0007-Send-a-security-notification-when-users-gain-or-loos.patch

Jan from Planio www.plan.io, 2015-12-13 08:36

Download (8.34 KB)

View differences:

app/models/user.rb
118 118
  before_create :set_mail_notification
119 119
  before_save   :generate_password_if_needed, :update_hashed_password
120 120
  before_destroy :remove_references_before_destroy
121
  after_save :update_notified_project_ids, :destroy_tokens
121
  after_save :update_notified_project_ids, :destroy_tokens, :deliver_security_notification
122
  after_destroy :deliver_security_notification
122 123
  scope :in_group, lambda {|group|
123 124
    group_id = group.is_a?(Group) ? group.id : group.to_i
......
831 832
    Redmine::Utils.random_hex(16)
832 833
  end
834
  # Send a security notification to all admins if the user has gained/lost admin privileges
835
  def deliver_security_notification
836
    options = {
837
      field: :field_admin,
838
      value: login,
839
      title: :label_user_plural,
840
      url: {controller: 'users', action: 'index'}
841
    }
842
    deliver = false
843
    if (admin? && id_changed? && active?) ||    # newly created admin
844
       (admin? && admin_changed? && active?) || # regular user became admin
845
       (admin? && status_changed? && active?)   # locked admin became active again
846

  
847
       deliver = true
848
       options[:message] = :mail_body_security_notification_add
849

  
850
    elsif (admin? && destroyed? && active?) ||      # active admin user was deleted
851
          (!admin? && admin_changed? && active?) || # admin is no longer admin
852
          (admin? && status_changed? && !active?)   # admin was locked
853

  
854
          deliver = true
855
          options[:message] = :mail_body_security_notification_remove
856
    end
857

  
858
    User.where(admin: true, status: Principal::STATUS_ACTIVE).each{|u| Mailer.security_notification(u, options).deliver} if deliver
859
  end
860

  
861

  
833 862
end
834 863
class AnonymousUser < User
test/functional/users_controller_test.rb
280 280
    assert_select 'input#pref_no_self_notified[value="1"][checked=checked]'
281 281
  end
282
  def test_create_admin_should_send_security_notification
283
    ActionMailer::Base.deliveries.clear
284
    post :create,
285
      :user => {
286
        :firstname => 'Edgar',
287
        :lastname => 'Schmoe',
288
        :login => 'eschmoe',
289
        :password => 'secret123',
290
        :password_confirmation => 'secret123',
291
        :mail => 'eschmoe@example.foo',
292
        :admin => '1'
293
      }
294

  
295
    assert_not_nil (mail = ActionMailer::Base.deliveries.last)
296
    assert_mail_body_match '0.0.0.0', mail
297
    assert_mail_body_match I18n.t(:mail_body_security_notification_add, field: I18n.t(:field_admin), value: 'eschmoe'), mail
298
    assert_select_email do
299
      assert_select 'a[href^=?]', 'http://localhost:3000/users', :text => 'Users'
300
    end
301

  
302
    # All admins should receive this
303
    User.where(admin: true, status: Principal::STATUS_ACTIVE).each do |admin|
304
      assert_not_nil ActionMailer::Base.deliveries.detect{|mail| [mail.bcc, mail.cc].flatten.include?(admin.mail) }
305
    end
306
  end
307

  
308
  def test_create_non_admin_should_not_send_security_notification
309
    ActionMailer::Base.deliveries.clear
310
    post :create,
311
      :user => {
312
        :firstname => 'Edgar',
313
        :lastname => 'Schmoe',
314
        :login => 'eschmoe',
315
        :password => 'secret123',
316
        :password_confirmation => 'secret123',
317
        :mail => 'eschmoe@example.foo',
318
        :admin => '0'
319
      }
320
    assert_nil ActionMailer::Base.deliveries.last
321
  end
322

  
323

  
282 324
  def test_edit
283 325
    get :edit, :id => 2
284 326
    assert_response :success
......
426 468
    assert_equal '1', user.pref[:no_self_notified]
427 469
  end
470
  def test_update_assign_admin_should_send_security_notification
471
    ActionMailer::Base.deliveries.clear
472
    put :update, :id => 2, :user => {
473
      :admin => 1
474
    }
475

  
476
    assert_not_nil (mail = ActionMailer::Base.deliveries.last)
477
    assert_mail_body_match I18n.t(:mail_body_security_notification_add, field: I18n.t(:field_admin), value: User.find(2).login), mail
478

  
479
    # All admins should receive this
480
    User.where(admin: true, status: Principal::STATUS_ACTIVE).each do |admin|
481
      assert_not_nil ActionMailer::Base.deliveries.detect{|mail| [mail.bcc, mail.cc].flatten.include?(admin.mail) }
482
    end
483
  end
484

  
485
  def test_update_unassign_admin_should_send_security_notification
486
    user = User.find(2)
487
    user.admin = true
488
    user.save!
489

  
490
    ActionMailer::Base.deliveries.clear
491
    put :update, :id => user.id, :user => {
492
      :admin => 0
493
    }
494

  
495
    assert_not_nil (mail = ActionMailer::Base.deliveries.last)
496
    assert_mail_body_match I18n.t(:mail_body_security_notification_remove, field: I18n.t(:field_admin), value: user.login), mail
497

  
498
    # All admins should receive this
499
    User.where(admin: true, status: Principal::STATUS_ACTIVE).each do |admin|
500
      assert_not_nil ActionMailer::Base.deliveries.detect{|mail| [mail.bcc, mail.cc].flatten.include?(admin.mail) }
501
    end
502
  end
503

  
504
  def test_update_lock_admin_should_send_security_notification
505
    user = User.find(2)
506
    user.admin = true
507
    user.save!
508

  
509
    ActionMailer::Base.deliveries.clear
510
    put :update, :id => 2, :user => {
511
      :status => Principal::STATUS_LOCKED
512
    }
513

  
514
    assert_not_nil (mail = ActionMailer::Base.deliveries.last)
515
    assert_mail_body_match I18n.t(:mail_body_security_notification_remove, field: I18n.t(:field_admin), value: User.find(2).login), mail
516

  
517
    # All admins should receive this
518
    User.where(admin: true, status: Principal::STATUS_ACTIVE).each do |admin|
519
      assert_not_nil ActionMailer::Base.deliveries.detect{|mail| [mail.bcc, mail.cc].flatten.include?(admin.mail) }
520
    end
521

  
522
    # if user is already locked, destroying should not send a second mail
523
    # (for active admins see furtherbelow)
524
    ActionMailer::Base.deliveries.clear
525
    delete :destroy, :id => 1
526
    assert_nil ActionMailer::Base.deliveries.last
527

  
528
  end
529

  
530
  def test_update_unlock_admin_should_send_security_notification
531
    user = User.find(5) # already locked
532
    user.admin = true
533
    user.save!
534
    ActionMailer::Base.deliveries.clear
535
    put :update, :id => user.id, :user => {
536
      :status => Principal::STATUS_ACTIVE
537
    }
538

  
539
    assert_not_nil (mail = ActionMailer::Base.deliveries.last)
540
    assert_mail_body_match I18n.t(:mail_body_security_notification_add, field: I18n.t(:field_admin), value: user.login), mail
541

  
542
    # All admins should receive this
543
    User.where(admin: true, status: Principal::STATUS_ACTIVE).each do |admin|
544
      assert_not_nil ActionMailer::Base.deliveries.detect{|mail| [mail.bcc, mail.cc].flatten.include?(admin.mail) }
545
    end
546
  end
547

  
548
  def test_update_admin_unrelated_property_should_not_send_security_notification
549
    ActionMailer::Base.deliveries.clear
550
    put :update, :id => 1, :user => {
551
      :firstname => 'Jimmy'
552
    }
553
    assert_nil ActionMailer::Base.deliveries.last
554
  end
555

  
428 556
  def test_destroy
429 557
    assert_difference 'User.count', -1 do
430 558
      delete :destroy, :id => 2
......
449 577
    end
450 578
    assert_redirected_to '/users?name=foo'
451 579
  end
580

  
581
  def test_destroy_active_admin_should_send_security_notification
582
    user = User.find(2)
583
    user.admin = true
584
    user.save!
585
    ActionMailer::Base.deliveries.clear
586
    delete :destroy, :id => user.id
587

  
588
    assert_not_nil (mail = ActionMailer::Base.deliveries.last)
589
    assert_mail_body_match I18n.t(:mail_body_security_notification_remove, field: I18n.t(:field_admin), value: user.login), mail
590

  
591
    # All admins should receive this
592
    User.where(admin: true, status: Principal::STATUS_ACTIVE).each do |admin|
593
      assert_not_nil ActionMailer::Base.deliveries.detect{|mail| [mail.bcc, mail.cc].flatten.include?(admin.mail) }
594
    end
595
  end
452 596
end
453
-