authorGo MAEDA <maeda@farend.jp>2020-03-10 03:26:23 +0000
committerGo MAEDA <maeda@farend.jp>2020-03-10 03:26:23 +0000
commit463e8163fc7edfea8319d7635866cc1f8d68b6ad (patch)
tree0711dc718dfba7b4a7a46ea97cd71173ca6e9bf1 /app
parent852290edb01a5193d0d638007bfd48ef5b8a5c14 (diff)
downloadredmine-463e8163fc7edfea8319d7635866cc1f8d68b6ad.tar.gz
redmine-463e8163fc7edfea8319d7635866cc1f8d68b6ad.zip
Require sudo mode for actions to delete contents (#33071).
Patch by Go MAEDA. git-svn-id: http://svn.redmine.org/redmine/trunk@19569 e93f8b46-1217-0410-a6f0-8f06a7374b81
Diffstat (limited to 'app')
-rw-r--r--app/controllers/attachments_controller.rb2
-rw-r--r--app/controllers/boards_controller.rb2
-rw-r--r--app/controllers/comments_controller.rb2
-rw-r--r--app/controllers/documents_controller.rb2
-rw-r--r--app/controllers/issues_controller.rb2
-rw-r--r--app/controllers/messages_controller.rb2
-rw-r--r--app/controllers/news_controller.rb2
-rw-r--r--app/controllers/repositories_controller.rb2
-rw-r--r--app/controllers/timelog_controller.rb2
-rw-r--r--app/controllers/versions_controller.rb2
-rw-r--r--app/controllers/wiki_controller.rb2
-rw-r--r--app/controllers/wikis_controller.rb2
12 files changed, 24 insertions, 0 deletions
diff --git a/app/controllers/attachments_controller.rb b/app/controllers/attachments_controller.rb
index db90b55da..62b5b58be 100644
--- a/app/controllers/attachments_controller.rb
+++ b/app/controllers/attachments_controller.rb
@@ -25,6 +25,8 @@ class AttachmentsController < ApplicationController
before_action :delete_authorize, :only => :destroy
before_action :authorize_global, :only => :upload
+ require_sudo_mode :destroy
+
# Disable check for same origin requests for JS files, i.e. attachments with
# MIME type text/javascript.
skip_after_action :verify_same_origin_request, :only => :download
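Review bot: The new `require_sudo_mode :destroy` line has no comment, and its position after `before_action :delete_authorize, :only => :destroy` is what makes it safe: callbacks run in declaration order, so (assuming `require_sudo_mode` registers a `before_action`, which is not visible in this hunk) the sudo password form is only rendered to users who have already passed the delete authorization check. A one-line comment such as `# Re-authenticate before destroying; declared after the authorization filters so the sudo form is only shown to users already allowed to delete` would make that ordering dependency explicit. The same ordering holds in the boards, comments, documents and repositories hunks, where the new filter follows `:authorize`.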
diff --git a/app/controllers/boards_controller.rb b/app/controllers/boards_controller.rb
index 86eb3d278..7b3931619 100644
--- a/app/controllers/boards_controller.rb
+++ b/app/controllers/boards_controller.rb
@@ -22,6 +22,8 @@ class BoardsController < ApplicationController
before_action :find_project_by_project_id, :find_board_if_available, :authorize
accept_rss_auth :index, :show
+ require_sudo_mode :destroy
+
helper :sort
include SortHelper
helper :watchers
diff --git a/app/controllers/comments_controller.rb b/app/controllers/comments_controller.rb
index f0b9a9271..748cb1187 100644
--- a/app/controllers/comments_controller.rb
+++ b/app/controllers/comments_controller.rb
@@ -24,6 +24,8 @@ class CommentsController < ApplicationController
before_action :find_project_from_association
before_action :authorize
+ require_sudo_mode :destroy
+
def create
raise Unauthorized unless @news.commentable?
diff --git a/app/controllers/documents_controller.rb b/app/controllers/documents_controller.rb
index b9e2633cc..235a6e5f0 100644
--- a/app/controllers/documents_controller.rb
+++ b/app/controllers/documents_controller.rb
@@ -25,6 +25,8 @@ class DocumentsController < ApplicationController
before_action :find_project_from_association, :except => [:index, :new, :create]
before_action :authorize
+ require_sudo_mode :destroy
+
helper :attachments
helper :custom_fields
diff --git a/app/controllers/issues_controller.rb b/app/controllers/issues_controller.rb
index 0d1acc95b..83dee63e5 100644
--- a/app/controllers/issues_controller.rb
+++ b/app/controllers/issues_controller.rb
@@ -28,6 +28,8 @@ class IssuesController < ApplicationController
accept_rss_auth :index, :show
accept_api_auth :index, :show, :create, :update, :destroy
+ require_sudo_mode :destroy
+
rescue_from Query::StatementInvalid, :with => :query_statement_invalid
helper :journals
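Review bot: `accept_api_auth :index, :show, :create, :update, :destroy` on the line directly above the new filter means DELETE on an issue is also reachable by API clients that authenticate with a key or basic auth and carry no browser session in which a sudo timestamp could live; whether `require_sudo_mode` exempts such requests is not visible in this hunk. If it does not, API deletes would be answered with the sudo form instead of succeeding; if it does, the added protection does not cover deletion through a compromised API key, and either way the behaviour deserves a comment on the new line, e.g. `# Sudo re-authentication applies to browser sessions; confirm how API requests are treated`. The news, timelog, versions and wiki hunks pair `require_sudo_mode :destroy` with the same `accept_api_auth ... :destroy` line and need the same answer.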
diff --git a/app/controllers/messages_controller.rb b/app/controllers/messages_controller.rb
index 69af02066..e36c05a95 100644
--- a/app/controllers/messages_controller.rb
+++ b/app/controllers/messages_controller.rb
@@ -25,6 +25,8 @@ class MessagesController < ApplicationController
before_action :find_message, :except => [:new, :preview]
before_action :authorize, :except => [:preview, :edit, :destroy]
+ require_sudo_mode :destroy
+
helper :boards
helper :watchers
helper :attachments
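Review bot: `before_action :authorize, :except => [:preview, :edit, :destroy]` leaves `destroy` out of the project-permission filter, so the sudo gate added two lines above is the only filter-level guard on that action. Sudo mode re-authenticates the current user; it does not decide whether that user may delete the message, so the permission check presumably performed inside `destroy` (outside this hunk) must remain, and the new line should say so, e.g. `# destroy is excluded from :authorize above; its permission check lives in the action`.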
diff --git a/app/controllers/news_controller.rb b/app/controllers/news_controller.rb
index 511f10ddb..deecca692 100644
--- a/app/controllers/news_controller.rb
+++ b/app/controllers/news_controller.rb
@@ -28,6 +28,8 @@ class NewsController < ApplicationController
accept_rss_auth :index
accept_api_auth :index, :show, :create, :update, :destroy
+ require_sudo_mode :destroy
+
helper :watchers
helper :attachments
diff --git a/app/controllers/repositories_controller.rb b/app/controllers/repositories_controller.rb
index 0da256953..81fe6c5a7 100644
--- a/app/controllers/repositories_controller.rb
+++ b/app/controllers/repositories_controller.rb
@@ -36,6 +36,8 @@ class RepositoriesController < ApplicationController
before_action :authorize
accept_rss_auth :revisions
+ require_sudo_mode :destroy
+
rescue_from Redmine::Scm::Adapters::CommandFailed, :with => :show_error_command_failed
def new
diff --git a/app/controllers/timelog_controller.rb b/app/controllers/timelog_controller.rb
index d304fe3b2..709c9aa94 100644
--- a/app/controllers/timelog_controller.rb
+++ b/app/controllers/timelog_controller.rb
@@ -33,6 +33,8 @@ class TimelogController < ApplicationController
accept_rss_auth :index
accept_api_auth :index, :show, :create, :update, :destroy
+ require_sudo_mode :destroy
+
rescue_from Query::StatementInvalid, :with => :query_statement_invalid
helper :issues
diff --git a/app/controllers/versions_controller.rb b/app/controllers/versions_controller.rb
index 16dd35c99..7554014f6 100644
--- a/app/controllers/versions_controller.rb
+++ b/app/controllers/versions_controller.rb
@@ -27,6 +27,8 @@ class VersionsController < ApplicationController
accept_api_auth :index, :show, :create, :update, :destroy
+ require_sudo_mode :destroy
+
helper :custom_fields
helper :projects
diff --git a/app/controllers/wiki_controller.rb b/app/controllers/wiki_controller.rb
index 527f0b821..a40563790 100644
--- a/app/controllers/wiki_controller.rb
+++ b/app/controllers/wiki_controller.rb
@@ -39,6 +39,8 @@ class WikiController < ApplicationController
before_action :find_attachments, :only => [:preview]
accept_api_auth :index, :show, :update, :destroy
+ require_sudo_mode :destroy, :destroy_version
+
helper :attachments
include AttachmentsHelper
helper :watchers
diff --git a/app/controllers/wikis_controller.rb b/app/controllers/wikis_controller.rb
index edca739c6..fd52a09b1 100644
--- a/app/controllers/wikis_controller.rb
+++ b/app/controllers/wikis_controller.rb
@@ -21,6 +21,8 @@ class WikisController < ApplicationController
menu_item :settings
before_action :find_project, :authorize
+ require_sudo_mode :destroy, only: :post
+
# Delete a project's wiki
def destroy
if request.post? && params[:confirm] && @project.wiki
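Review bot: The new line uses the `only: :post` hash style while the surrounding filter declarations in this file and in the other eleven controllers use hash rockets (`:only => :destroy`, `:except => [...]`); for consistency write `require_sudo_mode :destroy, :only => :post`. The restriction to POST matches the `request.post? && params[:confirm]` branch visible at the start of `destroy`, so the GET confirmation page presumably stays reachable without re-authentication, which is the intended flow; `destroy` continues past the end of the hunk.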