'`
			`end`

			`assert_difference 'Member.count' do`
			`post '/projects/ecookbook/memberships', membership: {role_ids: [1], user_id: 7}, sudo_password: 'admin'`
			`end`

			`assert_redirected_to '/projects/ecookbook/settings/members'`
			`assert User.find(7).member_of?(Project.find(1))`
			`end`

			`def test_create_role`
			`log_user 'admin', 'admin'`
Activate sudo mode after password based login (#20589). Patch by Jens Krämer. git-svn-id: http://svn.redmine.org/redmine/trunk@14635 e93f8b46-1217-0410-a6f0-8f06a7374b81 2015-10-01 19:07:06 +02:00			`expire_sudo_mode!`
Require password re-entry for sensitive actions (#19851). Patch by Jens Krämer. git-svn-id: http://svn.redmine.org/redmine/trunk@14333 e93f8b46-1217-0410-a6f0-8f06a7374b81 2015-06-19 20:41:10 +02:00			`get '/roles'`
			`assert_response :success`

			`get '/roles/new'`
			`assert_response :success`

			`post '/roles', role: { }`
			`assert_response :success`
			`assert_select 'h2', 'Confirm your password to continue'`
			`assert_select 'form[action="/roles"]'`
			`assert assigns(:sudo_form).errors.blank?`

			`post '/roles', role: { name: 'new role', issues_visibility: 'all' }`
			`assert_response :success`
			`assert_select 'h2', 'Confirm your password to continue'`
			`assert_select 'form[action="/roles"]'`
			`assert_match /"new role"/, response.body`
			`assert assigns(:sudo_form).errors.blank?`

			`post '/roles', role: { name: 'new role', issues_visibility: 'all' }, sudo_password: 'wrong'`
			`assert_response :success`
			`assert_select 'h2', 'Confirm your password to continue'`
			`assert_select 'form[action="/roles"]'`
			`assert_match /"new role"/, response.body`
			`assert assigns(:sudo_form).errors[:password].present?`

			`assert_difference 'Role.count' do`
			`post '/roles', role: { name: 'new role', issues_visibility: 'all', assignable: '1', permissions: %w(view_calendar) }, sudo_password: 'admin'`
			`end`
			`assert_redirected_to '/roles'`
			`end`

			`def test_update_email_address`
			`log_user 'jsmith', 'jsmith'`
Activate sudo mode after password based login (#20589). Patch by Jens Krämer. git-svn-id: http://svn.redmine.org/redmine/trunk@14635 e93f8b46-1217-0410-a6f0-8f06a7374b81 2015-10-01 19:07:06 +02:00			`expire_sudo_mode!`
Require password re-entry for sensitive actions (#19851). Patch by Jens Krämer. git-svn-id: http://svn.redmine.org/redmine/trunk@14333 e93f8b46-1217-0410-a6f0-8f06a7374b81 2015-06-19 20:41:10 +02:00			`get '/my/account'`
			`assert_response :success`
			`post '/my/account', user: { mail: 'newmail@test.com' }`
			`assert_response :success`
			`assert_select 'h2', 'Confirm your password to continue'`
			`assert_select 'form[action="/my/account"]'`
			`assert_match /"newmail@test\.com"/, response.body`
			`assert assigns(:sudo_form).errors.blank?`

			`# wrong password`
			`post '/my/account', user: { mail: 'newmail@test.com' }, sudo_password: 'wrong'`
			`assert_response :success`
			`assert_select 'h2', 'Confirm your password to continue'`
			`assert_select 'form[action="/my/account"]'`
			`assert_match /"newmail@test\.com"/, response.body`
			`assert assigns(:sudo_form).errors[:password].present?`

			`# correct password`
			`post '/my/account', user: { mail: 'newmail@test.com' }, sudo_password: 'jsmith'`
			`assert_redirected_to '/my/account'`
			`assert_equal 'newmail@test.com', User.find_by_login('jsmith').mail`

			`# sudo mode should now be active and not require password again`
			`post '/my/account', user: { mail: 'even.newer.mail@test.com' }`
			`assert_redirected_to '/my/account'`
			`assert_equal 'even.newer.mail@test.com', User.find_by_login('jsmith').mail`
			`end`

Don't use SudoMode.disable! to skip API requests (#19851). git-svn-id: http://svn.redmine.org/redmine/trunk@14338 e93f8b46-1217-0410-a6f0-8f06a7374b81 2015-06-19 21:51:24 +02:00			`def test_sudo_mode_should_skip_api_requests`
			`with_settings :rest_api_enabled => '1' do`
			`assert_difference('User.count') do`
			`post '/users.json', {`
			`:user => {`
			`:login => 'foo', :firstname => 'Firstname', :lastname => 'Lastname',`
			`:mail => 'foo@example.net', :password => 'secret123',`
			`:mail_notification => 'only_assigned'}`
			`},`
			`credentials('admin')`

			`assert_response :created`
			`end`
			`end`
			`end`
Activate sudo mode after password based login (#20589). Patch by Jens Krämer. git-svn-id: http://svn.redmine.org/redmine/trunk@14635 e93f8b46-1217-0410-a6f0-8f06a7374b81 2015-10-01 19:07:06 +02:00
			`private`

			`# sudo mode is active after sign, let it expire by advancing the time`
			`def expire_sudo_mode!`
			`travel_to 20.minutes.from_now`
			`end`
Require password re-entry for sensitive actions (#19851). Patch by Jens Krämer. git-svn-id: http://svn.redmine.org/redmine/trunk@14333 e93f8b46-1217-0410-a6f0-8f06a7374b81 2015-06-19 20:41:10 +02:00			`end`