Require password re-entry for sensitive actions (#19851).

Patch by Jens Krämer.

git-svn-id: http://svn.redmine.org/redmine/trunk@14333 e93f8b46-1217-0410-a6f0-8f06a7374b81

10 files changed, 22 insertions, 0 deletions

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index e1bc6a97f..5949f47b6 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -59,6 +59,8 @@ class ApplicationController < ActionController::Base
   include Redmine::MenuManager::MenuController
   helper Redmine::MenuManager::MenuHelper
 
+  include Redmine::SudoMode::Controller
+
   def session_expiration
     if session[:user_id]
       if session_expired? && !try_to_autologin
diff --git a/app/controllers/auth_sources_controller.rb b/app/controllers/auth_sources_controller.rb
index d50a097cc..c8af474a8 100644
--- a/app/controllers/auth_sources_controller.rb
+++ b/app/controllers/auth_sources_controller.rb
@@ -21,6 +21,7 @@ class AuthSourcesController < ApplicationController
 
   before_filter :require_admin
   before_filter :find_auth_source, :only => [:edit, :update, :test_connection, :destroy]
+  require_sudo_mode :update, :destroy
 
   def index
     @auth_source_pages, @auth_sources = paginate AuthSource, :per_page => 25
diff --git a/app/controllers/email_addresses_controller.rb b/app/controllers/email_addresses_controller.rb
index 373be00a0..1c1b39d3a 100644
--- a/app/controllers/email_addresses_controller.rb
+++ b/app/controllers/email_addresses_controller.rb
@@ -18,6 +18,7 @@
 class EmailAddressesController < ApplicationController
   before_filter :find_user, :require_admin_or_current_user
   before_filter :find_email_address, :only => [:update, :destroy]
+  require_sudo_mode :create, :update, :destroy
 
   def index
     @addresses = @user.email_addresses.order(:id).where(:is_default => false).to_a
diff --git a/app/controllers/groups_controller.rb b/app/controllers/groups_controller.rb
index a85b88b3b..825e8b857 100644
--- a/app/controllers/groups_controller.rb
+++ b/app/controllers/groups_controller.rb
@@ -22,6 +22,8 @@ class GroupsController < ApplicationController
   before_filter :find_group, :except => [:index, :new, :create]
   accept_api_auth :index, :show, :create, :update, :destroy, :add_users, :remove_user
 
+  require_sudo_mode :add_users, :remove_user, :create, :update, :destroy, :edit_membership, :destroy_membership
+
   helper :custom_fields
   helper :principal_memberships
 
diff --git a/app/controllers/members_controller.rb b/app/controllers/members_controller.rb
index 0f1f53f8e..dbf7a5bec 100644
--- a/app/controllers/members_controller.rb
+++ b/app/controllers/members_controller.rb
@@ -23,6 +23,8 @@ class MembersController < ApplicationController
   before_filter :authorize
   accept_api_auth :index, :show, :create, :update, :destroy
 
+  require_sudo_mode :create, :update, :destroy
+
   def index
     scope = @project.memberships.active
     @offset, @limit = api_offset_and_limit
diff --git a/app/controllers/my_controller.rb b/app/controllers/my_controller.rb
index 982541db1..1f744a936 100644
--- a/app/controllers/my_controller.rb
+++ b/app/controllers/my_controller.rb
@@ -20,6 +20,9 @@ class MyController < ApplicationController
   # let user change user's password when user has to
   skip_before_filter :check_password_change, :only => :password
 
+  require_sudo_mode :account, only: :post
+  require_sudo_mode :reset_rss_key, :reset_api_key, :show_api_key, :destroy
+
   helper :issues
   helper :users
   helper :custom_fields
@@ -123,6 +126,10 @@ class MyController < ApplicationController
     redirect_to my_account_path
   end
 
+  def show_api_key
+    @user = User.current
+  end
+
   # Create a new API key
   def reset_api_key
     if request.post?
diff --git a/app/controllers/projects_controller.rb b/app/controllers/projects_controller.rb
index 71007f383..60af3719d 100644
--- a/app/controllers/projects_controller.rb
+++ b/app/controllers/projects_controller.rb
@@ -25,6 +25,7 @@ class ProjectsController < ApplicationController
   before_filter :require_admin, :only => [ :copy, :archive, :unarchive, :destroy ]
   accept_rss_auth :index
   accept_api_auth :index, :show, :create, :update, :destroy
+  require_sudo_mode :destroy
 
   after_filter :only => [:create, :edit, :update, :archive, :unarchive, :destroy] do |controller|
     if controller.request.post?
diff --git a/app/controllers/roles_controller.rb b/app/controllers/roles_controller.rb
index bef24829b..33229cbe0 100644
--- a/app/controllers/roles_controller.rb
+++ b/app/controllers/roles_controller.rb
@@ -23,6 +23,8 @@ class RolesController < ApplicationController
   before_filter :find_role, :only => [:show, :edit, :update, :destroy]
   accept_api_auth :index, :show
 
+  require_sudo_mode :create, :update, :destroy
+
   def index
     respond_to do |format|
       format.html {
diff --git a/app/controllers/settings_controller.rb b/app/controllers/settings_controller.rb
index 9b36d7bf7..5ca5d1dab 100644
--- a/app/controllers/settings_controller.rb
+++ b/app/controllers/settings_controller.rb
@@ -23,6 +23,8 @@ class SettingsController < ApplicationController
 
   before_filter :require_admin
 
+  require_sudo_mode :index, :edit, :plugin
+
   def index
     edit
     render :action => 'edit'
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index f52c44a97..9ce80111a 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -28,6 +28,8 @@ class UsersController < ApplicationController
   include CustomFieldsHelper
   helper :principal_memberships
 
+  require_sudo_mode :create, :update, :destroy
+
   def index
     sort_init 'login', 'asc'
     sort_update %w(login firstname lastname admin created_on last_login_on)