Project

General

Profile

Download (4.68 KB)

Defect #28302 » 28302.patch

Felix Schäfer, 2018-03-06 22:17

View differences:

app/controllers/account_controller.rb
87 87 
          @user.must_change_passwd = false
88 88 
          if @user.save
89 89 
            @token.destroy
90 
            Mailer.password_updated(@user)
90 
            Mailer.password_updated(@user, { remote_ip: request.remote_ip })
91 91 
            flash[:notice] = l(:notice_account_password_updated)
92 92 
            redirect_to signin_path
93 93 
            return
app/models/mailer.rb
311 311 
  end
312 312 

  		




  313
  313
  
    
  # Notifies user that his password was updated

  		




  314
  
  
    
  def self.password_updated(user)

  		




  
  314
  
    
  def self.password_updated(user, options={})

  		




  315
  315
  
    
    # Don't send a notification to the dummy email address when changing the password

  		




  316
  316
  
    
    # of the default admin account which is required after the first login

  		




  317
  317
  
    
    # TODO: maybe not the best way to handle this

  		




  ......




  320
  320
  
    
    security_notification(user,

  		




  321
  321
  
    
      message: :mail_body_password_updated,

  		




  322
  322
  
    
      title: :button_change_password,

  		




  
  323
  
    
      remote_ip: options[:remote_ip],

  		




  
  324
  
    
      originator: user,

  		




  323
  325
  
    
      url: {controller: 'my', action: 'password'}

  		




  324
  326
  
    
    ).deliver

  		




  325
  327
  
    
  end

  		




  ......




  333
  335
  
    
  end

  		




  334
  336
  
    

  		




  335
  337
  
    
  def security_notification(recipients, options={})

  		




  336
  
  
    
    redmine_headers 'Sender' => User.current.login

  		




  337
  338
  
    
    @user = Array(recipients).detect{|r| r.is_a? User }

  		




  338
  339
  
    
    set_language_if_valid(@user.try :language)

  		




  339
  340
  
    
    @message = l(options[:message],

  		




  ......




  341
  342
  
    
      value: options[:value]

  		




  342
  343
  
    
    )

  		




  343
  344
  
    
    @title = options[:title] && l(options[:title])

  		




  
  345
  
    
    @originator = options[:originator] || User.current

  		




  
  346
  
    
    @remote_ip = options[:remote_ip] || @originator.remote_ip

  		




  344
  347
  
    
    @url = options[:url] && (options[:url].is_a?(Hash) ? url_for(options[:url]) : options[:url])

  		




  
  348
  
    
    redmine_headers 'Sender' => @originator.login

  		




  
  349
  
    
    redmine_headers 'Url' => @url

  		




  345
  350
  
    
    mail :to => recipients,

  		




  346
  351
  
    
      :subject => "[#{Setting.app_title}] #{l(:mail_subject_security_notification)}"

  		




  347
  352
  
    
  end

  		












  

    
      app/views/mailer/security_notification.html.erb
    
  





  7
  7
  
    
<%= content_tag :h1, @title -%>

  		




  8
  8
  
    
<% end %></p>

  		




  9
  9
  
    

  		




  10
  
  
    
<p><%= l(:field_user) %>: <strong><%= User.current.login %></strong><br/>

  		




  11
  
  
    
<%= l(:field_remote_ip) %>: <strong><%= User.current.remote_ip %></strong><br/>

  		




  
  10
  
    
<p><%= l(:field_user) %>: <strong><%= @originator.login %></strong><br/>

  		




  
  11
  
    
<%= l(:field_remote_ip) %>: <strong><%= @remote_ip %></strong><br/>

  		




  12
  12
  
    
<%= l(:label_date) %>: <strong><%= format_time Time.now, true, @user %></strong></p>

  		




  13
  13
  
    

  		












  

    
      app/views/mailer/security_notification.text.erb
    
  





  2
  2
  
    

  		




  3
  3
  
    
<%= @url || @title %>

  		




  4
  4
  
    

  		




  5
  
  
    
<%= l(:field_user) %>: <%= User.current.login %>

  		




  6
  
  
    
<%= l(:field_remote_ip) %>: <%= User.current.remote_ip %>

  		




  
  5
  
    
<%= l(:field_user) %>: <%= @originator.login %>

  		




  
  6
  
    
<%= l(:field_remote_ip) %>: <%= @remote_ip %>

  		




  7
  7
  
    
<%= l(:label_date) %>: <%= format_time Time.now, true, @user %>

  		




  8
  8
  
    

  		












  

    
      test/unit/mailer_test.rb
    
  





  721
  721
  
    
    end

  		




  722
  722
  
    
  end

  		




  723
  723
  
    

  		




  
  724
  
    
  def test_security_notification_with_overridden_originator_and_remote_ip

  		




  
  725
  
    
    set_language_if_valid User.find(1).language

  		




  
  726
  
    
    with_settings :emails_footer => "footer without link" do

  		




  
  727
  
    
      User.current.remote_ip = '192.168.1.1'

  		




  
  728
  
    
      assert Mailer.security_notification(User.find(1), message: :notice_account_password_updated, originator: User.find(2), remote_ip: '10.0.0.42').deliver

  		




  
  729
  
    
      mail = last_email

  		




  
  730
  
    
      assert_not_nil mail

  		




  
  731
  
    
      assert_mail_body_match User.find(2).login, mail

  		




  
  732
  
    
      assert_mail_body_match '10.0.0.42', mail

  		




  
  733
  
    
      assert_mail_body_match I18n.t(:notice_account_password_updated), mail

  		




  
  734
  
    
      assert_select_email do

  		




  
  735
  
    
        assert_select "h1", false

  		




  
  736
  
    
        assert_select "a", false

  		




  
  737
  
    
      end

  		




  
  738
  
    
    end

  		




  
  739
  
    
  end

  		




  
  740
  
    

  		




  724
  741
  
    
  def test_security_notification_should_include_title

  		




  725
  742
  
    
    set_language_if_valid User.find(2).language

  		




  726
  743
  
    
    with_settings :emails_footer => "footer without link" do

  		















  
    (1-1/1)