From 09d8525fa882628cd2402893f6ac4fd637663f31 Mon Sep 17 00:00:00 2001
From: Jan Schulz-Hofen
Date: Sun, 13 Dec 2015 15:01:31 +0700
Subject: [PATCH] Allow overriding of originator and remote_ip causing a security notification and use these overrides in lost password procedure (where no real session is initiated)

---
 app/controllers/account_controller.rb | 2 ++
 app/models/mailer.rb | 4 +++-
 app/views/mailer/security_notification.html.erb | 4 ++--
 app/views/mailer/security_notification.text.erb | 4 ++--
 test/unit/mailer_test.rb | 17 +++++++++++++++++
 5 files changed, 26 insertions(+), 5 deletions(-)

diff --git a/app/controllers/account_controller.rb b/app/controllers/account_controller.rb
index 6c2d5b0..d4f96a7 100644
--- a/app/controllers/account_controller.rb
+++ b/app/controllers/account_controller.rb
@@ -77,6 +77,8 @@ class AccountController < ApplicationController
 message: :mail_body_security_notification_change,
 field: :field_password,
 title: :button_change_password,
+ remote_ip: request.remote_ip,
+ originator: @user,
 url: {controller: 'my', action: 'password'}
 ).deliver
 flash[:notice] = l(:notice_account_password_updated)
diff --git a/app/models/mailer.rb b/app/models/mailer.rb
index a803a35..2348502 100644
--- a/app/models/mailer.rb
+++ b/app/models/mailer.rb
@@ -319,7 +319,6 @@ class Mailer < ActionMailer::Base
 end
 def security_notification(recipients, options={})
- redmine_headers 'Sender' => User.current.login
 @user = Array(recipients).detect{|r| r.is_a? User }
 set_language_if_valid(@user.try :language)
 @message = l(options[:message],
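Review bot: The new `originator: @user` argument attributes the password change to the account whose reset token is being used, while the party actually making the request in this flow holds no session (the enclosing action starts outside the hunk, so this is inferred from the commit message); the notification will name the account owner as the actor even when the token was redeemed by someone else, and the only trace of who did it is the `remote_ip:` on the line above. That distinction is easy to lose for whoever reads the mail or the code later, so it is worth a comment at the call site: `# lost-password flow: no session, so the account itself is reported as originator; remote_ip is the only hint at the real requester`.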
@@ -327,7 +326,10 @@ class Mailer < ActionMailer::Base
 value: options[:value]
 )
 @title = options[:title] && l(options[:title])
+ @originator = options[:originator] || User.current
+ @remote_ip = options[:remote_ip] || @originator.remote_ip
 @url = options[:url] && (options[:url].is_a?(Hash) ? url_for(options[:url]) : options[:url])
+ redmine_headers 'Sender' => @originator.login
 mail :to => recipients,
 :subject => l(:mail_subject_security_notification)
 end
diff --git a/app/views/mailer/security_notification.html.erb b/app/views/mailer/security_notification.html.erb
index 53bf0a0..ff9006b 100644
--- a/app/views/mailer/security_notification.html.erb
+++ b/app/views/mailer/security_notification.html.erb
@@ -7,7 +7,7 @@
 <%= content_tag :h1, @title -%>
 <% end %>
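Review bot: The fallback on the new `@remote_ip = options[:remote_ip] || @originator.remote_ip` line couples badly with the line above it: a caller that passes `originator:` without `remote_ip:` gets the IP stored on the supplied User object, which for a user loaded from the database is presumably not populated (the test in this patch has to set `User.current.remote_ip` by hand, which suggests it is per-request state), so the notification and the `Sender` header would describe an actor with a blank address. Either make the coupling explicit, `raise ArgumentError, 'remote_ip is required when originator is overridden' if options[:originator] && !options[:remote_ip]`, or at least document it above the assignment: `# remote_ip must be passed together with originator; User#remote_ip is only set for the request's current user`. The `options` keys `originator`, `remote_ip`, `message`, `field`, `value`, `title` and `url` are also undocumented on the method, which began in the previous hunk; a short comment listing them would help callers get this pair right.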

-

<%= l(:field_user) %>: <%= User.current.login %>
-<%= l(:field_remote_ip) %>: <%= User.current.remote_ip %>
+

<%= l(:field_user) %>: <%= @originator.login %>
+<%= l(:field_remote_ip) %>: <%= @remote_ip %>
<%= l(:label_date) %>: <%= format_time Time.now, true, @user %>

diff --git a/app/views/mailer/security_notification.text.erb b/app/views/mailer/security_notification.text.erb
index 17fd6ef..0ed733d 100644
--- a/app/views/mailer/security_notification.text.erb
+++ b/app/views/mailer/security_notification.text.erb
@@ -2,7 +2,7 @@
 <%= @url || @title %>
-<%= l(:field_user) %>: <%= User.current.login %>
-<%= l(:field_remote_ip) %>: <%= User.current.remote_ip %>
+<%= l(:field_user) %>: <%= @originator.login %>
+<%= l(:field_remote_ip) %>: <%= @remote_ip %>
 <%= l(:label_date) %>: <%= format_time Time.now, true, @user %>
diff --git a/test/unit/mailer_test.rb b/test/unit/mailer_test.rb
index c9f4fe1..7b42761 100644
--- a/test/unit/mailer_test.rb
+++ b/test/unit/mailer_test.rb
@@ -683,6 +683,23 @@ class MailerTest < ActiveSupport::TestCase
 end
 end
+ def test_security_notification_with_overridden_originator_and_remote_ip
+ set_language_if_valid User.find(1).language
+ with_settings :emails_footer => "footer without link" do
+ User.current.remote_ip = '192.168.1.1'
+ assert Mailer.security_notification(User.find(1), message: :notice_account_password_updated, originator: User.find(2), remote_ip: '10.0.0.42').deliver
+ mail = last_email
+ assert_not_nil mail
+ assert_mail_body_match User.find(2).login, mail
+ assert_mail_body_match '10.0.0.42', mail
+ assert_mail_body_match I18n.t(:notice_account_password_updated), mail
+ assert_select_email do
+ assert_select "h1", false
+ assert_select "a", false
+ end
+ end
+ end
+ + def test_security_notification_should_include_title
 set_language_if_valid User.find(2).language
 with_settings :emails_footer => "footer without link" do
--
2.4.0
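Review bot: The new test sets `User.current.remote_ip = '192.168.1.1'` but never asserts that this value is absent from the mail, so it does not actually prove the `remote_ip:` override won over the session value; the same holds for the session user's login versus `User.find(2).login`. A negative assertion next to the positive one closes that gap, `assert_mail_body_no_match '192.168.1.1', mail` (the helper appears to be the counterpart of the `assert_mail_body_match` already used here; confirm it exists in the test helper), and the `Sender` header now derived from the originator is not checked either. The assignment to `User.current.remote_ip` is also not undone after the test, which may leak into later tests in the same process if `User.current` is reused; resetting it in an `ensure` or at the end of the `with_settings` block would keep the test self-contained.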