Diffstat (limited to 'test')
-rw-r--r--test/functional/account_controller_test.rb5
-rw-r--r--test/functional/email_addresses_controller_test.rb45
-rw-r--r--test/functional/my_controller_test.rb31
-rw-r--r--test/unit/mailer_test.rb45
4 files changed, 126 insertions, 0 deletions
diff --git a/test/functional/account_controller_test.rb b/test/functional/account_controller_test.rb
index f308c935f..d623081a3 100644
--- a/test/functional/account_controller_test.rb
+++ b/test/functional/account_controller_test.rb
@@ -400,6 +400,7 @@ class AccountControllerTest < ActionController::TestCase
end
def test_post_lost_password_with_token_should_change_the_user_password
+ ActionMailer::Base.deliveries.clear
user = User.find(2)
token = Token.create!(:action => 'recovery', :user => user)
@@ -408,6 +409,10 @@ class AccountControllerTest < ActionController::TestCase
user.reload
assert user.check_password?('newpass123')
assert_nil Token.find_by_id(token.id), "Token was not deleted"
+ assert_not_nil (mail = ActionMailer::Base.deliveries.last)
+ assert_select_email do
+ assert_select 'a[href^=?]', 'http://localhost:3000/my/password', :text => 'Change password'
+ end
end
def test_post_lost_password_with_token_for_non_active_user_should_fail
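Review bot: The new assertions confirm that a notification was delivered after the lost-password reset, but not who it went to nor that the new password stays out of its body; `assert [mail.bcc, mail.cc].flatten.include?(user.mail)` and `assert_mail_body_no_match 'newpass123', mail` would pin both, in line with the checks the other test files in this commit make. Separately, `assert_not_nil (mail = ActionMailer::Base.deliveries.last)` depends on the space before the parenthesis to pass the assignment as a grouped argument and draws Ruby's "interpreted as grouped expression" warning under -w; `mail = ActionMailer::Base.deliveries.last` followed by `assert_not_nil mail` reads the same without the trick, and the identical form recurs in every new test in email_addresses_controller_test.rb and my_controller_test.rb. test_post_lost_password_with_token_should_change_the_user_password begins in the preceding hunk.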
diff --git a/test/functional/email_addresses_controller_test.rb b/test/functional/email_addresses_controller_test.rb
index 7c52d9c1d..3d2d6dea2 100644
--- a/test/functional/email_addresses_controller_test.rb
+++ b/test/functional/email_addresses_controller_test.rb
@@ -92,6 +92,22 @@ class EmailAddressesControllerTest < ActionController::TestCase
end
end
+ def test_create_should_send_security_notification
+ @request.session[:user_id] = 2
+ ActionMailer::Base.deliveries.clear
+ post :create, :user_id => 2, :email_address => {:address => 'something@example.fr'}
+
+ assert_not_nil (mail = ActionMailer::Base.deliveries.last)
+ assert_mail_body_match '0.0.0.0', mail
+ assert_mail_body_match I18n.t(:mail_body_security_notification_add, field: I18n.t(:field_mail), value: 'something@example.fr'), mail
+ assert_select_email do
+ assert_select 'a[href^=?]', 'http://localhost:3000/my/account', :text => 'My account'
+ end
+ # The old email address should be notified about a new address for security purposes
+ assert [mail.bcc, mail.cc].flatten.include?(User.find(2).mail)
+ assert [mail.bcc, mail.cc].flatten.include?('something@example.fr')
+ end
+
def test_update
@request.session[:user_id] = 2
email = EmailAddress.create!(:user_id => 2, :address => 'another@somenet.foo')
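Review bot: The recipient assertions at the end of test_create_should_send_security_notification only check that the old and the new address appear somewhere in cc/bcc, so a regression that also copies an unrelated address would still pass; if the mailer addresses this notification through cc/bcc only, as these assertions assume, `assert_equal [User.find(2).mail, 'something@example.fr'].sort, [mail.bcc, mail.cc].flatten.compact.sort` pins the exact audience of a security notice. The `[mail.bcc, mail.cc].flatten.include?(...)` line is repeated in the later hunks of this file and in my_controller_test.rb; a small assertion helper placed wherever assert_mail_body_match is defined (outside this diff) would keep the copies in step.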
@@ -112,6 +128,21 @@ class EmailAddressesControllerTest < ActionController::TestCase
assert_equal false, email.reload.notify
end
+ def test_update_should_send_security_notification
+ @request.session[:user_id] = 2
+ email = EmailAddress.create!(:user_id => 2, :address => 'another@somenet.foo')
+
+ ActionMailer::Base.deliveries.clear
+ xhr :put, :update, :user_id => 2, :id => email.id, :notify => '0'
+
+ assert_not_nil (mail = ActionMailer::Base.deliveries.last)
+ assert_mail_body_match I18n.t(:mail_body_security_notification_notify_disabled, value: 'another@somenet.foo'), mail
+
+ # The changed address should be notified for security purposes
+ assert [mail.bcc, mail.cc].flatten.include?('another@somenet.foo')
+ end
+
+
def test_destroy
@request.session[:user_id] = 2
email = EmailAddress.create!(:user_id => 2, :address => 'another@somenet.foo')
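Review bot: test_update_should_send_security_notification pins that the address whose notify flag was disabled is copied on the notification, but says nothing about the account's primary address, so the contract is only half documented; whichever behaviour the mailer is meant to have, an explicit `assert [mail.bcc, mail.cc].flatten.include?(User.find(2).mail)` or its `assert_not` counterpart would make it visible, and the same applies to test_destroy_should_send_security_notification in the next hunk. Two consecutive blank added lines also precede `def test_destroy`, where the rest of the file separates methods with one.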
@@ -141,4 +172,18 @@ class EmailAddressesControllerTest < ActionController::TestCase
assert_response 404
end
end
+
+ def test_destroy_should_send_security_notification
+ @request.session[:user_id] = 2
+ email = EmailAddress.create!(:user_id => 2, :address => 'another@somenet.foo')
+
+ ActionMailer::Base.deliveries.clear
+ xhr :delete, :destroy, :user_id => 2, :id => email.id
+
+ assert_not_nil (mail = ActionMailer::Base.deliveries.last)
+ assert_mail_body_match I18n.t(:mail_body_security_notification_remove, field: I18n.t(:field_mail), value: 'another@somenet.foo'), mail
+
+ # The removed address should be notified for security purposes
+ assert [mail.bcc, mail.cc].flatten.include?('another@somenet.foo')
+ end
end
diff --git a/test/functional/my_controller_test.rb b/test/functional/my_controller_test.rb
index 92ee24781..4f3f2e247 100644
--- a/test/functional/my_controller_test.rb
+++ b/test/functional/my_controller_test.rb
@@ -117,6 +117,24 @@ class MyControllerTest < ActionController::TestCase
assert user.groups.empty?
end
+ def test_update_account_should_send_security_notification
+ ActionMailer::Base.deliveries.clear
+ post :account,
+ :user => {
+ :mail => 'foobar@example.com'
+ }
+
+ assert_not_nil (mail = ActionMailer::Base.deliveries.last)
+ assert_mail_body_match '0.0.0.0', mail
+ assert_mail_body_match I18n.t(:mail_body_security_notification_change_to, field: I18n.t(:field_mail), value: 'foobar@example.com'), mail
+ assert_select_email do
+ assert_select 'a[href^=?]', 'http://localhost:3000/my/account', :text => 'My account'
+ end
+ # The old email address should be notified about the change for security purposes
+ assert [mail.bcc, mail.cc].flatten.include?(User.find(2).mail)
+ assert [mail.bcc, mail.cc].flatten.include?('foobar@example.com')
+ end
+
def test_my_account_should_show_destroy_link
get :account
assert_select 'a[href="/my/account/destroy"]'
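Review bot: The assertion `assert [mail.bcc, mail.cc].flatten.include?(User.find(2).mail)` runs after the post has already saved the new address, so when the update succeeds (which is what the test exercises) `User.find(2).mail` is `'foobar@example.com'` and the line duplicates the assertion below it instead of proving that the old address was notified, despite the comment saying so. Capture the address before the request, `old_mail = User.find(2).mail` ahead of `post :account, ...`, and assert on `old_mail` afterwards. The test also relies on the session user being user 2 without setting it, presumably via this file's setup; the email_addresses_controller_test.rb tests in this commit set `@request.session[:user_id]` explicitly.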
@@ -193,6 +211,19 @@ class MyControllerTest < ActionController::TestCase
assert_redirected_to '/my/account'
end
+ def test_change_password_should_send_security_notification
+ ActionMailer::Base.deliveries.clear
+ post :password, :password => 'jsmith',
+ :new_password => 'secret123',
+ :new_password_confirmation => 'secret123'
+
+ assert_not_nil (mail = ActionMailer::Base.deliveries.last)
+ assert_mail_body_no_match 'secret123', mail # just to be sure: pw should never be sent!
+ assert_select_email do
+ assert_select 'a[href^=?]', 'http://localhost:3000/my/password', :text => 'Change password'
+ end
+ end
+
def test_page_layout
get :page_layout
assert_response :success
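Review bot: test_change_password_should_send_security_notification checks that the new password stays out of the body and that the mail links to the password page, but not that the notification reaches the account's own address, which is the property that makes it a security notification; `assert [mail.bcc, mail.cc].flatten.include?(User.find(2).mail)` would pin it, assuming the session user is user 2 as the earlier new test in this file implies. The current password `'jsmith'` is submitted in the same request and could be guarded with the same `assert_mail_body_no_match`, provided that string does not otherwise appear in the mail body.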
diff --git a/test/unit/mailer_test.rb b/test/unit/mailer_test.rb
index 8de5bfe56..9ee179400 100644
--- a/test/unit/mailer_test.rb
+++ b/test/unit/mailer_test.rb
@@ -666,6 +666,51 @@ class MailerTest < ActiveSupport::TestCase
end
end
+ def test_security_notification
+ set_language_if_valid User.find(1).language
+ with_settings :emails_footer => "footer without link" do
+ User.current.remote_ip = '192.168.1.1'
+ assert Mailer.security_notification(User.find(1), message: :notice_account_password_updated).deliver
+ mail = last_email
+ assert_not_nil mail
+ assert_mail_body_match '192.168.1.1', mail
+ assert_mail_body_match I18n.t(:notice_account_password_updated), mail
+ assert_select_email do
+ assert_select "h1", false
+ assert_select "a", false
+ end
+ end
+ end
+
+ def test_security_notification_should_include_title
+ set_language_if_valid User.find(2).language
+ with_settings :emails_footer => "footer without link" do
+ assert Mailer.security_notification(User.find(2),
+ message: :notice_account_password_updated,
+ title: :label_my_account
+ ).deliver
+ assert_select_email do
+ assert_select "a", false
+ assert_select "h1", :text => I18n.t(:label_my_account)
+ end
+ end
+ end
+
+ def test_security_notification_should_include_link
+ set_language_if_valid User.find(3).language
+ with_settings :emails_footer => "footer without link" do
+ assert Mailer.security_notification(User.find(3),
+ message: :notice_account_password_updated,
+ title: :label_my_account,
+ url: {controller: 'my', action: 'account'}
+ ).deliver
+ assert_select_email do
+ assert_select "h1", false
+ assert_select 'a[href=?]', 'http://mydomain.foo/my/account', :text => I18n.t(:label_my_account)
+ end
+ end
+ end
+
def test_mailer_should_not_change_locale
# Set current language to italian
set_language_if_valid 'it'
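Review bot: `User.current.remote_ip = '192.168.1.1'` in test_security_notification mutates the process-wide current user and is never restored, so unless the suite's teardown resets User.current the value leaks into any later test that reads remote_ip without setting it; restoring the previous value in an `ensure`, or building a dedicated user for the call instead of User.current, keeps the test self-contained. The expected link `'http://mydomain.foo/my/account'` in test_security_notification_should_include_link depends on the host name configured for the test environment rather than on anything the test sets, so declaring it next to the existing `:emails_footer` entry in `with_settings` would make that dependency explicit.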