Feature #33071 » 0001-Require-sudo-mode-for-actions-to-delete-contents.patch
| app/controllers/attachments_controller.rb | ||
|---|---|---|
| 25 | 25 |
before_action :delete_authorize, :only => :destroy |
| 26 | 26 |
before_action :authorize_global, :only => :upload |
| 27 | 27 | |
| 28 |
require_sudo_mode :destroy |
|
| 29 | ||
| 28 | 30 |
# Disable check for same origin requests for JS files, i.e. attachments with |
| 29 | 31 |
# MIME type text/javascript. |
| 30 | 32 |
skip_after_action :verify_same_origin_request, :only => :download |
| app/controllers/boards_controller.rb | ||
|---|---|---|
| 22 | 22 |
before_action :find_project_by_project_id, :find_board_if_available, :authorize |
| 23 | 23 |
accept_rss_auth :index, :show |
| 24 | 24 | |
| 25 |
require_sudo_mode :destroy |
|
| 26 | ||
| 25 | 27 |
helper :sort |
| 26 | 28 |
include SortHelper |
| 27 | 29 |
helper :watchers |
| app/controllers/comments_controller.rb | ||
|---|---|---|
| 24 | 24 |
before_action :find_project_from_association |
| 25 | 25 |
before_action :authorize |
| 26 | 26 | |
| 27 |
require_sudo_mode :destroy |
|
| 28 | ||
| 27 | 29 |
def create |
| 28 | 30 |
raise Unauthorized unless @news.commentable? |
| 29 | 31 | |
| app/controllers/documents_controller.rb | ||
|---|---|---|
| 25 | 25 |
before_action :find_project_from_association, :except => [:index, :new, :create] |
| 26 | 26 |
before_action :authorize |
| 27 | 27 | |
| 28 |
require_sudo_mode :destroy |
|
| 29 | ||
| 28 | 30 |
helper :attachments |
| 29 | 31 |
helper :custom_fields |
| 30 | 32 | |
| app/controllers/issues_controller.rb | ||
|---|---|---|
| 28 | 28 |
accept_rss_auth :index, :show |
| 29 | 29 |
accept_api_auth :index, :show, :create, :update, :destroy |
| 30 | 30 | |
| 31 |
require_sudo_mode :destroy |
|
| 32 | ||
| 31 | 33 |
rescue_from Query::StatementInvalid, :with => :query_statement_invalid |
| 32 | 34 | |
| 33 | 35 |
helper :journals |
| app/controllers/messages_controller.rb | ||
|---|---|---|
| 25 | 25 |
before_action :find_message, :except => [:new, :preview] |
| 26 | 26 |
before_action :authorize, :except => [:preview, :edit, :destroy] |
| 27 | 27 | |
| 28 |
require_sudo_mode :destroy |
|
| 29 | ||
| 28 | 30 |
helper :boards |
| 29 | 31 |
helper :watchers |
| 30 | 32 |
helper :attachments |
| app/controllers/news_controller.rb | ||
|---|---|---|
| 28 | 28 |
accept_rss_auth :index |
| 29 | 29 |
accept_api_auth :index, :show, :create, :update, :destroy |
| 30 | 30 | |
| 31 |
require_sudo_mode :destroy |
|
| 32 | ||
| 31 | 33 |
helper :watchers |
| 32 | 34 |
helper :attachments |
| 33 | 35 | |
| app/controllers/repositories_controller.rb | ||
|---|---|---|
| 36 | 36 |
before_action :authorize |
| 37 | 37 |
accept_rss_auth :revisions |
| 38 | 38 | |
| 39 |
require_sudo_mode :destroy |
|
| 40 | ||
| 39 | 41 |
rescue_from Redmine::Scm::Adapters::CommandFailed, :with => :show_error_command_failed |
| 40 | 42 | |
| 41 | 43 |
def new |
| app/controllers/timelog_controller.rb | ||
|---|---|---|
| 33 | 33 |
accept_rss_auth :index |
| 34 | 34 |
accept_api_auth :index, :show, :create, :update, :destroy |
| 35 | 35 | |
| 36 |
require_sudo_mode :destroy |
|
| 37 | ||
| 36 | 38 |
rescue_from Query::StatementInvalid, :with => :query_statement_invalid |
| 37 | 39 | |
| 38 | 40 |
helper :issues |
| app/controllers/versions_controller.rb | ||
|---|---|---|
| 27 | 27 | |
| 28 | 28 |
accept_api_auth :index, :show, :create, :update, :destroy |
| 29 | 29 | |
| 30 |
require_sudo_mode :destroy |
|
| 31 | ||
| 30 | 32 |
helper :custom_fields |
| 31 | 33 |
helper :projects |
| 32 | 34 | |
| app/controllers/wiki_controller.rb | ||
|---|---|---|
| 39 | 39 |
before_action :find_attachments, :only => [:preview] |
| 40 | 40 |
accept_api_auth :index, :show, :update, :destroy |
| 41 | 41 | |
| 42 |
require_sudo_mode :destroy, :destroy_version |
|
| 43 | ||
| 42 | 44 |
helper :attachments |
| 43 | 45 |
include AttachmentsHelper |
| 44 | 46 |
helper :watchers |
| app/controllers/wikis_controller.rb | ||
|---|---|---|
| 21 | 21 |
menu_item :settings |
| 22 | 22 |
before_action :find_project, :authorize |
| 23 | 23 | |
| 24 |
require_sudo_mode :destroy, only: :post |
|
| 25 | ||
| 24 | 26 |
# Delete a project's wiki |
| 25 | 27 |
def destroy |
| 26 | 28 |
if request.post? && params[:confirm] && @project.wiki |
| test/integration/sudo_mode_test.rb | ||
|---|---|---|
| 3 | 3 |
require File.expand_path('../../test_helper', __FILE__)
|
| 4 | 4 | |
| 5 | 5 |
class SudoModeTest < Redmine::IntegrationTest |
| 6 |
fixtures :projects, :members, :member_roles, :roles, :users, :email_addresses |
|
| 6 |
fixtures :projects, :members, :member_roles, :roles, :users, |
|
| 7 |
:email_addresses, :trackers, :projects_trackers, :enabled_modules, |
|
| 8 |
:issue_statuses, :issues, :enumerations |
|
| 7 | 9 | |
| 8 | 10 |
def setup |
| 9 | 11 |
Redmine::SudoMode.stubs(:enabled?).returns(true) |
| ... | ... | |
| 192 | 194 |
end |
| 193 | 195 |
end |
| 194 | 196 | |
| 197 |
def test_destroy_issue |
|
| 198 |
log_user 'dlopper', 'foo' |
|
| 199 |
expire_sudo_mode! |
|
| 200 |
delete '/issues/2' |
|
| 201 |
assert_response :success |
|
| 202 |
assert_select 'h2', 'Confirm your password to continue' |
|
| 203 |
assert_select 'form[action="/issues/2"]' |
|
| 204 |
assert_select '#flash_error', 0 |
|
| 205 | ||
| 206 |
delete '/issues/2', :params => {:sudo_password => 'wrong'}
|
|
| 207 |
assert_response :success |
|
| 208 |
assert_select 'h2', 'Confirm your password to continue' |
|
| 209 | ||
| 210 |
assert_difference 'Issue.count', -1 do |
|
| 211 |
delete '/issues/2', :params => {:sudo_password => 'foo'}
|
|
| 212 |
end |
|
| 213 |
end |
|
| 214 | ||
| 195 | 215 |
private |
| 196 | 216 | |
| 197 | 217 |
# sudo mode is active after sign, let it expire by advancing the time |
- « Previous
- 1
- 2
- 3
- 4
- Next »
