Nemcio/Redmine
1
0
Fork 0
mirror of https://github.com/redmine/redmine.git synced 2025-11-10 23:36:01 +01:00
Code Issues Packages Projects Releases Activity

Send a security notification when users gain or loose admin (#21421).

Browse Source 
Patch by Jan Schulz-Hofen.

git-svn-id: http://svn.redmine.org/redmine/trunk@15265 e93f8b46-1217-0410-a6f0-8f06a7374b81
This commit is contained in:
Jean-Philippe Lang
2016-03-20 07:09:20 +00:00
parent e1aa18b333
commit 4aef2735c8
2 changed files with 174 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

144
test/functional/users_controller_test.rb
View File

@@ -280,6 +280,48 @@ class UsersControllerTest < ActionController::TestCase
assert_select 'input#pref_no_self_notified[value="1"][checked=checked]'
end
def test_create_admin_should_send_security_notification
ActionMailer::Base.deliveries.clear
post :create,
:user => {
:firstname => 'Edgar',
:lastname => 'Schmoe',
:login => 'eschmoe',
:password => 'secret123',
:password_confirmation => 'secret123',
:mail => 'eschmoe@example.foo',
:admin => '1'
}
assert_not_nil (mail = ActionMailer::Base.deliveries.last)
assert_mail_body_match '0.0.0.0', mail
assert_mail_body_match I18n.t(:mail_body_security_notification_add, field: I18n.t(:field_admin), value: 'eschmoe'), mail
assert_select_email do
assert_select 'a[href^=?]', 'http://localhost:3000/users', :text => 'Users'
end
# All admins should receive this
User.where(admin: true, status: Principal::STATUS_ACTIVE).each do |admin|
assert_not_nil ActionMailer::Base.deliveries.detect{|mail| [mail.bcc, mail.cc].flatten.include?(admin.mail) }
end
end
def test_create_non_admin_should_not_send_security_notification
ActionMailer::Base.deliveries.clear
post :create,
:user => {
:firstname => 'Edgar',
:lastname => 'Schmoe',
:login => 'eschmoe',
:password => 'secret123',
:password_confirmation => 'secret123',
:mail => 'eschmoe@example.foo',
:admin => '0'
}
assert_nil ActionMailer::Base.deliveries.last
end
def test_edit
get :edit, :id => 2
assert_response :success
@@ -426,6 +468,92 @@ class UsersControllerTest < ActionController::TestCase
assert_equal '1', user.pref[:no_self_notified]
end
def test_update_assign_admin_should_send_security_notification
ActionMailer::Base.deliveries.clear
put :update, :id => 2, :user => {
:admin => 1
}
assert_not_nil (mail = ActionMailer::Base.deliveries.last)
assert_mail_body_match I18n.t(:mail_body_security_notification_add, field: I18n.t(:field_admin), value: User.find(2).login), mail
# All admins should receive this
User.where(admin: true, status: Principal::STATUS_ACTIVE).each do |admin|
assert_not_nil ActionMailer::Base.deliveries.detect{|mail| [mail.bcc, mail.cc].flatten.include?(admin.mail) }
end
end
def test_update_unassign_admin_should_send_security_notification
user = User.find(2)
user.admin = true
user.save!
ActionMailer::Base.deliveries.clear
put :update, :id => user.id, :user => {
:admin => 0
}
assert_not_nil (mail = ActionMailer::Base.deliveries.last)
assert_mail_body_match I18n.t(:mail_body_security_notification_remove, field: I18n.t(:field_admin), value: user.login), mail
# All admins should receive this
User.where(admin: true, status: Principal::STATUS_ACTIVE).each do |admin|
assert_not_nil ActionMailer::Base.deliveries.detect{|mail| [mail.bcc, mail.cc].flatten.include?(admin.mail) }
end
end
def test_update_lock_admin_should_send_security_notification
user = User.find(2)
user.admin = true
user.save!
ActionMailer::Base.deliveries.clear
put :update, :id => 2, :user => {
:status => Principal::STATUS_LOCKED
}
assert_not_nil (mail = ActionMailer::Base.deliveries.last)
assert_mail_body_match I18n.t(:mail_body_security_notification_remove, field: I18n.t(:field_admin), value: User.find(2).login), mail
# All admins should receive this
User.where(admin: true, status: Principal::STATUS_ACTIVE).each do |admin|
assert_not_nil ActionMailer::Base.deliveries.detect{|mail| [mail.bcc, mail.cc].flatten.include?(admin.mail) }
end
# if user is already locked, destroying should not send a second mail
# (for active admins see furtherbelow)
ActionMailer::Base.deliveries.clear
delete :destroy, :id => 1
assert_nil ActionMailer::Base.deliveries.last
end
def test_update_unlock_admin_should_send_security_notification
user = User.find(5) # already locked
user.admin = true
user.save!
ActionMailer::Base.deliveries.clear
put :update, :id => user.id, :user => {
:status => Principal::STATUS_ACTIVE
}
assert_not_nil (mail = ActionMailer::Base.deliveries.last)
assert_mail_body_match I18n.t(:mail_body_security_notification_add, field: I18n.t(:field_admin), value: user.login), mail
# All admins should receive this
User.where(admin: true, status: Principal::STATUS_ACTIVE).each do |admin|
assert_not_nil ActionMailer::Base.deliveries.detect{|mail| [mail.bcc, mail.cc].flatten.include?(admin.mail) }
end
end
def test_update_admin_unrelated_property_should_not_send_security_notification
ActionMailer::Base.deliveries.clear
put :update, :id => 1, :user => {
:firstname => 'Jimmy'
}
assert_nil ActionMailer::Base.deliveries.last
end
def test_destroy
assert_difference 'User.count', -1 do
delete :destroy, :id => 2
@@ -449,4 +577,20 @@ class UsersControllerTest < ActionController::TestCase
end
assert_redirected_to '/users?name=foo'
end
def test_destroy_active_admin_should_send_security_notification
user = User.find(2)
user.admin = true
user.save!
ActionMailer::Base.deliveries.clear
delete :destroy, :id => user.id
assert_not_nil (mail = ActionMailer::Base.deliveries.last)
assert_mail_body_match I18n.t(:mail_body_security_notification_remove, field: I18n.t(:field_admin), value: user.login), mail
# All admins should receive this
User.where(admin: true, status: Principal::STATUS_ACTIVE).each do |admin|
assert_not_nil ActionMailer::Base.deliveries.detect{|mail| [mail.bcc, mail.cc].flatten.include?(admin.mail) }
end
end
end