From 93211bcbcd134c29e70635fe9be3a008df0a5882 Mon Sep 17 00:00:00 2001
From: MAEDA Go
Date: Sun, 1 Mar 2020 16:03:40 +0900
Subject: [PATCH] Require sudo mode for deleting contents
---
 app/controllers/attachments_controller.rb | 2 ++
 app/controllers/boards_controller.rb | 2 ++
 app/controllers/comments_controller.rb | 2 ++
 app/controllers/documents_controller.rb | 2 ++
 app/controllers/issues_controller.rb | 2 ++
 app/controllers/messages_controller.rb | 2 ++
 app/controllers/news_controller.rb | 2 ++
 app/controllers/repositories_controller.rb | 2 ++
 app/controllers/timelog_controller.rb | 2 ++
 app/controllers/versions_controller.rb | 2 ++
 app/controllers/wiki_controller.rb | 2 ++
 app/controllers/wikis_controller.rb | 2 ++
 12 files changed, 24 insertions(+)
diff --git a/app/controllers/attachments_controller.rb b/app/controllers/attachments_controller.rb
index 4a880793e..11a4de4de 100644
--- a/app/controllers/attachments_controller.rb
+++ b/app/controllers/attachments_controller.rb
@@ -25,6 +25,8 @@ class AttachmentsController < ApplicationController
 before_action :delete_authorize, :only => :destroy
 before_action :authorize_global, :only => :upload
+ require_sudo_mode :destroy
+
 # Disable check for same origin requests for JS files, i.e. attachments with
 # MIME type text/javascript.
 skip_after_action :verify_same_origin_request, :only => :download
diff --git a/app/controllers/boards_controller.rb b/app/controllers/boards_controller.rb
index bcafadaf5..e8e98835d 100644
--- a/app/controllers/boards_controller.rb
+++ b/app/controllers/boards_controller.rb
@@ -22,6 +22,8 @@ class BoardsController < ApplicationController
 before_action :find_project_by_project_id, :find_board_if_available, :authorize
 accept_rss_auth :index, :show
+ require_sudo_mode :destroy
+
 helper :sort
 include SortHelper
 helper :watchers
diff --git a/app/controllers/comments_controller.rb b/app/controllers/comments_controller.rb
index 5d7d664c5..68d44168f 100644
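Review bot: Nothing in the hunk records that `require_sudo_mode :destroy` is conditional: from what I recall of `Redmine::SudoMode`, the filter it installs is a no-op unless the instance's sudo mode setting is enabled and the user is logged in, so deployments with the setting off gain no re-authentication from this patch. A one-line comment above the new line, such as `# password re-prompt before deleting; effective only when sudo mode is enabled in settings`, would make that visible to whoever audits the controller later. The placement is right: before filters run in declaration order, so the password prompt is only reached by a user that `delete_authorize` has already cleared, and the same ordering holds in the other eleven controllers in this patch.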
--- a/app/controllers/comments_controller.rb
+++ b/app/controllers/comments_controller.rb
@@ -24,6 +24,8 @@ class CommentsController < ApplicationController
 before_action :find_project_from_association
 before_action :authorize
+ require_sudo_mode :destroy
+
 def create
 raise Unauthorized unless @news.commentable?
diff --git a/app/controllers/documents_controller.rb b/app/controllers/documents_controller.rb
index 6facd7b14..a242773d8 100644
--- a/app/controllers/documents_controller.rb
+++ b/app/controllers/documents_controller.rb
@@ -25,6 +25,8 @@ class DocumentsController < ApplicationController
 before_action :find_project_from_association, :except => [:index, :new, :create]
 before_action :authorize
+ require_sudo_mode :destroy
+
 helper :attachments
 helper :custom_fields
diff --git a/app/controllers/issues_controller.rb b/app/controllers/issues_controller.rb
index 4565ec031..a4aea5475 100644
--- a/app/controllers/issues_controller.rb
+++ b/app/controllers/issues_controller.rb
@@ -28,6 +28,8 @@ class IssuesController < ApplicationController
 accept_rss_auth :index, :show
 accept_api_auth :index, :show, :create, :update, :destroy
+ require_sudo_mode :destroy
+
 rescue_from Query::StatementInvalid, :with => :query_statement_invalid
 helper :journals
diff --git a/app/controllers/messages_controller.rb b/app/controllers/messages_controller.rb
index 2a0e341b6..b57db2162 100644
--- a/app/controllers/messages_controller.rb
+++ b/app/controllers/messages_controller.rb
@@ -25,6 +25,8 @@ class MessagesController < ApplicationController
 before_action :find_message, :except => [:new, :preview]
 before_action :authorize, :except => [:preview, :edit, :destroy]
+ require_sudo_mode :destroy
+
 helper :boards
 helper :watchers
 helper :attachments
diff --git a/app/controllers/news_controller.rb b/app/controllers/news_controller.rb
index 5d63f449a..6e068d5e2 100644
--- a/app/controllers/news_controller.rb
+++ b/app/controllers/news_controller.rb
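Review bot: `destroy` in the IssuesController hunk is also listed in `accept_api_auth` two lines above the insertion, and the sudo filter, as far as I can tell from `Redmine::SudoMode`, exempts API requests (there is no interactive password form to render on that path), so issue deletion through the REST API with an API key is unchanged by this patch while the browser path now re-authenticates. That is presumably intended, but it narrows what "require sudo mode for deleting contents" actually covers, and a reader of the controller cannot see the exemption. A comment on the new line, e.g. `# sudo re-authentication applies to the web UI only; API deletes are not prompted`, would keep the next maintainer from assuming API deletes are covered. The same pairing of `accept_api_auth ... :destroy` with `require_sudo_mode :destroy` appears in the news, timelog, versions and wiki hunks.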
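Review bot: In the MessagesController hunk, `destroy` is excluded from the generic `authorize` filter on the line directly above the insertion (`:except => [:preview, :edit, :destroy]`), so the new sudo filter runs before whatever permission check the `destroy` action performs in its own body, which lies outside this hunk. A logged-in user who may not delete the message is therefore shown the password prompt first and only refused afterwards, the reverse of the ordering the other controllers in this patch get from their unconditional `authorize` filters. Moving that per-message check into a `before_action ..., :only => :destroy` declared ahead of `require_sudo_mode :destroy` would keep authorization in front of the re-authentication prompt.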
@@ -28,6 +28,8 @@ class NewsController < ApplicationController
 accept_rss_auth :index
 accept_api_auth :index, :show, :create, :update, :destroy
+ require_sudo_mode :destroy
+
 helper :watchers
 helper :attachments
diff --git a/app/controllers/repositories_controller.rb b/app/controllers/repositories_controller.rb
index 8350b4d48..6ec40701e 100644
--- a/app/controllers/repositories_controller.rb
+++ b/app/controllers/repositories_controller.rb
@@ -36,6 +36,8 @@ class RepositoriesController < ApplicationController
 before_action :authorize
 accept_rss_auth :revisions
+ require_sudo_mode :destroy
+
 rescue_from Redmine::Scm::Adapters::CommandFailed, :with => :show_error_command_failed
 def new
diff --git a/app/controllers/timelog_controller.rb b/app/controllers/timelog_controller.rb
index 4c4e7df79..13d552e17 100644
--- a/app/controllers/timelog_controller.rb
+++ b/app/controllers/timelog_controller.rb
@@ -33,6 +33,8 @@ class TimelogController < ApplicationController
 accept_rss_auth :index
 accept_api_auth :index, :show, :create, :update, :destroy
+ require_sudo_mode :destroy
+
 rescue_from Query::StatementInvalid, :with => :query_statement_invalid
 helper :issues
diff --git a/app/controllers/versions_controller.rb b/app/controllers/versions_controller.rb
index 15c24a884..dd5a4501a 100644
--- a/app/controllers/versions_controller.rb
+++ b/app/controllers/versions_controller.rb
@@ -27,6 +27,8 @@ class VersionsController < ApplicationController
 accept_api_auth :index, :show, :create, :update, :destroy
+ require_sudo_mode :destroy
+
 helper :custom_fields
 helper :projects
diff --git a/app/controllers/wiki_controller.rb b/app/controllers/wiki_controller.rb
index 423f94f98..93f852040 100644
--- a/app/controllers/wiki_controller.rb
+++ b/app/controllers/wiki_controller.rb
@@ -39,6 +39,8 @@ class WikiController < ApplicationController
 before_action :find_attachments, :only => [:preview]
 accept_api_auth :index, :show, :update, :destroy
+ require_sudo_mode :destroy, :destroy_version
+
 helper :attachments
 include AttachmentsHelper
 helper :watchers
diff --git a/app/controllers/wikis_controller.rb b/app/controllers/wikis_controller.rb
index 3c1637e62..d7d443729 100644
--- a/app/controllers/wikis_controller.rb
+++ b/app/controllers/wikis_controller.rb
@@ -21,6 +21,8 @@ class WikisController < ApplicationController
 menu_item :settings
 before_action :find_project, :authorize
+ require_sudo_mode :destroy, only: :post
+
 # Delete a project's wiki
 def destroy
 if request.post? && params[:confirm] && @project.wiki
--
2.21.1 (Apple Git-122.3)
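Review bot: The `only: :post` on the new line of the WikisController hunk is easy to misread as the Rails `before_action` `only:` (an action filter); here it apparently selects the HTTP method, so the password prompt is demanded on the deleting POST and not on the GET that renders the confirmation page, matching the `request.post? && params[:confirm]` check in `destroy` just below. This is the only controller in the patch that passes the option, so the distinction deserves a comment such as `# only: names the HTTP method: prompt on the confirming POST, not on the GET confirmation page`. The body of `destroy` continues past the end of the hunk.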