Patch by Go MAEDA. git-svn-id: http://svn.redmine.org/redmine/trunk@19569 e93f8b46-1217-0410-a6f0-8f06a7374b81tags/4.2.0
@@ -25,6 +25,8 @@ class AttachmentsController < ApplicationController | |||
before_action :delete_authorize, :only => :destroy | |||
before_action :authorize_global, :only => :upload | |||
require_sudo_mode :destroy | |||
# Disable check for same origin requests for JS files, i.e. attachments with | |||
# MIME type text/javascript. | |||
skip_after_action :verify_same_origin_request, :only => :download |
@@ -22,6 +22,8 @@ class BoardsController < ApplicationController | |||
before_action :find_project_by_project_id, :find_board_if_available, :authorize | |||
accept_rss_auth :index, :show | |||
require_sudo_mode :destroy | |||
helper :sort | |||
include SortHelper | |||
helper :watchers |
@@ -24,6 +24,8 @@ class CommentsController < ApplicationController | |||
before_action :find_project_from_association | |||
before_action :authorize | |||
require_sudo_mode :destroy | |||
def create | |||
raise Unauthorized unless @news.commentable? | |||
@@ -25,6 +25,8 @@ class DocumentsController < ApplicationController | |||
before_action :find_project_from_association, :except => [:index, :new, :create] | |||
before_action :authorize | |||
require_sudo_mode :destroy | |||
helper :attachments | |||
helper :custom_fields | |||
@@ -28,6 +28,8 @@ class IssuesController < ApplicationController | |||
accept_rss_auth :index, :show | |||
accept_api_auth :index, :show, :create, :update, :destroy | |||
require_sudo_mode :destroy | |||
rescue_from Query::StatementInvalid, :with => :query_statement_invalid | |||
helper :journals |
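Review bot: The new `require_sudo_mode :destroy` gates an action that the line just above it also exposes to API-key clients (`accept_api_auth :index, :show, :create, :update, :destroy`), and nothing in this commit pins how the two interact for a non-browser client that cannot answer the password form. Whether such requests are let through or refused is decided in `Redmine::SudoMode`, which is outside this diff, so the intended policy should be stated and covered by a test, e.g. an integration test that sends `DELETE /issues/2.json` with an API key and asserts the expected status and issue count. The same question applies to the NewsController, TimelogController, VersionsController and WikiController hunks, which pair the new call with the same `accept_api_auth ... :destroy` line. The class body continues outside the hunk.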
@@ -25,6 +25,8 @@ class MessagesController < ApplicationController | |||
before_action :find_message, :except => [:new, :preview] | |||
before_action :authorize, :except => [:preview, :edit, :destroy] | |||
require_sudo_mode :destroy | |||
helper :boards | |||
helper :watchers | |||
helper :attachments |
@@ -28,6 +28,8 @@ class NewsController < ApplicationController | |||
accept_rss_auth :index | |||
accept_api_auth :index, :show, :create, :update, :destroy | |||
require_sudo_mode :destroy | |||
helper :watchers | |||
helper :attachments | |||
@@ -36,6 +36,8 @@ class RepositoriesController < ApplicationController | |||
before_action :authorize | |||
accept_rss_auth :revisions | |||
require_sudo_mode :destroy | |||
rescue_from Redmine::Scm::Adapters::CommandFailed, :with => :show_error_command_failed | |||
def new |
@@ -33,6 +33,8 @@ class TimelogController < ApplicationController | |||
accept_rss_auth :index | |||
accept_api_auth :index, :show, :create, :update, :destroy | |||
require_sudo_mode :destroy | |||
rescue_from Query::StatementInvalid, :with => :query_statement_invalid | |||
helper :issues |
@@ -27,6 +27,8 @@ class VersionsController < ApplicationController | |||
accept_api_auth :index, :show, :create, :update, :destroy | |||
require_sudo_mode :destroy | |||
helper :custom_fields | |||
helper :projects | |||
@@ -39,6 +39,8 @@ class WikiController < ApplicationController | |||
before_action :find_attachments, :only => [:preview] | |||
accept_api_auth :index, :show, :update, :destroy | |||
require_sudo_mode :destroy, :destroy_version | |||
helper :attachments | |||
include AttachmentsHelper | |||
helper :watchers |
@@ -21,6 +21,8 @@ class WikisController < ApplicationController | |||
menu_item :settings | |||
before_action :find_project, :authorize | |||
require_sudo_mode :destroy, only: :post | |||
# Delete a project's wiki | |||
def destroy | |||
if request.post? && params[:confirm] && @project.wiki |
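Review bot: `require_sudo_mode :destroy, only: :post` is the only call in this commit that passes an `only:` option, and no test is added for it; the `destroy` action below serves both the confirmation page and the real deletion (`request.post? && params[:confirm]`), so the intent is presumably that the GET confirmation renders freely and only the POST is gated. How `require_sudo_mode` interprets `only:` is defined in `Redmine::SudoMode`, outside this diff, so I would add a `test_destroy_wiki` alongside `test_destroy_issue` that asserts the password form appears on the POST with an expired sudo session and that `@project.wiki` still exists afterwards. The body of `destroy` continues outside the hunk.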
@@ -169,7 +169,8 @@ default: | |||
# Requires users to re-enter their password for sensitive actions (editing | |||
# of account data, project memberships, application settings, user, group, | |||
# role, auth source management and project deletion). Disabled by default. | |||
# role, auth source management, project deletion and deletion of contents | |||
# such as issues, attachments and wiki pages). Disabled by default. | |||
# Timeout is set in minutes. | |||
# | |||
#sudo_mode: true |
@@ -3,7 +3,9 @@ | |||
require File.expand_path('../../test_helper', __FILE__) | |||
class SudoModeTest < Redmine::IntegrationTest | |||
fixtures :projects, :members, :member_roles, :roles, :users, :email_addresses | |||
fixtures :projects, :members, :member_roles, :roles, :users, | |||
:email_addresses, :trackers, :projects_trackers, :enabled_modules, | |||
:issue_statuses, :issues, :enumerations | |||
def setup | |||
Redmine::SudoMode.stubs(:enabled?).returns(true) | |||
@@ -192,6 +194,24 @@ class SudoModeTest < Redmine::IntegrationTest | |||
end | |||
end | |||
def test_destroy_issue | |||
log_user 'dlopper', 'foo' | |||
expire_sudo_mode! | |||
delete '/issues/2' | |||
assert_response :success | |||
assert_select 'h2', 'Confirm your password to continue' | |||
assert_select 'form[action="/issues/2"]' | |||
assert_select '#flash_error', 0 | |||
delete '/issues/2', :params => {:sudo_password => 'wrong'} | |||
assert_response :success | |||
assert_select 'h2', 'Confirm your password to continue' | |||
assert_difference 'Issue.count', -1 do | |||
delete '/issues/2', :params => {:sudo_password => 'foo'} | |||
end | |||
end | |||
private | |||
# sudo mode is active after sign, let it expire by advancing the time |
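Review bot: `test_destroy_issue` asserts that the password form is rendered for the missing and wrong `sudo_password` attempts but never asserts that the issue survived them, so a regression that performed the delete and still rendered the form would pass this test. Wrap the two failing requests in `assert_no_difference 'Issue.count' do ... end` (keeping the existing `assert_select` checks inside the block) so the negative path is pinned as firmly as the positive one in the `assert_difference 'Issue.count', -1` block. Of the twelve controllers this commit touches, only the issues path is exercised here; at least one other resource type such as attachments or news would be worth a parallel case.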