authorJean-Philippe Lang <jp_lang@yahoo.fr>2015-06-19 18:41:10 +0000
committerJean-Philippe Lang <jp_lang@yahoo.fr>2015-06-19 18:41:10 +0000
commitd6f389658b9e83d7a5d74c57fc46a203a5a88591 (patch)
tree534fd5f3520833e1c1c2bb2105971ce86008b991 /test
parent3811ff5d95bd848f457c9d29a162ce83f12fe3ac (diff)
Require password re-entry for sensitive actions (#19851).
Patch by Jens Krämer. git-svn-id: http://svn.redmine.org/redmine/trunk@14333 e93f8b46-1217-0410-a6f0-8f06a7374b81
Diffstat (limited to 'test')
-rw-r--r--test/functional/auth_sources_controller_test.rb1
-rw-r--r--test/functional/email_addresses_controller_test.rb1
-rw-r--r--test/functional/groups_controller_test.rb1
-rw-r--r--test/functional/members_controller_test.rb1
-rw-r--r--test/functional/my_controller_test.rb7
-rw-r--r--test/functional/projects_controller_test.rb1
-rw-r--r--test/functional/roles_controller_test.rb1
-rw-r--r--test/functional/settings_controller_test.rb1
-rw-r--r--test/functional/users_controller_test.rb1
-rw-r--r--test/integration/admin_test.rb17
-rw-r--r--test/integration/sudo_test.rb126
11 files changed, 158 insertions, 0 deletions
diff --git a/test/functional/auth_sources_controller_test.rb b/test/functional/auth_sources_controller_test.rb
index 7e15ee8a3..580624ec0 100644
--- a/test/functional/auth_sources_controller_test.rb
+++ b/test/functional/auth_sources_controller_test.rb
@@ -22,6 +22,7 @@ class AuthSourcesControllerTest < ActionController::TestCase
def setup
@request.session[:user_id] = 1
+ Redmine::SudoMode.disable!
end
def test_index
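Review bot: The `Redmine::SudoMode.disable!` added to `setup` has no counterpart restoring the previous state in `teardown`, unlike admin_test.rb and sudo_test.rb in this same commit, which pair `enable!` in setup with `disable!` in teardown; if the switch is process-global (its implementation is not visible here), these suites silently depend on "disabled" being the default for every other test that runs after them. More importantly, switching it off means none of these controller tests assert which of their actions are sudo-protected, so the enforcement for auth sources, groups, members, roles, settings, users, projects and email addresses is covered only indirectly by test/integration/sudo_test.rb. I would at least record that on the added line: `Redmine::SudoMode.disable! # sudo enforcement is covered by test/integration/sudo_test.rb`. The same line is added in the same way in the setup hunks of email_addresses_controller_test.rb, groups_controller_test.rb, members_controller_test.rb, my_controller_test.rb, projects_controller_test.rb, roles_controller_test.rb, settings_controller_test.rb and users_controller_test.rb; this note applies to all of them.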
diff --git a/test/functional/email_addresses_controller_test.rb b/test/functional/email_addresses_controller_test.rb
index 7c52d9c1d..88bad24e7 100644
--- a/test/functional/email_addresses_controller_test.rb
+++ b/test/functional/email_addresses_controller_test.rb
@@ -22,6 +22,7 @@ class EmailAddressesControllerTest < ActionController::TestCase
def setup
User.current = nil
+ Redmine::SudoMode.disable!
end
def test_index_with_no_additional_emails
diff --git a/test/functional/groups_controller_test.rb b/test/functional/groups_controller_test.rb
index 7bce2af56..c928e24a3 100644
--- a/test/functional/groups_controller_test.rb
+++ b/test/functional/groups_controller_test.rb
@@ -22,6 +22,7 @@ class GroupsControllerTest < ActionController::TestCase
def setup
@request.session[:user_id] = 1
+ Redmine::SudoMode.disable!
end
def test_index
diff --git a/test/functional/members_controller_test.rb b/test/functional/members_controller_test.rb
index 5bad28745..197158c35 100644
--- a/test/functional/members_controller_test.rb
+++ b/test/functional/members_controller_test.rb
@@ -23,6 +23,7 @@ class MembersControllerTest < ActionController::TestCase
def setup
User.current = nil
@request.session[:user_id] = 2
+ Redmine::SudoMode.disable!
end
def test_new
diff --git a/test/functional/my_controller_test.rb b/test/functional/my_controller_test.rb
index 65190e611..c2eee6e73 100644
--- a/test/functional/my_controller_test.rb
+++ b/test/functional/my_controller_test.rb
@@ -23,6 +23,7 @@ class MyControllerTest < ActionController::TestCase
def setup
@request.session[:user_id] = 2
+ Redmine::SudoMode.disable!
end
def test_index
@@ -253,6 +254,12 @@ class MyControllerTest < ActionController::TestCase
assert_redirected_to '/my/account'
end
+ def test_show_api_key
+ get :show_api_key
+ assert_response :success
+ assert_select 'pre', User.find(2).api_key
+ end
+
def test_reset_api_key_with_existing_key
@previous_token_value = User.find(2).api_key # Will generate one if it's missing
post :reset_api_key
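Review bot: `test_show_api_key` evaluates `User.find(2).api_key` only after the `get`, and the comment on the existing `test_reset_api_key_with_existing_key` just below says `api_key` generates a token when one is missing; if fixture user 2 has no token, the page would render an empty `pre` and the assertion would compare it against a key created by the assertion itself, which is a weaker test than it looks. Reading the key first pins the expectation: `key = User.find(2).api_key`, then `get :show_api_key`, then `assert_select 'pre', key`. Since `setup` disables sudo mode for this suite, this test also does not check that viewing the API key is one of the actions requiring password re-entry, which the commit message describes as the purpose of the change; a one-line comment stating where that is (or is not) covered would help the next reader.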
diff --git a/test/functional/projects_controller_test.rb b/test/functional/projects_controller_test.rb
index 2efb98ccd..1bfa20040 100644
--- a/test/functional/projects_controller_test.rb
+++ b/test/functional/projects_controller_test.rb
@@ -28,6 +28,7 @@ class ProjectsControllerTest < ActionController::TestCase
def setup
@request.session[:user_id] = nil
Setting.default_language = 'en'
+ Redmine::SudoMode.disable!
end
def test_index_by_anonymous_should_not_show_private_projects
diff --git a/test/functional/roles_controller_test.rb b/test/functional/roles_controller_test.rb
index b5c80f2e9..21073f832 100644
--- a/test/functional/roles_controller_test.rb
+++ b/test/functional/roles_controller_test.rb
@@ -23,6 +23,7 @@ class RolesControllerTest < ActionController::TestCase
def setup
User.current = nil
@request.session[:user_id] = 1 # admin
+ Redmine::SudoMode.disable!
end
def test_index
diff --git a/test/functional/settings_controller_test.rb b/test/functional/settings_controller_test.rb
index de5fddd8a..aeefa8f98 100644
--- a/test/functional/settings_controller_test.rb
+++ b/test/functional/settings_controller_test.rb
@@ -24,6 +24,7 @@ class SettingsControllerTest < ActionController::TestCase
def setup
User.current = nil
@request.session[:user_id] = 1 # admin
+ Redmine::SudoMode.disable!
end
def test_index
diff --git a/test/functional/users_controller_test.rb b/test/functional/users_controller_test.rb
index b34c80945..d6d18dc19 100644
--- a/test/functional/users_controller_test.rb
+++ b/test/functional/users_controller_test.rb
@@ -30,6 +30,7 @@ class UsersControllerTest < ActionController::TestCase
def setup
User.current = nil
@request.session[:user_id] = 1 # admin
+ Redmine::SudoMode.disable!
end
def test_index
diff --git a/test/integration/admin_test.rb b/test/integration/admin_test.rb
index 402d0ed3a..ef95cc9df 100644
--- a/test/integration/admin_test.rb
+++ b/test/integration/admin_test.rb
@@ -26,6 +26,14 @@ class AdminTest < Redmine::IntegrationTest
:members,
:enabled_modules
+ def setup
+ Redmine::SudoMode.enable!
+ end
+
+ def teardown
+ Redmine::SudoMode.disable!
+ end
+
def test_add_user
log_user("admin", "admin")
get "/users/new"
@@ -36,6 +44,15 @@ class AdminTest < Redmine::IntegrationTest
:lastname => "Smith", :mail => "psmith@somenet.foo",
:language => "en", :password => "psmith09",
:password_confirmation => "psmith09" }
+ assert_response :success
+ assert_nil User.find_by_login("psmith")
+
+ post "/users",
+ :user => { :login => "psmith", :firstname => "Paul",
+ :lastname => "Smith", :mail => "psmith@somenet.foo",
+ :language => "en", :password => "psmith09",
+ :password_confirmation => "psmith09" },
+ :sudo_password => 'admin'
user = User.find_by_login("psmith")
assert_kind_of User, user
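Review bot: After the first `post "/users"` without `:sudo_password` the new assertions check only `assert_response :success` and that no user was created; a 200 from the re-rendered new-user form with validation errors would satisfy both, so the test does not show that the sudo confirmation page was the reason the creation was blocked. sudo_test.rb in this commit asserts the page itself, and the same two lines would make this test equally specific: `assert_select 'h2', 'Confirm your password to continue'` and `assert_select 'form[action="/users"]'`. The enclosing `test_add_user` starts before this hunk and continues after it.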
diff --git a/test/integration/sudo_test.rb b/test/integration/sudo_test.rb
new file mode 100644
index 000000000..13ccd0b96
--- /dev/null
+++ b/test/integration/sudo_test.rb
@@ -0,0 +1,126 @@
+require File.expand_path('../../test_helper', __FILE__)
+
+class SudoTest < Redmine::IntegrationTest
+ fixtures :projects, :members, :member_roles, :roles, :users
+
+ def setup
+ Redmine::SudoMode.enable!
+ end
+
+ def teardown
+ Redmine::SudoMode.disable!
+ end
+
+ def test_create_member_xhr
+ log_user 'admin', 'admin'
+ get '/projects/ecookbook/settings/members'
+ assert_response :success
+
+ assert_no_difference 'Member.count' do
+ xhr :post, '/projects/ecookbook/memberships', membership: {role_ids: [1], user_id: 7}
+ end
+
+ assert_no_difference 'Member.count' do
+ xhr :post, '/projects/ecookbook/memberships', membership: {role_ids: [1], user_id: 7}, sudo_password: ''
+ end
+
+ assert_no_difference 'Member.count' do
+ xhr :post, '/projects/ecookbook/memberships', membership: {role_ids: [1], user_id: 7}, sudo_password: 'wrong'
+ end
+
+ assert_difference 'Member.count' do
+ xhr :post, '/projects/ecookbook/memberships', membership: {role_ids: [1], user_id: 7}, sudo_password: 'admin'
+ end
+ assert User.find(7).member_of?(Project.find(1))
+ end
+
+ def test_create_member
+ log_user 'admin', 'admin'
+ get '/projects/ecookbook/settings/members'
+ assert_response :success
+
+ assert_no_difference 'Member.count' do
+ post '/projects/ecookbook/memberships', membership: {role_ids: [1], user_id: 7}
+ end
+
+ assert_no_difference 'Member.count' do
+ post '/projects/ecookbook/memberships', membership: {role_ids: [1], user_id: 7}, sudo_password: ''
+ end
+
+ assert_no_difference 'Member.count' do
+ post '/projects/ecookbook/memberships', membership: {role_ids: [1], user_id: 7}, sudo_password: 'wrong'
+ end
+
+ assert_difference 'Member.count' do
+ post '/projects/ecookbook/memberships', membership: {role_ids: [1], user_id: 7}, sudo_password: 'admin'
+ end
+
+ assert_redirected_to '/projects/ecookbook/settings/members'
+ assert User.find(7).member_of?(Project.find(1))
+ end
+
+ def test_create_role
+ log_user 'admin', 'admin'
+ get '/roles'
+ assert_response :success
+
+ get '/roles/new'
+ assert_response :success
+
+ post '/roles', role: { }
+ assert_response :success
+ assert_select 'h2', 'Confirm your password to continue'
+ assert_select 'form[action="/roles"]'
+ assert assigns(:sudo_form).errors.blank?
+
+ post '/roles', role: { name: 'new role', issues_visibility: 'all' }
+ assert_response :success
+ assert_select 'h2', 'Confirm your password to continue'
+ assert_select 'form[action="/roles"]'
+ assert_match /"new role"/, response.body
+ assert assigns(:sudo_form).errors.blank?
+
+ post '/roles', role: { name: 'new role', issues_visibility: 'all' }, sudo_password: 'wrong'
+ assert_response :success
+ assert_select 'h2', 'Confirm your password to continue'
+ assert_select 'form[action="/roles"]'
+ assert_match /"new role"/, response.body
+ assert assigns(:sudo_form).errors[:password].present?
+
+ assert_difference 'Role.count' do
+ post '/roles', role: { name: 'new role', issues_visibility: 'all', assignable: '1', permissions: %w(view_calendar) }, sudo_password: 'admin'
+ end
+ assert_redirected_to '/roles'
+ end
+
+ def test_update_email_address
+ log_user 'jsmith', 'jsmith'
+ get '/my/account'
+ assert_response :success
+ post '/my/account', user: { mail: 'newmail@test.com' }
+ assert_response :success
+ assert_select 'h2', 'Confirm your password to continue'
+ assert_select 'form[action="/my/account"]'
+ assert_match /"newmail@test\.com"/, response.body
+ assert assigns(:sudo_form).errors.blank?
+
+ # wrong password
+ post '/my/account', user: { mail: 'newmail@test.com' }, sudo_password: 'wrong'
+ assert_response :success
+ assert_select 'h2', 'Confirm your password to continue'
+ assert_select 'form[action="/my/account"]'
+ assert_match /"newmail@test\.com"/, response.body
+ assert assigns(:sudo_form).errors[:password].present?
+
+ # correct password
+ post '/my/account', user: { mail: 'newmail@test.com' }, sudo_password: 'jsmith'
+ assert_redirected_to '/my/account'
+ assert_equal 'newmail@test.com', User.find_by_login('jsmith').mail
+
+ # sudo mode should now be active and not require password again
+ post '/my/account', user: { mail: 'even.newer.mail@test.com' }
+ assert_redirected_to '/my/account'
+ assert_equal 'even.newer.mail@test.com', User.find_by_login('jsmith').mail
+ end
+
+end
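Review bot: In `test_create_member_xhr` and `test_create_member` the missing, empty and wrong `sudo_password` cases assert only `assert_no_difference 'Member.count'`; an error response, a redirect to the login page or any other failure would pass them just as well as the intended password prompt, so they do not pin the behaviour the commit introduces. `test_create_role` shows the stronger form, and the same checks belong inside each of those blocks: `assert_response :success` followed by `assert assigns(:sudo_form).errors[:password].present?` for the non-empty wrong password (and `errors.blank?` for the first, prompt-only request). Separately, `assert_match /"new role"/, response.body` and the two `assert_match /"newmail@test\.com"/` lines trigger Ruby's "ambiguous first argument" warning for a regexp literal; wrapping the call in parentheses, e.g. `assert_match(/"new role"/, response.body)`, avoids it. The suite also only shows sudo mode staying active within one request sequence; nothing here checks that it ends on logout or after a timeout, which I assume the implementation intends but cannot confirm from this page.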