28302.patch

Felix Schäfer, 2018-03-06 22:17



app/controllers/account_controller.rb
87 87
          @user.must_change_passwd = false
88 88
          if @user.save
89 89
            @token.destroy
90
            Mailer.password_updated(@user)
90
            Mailer.password_updated(@user, { remote_ip: request.remote_ip })
91 91
            flash[:notice] = l(:notice_account_password_updated)
92 92
            redirect_to signin_path
93 93
            return
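Review bot: The new call on line 90 wraps the single option in an explicit hash literal, `Mailer.password_updated(@user, { remote_ip: request.remote_ip })`; Ruby accepts the same hash as a trailing keyword-style argument, so `Mailer.password_updated(@user, remote_ip: request.remote_ip)` reads cleaner and matches the `options={}` parameter on the mailer side. Since this path runs for a token holder rather than a signed-in user, a short comment would help the next reader, e.g. `# the reset request's IP is what the notification should show; User.current is not the account owner here`. `request.remote_ip` is whatever Rails resolves from the connection and any trusted proxy headers, so the value shown in the notice is only as reliable as that configuration. The enclosing action starts and ends outside this hunk.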
app/models/mailer.rb
311 311
  end
312 312

  
313 313
  # Notifies user that his password was updated
314
  def self.password_updated(user)
314
  def self.password_updated(user, options={})
315 315
    # Don't send a notification to the dummy email address when changing the password
316 316
    # of the default admin account which is required after the first login
317 317
    # TODO: maybe not the best way to handle this
......
320 320
    security_notification(user,
321 321
      message: :mail_body_password_updated,
322 322
      title: :button_change_password,
323
      remote_ip: options[:remote_ip],
324
      originator: user,
323 325
      url: {controller: 'my', action: 'password'}
324 326
    ).deliver
325 327
  end
......
333 335
  end
334 336

  
335 337
  def security_notification(recipients, options={})
336
    redmine_headers 'Sender' => User.current.login
337 338
    @user = Array(recipients).detect{|r| r.is_a? User }
338 339
    set_language_if_valid(@user.try :language)
339 340
    @message = l(options[:message],
......
341 342
      value: options[:value]
342 343
    )
343 344
    @title = options[:title] && l(options[:title])
345
    @originator = options[:originator] || User.current
346
    @remote_ip = options[:remote_ip] || @originator.remote_ip
344 347
    @url = options[:url] && (options[:url].is_a?(Hash) ? url_for(options[:url]) : options[:url])
348
    redmine_headers 'Sender' => @originator.login
349
    redmine_headers 'Url' => @url
345 350
    mail :to => recipients,
346 351
      :subject => "[#{Setting.app_title}] #{l(:mail_subject_security_notification)}"
347 352
  end
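Review bot: `@remote_ip = options[:remote_ip] || @originator.remote_ip` falls back to the IP stored on the originator record, but when a caller supplies an `originator:` that is not `User.current` (as `password_updated` now does with `originator: user`) that record's `remote_ip` is presumably unset, so `@remote_ip` becomes nil and the notification renders an empty IP field. A last-resort fallback to the request user, `@remote_ip = options[:remote_ip] || @originator.remote_ip || User.current.remote_ip`, would keep the previous behaviour for callers that override the originator without passing `remote_ip:`; if the nil is intended, a comment above that line stating that `remote_ip:` must be supplied whenever `originator:` is overridden would make the contract explicit. The new test in test/unit/mailer_test.rb only exercises the case where both options are given and never asserts that `192.168.1.1` is absent from the body, so neither the override nor the fallback is actually pinned down. The `password_updated` hunk above shares the same concern through `remote_ip: options[:remote_ip]`; `security_notification` itself fits entirely within this section.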
app/views/mailer/security_notification.html.erb
7 7
<%= content_tag :h1, @title -%>
8 8
<% end %></p>
9 9

  
10
<p><%= l(:field_user) %>: <strong><%= User.current.login %></strong><br/>
11
<%= l(:field_remote_ip) %>: <strong><%= User.current.remote_ip %></strong><br/>
10
<p><%= l(:field_user) %>: <strong><%= @originator.login %></strong><br/>
11
<%= l(:field_remote_ip) %>: <strong><%= @remote_ip %></strong><br/>
12 12
<%= l(:label_date) %>: <strong><%= format_time Time.now, true, @user %></strong></p>
13 13

  
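Review bot: `<%= @remote_ip %>` on line 11 is rendered unconditionally, so a nil `@remote_ip` from the mailer produces `<strong></strong>`, an empty IP field in a security notice that the reader cannot distinguish from a deliberate blank; app/views/mailer/security_notification.text.erb has the same line. Either the mailer should guarantee a value or the template should show a placeholder, e.g. `<%= @remote_ip.presence || '-' %>`, so the absence is visible rather than silent.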
app/views/mailer/security_notification.text.erb
2 2

  
3 3
<%= @url || @title %>
4 4

  
5
<%= l(:field_user) %>: <%= User.current.login %>
6
<%= l(:field_remote_ip) %>: <%= User.current.remote_ip %>
5
<%= l(:field_user) %>: <%= @originator.login %>
6
<%= l(:field_remote_ip) %>: <%= @remote_ip %>
7 7
<%= l(:label_date) %>: <%= format_time Time.now, true, @user %>
8 8

  
test/unit/mailer_test.rb
721 721
    end
722 722
  end
723 723

  
724
  def test_security_notification_with_overridden_originator_and_remote_ip
725
    set_language_if_valid User.find(1).language
726
    with_settings :emails_footer => "footer without link" do
727
      User.current.remote_ip = '192.168.1.1'
728
      assert Mailer.security_notification(User.find(1), message: :notice_account_password_updated, originator: User.find(2), remote_ip: '10.0.0.42').deliver
729
      mail = last_email
730
      assert_not_nil mail
731
      assert_mail_body_match User.find(2).login, mail
732
      assert_mail_body_match '10.0.0.42', mail
733
      assert_mail_body_match I18n.t(:notice_account_password_updated), mail
734
      assert_select_email do
735
        assert_select "h1", false
736
        assert_select "a", false
737
      end
738
    end
739
  end
740

  
724 741
  def test_security_notification_should_include_title
725 742
    set_language_if_valid User.find(2).language
726 743
    with_settings :emails_footer => "footer without link" do