Require to enter project's identifier to confirm project deletion (#34417).

Patch by Jens Krämer.


git-svn-id: http://svn.redmine.org/redmine/trunk@20601 e93f8b46-1217-0410-a6f0-8f06a7374b81

app/controllers/projects_controller.rb

@@ -275,7 +275,7 @@ class ProjectsController < ApplicationController
     end
 
     @project_to_destroy = @project
-    if api_request? || params[:confirm]
+    if api_request? || params[:confirm] == @project_to_destroy.identifier
       @project_to_destroy.destroy
       respond_to do |format|
         format.html do

app/views/projects/destroy.html.erb

@@ -12,9 +12,16 @@
           content_tag('strong', @project_to_destroy.descendants.collect{|p| p.to_s}.join(', '))).html_safe %>
 <% end %>
 </p>
+
 <p>
-  <label><%= check_box_tag 'confirm', 1 %> <%= l(:general_text_Yes) %></label>
+  <%= l :text_project_destroy_enter_identifier, identifier: @project_to_destroy.identifier %>
 </p>
+
+<p>
+  <label for="confirm"><%= l :field_identifier %></label>
+  <%= text_field_tag 'confirm' %>
+</p>
+
 </div>
 
 <p>

config/locales/de.yml

@@ -1371,3 +1371,4 @@ de:
   field_twofa_scheme: Two-factor authentication scheme
 
   text_user_destroy_confirmation: "Wollen Sie diesen Benutzer inklusive aller Referenzen darauf wirklich löschen? Dies kann nicht rückgängig gemacht werden. Oftmals ist es besser, einen Benutzer lediglich zu sperren. Geben Sie bitte zur Bestätigung den Login des Benutzers (%{login}) ein."
+  text_project_destroy_enter_identifier: "Zur Bestätigung bitte die Projektkennung (%{identifier}) eingeben."

config/locales/en.yml

@@ -1346,3 +1346,4 @@ en:
   twofa_backup_codes_already_shown: Backup codes cannot be shown again, please <a data-method="post" href="%{bc_path}">generate new backup codes</a> if required.
 
   text_user_destroy_confirmation: "Are you sure you want to delete this user and remove all references to them? This cannot be undone. Often, locking a user instead of deleting them is the better solution. To confirm, please enter their login (%{login}) below."
+  text_project_destroy_enter_identifier: "To confirm, please enter the project's identifier (%{identifier}) below."

test/functional/projects_controller_test.rb

@@ -1028,6 +1028,16 @@ class ProjectsControllerTest < Redmine::ControllerTest
     assert_select '.warning', :text => /Are you sure you want to delete this project/
   end
 
+  def test_destroy_leaf_project_with_wrong_confirmation_should_show_confirmation
+    @request.session[:user_id] = 1 # admin
+
+    assert_no_difference 'Project.count' do
+      delete(:destroy, :params => {:id => 2, :confirm => 'wrong'})
+      assert_response :success
+    end
+    assert_select '.warning', :text => /Are you sure you want to delete this project/
+  end
+
   def test_destroy_without_confirmation_should_show_confirmation_with_subprojects
     set_tmp_attachments_directory
     @request.session[:user_id] = 1 # admin
@@ -1051,7 +1061,7 @@ class ProjectsControllerTest < Redmine::ControllerTest
         :destroy,
         :params => {
           :id => 1,
-          :confirm => 1
+          :confirm => 'ecookbook'
         }
       )
       assert_redirected_to '/admin/projects'
@@ -1068,7 +1078,7 @@ class ProjectsControllerTest < Redmine::ControllerTest
         :destroy,
         :params => {
           :id => 2,
-          :confirm => 1
+          :confirm => 'onlinestore'
         }
       )
       assert_redirected_to '/projects'
@@ -1085,7 +1095,7 @@ class ProjectsControllerTest < Redmine::ControllerTest
         :destroy,
         :params => {
           :id => 1,
-          :confirm => 1
+          :confirm => 'ecookbook'
         }
       )
       assert_response 403