-rw-r--r--config/configuration.yml.example7
-rw-r--r--lib/redmine/sudo_mode.rb7
-rw-r--r--test/functional/auth_sources_controller_test.rb1
-rw-r--r--test/functional/email_addresses_controller_test.rb1
-rw-r--r--test/functional/groups_controller_test.rb1
-rw-r--r--test/functional/members_controller_test.rb1
-rw-r--r--test/functional/my_controller_test.rb1
-rw-r--r--test/functional/projects_controller_test.rb1
-rw-r--r--test/functional/roles_controller_test.rb1
-rw-r--r--test/functional/settings_controller_test.rb1
-rw-r--r--test/functional/users_controller_test.rb1
-rw-r--r--test/integration/admin_test.rb17
-rw-r--r--test/integration/sudo_test.rb26
-rw-r--r--test/test_helper.rb2
14 files changed, 35 insertions, 33 deletions
diff --git a/config/configuration.yml.example b/config/configuration.yml.example
index e6a8c6e20..1ce65e31d 100644
--- a/config/configuration.yml.example
+++ b/config/configuration.yml.example
@@ -170,6 +170,13 @@ default:
# same secret token on each machine.
#secret_token: 'change it to a long random string'
+ # Requires users to re-enter their password for sensitive actions (editing
+ # of account data, project memberships, application settings, user, group,
+ # role, auth source management and project deletion).
+ # Disabled by default.
+ #
+ #sudo_mode: true
+
# Absolute path (e.g. /usr/bin/convert, c:/im/convert.exe) to
# the ImageMagick's `convert` binary. Used to generate attachment thumbnails.
#imagemagick_convert_command:
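Review bot: The new comment says the option is disabled by default but not which values enable it. The check in lib/redmine/sudo_mode.rb tests the value for truthiness, so anything other than `false` or an absent key turns the password prompt on. I would add a line such as `# Set to true to enable; leave commented out or set to false to disable.` The list of protected actions is also copied here from the code and may drift, so wording it as "such as" would avoid promising coverage the controllers do not provide.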
diff --git a/lib/redmine/sudo_mode.rb b/lib/redmine/sudo_mode.rb
index 3197fe11b..afbbba5eb 100644
--- a/lib/redmine/sudo_mode.rb
+++ b/lib/redmine/sudo_mode.rb
@@ -202,7 +202,7 @@ module Redmine
end
def self.possible?
- !disabled? && User.current.logged?
+ enabled? && User.current.logged?
end
# Turn off sudo mode (never require password entry).
@@ -215,10 +215,9 @@ module Redmine
RequestStore.store[:sudo_mode_disabled] = nil
end
- def self.disabled?
- !!RequestStore.store[:sudo_mode_disabled]
+ def self.enabled?
+ Redmine::Configuration['sudo_mode'] && !RequestStore.store[:sudo_mode_disabled]
end
-
end
end
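Review bot: `enabled?` returns the raw value of `Redmine::Configuration['sudo_mode']` (or `nil`) rather than a strict boolean, unlike the `disabled?` it replaces, which used `!!`. I would coerce it, `!!Redmine::Configuration['sudo_mode'] && !RequestStore.store[:sudo_mode_disabled]`, and add a comment such as `# Sudo mode is opt-in: active only when configuration.yml sets sudo_mode and disable! has not been called.` The method that ends at the top of this hunk (presumably `enable!`) only clears the per-request flag, so after this change it can no longer turn sudo mode on by itself; its comment lies outside the hunk and should say so. Removing `disabled?` also drops a public class method, and if anything outside this diff still calls it, `def self.disabled?; !enabled?; end` would keep those callers working.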
diff --git a/test/functional/auth_sources_controller_test.rb b/test/functional/auth_sources_controller_test.rb
index 580624ec0..7e15ee8a3 100644
--- a/test/functional/auth_sources_controller_test.rb
+++ b/test/functional/auth_sources_controller_test.rb
@@ -22,7 +22,6 @@ class AuthSourcesControllerTest < ActionController::TestCase
def setup
@request.session[:user_id] = 1
- Redmine::SudoMode.disable!
end
def test_index
diff --git a/test/functional/email_addresses_controller_test.rb b/test/functional/email_addresses_controller_test.rb
index 88bad24e7..7c52d9c1d 100644
--- a/test/functional/email_addresses_controller_test.rb
+++ b/test/functional/email_addresses_controller_test.rb
@@ -22,7 +22,6 @@ class EmailAddressesControllerTest < ActionController::TestCase
def setup
User.current = nil
- Redmine::SudoMode.disable!
end
def test_index_with_no_additional_emails
diff --git a/test/functional/groups_controller_test.rb b/test/functional/groups_controller_test.rb
index c928e24a3..7bce2af56 100644
--- a/test/functional/groups_controller_test.rb
+++ b/test/functional/groups_controller_test.rb
@@ -22,7 +22,6 @@ class GroupsControllerTest < ActionController::TestCase
def setup
@request.session[:user_id] = 1
- Redmine::SudoMode.disable!
end
def test_index
diff --git a/test/functional/members_controller_test.rb b/test/functional/members_controller_test.rb
index 197158c35..5bad28745 100644
--- a/test/functional/members_controller_test.rb
+++ b/test/functional/members_controller_test.rb
@@ -23,7 +23,6 @@ class MembersControllerTest < ActionController::TestCase
def setup
User.current = nil
@request.session[:user_id] = 2
- Redmine::SudoMode.disable!
end
def test_new
diff --git a/test/functional/my_controller_test.rb b/test/functional/my_controller_test.rb
index c2eee6e73..5a7b33940 100644
--- a/test/functional/my_controller_test.rb
+++ b/test/functional/my_controller_test.rb
@@ -23,7 +23,6 @@ class MyControllerTest < ActionController::TestCase
def setup
@request.session[:user_id] = 2
- Redmine::SudoMode.disable!
end
def test_index
diff --git a/test/functional/projects_controller_test.rb b/test/functional/projects_controller_test.rb
index 1bfa20040..2efb98ccd 100644
--- a/test/functional/projects_controller_test.rb
+++ b/test/functional/projects_controller_test.rb
@@ -28,7 +28,6 @@ class ProjectsControllerTest < ActionController::TestCase
def setup
@request.session[:user_id] = nil
Setting.default_language = 'en'
- Redmine::SudoMode.disable!
end
def test_index_by_anonymous_should_not_show_private_projects
diff --git a/test/functional/roles_controller_test.rb b/test/functional/roles_controller_test.rb
index 21073f832..b5c80f2e9 100644
--- a/test/functional/roles_controller_test.rb
+++ b/test/functional/roles_controller_test.rb
@@ -23,7 +23,6 @@ class RolesControllerTest < ActionController::TestCase
def setup
User.current = nil
@request.session[:user_id] = 1 # admin
- Redmine::SudoMode.disable!
end
def test_index
diff --git a/test/functional/settings_controller_test.rb b/test/functional/settings_controller_test.rb
index aeefa8f98..de5fddd8a 100644
--- a/test/functional/settings_controller_test.rb
+++ b/test/functional/settings_controller_test.rb
@@ -24,7 +24,6 @@ class SettingsControllerTest < ActionController::TestCase
def setup
User.current = nil
@request.session[:user_id] = 1 # admin
- Redmine::SudoMode.disable!
end
def test_index
diff --git a/test/functional/users_controller_test.rb b/test/functional/users_controller_test.rb
index d6d18dc19..b34c80945 100644
--- a/test/functional/users_controller_test.rb
+++ b/test/functional/users_controller_test.rb
@@ -30,7 +30,6 @@ class UsersControllerTest < ActionController::TestCase
def setup
User.current = nil
@request.session[:user_id] = 1 # admin
- Redmine::SudoMode.disable!
end
def test_index
diff --git a/test/integration/admin_test.rb b/test/integration/admin_test.rb
index ef95cc9df..402d0ed3a 100644
--- a/test/integration/admin_test.rb
+++ b/test/integration/admin_test.rb
@@ -26,14 +26,6 @@ class AdminTest < Redmine::IntegrationTest
:members,
:enabled_modules
- def setup
- Redmine::SudoMode.enable!
- end
-
- def teardown
- Redmine::SudoMode.disable!
- end
-
def test_add_user
log_user("admin", "admin")
get "/users/new"
@@ -44,15 +36,6 @@ class AdminTest < Redmine::IntegrationTest
:lastname => "Smith", :mail => "psmith@somenet.foo",
:language => "en", :password => "psmith09",
:password_confirmation => "psmith09" }
- assert_response :success
- assert_nil User.find_by_login("psmith")
-
- post "/users",
- :user => { :login => "psmith", :firstname => "Paul",
- :lastname => "Smith", :mail => "psmith@somenet.foo",
- :language => "en", :password => "psmith09",
- :password_confirmation => "psmith09" },
- :sudo_password => 'admin'
user = User.find_by_login("psmith")
assert_kind_of User, user
diff --git a/test/integration/sudo_test.rb b/test/integration/sudo_test.rb
index 13ccd0b96..3bccd84a2 100644
--- a/test/integration/sudo_test.rb
+++ b/test/integration/sudo_test.rb
@@ -4,11 +4,31 @@ class SudoTest < Redmine::IntegrationTest
fixtures :projects, :members, :member_roles, :roles, :users
def setup
- Redmine::SudoMode.enable!
+ Redmine::SudoMode.stubs(:enabled?).returns(true)
end
- def teardown
- Redmine::SudoMode.disable!
+ def test_add_user
+ log_user("admin", "admin")
+ get "/users/new"
+ assert_response :success
+ post "/users",
+ :user => { :login => "psmith", :firstname => "Paul",
+ :lastname => "Smith", :mail => "psmith@somenet.foo",
+ :language => "en", :password => "psmith09",
+ :password_confirmation => "psmith09" }
+ assert_response :success
+ assert_nil User.find_by_login("psmith")
+
+ post "/users",
+ :user => { :login => "psmith", :firstname => "Paul",
+ :lastname => "Smith", :mail => "psmith@somenet.foo",
+ :language => "en", :password => "psmith09",
+ :password_confirmation => "psmith09" },
+ :sudo_password => 'admin'
+ assert_response 302
+
+ user = User.find_by_login("psmith")
+ assert_kind_of User, user
end
def test_create_member_xhr
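Review bot: Stubbing `Redmine::SudoMode.enabled?` in `setup` means none of these tests runs the new `enabled?` body, so the `sudo_mode` configuration key and its interaction with `disable!` go untested. A small unit test that sets the key (for example through `Redmine::Configuration.with 'sudo_mode' => true`) and asserts `enabled?` before and after `disable!`, plus the unset case, would cover the switch this commit introduces. In `test_add_user` the second POST is only exercised with the correct `:sudo_password`; a case with a wrong password asserting that no user is created would pin the rejection path, unless a test outside this hunk already does. The class continues past the end of the hunk.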
diff --git a/test/test_helper.rb b/test/test_helper.rb
index d163c10b2..be4e68e18 100644
--- a/test/test_helper.rb
+++ b/test/test_helper.rb
@@ -33,6 +33,8 @@ include ObjectHelpers
require 'net/ldap'
require 'mocha/setup'
+Redmine::SudoMode.disable!
+
class ActionView::TestCase
helper :application
include ApplicationHelper
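Review bot: The single `Redmine::SudoMode.disable!` at load time writes a flag into `RequestStore.store`, which looks like per-request state. If that store is reset between requests or tests, the flag is gone and the suite passes only because the local configuration.yml leaves `sudo_mode` unset. A comment stating the intent would help, e.g. `# Sudo mode is off for the whole suite; SudoTest turns it on by stubbing enabled?`. It is also worth confirming that a developer's `sudo_mode: true` does not make the functional tests start asking for passwords.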