Require sudo mode for actions to delete contents (#33071).

Patch by Go MAEDA.


git-svn-id: http://svn.redmine.org/redmine/trunk@19569 e93f8b46-1217-0410-a6f0-8f06a7374b81

app/controllers/attachments_controller.rb

@@ -25,6 +25,8 @@ class AttachmentsController < ApplicationController
   before_action :delete_authorize, :only => :destroy
   before_action :authorize_global, :only => :upload
 
+  require_sudo_mode :destroy
+
   # Disable check for same origin requests for JS files, i.e. attachments with
   # MIME type text/javascript.
   skip_after_action :verify_same_origin_request, :only => :download

app/controllers/boards_controller.rb

@@ -22,6 +22,8 @@ class BoardsController < ApplicationController
   before_action :find_project_by_project_id, :find_board_if_available, :authorize
   accept_rss_auth :index, :show
 
+  require_sudo_mode :destroy
+
   helper :sort
   include SortHelper
   helper :watchers

app/controllers/comments_controller.rb

@@ -24,6 +24,8 @@ class CommentsController < ApplicationController
   before_action :find_project_from_association
   before_action :authorize
 
+  require_sudo_mode :destroy
+
   def create
     raise Unauthorized unless @news.commentable?
 

app/controllers/documents_controller.rb

@@ -25,6 +25,8 @@ class DocumentsController < ApplicationController
   before_action :find_project_from_association, :except => [:index, :new, :create]
   before_action :authorize
 
+  require_sudo_mode :destroy
+
   helper :attachments
   helper :custom_fields
 

app/controllers/issues_controller.rb

@@ -28,6 +28,8 @@ class IssuesController < ApplicationController
   accept_rss_auth :index, :show
   accept_api_auth :index, :show, :create, :update, :destroy
 
+  require_sudo_mode :destroy
+
   rescue_from Query::StatementInvalid, :with => :query_statement_invalid
 
   helper :journals

app/controllers/messages_controller.rb

@@ -25,6 +25,8 @@ class MessagesController < ApplicationController
   before_action :find_message, :except => [:new, :preview]
   before_action :authorize, :except => [:preview, :edit, :destroy]
 
+  require_sudo_mode :destroy
+
   helper :boards
   helper :watchers
   helper :attachments

app/controllers/news_controller.rb

@@ -28,6 +28,8 @@ class NewsController < ApplicationController
   accept_rss_auth :index
   accept_api_auth :index, :show, :create, :update, :destroy
 
+  require_sudo_mode :destroy
+
   helper :watchers
   helper :attachments
 

app/controllers/repositories_controller.rb

@@ -36,6 +36,8 @@ class RepositoriesController < ApplicationController
   before_action :authorize
   accept_rss_auth :revisions
 
+  require_sudo_mode :destroy
+
   rescue_from Redmine::Scm::Adapters::CommandFailed, :with => :show_error_command_failed
 
   def new

app/controllers/timelog_controller.rb

@@ -33,6 +33,8 @@ class TimelogController < ApplicationController
   accept_rss_auth :index
   accept_api_auth :index, :show, :create, :update, :destroy
 
+  require_sudo_mode :destroy
+
   rescue_from Query::StatementInvalid, :with => :query_statement_invalid
 
   helper :issues

app/controllers/versions_controller.rb

@@ -27,6 +27,8 @@ class VersionsController < ApplicationController
 
   accept_api_auth :index, :show, :create, :update, :destroy
 
+  require_sudo_mode :destroy
+
   helper :custom_fields
   helper :projects
 

app/controllers/wiki_controller.rb

@@ -39,6 +39,8 @@ class WikiController < ApplicationController
   before_action :find_attachments, :only => [:preview]
   accept_api_auth :index, :show, :update, :destroy
 
+  require_sudo_mode :destroy, :destroy_version
+
   helper :attachments
   include AttachmentsHelper
   helper :watchers

app/controllers/wikis_controller.rb

@@ -21,6 +21,8 @@ class WikisController < ApplicationController
   menu_item :settings
   before_action :find_project, :authorize
 
+  require_sudo_mode :destroy, only: :post
+
   # Delete a project's wiki
   def destroy
     if request.post? && params[:confirm] && @project.wiki