meineerde/redmine
1
0
Fork 0
mirror of https://github.com/meineerde/redmine.git synced 2025-12-21 16:01:14 +00:00
Code Issues Releases Wiki Activity

Security notification on password recovery is empty (#28302).

Browse Source 
Patch by Felix Schäfer.

git-svn-id: http://svn.redmine.org/redmine/trunk@17269 e93f8b46-1217-0410-a6f0-8f06a7374b81
This commit is contained in:
Jean-Philippe Lang 2018-04-07 07:49:43 +00:00
parent 040f31d867
commit 0e362e84ab
5 changed files with 29 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
app/controllers/account_controller.rb
View File

@ -87,7 +87,7 @@ class AccountController < ApplicationController
@user.must_change_passwd = false @user.must_change_passwd = false
if @user.save if @user.save
@token.destroy @token.destroy
Mailer.password_updated(@user) Mailer.password_updated(@user, { remote_ip: request.remote_ip })
flash[:notice] = l(:notice_account_password_updated) flash[:notice] = l(:notice_account_password_updated)
redirect_to signin_path redirect_to signin_path
return return

9
app/models/mailer.rb
View File

@ -311,7 +311,7 @@ class Mailer < ActionMailer::Base
end end
# Notifies user that his password was updated # Notifies user that his password was updated
def self.password_updated(user) def self.password_updated(user, options={})
# Don't send a notification to the dummy email address when changing the password # Don't send a notification to the dummy email address when changing the password
# of the default admin account which is required after the first login # of the default admin account which is required after the first login
# TODO: maybe not the best way to handle this # TODO: maybe not the best way to handle this
@ -320,6 +320,8 @@ class Mailer < ActionMailer::Base
security_notification(user, security_notification(user,
message: :mail_body_password_updated, message: :mail_body_password_updated,
title: :button_change_password, title: :button_change_password,
remote_ip: options[:remote_ip],
originator: user,
url: {controller: 'my', action: 'password'} url: {controller: 'my', action: 'password'}
).deliver ).deliver
end end
@ -333,7 +335,6 @@ class Mailer < ActionMailer::Base
end end
def security_notification(recipients, options={}) def security_notification(recipients, options={})
redmine_headers 'Sender' => User.current.login
@user = Array(recipients).detect{|r| r.is_a? User } @user = Array(recipients).detect{|r| r.is_a? User }
set_language_if_valid(@user.try :language) set_language_if_valid(@user.try :language)
@message = l(options[:message], @message = l(options[:message],
@ -341,7 +342,11 @@ class Mailer < ActionMailer::Base
value: options[:value] value: options[:value]
) )
@title = options[:title] && l(options[:title]) @title = options[:title] && l(options[:title])
@originator = options[:originator] || User.current
@remote_ip = options[:remote_ip] || @originator.remote_ip
@url = options[:url] && (options[:url].is_a?(Hash) ? url_for(options[:url]) : options[:url]) @url = options[:url] && (options[:url].is_a?(Hash) ? url_for(options[:url]) : options[:url])
redmine_headers 'Sender' => @originator.login
redmine_headers 'Url' => @url
mail :to => recipients, mail :to => recipients,
:subject => "[#{Setting.app_title}] #{l(:mail_subject_security_notification)}" :subject => "[#{Setting.app_title}] #{l(:mail_subject_security_notification)}"
end end

4
app/views/mailer/security_notification.html.erb
View File

@ -7,7 +7,7 @@
<%= content_tag :h1, @title -%> <%= content_tag :h1, @title -%>
<% end %></p> <% end %></p>
<p><%= l(:field_user) %>: <strong><%= User.current.login %></strong><br/> <p><%= l(:field_user) %>: <strong><%= @originator.login %></strong><br/>
<%= l(:field_remote_ip) %>: <strong><%= User.current.remote_ip %></strong><br/> <%= l(:field_remote_ip) %>: <strong><%= @remote_ip %></strong><br/>
<%= l(:label_date) %>: <strong><%= format_time Time.now, true, @user %></strong></p> <%= l(:label_date) %>: <strong><%= format_time Time.now, true, @user %></strong></p>

4
app/views/mailer/security_notification.text.erb
View File

@ -2,7 +2,7 @@
<%= @url || @title %> <%= @url || @title %>
<%= l(:field_user) %>: <%= User.current.login %> <%= l(:field_user) %>: <%= @originator.login %>
<%= l(:field_remote_ip) %>: <%= User.current.remote_ip %> <%= l(:field_remote_ip) %>: <%= @remote_ip %>
<%= l(:label_date) %>: <%= format_time Time.now, true, @user %> <%= l(:label_date) %>: <%= format_time Time.now, true, @user %>

17
test/unit/mailer_test.rb
View File

@ -721,6 +721,23 @@ class MailerTest < ActiveSupport::TestCase
end end
end end
def test_security_notification_with_overridden_originator_and_remote_ip
set_language_if_valid User.find(1).language
with_settings :emails_footer => "footer without link" do
User.current.remote_ip = '192.168.1.1'
assert Mailer.security_notification(User.find(1), message: :notice_account_password_updated, originator: User.find(2), remote_ip: '10.0.0.42').deliver
mail = last_email
assert_not_nil mail
assert_mail_body_match User.find(2).login, mail
assert_mail_body_match '10.0.0.42', mail
assert_mail_body_match I18n.t(:notice_account_password_updated), mail
assert_select_email do
assert_select "h1", false
assert_select "a", false
end
end
end
def test_security_notification_should_include_title def test_security_notification_should_include_title
set_language_if_valid User.find(2).language set_language_if_valid User.find(2).language
with_settings :emails_footer => "footer without link" do with_settings :emails_footer => "footer without link" do