From 815ccb6618e265900f43c14a88c2ddcf8aa763f3 Mon Sep 17 00:00:00 2001
From: Jens Kraemer
Date: Thu, 31 Aug 2023 13:33:39 +0800
Subject: [PATCH 1/3] require_admin on all global issue templates actions

- for good measure and to prevent info leaks, i.e. on :orphaned_templates
---
 .../global_issue_templates_controller.rb | 2 +-
 .../global_issue_templates_controller_test.rb | 27 +++++++++++++++++++
 2 files changed, 28 insertions(+), 1 deletion(-)

diff --git a/app/controllers/global_issue_templates_controller.rb b/app/controllers/global_issue_templates_controller.rb
index 0b6be4af..9cb3da5c 100644
--- a/app/controllers/global_issue_templates_controller.rb
+++ b/app/controllers/global_issue_templates_controller.rb
@@ -10,7 +10,7 @@ class GlobalIssueTemplatesController < ApplicationController
 menu_item :issues
 before_action :find_object, only: %i[show edit update destroy]
 before_action :find_project, only: %i[edit update]
- before_action :require_admin, only: %i[index new show], excep: [:preview]
+ before_action :require_admin
 #
 # Action for global template : Admin right is required.
diff --git a/test/functional/global_issue_templates_controller_test.rb b/test/functional/global_issue_templates_controller_test.rb
index ddb9289e..5f702124 100644
--- a/test/functional/global_issue_templates_controller_test.rb
+++ b/test/functional/global_issue_templates_controller_test.rb
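Review bot: The new unconditional `before_action :require_admin` is still declared after `find_object` and `find_project`, so for `show`, `update` and `destroy` the record lookup runs for a non-admin user before the admin check is reached. If `find_object` answers a missing id with a 404 (its body is outside this patch), a non-admin can tell existing template ids from missing ones by the 404-versus-403 difference, and `find_project` likewise does work on behalf of a caller who is about to be refused. Declaring `before_action :require_admin` as the first filter in the class closes that gap; the same ordering is carried forward unchanged in the second patch's hunk at the controller's line 8 and in the third patch's hunk at line 2. The enclosing class body continues outside the hunk.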
@@ -22,6 +22,33 @@ def test_get_index
 assert_response :success
 end
+ def test_should_require_admin
+ @request.session[:user_id] = 2 # Non-admin
+
+ get :index
+ assert_response 403
+
+ get :new
+ assert_response 403
+
+ get :orphaned_templates
+ assert_response 403
+
+ get :show, params: { id: 2 }
+ assert_response 403
+
+ post :preview, params: { global_issue_template: { description: 'Test' } }
+ assert_response 403
+
+ post :create, params: { global_issue_template: { title: 'Global Template title', description: 'test'}}
+ assert_response 403
+
+ assert_no_difference 'GlobalIssueTemplate.count' do
+ delete :destroy, params: { id: 2 }
+ assert_response 403
+ end
+ end
+
 def test_get_index_should_sort_trackers_in_position_order
 [
 ['Feature request', 1],
From f17b5db66cdc3df0d22d387a7b131576ec5453a3 Mon Sep 17 00:00:00 2001
From: Jens Kraemer
Date: Thu, 31 Aug 2023 13:53:47 +0800
Subject: [PATCH 2/3] removes unused edit action

- no route points there and show essentially does what edit should do
---
 .../global_issue_templates_controller.rb | 19 ++-----------------
 1 file changed, 2 insertions(+), 17 deletions(-)

diff --git a/app/controllers/global_issue_templates_controller.rb b/app/controllers/global_issue_templates_controller.rb
index 9cb3da5c..05d25689 100644
--- a/app/controllers/global_issue_templates_controller.rb
+++ b/app/controllers/global_issue_templates_controller.rb
@@ -8,8 +8,8 @@ class GlobalIssueTemplatesController < ApplicationController
 include IssueTemplatesHelper
 include IssueTemplatesCommon
 menu_item :issues
- before_action :find_object, only: %i[show edit update destroy]
- before_action :find_project, only: %i[edit update]
+ before_action :find_object, only: %i[show update destroy]
+ before_action :find_project, only: :update
 before_action :require_admin
 #
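Review bot: test_should_require_admin covers index, new, orphaned_templates, show, preview, create and destroy but not `update`, so the one action that rewrites a stored template is the one the now-unconditional admin filter is never checked on. Adding `patch :update, params: { id: 2, global_issue_template: { title: 'changed' } }` followed by `assert_response 403`, and then asserting the stored title is unchanged, pins the behaviour the commit message claims. The `@request.session[:user_id] = 2` line depends on fixture user 2 not being an admin, which the `# Non-admin` comment asserts but nothing in the hunk verifies; a sentence in the test naming the fixture that guarantees it would make the test self-explanatory.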
@@ -62,21 +62,6 @@ def update
 save_and_flash(:notice_successful_update, :show)
 end
- def edit
- # Change from request.post to request.patch for Rails4.
- return unless request.patch? || request.put?
-
- begin
- @global_issue_template.safe_attributes = valid_params
- rescue ActiveRecord::SerializationTypeMismatch
- flash[:error] = I18n.t(:builtin_fields_should_be_valid_json, default: 'Please enter a valid JSON fotmat string.')
- render render_form_params.merge(action: :show)
- return
- end
-
- save_and_flash(:notice_successful_update, :show)
- end
-
 def destroy
 unless @global_issue_template.destroy
 flash[:error] = l(:enabled_template_cannot_destroy)
From b5983be542f5d4f6c2d2bab2e2b96f3b66f0a1d6 Mon Sep 17 00:00:00 2001
From: Jens Kraemer
Date: Thu, 31 Aug 2023 15:40:49 +0800
Subject: [PATCH 3/3] global issue templates - use admin layout

- also swaps h2 and contextual div in index view for consistency with the rest of Redmine
---
 app/controllers/global_issue_templates_controller.rb | 6 ++++--
 app/views/global_issue_templates/index.html.erb | 2 +-
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/app/controllers/global_issue_templates_controller.rb b/app/controllers/global_issue_templates_controller.rb
index 05d25689..ceda36be 100644
--- a/app/controllers/global_issue_templates_controller.rb
+++ b/app/controllers/global_issue_templates_controller.rb
@@ -2,12 +2,14 @@
 # noinspection RubocopInspection
 class GlobalIssueTemplatesController < ApplicationController
- layout 'base'
+ layout 'admin'
+ self.main_menu = false
+ menu_item :redmine_issue_templates
+
 helper :issues
 helper :issue_templates
 include IssueTemplatesHelper
 include IssueTemplatesCommon
- menu_item :issues
 before_action :find_object, only: %i[show update destroy]
 before_action :find_project, only: :update
 before_action :require_admin
diff --git a/app/views/global_issue_templates/index.html.erb b/app/views/global_issue_templates/index.html.erb
index fbcdf159..83322d59 100644
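Review bot: `menu_item :redmine_issue_templates` replaces `menu_item :issues`, but nothing in the series registers an admin-menu entry of that name, so whether the admin layout highlights the page depends on the plugin's init.rb, which is not part of this patch; a comment on that line, `# must match the admin_menu item registered in init.rb`, would tie the two together for the next reader. The added `self.main_menu = false` is presumably what suppresses the project menu under the admin layout; if so, saying so in the same comment saves a lookup. The class body continues outside the hunk.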
--- a/app/views/global_issue_templates/index.html.erb
+++ b/app/views/global_issue_templates/index.html.erb
@@ -1,4 +1,3 @@
-

<%=h "#{l(:global_issue_templates)}" %>

<%= render partial: 'common/nodata', locals: { trackers: trackers } %>
<%= link_to(l(:label_new_templates),
@@ -10,6 +9,7 @@
{ controller: 'settings', action: 'plugin', id: 'redmine_issue_templates' }, class: 'issue_template icon plugins') %>
+

<%=h "#{l(:global_issue_templates)}" %>

<% if template_map.blank? %>