From e4f2102b7670ed4b1d3b59d14333d9d458b231cb Mon Sep 17 00:00:00 2001
From: Jens Kraemer
Date: Wed, 9 Dec 2020 10:42:23 +0800
Subject: [PATCH 2/2] require to enter project's identifier to confirm project deletion

---
 app/controllers/projects_controller.rb | 2 +-
 app/views/projects/destroy.html.erb | 9 ++++++++-
 config/locales/de.yml | 1 +
 config/locales/en.yml | 1 +
 test/functional/projects_controller_test.rb | 16 +++++++++++++---
 5 files changed, 24 insertions(+), 5 deletions(-)

diff --git a/app/controllers/projects_controller.rb b/app/controllers/projects_controller.rb
index 934a934b5..de05fdb35 100644
--- a/app/controllers/projects_controller.rb
+++ b/app/controllers/projects_controller.rb
@@ -275,7 +275,7 @@ class ProjectsController < ApplicationController
 end
 
 @project_to_destroy = @project
- if api_request? || params[:confirm]
+ if api_request? || params[:confirm] == @project_to_destroy.identifier
 @project_to_destroy.destroy
 respond_to do |format|
 format.html do
diff --git a/app/views/projects/destroy.html.erb b/app/views/projects/destroy.html.erb
index 15a54d1cc..f2c97449b 100644
--- a/app/views/projects/destroy.html.erb
+++ b/app/views/projects/destroy.html.erb
@@ -12,9 +12,16 @@ content_tag('strong', @project_to_destroy.descendants.collect{|p| p.to_s}.join(', '))).html_safe %> <% end %>
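Review bot: The new condition `params[:confirm] == @project_to_destroy.identifier` is a strict comparison on the raw parameter, so an identifier pasted with trailing whitespace is rejected and, judging by the new wrong-confirmation test, the user just gets the confirmation page rendered again with no indication why; if tolerance is wanted, `params[:confirm].to_s.strip == @project_to_destroy.identifier` keeps the check exact while ignoring stray whitespace, and otherwise the silent re-render deserves a flash message. The `api_request?` short-circuit on the same line still deletes without any confirmation value, so the typed-identifier requirement only guards the HTML form; a comment such as `# API clients skip the confirmation step; HTML callers must echo the project identifier` would make that asymmetry explicit for the next reader. The enclosing destroy action starts and ends outside the hunk.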

+

- + <%= l :text_project_destroy_enter_identifier, identifier: @project_to_destroy.identifier %>

+ +

+ + <%= text_field_tag 'confirm' %> +

+

diff --git a/config/locales/de.yml b/config/locales/de.yml
index 3b22f3fe1..7fa33a3dc 100644
--- a/config/locales/de.yml
+++ b/config/locales/de.yml
@@ -1371,3 +1371,4 @@ de:
 field_twofa_scheme: Two-factor authentication scheme
 text_user_destroy_confirmation: "Wollen Sie diesen Benutzer inklusive aller Referenzen darauf wirklich löschen? Dies kann nicht rückgängig gemacht werden. Oftmals ist es besser, einen Benutzer lediglich zu sperren. Geben Sie bitte zur Bestätigung den Login des Benutzers (%{login}) ein."
+ text_project_destroy_enter_identifier: "Zur Bestätigung bitte die Projektkennung (%{identifier}) eingeben."
diff --git a/config/locales/en.yml b/config/locales/en.yml
index b5899df75..b62305b9d 100644
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -1346,3 +1346,4 @@ en:
 twofa_backup_codes_already_shown: Backup codes cannot be shown again, please generate new backup codes if required.
 text_user_destroy_confirmation: "Are you sure you want to delete this user and remove all references to them? This cannot be undone. Often, locking a user instead of deleting them is the better solution. To confirm, please enter their login (%{login}) below."
+ text_project_destroy_enter_identifier: "To confirm, please enter the project's identifier (%{identifier}) below."
diff --git a/test/functional/projects_controller_test.rb b/test/functional/projects_controller_test.rb
index 8d20704de..c7329b2e5 100644
--- a/test/functional/projects_controller_test.rb
+++ b/test/functional/projects_controller_test.rb
@@ -1028,6 +1028,16 @@ class ProjectsControllerTest < Redmine::ControllerTest
 assert_select '.warning', :text => /Are you sure you want to delete this project/
 end
 
+ def test_destroy_leaf_project_with_wrong_confirmation_should_show_confirmation
+ @request.session[:user_id] = 1 # admin
+
+ assert_no_difference 'Project.count' do
+ delete(:destroy, :params => {:id => 2, :confirm => 'wrong'})
+ assert_response :success
+ end
+ assert_select '.warning', :text => /Are you sure you want to delete this project/
+ end
+
 def test_destroy_without_confirmation_should_show_confirmation_with_subprojects
 set_tmp_attachments_directory
 @request.session[:user_id] = 1 # admin
@@ -1051,7 +1061,7 @@ class ProjectsControllerTest < Redmine::ControllerTest
 :destroy,
 :params => {
 :id => 1,
- :confirm => 1
+ :confirm => 'ecookbook'
 }
 )
 assert_redirected_to '/admin/projects'
@@ -1068,7 +1078,7 @@ class ProjectsControllerTest < Redmine::ControllerTest
 :destroy,
 :params => {
 :id => 2,
- :confirm => 1
+ :confirm => 'onlinestore'
 }
 )
 assert_redirected_to '/projects'
@@ -1085,7 +1095,7 @@ class ProjectsControllerTest < Redmine::ControllerTest
 :destroy,
 :params => {
 :id => 1,
- :confirm => 1
+ :confirm => 'ecookbook'
 }
 )
 assert_response 403
-- 
2.20.1
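Review bot: The new `test_destroy_leaf_project_with_wrong_confirmation_should_show_confirmation` in the first hunk only asserts that the `.warning` text is rendered again; it does not check that the identifier prompt and the `confirm` input are present, so a view regression that dropped the field would still pass while the controller kept rejecting every request. Adding `assert_select 'input[name=confirm]'` next to the existing `assert_select '.warning'` pins the form the commit introduces. The remaining three hunks only swap the confirmation value to the fixture identifiers and need nothing further.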