From 2d8e4446debce721a21c967088248fb1b5730007 Mon Sep 17 00:00:00 2001
From: Jan Schulz-Hofen
Date: Wed, 2 Dec 2015 18:43:25 +0800
Subject: [PATCH 6/7] Send a security notification when certain settings are changed
---
 app/models/setting.rb | 11 +++++++++
 config/settings.yml | 16 +++++++++++++
 test/functional/settings_controller_test.rb | 37 +++++++++++++++++++++++++++++
 test/unit/mailer_test.rb | 1 +
 4 files changed, 65 insertions(+)
diff --git a/app/models/setting.rb b/app/models/setting.rb
index 2574649..5c5b412 100644
--- a/app/models/setting.rb
+++ b/app/models/setting.rb
@@ -112,9 +112,20 @@ class Setting < ActiveRecord::Base
 def self.[]=(name, v)
 setting = find_or_default(name)
+ previous_value = setting.value
 setting.value = (v ? v : "")
 @cached_settings[name] = nil
 setting.save
+ if available_settings[setting.name]['security_notifications'] && setting.value != previous_value
+ User.where(admin: true, status: Principal::STATUS_ACTIVE).each do |admin|
+ Mailer.security_notification(admin,
+ message: :mail_body_security_notification_change,
+ field: "setting_#{name}",
+ title: :label_settings,
+ url: {controller: 'settings', action: 'index'}
+ ).deliver
+ end
+ end
 setting.value
 end
diff --git a/config/settings.yml b/config/settings.yml
index 7180dac..b6eca58 100644
--- a/config/settings.yml
+++ b/config/settings.yml
@@ -27,19 +27,24 @@ welcome_text:
 default:
 login_required:
 default: 0
+ security_notifications: 1
 self_registration:
 default: '2'
+ security_notifications: 1
 lost_password:
 default: 1
+ security_notifications: 1
 unsubscribe:
 default: 1
 password_min_length:
 format: int
 default: 8
+ security_notifications: 1
 # Maximum password age in days
 password_max_age:
 format: int
 default: 0
+ security_notifications: 1
 # Maximum number of additional email addresses per user
 max_additional_emails:
 format: int
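Review bot: The added `if` block sends the notification whether or not the preceding `setting.save` succeeded, because the return value of `save` is discarded; if `save` returns false (a validation failure, for instance) admins are told that a security setting changed while nothing was persisted, and the in-memory `setting.value` still differs from `previous_value` so the comparison does not catch it. Capture and gate on the result: `saved = setting.save` and `if saved && available_settings[setting.name]['security_notifications'] && setting.value != previous_value`. A delivery error raised by `.deliver` inside the loop also propagates out of `Setting.[]=` after the value is already stored and the cache entry cleared, so the caller sees a failure for a change that did take effect; if that is the intended trade-off for an audit-style alert, a comment such as `# Delivery errors surface to the caller; the setting itself is already saved at this point` would record it. On the positive side the mail carries only `field: "setting_#{name}"` and not the new value, so flagged secrets like the API keys are not echoed to every admin. The whole of `self.[]=` is inside the hunk.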
@@ -48,10 +53,12 @@ max_additional_emails:
 session_lifetime:
 format: int
 default: 0
+ security_notifications: 1
 # User session timeout in minutes
 session_timeout:
 format: int
 default: 0
+ security_notifications: 1
 attachment_max_size:
 format: int
 default: 5120
@@ -91,6 +98,7 @@ host_name:
 default: localhost:3000
 protocol:
 default: http
+ security_notifications: 1
 feeds_limit:
 format: int
 default: 15
@@ -114,12 +122,15 @@ enabled_scm:
 - Cvs
 - Bazaar
 - Git
+ security_notifications: 1
 autofetch_changesets:
 default: 1
 sys_api_enabled:
 default: 0
+ security_notifications: 1
 sys_api_key:
 default: ''
+ security_notifications: 1
 commit_cross_project_ref:
 default: 0
 commit_ref_keywords:
@@ -173,8 +184,10 @@ mail_handler_excluded_filenames:
 default: ''
 mail_handler_api_enabled:
 default: 0
+ security_notifications: 1
 mail_handler_api_key:
 default:
+ security_notifications: 1
 issue_list_default_columns:
 serialized: true
 default:
@@ -235,14 +248,17 @@ gravatar_enabled:
 default: 0
 openid:
 default: 0
+ security_notifications: 1
 gravatar_default:
 default: ''
 start_of_week:
 default: ''
 rest_api_enabled:
 default: 0
+ security_notifications: 1
 jsonp_enabled:
 default: 0
+ security_notifications: 1
 default_notification_option:
 default: 'only_my_events'
 emails_header:
diff --git a/test/functional/settings_controller_test.rb b/test/functional/settings_controller_test.rb
index de5fddd..8b334a3 100644
--- a/test/functional/settings_controller_test.rb
+++ b/test/functional/settings_controller_test.rb
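Review bot: In the `@@ -91` hunk `protocol` gains `security_notifications: 1` while `host_name`, whose `default: localhost:3000` is the first context line of that same hunk, does not; both feed the absolute URLs placed in outgoing mail (the mailer test in this patch sets `Setting.host_name` and `Setting.protocol` together in `test_generated_links_in_emails`), so a silent change of the host appears at least as alert-worthy as a change of the scheme, and it is worth confirming the omission is deliberate. If it is, a one-line comment above `protocol:` such as `# host_name intentionally not flagged: <reason>` would stop the next reader from re-raising it. As a point of style, the file already spells boolean metadata as `serialized: true` (context in the `@@ -173` hunk), and the reader in setting.rb only tests truthiness, so `security_notifications: true` would read more consistently than `1` across all six hunks.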
@@ -136,6 +136,43 @@ class SettingsControllerTest < ActionController::TestCase
 ], Setting.commit_update_keywords)
 end
+ def test_post_edit_should_send_security_notification_for_notified_settings
+ ActionMailer::Base.deliveries.clear
+ post :edit, :settings => {
+ :login_required => 1
+ }
+
+ assert_not_nil (mail = ActionMailer::Base.deliveries.last)
+ assert_mail_body_match '0.0.0.0', mail
+ assert_mail_body_match I18n.t(:mail_body_security_notification_change, field: I18n.t(:setting_login_required)), mail
+ assert_select_email do
+ assert_select 'a[href^=?]', 'http://localhost:3000/settings', :text => 'Settings'
+ end
+ # All admins should receive this
+ User.where(admin: true, status: Principal::STATUS_ACTIVE).each do |admin|
+ assert_not_nil ActionMailer::Base.deliveries.detect{|mail| [mail.bcc, mail.cc].flatten.include?(admin.mail) }
+ end
+ end
+
+ def test_post_edit_should_not_send_security_notification_for_non_notified_settings
+ ActionMailer::Base.deliveries.clear
+ post :edit, :settings => {
+ :app_title => 'MineRed'
+ }
+
+ assert_nil (mail = ActionMailer::Base.deliveries.last)
+ end
+
+ def test_post_edit_should_not_send_security_notification_for_unchanged_settings
+ ActionMailer::Base.deliveries.clear
+ post :edit, :settings => {
+ :login_required => 0
+ }
+
+ assert_nil (mail = ActionMailer::Base.deliveries.last)
+ end
+
+
+
 def test_get_plugin_settings
 ActionController::Base.append_view_path(File.join(Rails.root, "test/fixtures/plugins"))
 Redmine::Plugin.register :foo do
diff --git a/test/unit/mailer_test.rb b/test/unit/mailer_test.rb
index 16b0bec..c9f4fe1 100644
--- a/test/unit/mailer_test.rb
+++ b/test/unit/mailer_test.rb
@@ -41,6 +41,7 @@ class MailerTest < ActiveSupport::TestCase
 def test_generated_links_in_emails
 Setting.host_name = 'mydomain.foo'
 Setting.protocol = 'https'
+ ActionMailer::Base.deliveries.clear
 journal = Journal.find(3)
 assert Mailer.deliver_issue_edit(journal)
--
2.4.0
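Review bot: In the `# All admins should receive this` loop the block parameter `|mail|` shadows the `mail` local assigned by `assert_not_nil (mail = ...)` a few lines earlier, which Ruby reports as a shadowing warning and makes the loop read as if it inspected the outer mail; rename it or fold the check into `assert ActionMailer::Base.deliveries.any? { |m| [m.bcc, m.cc].flatten.include?(admin.mail) }`. The `mail =` assignments inside `assert_nil (mail = ActionMailer::Base.deliveries.last)` in the two negative tests are never read, so `assert_nil ActionMailer::Base.deliveries.last` says the same thing without the space-before-paren form that RuboCop flags as a grouped expression. The unchanged-settings test depends on `login_required` still being at its default `0` when it runs, while the notified-settings test sets it to `1`; unless a teardown outside this hunk restores settings, the two are order-dependent, so resetting the value at the end of the test or asserting the precondition first would make that explicit. The three new test methods are complete inside the hunk; the enclosing `SettingsControllerTest` class continues outside it.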
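Review bot: The added `ActionMailer::Base.deliveries.clear` follows `Setting.protocol = 'https'` with nothing saying why it is needed there; since this patch flags `protocol` with `security_notifications`, that assignment now delivers a security notification of its own, and the clear is what keeps the assertions further down looking at the issue-edit mail rather than at that alert. A comment such as `# Setting.protocol= now emails admins; discard that mail so only the issue edit is inspected below` would record the coupling for whoever next touches either side. `test_generated_links_in_emails` continues past the end of the hunk.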