0001-Require-sudo-mode-for-actions-to-delete-contents.patch

Go MAEDA, 2020-03-07 08:11



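--- a/app/controllers/attachments_controller.rb
+++ b/app/controllers/attachments_controller.rb
@@ -25,6 +25,8 @@
   before_action :delete_authorize, :only => :destroy
   before_action :authorize_global, :only => :upload
 
+  require_sudo_mode :destroy
+
   # Disable check for same origin requests for JS files, i.e. attachments with
   # MIME type text/javascript.
   skip_after_action :verify_same_origin_request, :only => :download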
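--- a/app/controllers/boards_controller.rb
+++ b/app/controllers/boards_controller.rb
@@ -22,6 +22,8 @@
   before_action :find_project_by_project_id, :find_board_if_available, :authorize
   accept_rss_auth :index, :show
 
+  require_sudo_mode :destroy
+
   helper :sort
   include SortHelper
   helper :watchers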
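--- a/app/controllers/comments_controller.rb
+++ b/app/controllers/comments_controller.rb
@@ -24,6 +24,8 @@
   before_action :find_project_from_association
   before_action :authorize
 
+  require_sudo_mode :destroy
+
   def create
     raise Unauthorized unless @news.commentable?
 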
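--- a/app/controllers/documents_controller.rb
+++ b/app/controllers/documents_controller.rb
@@ -25,6 +25,8 @@
   before_action :find_project_from_association, :except => [:index, :new, :create]
   before_action :authorize
 
+  require_sudo_mode :destroy
+
   helper :attachments
   helper :custom_fields
 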
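--- a/app/controllers/issues_controller.rb
+++ b/app/controllers/issues_controller.rb
@@ -28,6 +28,8 @@
   accept_rss_auth :index, :show
   accept_api_auth :index, :show, :create, :update, :destroy
 
+  require_sudo_mode :destroy
+
   rescue_from Query::StatementInvalid, :with => :query_statement_invalid
 
   helper :journals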
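Review bot: `require_sudo_mode :destroy` is added directly under an `accept_api_auth` line that also exposes `destroy` to API-key clients, and nothing in the hunk shows whether the sudo-mode filter exempts API requests; if it does not, a keyed `DELETE` would get the password-confirmation HTML instead of a JSON/XML response, and if it does, the new gate leaves the API path uncovered. Either way that behaviour is worth pinning with a test, since the `test_destroy_issue` added in sudo_mode_test.rb only drives a browser session. The same question applies to news_controller.rb, timelog_controller.rb, versions_controller.rb and wiki_controller.rb in this patch, all of which list `:destroy` in `accept_api_auth`. A one-line comment beside the new line stating what happens to API-key requests would make the intended scope explicit for the next reader.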
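--- a/app/controllers/messages_controller.rb
+++ b/app/controllers/messages_controller.rb
@@ -25,6 +25,8 @@
   before_action :find_message, :except => [:new, :preview]
   before_action :authorize, :except => [:preview, :edit, :destroy]
 
+  require_sudo_mode :destroy
+
   helper :boards
   helper :watchers
   helper :attachments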
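Review bot: In this controller `destroy` is excluded from the `authorize` filter on the line above, so whatever permission check guards message deletion presumably lives inside the action itself, outside the hunk. If `require_sudo_mode` runs as a filter, a user who lacks the permission would be asked to re-enter their password before learning that the deletion is forbidden anyway; that is not a security defect, but it is a different ordering from the other controllers in this patch, where `authorize` runs first. A short comment such as `# NOTE: destroy performs its own permission check; sudo mode is requested before it` would document that the ordering is deliberate, if it is.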
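--- a/app/controllers/news_controller.rb
+++ b/app/controllers/news_controller.rb
@@ -28,6 +28,8 @@
   accept_rss_auth :index
   accept_api_auth :index, :show, :create, :update, :destroy
 
+  require_sudo_mode :destroy
+
   helper :watchers
   helper :attachments
 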
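--- a/app/controllers/repositories_controller.rb
+++ b/app/controllers/repositories_controller.rb
@@ -36,6 +36,8 @@
   before_action :authorize
   accept_rss_auth :revisions
 
+  require_sudo_mode :destroy
+
   rescue_from Redmine::Scm::Adapters::CommandFailed, :with => :show_error_command_failed
 
   def new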
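--- a/app/controllers/timelog_controller.rb
+++ b/app/controllers/timelog_controller.rb
@@ -33,6 +33,8 @@
   accept_rss_auth :index
   accept_api_auth :index, :show, :create, :update, :destroy
 
+  require_sudo_mode :destroy
+
   rescue_from Query::StatementInvalid, :with => :query_statement_invalid
 
   helper :issues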
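--- a/app/controllers/versions_controller.rb
+++ b/app/controllers/versions_controller.rb
@@ -27,6 +27,8 @@
 
   accept_api_auth :index, :show, :create, :update, :destroy
 
+  require_sudo_mode :destroy
+
   helper :custom_fields
   helper :projects
 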
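--- a/app/controllers/wiki_controller.rb
+++ b/app/controllers/wiki_controller.rb
@@ -39,6 +39,8 @@
   before_action :find_attachments, :only => [:preview]
   accept_api_auth :index, :show, :update, :destroy
 
+  require_sudo_mode :destroy, :destroy_version
+
   helper :attachments
   include AttachmentsHelper
   helper :watchers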
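--- a/app/controllers/wikis_controller.rb
+++ b/app/controllers/wikis_controller.rb
@@ -21,6 +21,8 @@
   menu_item :settings
   before_action :find_project, :authorize
 
+  require_sudo_mode :destroy, only: :post
+
   # Delete a project's wiki
   def destroy
     if request.post? && params[:confirm] && @project.wiki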
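Review bot: `require_sudo_mode :destroy, only: :post` is the only call in this patch that passes an option, and the hunk does not say what `only: :post` means; presumably it restricts the password prompt to the POST that actually deletes the wiki, because the same `destroy` action also renders the confirmation page on GET (`if request.post? && params[:confirm] && @project.wiki` on the next line). A one-line comment would spare the next reader a trip into the sudo-mode implementation, e.g. `# GET only renders the confirmation page; require sudo mode for the POST that deletes the wiki`. The body of `destroy` continues outside the hunk.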
test/integration/sudo_mode_test.rb
3 3
require File.expand_path('../../test_helper', __FILE__)
4 4

  
5 5
class SudoModeTest < Redmine::IntegrationTest
6
  fixtures :projects, :members, :member_roles, :roles, :users, :email_addresses
6
  fixtures :projects, :members, :member_roles, :roles, :users,
7
           :email_addresses, :trackers, :projects_trackers, :enabled_modules,
8
           :issue_statuses, :issues, :enumerations
7 9

  
8 10
  def setup
9 11
    Redmine::SudoMode.stubs(:enabled?).returns(true)
......
192 194
    end
193 195
  end
194 196

  
197
  def test_destroy_issue
198
    log_user 'dlopper', 'foo'
199
    expire_sudo_mode!
200
    delete '/issues/2'
201
    assert_response :success
202
    assert_select 'h2', 'Confirm your password to continue'
203
    assert_select 'form[action="/issues/2"]'
204
    assert_select '#flash_error', 0
205

  
206
    delete '/issues/2', :params => {:sudo_password => 'wrong'}
207
    assert_response :success
208
    assert_select 'h2', 'Confirm your password to continue'
209

  
210
    assert_difference 'Issue.count', -1 do
211
      delete '/issues/2', :params => {:sudo_password => 'foo'}
212
    end
213
  end
214

  
195 215
  private
196 216

  
197 217
  # sudo mode is active after sign, let it expire by advancing the time
198
-