Require explicit confirmation before deleting a user (#34417).

Patch by Jens Krämer.


git-svn-id: http://svn.redmine.org/redmine/trunk@20600 e93f8b46-1217-0410-a6f0-8f06a7374b81

2 files changed, 21 insertions, 1 deletions

diff --git a/app/views/users/destroy.html.erb b/app/views/users/destroy.html.erb
new file mode 100644
index 000000000..6478519b1
--- /dev/null
+++ b/app/views/users/destroy.html.erb
@@ -0,0 +1,20 @@
+<%= title l(:label_confirmation) %>
+
+<%= form_tag user_path(@user), method: :delete do %>
+<div class="warning">
+  <p><strong><%= @user.name %> (<%= @user.login %>)</strong></p>
+
+  <p><%= l :text_user_destroy_confirmation, login: @user.login %></p>
+
+  <p>
+    <label for="confirm"><%= l :field_login %></label>
+    <%= text_field_tag 'confirm' %>
+  </p>
+</div>
+
+<p>
+  <%= submit_tag l(:button_delete) %>
+  <%= submit_tag l(:button_lock), name: 'lock' unless @user.locked? %>
+  <%= link_to l(:button_cancel), users_path %>
+</p>
+<% end %>
diff --git a/app/views/users/index.html.erb b/app/views/users/index.html.erb
index b92df96f1..7987d3b99 100644
--- a/app/views/users/index.html.erb
+++ b/app/views/users/index.html.erb
@@ -53,7 +53,7 @@
   <td class="last_login_on"><%= format_time(user.last_login_on) unless user.last_login_on.nil? %></td>
     <td class="buttons">
       <%= change_status_link(user) %>
-      <%= delete_link user_path(user, :back_url => request.original_fullpath) unless User.current == user %>
+      <%= delete_link user_path(user, :back_url => request.original_fullpath), :data => {} unless User.current == user %>
     </td>
   </tr>
 <% end -%>