author | Jean-Philippe Lang <jp_lang@yahoo.fr> | 2016-03-20 07:09:20 +0000 |
---|---|---|
committer | Jean-Philippe Lang <jp_lang@yahoo.fr> | 2016-03-20 07:09:20 +0000 |
commit | 4aef2735c878bf625527fea04dfefd16f714e896 (patch) | |
tree | 0be37503fc9d9cbcd5c4081a39c8f2e7834840b1 /test | |
parent | e1aa18b33388901d47476df4a68a1d25f27a9658 (diff) | |
download | redmine-4aef2735c878bf625527fea04dfefd16f714e896.tar.gz redmine-4aef2735c878bf625527fea04dfefd16f714e896.zip |
Send a security notification when users gain or lose admin (#21421).
Patch by Jan Schulz-Hofen.
git-svn-id: http://svn.redmine.org/redmine/trunk@15265 e93f8b46-1217-0410-a6f0-8f06a7374b81
Diffstat (limited to 'test')
-rw-r--r-- | test/functional/users_controller_test.rb | 144 |
1 files changed, 144 insertions, 0 deletions
diff --git a/test/functional/users_controller_test.rb b/test/functional/users_controller_test.rb
index 86c92e937..7c22dedf2 100644
--- a/test/functional/users_controller_test.rb
+++ b/test/functional/users_controller_test.rb
@@ -280,6 +280,48 @@ class UsersControllerTest < ActionController::TestCase
 assert_select 'input#pref_no_self_notified[value="1"][checked=checked]'
 end

+ def test_create_admin_should_send_security_notification
+ ActionMailer::Base.deliveries.clear
+ post :create,
+ :user => {
+ :firstname => 'Edgar',
+ :lastname => 'Schmoe',
+ :login => 'eschmoe',
+ :password => 'secret123',
+ :password_confirmation => 'secret123',
+ :mail => 'eschmoe@example.foo',
+ :admin => '1'
+ }
+
+ assert_not_nil (mail = ActionMailer::Base.deliveries.last)
+ assert_mail_body_match '0.0.0.0', mail
+ assert_mail_body_match I18n.t(:mail_body_security_notification_add, field: I18n.t(:field_admin), value: 'eschmoe'), mail
+ assert_select_email do
+ assert_select 'a[href^=?]', 'http://localhost:3000/users', :text => 'Users'
+ end
+
+ # All admins should receive this
+ User.where(admin: true, status: Principal::STATUS_ACTIVE).each do |admin|
+ assert_not_nil ActionMailer::Base.deliveries.detect{|mail| [mail.bcc, mail.cc].flatten.include?(admin.mail) }
+ end
+ end
+
+ def test_create_non_admin_should_not_send_security_notification
+ ActionMailer::Base.deliveries.clear
+ post :create,
+ :user => {
+ :firstname => 'Edgar',
+ :lastname => 'Schmoe',
+ :login => 'eschmoe',
+ :password => 'secret123',
+ :password_confirmation => 'secret123',
+ :mail => 'eschmoe@example.foo',
+ :admin => '0'
+ }
+ assert_nil ActionMailer::Base.deliveries.last
+ end
+
+
 def test_edit
 get :edit, :id => 2
 assert_response :success
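Review bot: In test_create_admin_should_send_security_notification the `detect{|mail| ...}` block parameter shadows the `mail` local assigned a few lines earlier by `assert_not_nil (mail = ...)`, which only works because the body assertions have already run; the same pattern recurs in every notification test of the next two hunks. Rename the block parameter, e.g. `detect { |m| [m.bcc, m.cc].flatten.include?(admin.mail) }`, and assign before asserting (`mail = ActionMailer::Base.deliveries.last` then `assert_not_nil mail`) instead of nesting an assignment inside the assertion's parenthesised argument. The recipient loop is copied verbatim five times across the three hunks; a small private helper such as `assert_all_active_admins_notified` wrapping the `User.where(admin: true, status: Principal::STATUS_ACTIVE)` loop would keep the recipient rule in one place. The tests also only check that active admins are reached; if the intent is that locked admins are excluded, a matching negative assertion that non-active admins' addresses are absent from `bcc`/`cc` would pin that down.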
@@ -426,6 +468,92 @@ class UsersControllerTest < ActionController::TestCase
 assert_equal '1', user.pref[:no_self_notified]
 end

+ def test_update_assign_admin_should_send_security_notification
+ ActionMailer::Base.deliveries.clear
+ put :update, :id => 2, :user => {
+ :admin => 1
+ }
+
+ assert_not_nil (mail = ActionMailer::Base.deliveries.last)
+ assert_mail_body_match I18n.t(:mail_body_security_notification_add, field: I18n.t(:field_admin), value: User.find(2).login), mail
+
+ # All admins should receive this
+ User.where(admin: true, status: Principal::STATUS_ACTIVE).each do |admin|
+ assert_not_nil ActionMailer::Base.deliveries.detect{|mail| [mail.bcc, mail.cc].flatten.include?(admin.mail) }
+ end
+ end
+
+ def test_update_unassign_admin_should_send_security_notification
+ user = User.find(2)
+ user.admin = true
+ user.save!
+
+ ActionMailer::Base.deliveries.clear
+ put :update, :id => user.id, :user => {
+ :admin => 0
+ }
+
+ assert_not_nil (mail = ActionMailer::Base.deliveries.last)
+ assert_mail_body_match I18n.t(:mail_body_security_notification_remove, field: I18n.t(:field_admin), value: user.login), mail
+
+ # All admins should receive this
+ User.where(admin: true, status: Principal::STATUS_ACTIVE).each do |admin|
+ assert_not_nil ActionMailer::Base.deliveries.detect{|mail| [mail.bcc, mail.cc].flatten.include?(admin.mail) }
+ end
+ end
+
+ def test_update_lock_admin_should_send_security_notification
+ user = User.find(2)
+ user.admin = true
+ user.save!
+
+ ActionMailer::Base.deliveries.clear
+ put :update, :id => 2, :user => {
+ :status => Principal::STATUS_LOCKED
+ }
+
+ assert_not_nil (mail = ActionMailer::Base.deliveries.last)
+ assert_mail_body_match I18n.t(:mail_body_security_notification_remove, field: I18n.t(:field_admin), value: User.find(2).login), mail
+
+ # All admins should receive this
+ User.where(admin: true, status: Principal::STATUS_ACTIVE).each do |admin|
+ assert_not_nil ActionMailer::Base.deliveries.detect{|mail| [mail.bcc, mail.cc].flatten.include?(admin.mail) }
+ end
+
+ # if user is already locked, destroying should not send a second mail
+ # (for active admins see furtherbelow)
+ ActionMailer::Base.deliveries.clear
+ delete :destroy, :id => 1
+ assert_nil ActionMailer::Base.deliveries.last
+
+ end
+
+ def test_update_unlock_admin_should_send_security_notification
+ user = User.find(5) # already locked
+ user.admin = true
+ user.save!
+ ActionMailer::Base.deliveries.clear
+ put :update, :id => user.id, :user => {
+ :status => Principal::STATUS_ACTIVE
+ }
+
+ assert_not_nil (mail = ActionMailer::Base.deliveries.last)
+ assert_mail_body_match I18n.t(:mail_body_security_notification_add, field: I18n.t(:field_admin), value: user.login), mail
+
+ # All admins should receive this
+ User.where(admin: true, status: Principal::STATUS_ACTIVE).each do |admin|
+ assert_not_nil ActionMailer::Base.deliveries.detect{|mail| [mail.bcc, mail.cc].flatten.include?(admin.mail) }
+ end
+ end
+
+ def test_update_admin_unrelated_property_should_not_send_security_notification
+ ActionMailer::Base.deliveries.clear
+ put :update, :id => 1, :user => {
+ :firstname => 'Jimmy'
+ }
+ assert_nil ActionMailer::Base.deliveries.last
+ end
+
 def test_destroy
 assert_difference 'User.count', -1 do
 delete :destroy, :id => 2
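Review bot: In test_update_lock_admin_should_send_security_notification the follow-up `delete :destroy, :id => 1` does not exercise the case the preceding comment describes: the user locked earlier in the test is 2 (`put :update, :id => 2` with `:status => Principal::STATUS_LOCKED`), while user 1 is untouched, so `assert_nil ActionMailer::Base.deliveries.last` passes for reasons unrelated to the lock. Change it to `delete :destroy, :id => user.id` so the "already locked, no second mail" assertion is meaningful; if user 1 is also the session user of this test case, the destroy may be a no-op for that reason alone, which would make the assertion vacuous. The comment's "furtherbelow" should read "further below", and the stray blank line before that method's `end` can go. test_update_unlock_admin relies on user 5 being locked in the fixtures; an `assert_equal Principal::STATUS_LOCKED, user.status` before the update would protect the test from a fixture change turning it into a no-op.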
@@ -449,4 +577,20 @@ class UsersControllerTest < ActionController::TestCase
 end
 assert_redirected_to '/users?name=foo'
 end
+
+ def test_destroy_active_admin_should_send_security_notification
+ user = User.find(2)
+ user.admin = true
+ user.save!
+ ActionMailer::Base.deliveries.clear
+ delete :destroy, :id => user.id
+
+ assert_not_nil (mail = ActionMailer::Base.deliveries.last)
+ assert_mail_body_match I18n.t(:mail_body_security_notification_remove, field: I18n.t(:field_admin), value: user.login), mail
+
+ # All admins should receive this
+ User.where(admin: true, status: Principal::STATUS_ACTIVE).each do |admin|
+ assert_not_nil ActionMailer::Base.deliveries.detect{|mail| [mail.bcc, mail.cc].flatten.include?(admin.mail) }
+ end
+ end
 end
|
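Review bot: test_destroy_active_admin_should_send_security_notification checks that every remaining active admin is among the recipients but says nothing about the address of the admin that was just removed; because the recipient loop runs after the destroy, user 2 is no longer matched by `User.where(admin: true, status: Principal::STATUS_ACTIVE)` and is never checked either way. If the notification is meant to reach only the admins still in place, add `assert_nil ActionMailer::Base.deliveries.detect { |m| [m.bcc, m.cc].flatten.include?(user.mail) }` after the loop; if the removed admin is meant to be informed, assert the opposite, so the recipient set is pinned rather than left to chance. This test also repeats the recipient loop and the `mail`-shadowing block parameter of the earlier hunks, so it would benefit from the same shared helper.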