| @@ -123,7 +123,8 class User < Principal | |||||
| 123 | before_create :set_mail_notification |
|
123 | before_create :set_mail_notification | |
| 124 | before_save :generate_password_if_needed, :update_hashed_password |
|
124 | before_save :generate_password_if_needed, :update_hashed_password | |
| 125 | before_destroy :remove_references_before_destroy |
|
125 | before_destroy :remove_references_before_destroy | |
| 126 | after_save :update_notified_project_ids, :destroy_tokens |
|
126 | after_save :update_notified_project_ids, :destroy_tokens, :deliver_security_notification | |
|
|
127 | after_destroy :deliver_security_notification | |||
| 127 |
|
128 | |||
| 128 | scope :in_group, lambda {|group| |
|
129 | scope :in_group, lambda {|group| | |
| 129 | group_id = group.is_a?(Group) ? group.id : group.to_i |
|
130 | group_id = group.is_a?(Group) ? group.id : group.to_i | |
| @@ -835,6 +836,34 class User < Principal | |||||
| 835 | def self.generate_salt |
|
836 | def self.generate_salt | |
| 836 | Redmine::Utils.random_hex(16) |
|
837 | Redmine::Utils.random_hex(16) | |
| 837 | end |
|
838 | end | |
|
|
839 | # Send a security notification to all admins if the user has gained/lost admin privileges | |||
|
|
840 | def deliver_security_notification | |||
|
|
841 | options = { | |||
|
|
842 | field: :field_admin, | |||
|
|
843 | value: login, | |||
|
|
844 | title: :label_user_plural, | |||
|
|
845 | url: {controller: 'users', action: 'index'} | |||
|
|
846 | } | |||
|
|
847 | deliver = false | |||
|
|
848 | if (admin? && id_changed? && active?) || # newly created admin | |||
|
|
849 | (admin? && admin_changed? && active?) || # regular user became admin | |||
|
|
850 | (admin? && status_changed? && active?) # locked admin became active again | |||
|
|
851 | ||||
|
|
852 | deliver = true | |||
|
|
853 | options[:message] = :mail_body_security_notification_add | |||
|
|
854 | ||||
|
|
855 | elsif (admin? && destroyed? && active?) || # active admin user was deleted | |||
|
|
856 | (!admin? && admin_changed? && active?) || # admin is no longer admin | |||
|
|
857 | (admin? && status_changed? && !active?) # admin was locked | |||
|
|
858 | ||||
|
|
859 | deliver = true | |||
|
|
860 | options[:message] = :mail_body_security_notification_remove | |||
|
|
861 | end | |||
|
|
862 | ||||
|
|
863 | User.where(admin: true, status: Principal::STATUS_ACTIVE).each{|u| Mailer.security_notification(u, options).deliver} if deliver | |||
|
|
864 | end | |||
|
|
865 | ||||
|
|
866 | ||||
| 838 |
|
867 | |||
| 839 | end |
|
868 | end | |
| 840 |
|
869 | |||
| @@ -280,6 +280,48 class UsersControllerTest < ActionController::TestCase | |||||
| 280 | assert_select 'input#pref_no_self_notified[value="1"][checked=checked]' |
|
280 | assert_select 'input#pref_no_self_notified[value="1"][checked=checked]' | |
| 281 | end |
|
281 | end | |
| 282 |
|
282 | |||
|
|
283 | def test_create_admin_should_send_security_notification | |||
|
|
284 | ActionMailer::Base.deliveries.clear | |||
|
|
285 | post :create, | |||
|
|
286 | :user => { | |||
|
|
287 | :firstname => 'Edgar', | |||
|
|
288 | :lastname => 'Schmoe', | |||
|
|
289 | :login => 'eschmoe', | |||
|
|
290 | :password => 'secret123', | |||
|
|
291 | :password_confirmation => 'secret123', | |||
|
|
292 | :mail => 'eschmoe@example.foo', | |||
|
|
293 | :admin => '1' | |||
|
|
294 | } | |||
|
|
295 | ||||
|
|
296 | assert_not_nil (mail = ActionMailer::Base.deliveries.last) | |||
|
|
297 | assert_mail_body_match '0.0.0.0', mail | |||
|
|
298 | assert_mail_body_match I18n.t(:mail_body_security_notification_add, field: I18n.t(:field_admin), value: 'eschmoe'), mail | |||
|
|
299 | assert_select_email do | |||
|
|
300 | assert_select 'a[href^=?]', 'http://localhost:3000/users', :text => 'Users' | |||
|
|
301 | end | |||
|
|
302 | ||||
|
|
303 | # All admins should receive this | |||
|
|
304 | User.where(admin: true, status: Principal::STATUS_ACTIVE).each do |admin| | |||
|
|
305 | assert_not_nil ActionMailer::Base.deliveries.detect{|mail| [mail.bcc, mail.cc].flatten.include?(admin.mail) } | |||
|
|
306 | end | |||
|
|
307 | end | |||
|
|
308 | ||||
|
|
309 | def test_create_non_admin_should_not_send_security_notification | |||
|
|
310 | ActionMailer::Base.deliveries.clear | |||
|
|
311 | post :create, | |||
|
|
312 | :user => { | |||
|
|
313 | :firstname => 'Edgar', | |||
|
|
314 | :lastname => 'Schmoe', | |||
|
|
315 | :login => 'eschmoe', | |||
|
|
316 | :password => 'secret123', | |||
|
|
317 | :password_confirmation => 'secret123', | |||
|
|
318 | :mail => 'eschmoe@example.foo', | |||
|
|
319 | :admin => '0' | |||
|
|
320 | } | |||
|
|
321 | assert_nil ActionMailer::Base.deliveries.last | |||
|
|
322 | end | |||
|
|
323 | ||||
|
|
324 | ||||
| 283 | def test_edit |
|
325 | def test_edit | |
| 284 | get :edit, :id => 2 |
|
326 | get :edit, :id => 2 | |
| 285 | assert_response :success |
|
327 | assert_response :success | |
| @@ -426,6 +468,92 class UsersControllerTest < ActionController::TestCase | |||||
| 426 | assert_equal '1', user.pref[:no_self_notified] |
|
468 | assert_equal '1', user.pref[:no_self_notified] | |
| 427 | end |
|
469 | end | |
| 428 |
|
470 | |||
|
|
471 | def test_update_assign_admin_should_send_security_notification | |||
|
|
472 | ActionMailer::Base.deliveries.clear | |||
|
|
473 | put :update, :id => 2, :user => { | |||
|
|
474 | :admin => 1 | |||
|
|
475 | } | |||
|
|
476 | ||||
|
|
477 | assert_not_nil (mail = ActionMailer::Base.deliveries.last) | |||
|
|
478 | assert_mail_body_match I18n.t(:mail_body_security_notification_add, field: I18n.t(:field_admin), value: User.find(2).login), mail | |||
|
|
479 | ||||
|
|
480 | # All admins should receive this | |||
|
|
481 | User.where(admin: true, status: Principal::STATUS_ACTIVE).each do |admin| | |||
|
|
482 | assert_not_nil ActionMailer::Base.deliveries.detect{|mail| [mail.bcc, mail.cc].flatten.include?(admin.mail) } | |||
|
|
483 | end | |||
|
|
484 | end | |||
|
|
485 | ||||
|
|
486 | def test_update_unassign_admin_should_send_security_notification | |||
|
|
487 | user = User.find(2) | |||
|
|
488 | user.admin = true | |||
|
|
489 | user.save! | |||
|
|
490 | ||||
|
|
491 | ActionMailer::Base.deliveries.clear | |||
|
|
492 | put :update, :id => user.id, :user => { | |||
|
|
493 | :admin => 0 | |||
|
|
494 | } | |||
|
|
495 | ||||
|
|
496 | assert_not_nil (mail = ActionMailer::Base.deliveries.last) | |||
|
|
497 | assert_mail_body_match I18n.t(:mail_body_security_notification_remove, field: I18n.t(:field_admin), value: user.login), mail | |||
|
|
498 | ||||
|
|
499 | # All admins should receive this | |||
|
|
500 | User.where(admin: true, status: Principal::STATUS_ACTIVE).each do |admin| | |||
|
|
501 | assert_not_nil ActionMailer::Base.deliveries.detect{|mail| [mail.bcc, mail.cc].flatten.include?(admin.mail) } | |||
|
|
502 | end | |||
|
|
503 | end | |||
|
|
504 | ||||
|
|
505 | def test_update_lock_admin_should_send_security_notification | |||
|
|
506 | user = User.find(2) | |||
|
|
507 | user.admin = true | |||
|
|
508 | user.save! | |||
|
|
509 | ||||
|
|
510 | ActionMailer::Base.deliveries.clear | |||
|
|
511 | put :update, :id => 2, :user => { | |||
|
|
512 | :status => Principal::STATUS_LOCKED | |||
|
|
513 | } | |||
|
|
514 | ||||
|
|
515 | assert_not_nil (mail = ActionMailer::Base.deliveries.last) | |||
|
|
516 | assert_mail_body_match I18n.t(:mail_body_security_notification_remove, field: I18n.t(:field_admin), value: User.find(2).login), mail | |||
|
|
517 | ||||
|
|
518 | # All admins should receive this | |||
|
|
519 | User.where(admin: true, status: Principal::STATUS_ACTIVE).each do |admin| | |||
|
|
520 | assert_not_nil ActionMailer::Base.deliveries.detect{|mail| [mail.bcc, mail.cc].flatten.include?(admin.mail) } | |||
|
|
521 | end | |||
|
|
522 | ||||
|
|
523 | # if user is already locked, destroying should not send a second mail | |||
|
|
524 | # (for active admins see furtherbelow) | |||
|
|
525 | ActionMailer::Base.deliveries.clear | |||
|
|
526 | delete :destroy, :id => 1 | |||
|
|
527 | assert_nil ActionMailer::Base.deliveries.last | |||
|
|
528 | ||||
|
|
529 | end | |||
|
|
530 | ||||
|
|
531 | def test_update_unlock_admin_should_send_security_notification | |||
|
|
532 | user = User.find(5) # already locked | |||
|
|
533 | user.admin = true | |||
|
|
534 | user.save! | |||
|
|
535 | ActionMailer::Base.deliveries.clear | |||
|
|
536 | put :update, :id => user.id, :user => { | |||
|
|
537 | :status => Principal::STATUS_ACTIVE | |||
|
|
538 | } | |||
|
|
539 | ||||
|
|
540 | assert_not_nil (mail = ActionMailer::Base.deliveries.last) | |||
|
|
541 | assert_mail_body_match I18n.t(:mail_body_security_notification_add, field: I18n.t(:field_admin), value: user.login), mail | |||
|
|
542 | ||||
|
|
543 | # All admins should receive this | |||
|
|
544 | User.where(admin: true, status: Principal::STATUS_ACTIVE).each do |admin| | |||
|
|
545 | assert_not_nil ActionMailer::Base.deliveries.detect{|mail| [mail.bcc, mail.cc].flatten.include?(admin.mail) } | |||
|
|
546 | end | |||
|
|
547 | end | |||
|
|
548 | ||||
|
|
549 | def test_update_admin_unrelated_property_should_not_send_security_notification | |||
|
|
550 | ActionMailer::Base.deliveries.clear | |||
|
|
551 | put :update, :id => 1, :user => { | |||
|
|
552 | :firstname => 'Jimmy' | |||
|
|
553 | } | |||
|
|
554 | assert_nil ActionMailer::Base.deliveries.last | |||
|
|
555 | end | |||
|
|
556 | ||||
| 429 | def test_destroy |
|
557 | def test_destroy | |
| 430 | assert_difference 'User.count', -1 do |
|
558 | assert_difference 'User.count', -1 do | |
| 431 | delete :destroy, :id => 2 |
|
559 | delete :destroy, :id => 2 | |
| @@ -449,4 +577,20 class UsersControllerTest < ActionController::TestCase | |||||
| 449 | end |
|
577 | end | |
| 450 | assert_redirected_to '/users?name=foo' |
|
578 | assert_redirected_to '/users?name=foo' | |
| 451 | end |
|
579 | end | |
|
|
580 | ||||
|
|
581 | def test_destroy_active_admin_should_send_security_notification | |||
|
|
582 | user = User.find(2) | |||
|
|
583 | user.admin = true | |||
|
|
584 | user.save! | |||
|
|
585 | ActionMailer::Base.deliveries.clear | |||
|
|
586 | delete :destroy, :id => user.id | |||
|
|
587 | ||||
|
|
588 | assert_not_nil (mail = ActionMailer::Base.deliveries.last) | |||
|
|
589 | assert_mail_body_match I18n.t(:mail_body_security_notification_remove, field: I18n.t(:field_admin), value: user.login), mail | |||
|
|
590 | ||||
|
|
591 | # All admins should receive this | |||
|
|
592 | User.where(admin: true, status: Principal::STATUS_ACTIVE).each do |admin| | |||
|
|
593 | assert_not_nil ActionMailer::Base.deliveries.detect{|mail| [mail.bcc, mail.cc].flatten.include?(admin.mail) } | |||
|
|
594 | end | |||
|
|
595 | end | |||
| 452 | end |
|
596 | end | |
General Comments 0
You need to be logged in to leave comments.
Login now