Adds a configuration setting to enable sudo mode, disabled by default (#19851).

git-svn-id: http://svn.redmine.org/redmine/trunk@14336 e93f8b46-1217-0410-a6f0-8f06a7374b81

config/configuration.yml.example

@@ -170,6 +170,13 @@ default:
   # same secret token on each machine.
   #secret_token: 'change it to a long random string'
 
+  # Requires users to re-enter their password for sensitive actions (editing
+  # of account data, project memberships, application settings, user, group,
+  # role, auth source management and project deletion).
+  # Disabled by default.
+  #
+  #sudo_mode: true
+
   # Absolute path (e.g. /usr/bin/convert, c:/im/convert.exe) to
   # the ImageMagick's `convert` binary. Used to generate attachment thumbnails.
   #imagemagick_convert_command:

lib/redmine/sudo_mode.rb

@@ -202,7 +202,7 @@ module Redmine
     end
 
     def self.possible?
-      !disabled? && User.current.logged?
+      enabled? && User.current.logged?
     end
 
     # Turn off sudo mode (never require password entry).
@@ -215,10 +215,9 @@ module Redmine
       RequestStore.store[:sudo_mode_disabled] = nil
     end
 
-    def self.disabled?
-      !!RequestStore.store[:sudo_mode_disabled]
+    def self.enabled?
+      Redmine::Configuration['sudo_mode'] && !RequestStore.store[:sudo_mode_disabled]
     end
-
   end
 end
 

test/functional/auth_sources_controller_test.rb

@@ -22,7 +22,6 @@ class AuthSourcesControllerTest < ActionController::TestCase
 
   def setup
     @request.session[:user_id] = 1
-    Redmine::SudoMode.disable!
   end
 
   def test_index

test/functional/email_addresses_controller_test.rb

@@ -22,7 +22,6 @@ class EmailAddressesControllerTest < ActionController::TestCase
 
   def setup
     User.current = nil
-    Redmine::SudoMode.disable!
   end
 
   def test_index_with_no_additional_emails

test/functional/groups_controller_test.rb

@@ -22,7 +22,6 @@ class GroupsControllerTest < ActionController::TestCase
 
   def setup
     @request.session[:user_id] = 1
-    Redmine::SudoMode.disable!
   end
 
   def test_index

test/functional/members_controller_test.rb

@@ -23,7 +23,6 @@ class MembersControllerTest < ActionController::TestCase
   def setup
     User.current = nil
     @request.session[:user_id] = 2
-    Redmine::SudoMode.disable!
   end
 
   def test_new

test/functional/my_controller_test.rb

@@ -23,7 +23,6 @@ class MyControllerTest < ActionController::TestCase
 
   def setup
     @request.session[:user_id] = 2
-    Redmine::SudoMode.disable!
   end
 
   def test_index

test/functional/projects_controller_test.rb

@@ -28,7 +28,6 @@ class ProjectsControllerTest < ActionController::TestCase
   def setup
     @request.session[:user_id] = nil
     Setting.default_language = 'en'
-    Redmine::SudoMode.disable!
   end
 
   def test_index_by_anonymous_should_not_show_private_projects

test/functional/roles_controller_test.rb

@@ -23,7 +23,6 @@ class RolesControllerTest < ActionController::TestCase
   def setup
     User.current = nil
     @request.session[:user_id] = 1 # admin
-    Redmine::SudoMode.disable!
   end
 
   def test_index

test/functional/settings_controller_test.rb

@@ -24,7 +24,6 @@ class SettingsControllerTest < ActionController::TestCase
   def setup
     User.current = nil
     @request.session[:user_id] = 1 # admin
-    Redmine::SudoMode.disable!
   end
 
   def test_index

test/functional/users_controller_test.rb

@@ -30,7 +30,6 @@ class UsersControllerTest < ActionController::TestCase
   def setup
     User.current = nil
     @request.session[:user_id] = 1 # admin
-    Redmine::SudoMode.disable!
   end
 
   def test_index

test/integration/admin_test.rb

@@ -26,14 +26,6 @@ class AdminTest < Redmine::IntegrationTest
            :members,
            :enabled_modules
 
-  def setup
-    Redmine::SudoMode.enable!
-  end
-
-  def teardown
-    Redmine::SudoMode.disable!
-  end
-
   def test_add_user
     log_user("admin", "admin")
     get "/users/new"
@@ -44,15 +36,6 @@ class AdminTest < Redmine::IntegrationTest
                     :lastname => "Smith", :mail => "psmith@somenet.foo",
                     :language => "en", :password => "psmith09",
                     :password_confirmation => "psmith09" }
-    assert_response :success
-    assert_nil User.find_by_login("psmith")
-
-    post "/users",
-         :user => { :login => "psmith", :firstname => "Paul",
-                    :lastname => "Smith", :mail => "psmith@somenet.foo",
-                    :language => "en", :password => "psmith09",
-                    :password_confirmation => "psmith09" },
-         :sudo_password => 'admin'
 
     user = User.find_by_login("psmith")
     assert_kind_of User, user

test/integration/sudo_test.rb

@@ -4,11 +4,31 @@ class SudoTest < Redmine::IntegrationTest
   fixtures :projects, :members, :member_roles, :roles, :users
 
   def setup
-    Redmine::SudoMode.enable!
+    Redmine::SudoMode.stubs(:enabled?).returns(true)
   end
 
-  def teardown
-    Redmine::SudoMode.disable!
+  def test_add_user
+    log_user("admin", "admin")
+    get "/users/new"
+    assert_response :success
+    post "/users",
+         :user => { :login => "psmith", :firstname => "Paul",
+                    :lastname => "Smith", :mail => "psmith@somenet.foo",
+                    :language => "en", :password => "psmith09",
+                    :password_confirmation => "psmith09" }
+    assert_response :success
+    assert_nil User.find_by_login("psmith")
+
+    post "/users",
+         :user => { :login => "psmith", :firstname => "Paul",
+                    :lastname => "Smith", :mail => "psmith@somenet.foo",
+                    :language => "en", :password => "psmith09",
+                    :password_confirmation => "psmith09" },
+         :sudo_password => 'admin'
+    assert_response 302
+
+    user = User.find_by_login("psmith")
+    assert_kind_of User, user
   end
 
   def test_create_member_xhr

test/test_helper.rb

@@ -33,6 +33,8 @@ include ObjectHelpers
 require 'net/ldap'
 require 'mocha/setup'
 
+Redmine::SudoMode.disable!
+
 class ActionView::TestCase
   helper :application
   include ApplicationHelper