Merge branch 'release-v1.3.0' into stable

2011-05-01 13:54:27 -07:00 · 2011-05-01 13:54:27 -07:00 · 1219610dc6
parent 78cee48c2d 07772e7eb7
commit 1219610dc6
13 changed files with 66 additions and 24 deletions
--- a/app/controllers/account_controller.rb
+++ b/app/controllers/account_controller.rb
@ -67,7 +67,7 @@ class AccountController < ApplicationController
        if token.save
          Mailer.deliver_lost_password(token)
          flash[:notice] = l(:notice_account_lost_email_sent)
-          redirect_to :action => 'login'
+          redirect_to :action => 'login', :back_url => home_url
          return
        end
      end
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@ -274,6 +274,7 @@ class ApplicationController < ActionController::Base
      end
    end
    redirect_to default
+    false
  end
  
  def render_403(options={})
--- a/app/controllers/custom_fields_controller.rb
+++ b/app/controllers/custom_fields_controller.rb
@ -38,8 +38,9 @@ class CustomFieldsController < ApplicationController
      flash[:notice] = l(:notice_successful_create)
      call_hook(:controller_custom_fields_new_after_save, :params => params, :custom_field => @custom_field)
      redirect_to :action => 'index', :tab => @custom_field.class.name
+    else
+      @trackers = Tracker.find(:all, :order => 'position')
    end
-    @trackers = Tracker.find(:all, :order => 'position')
  end

  def edit
@ -48,8 +49,9 @@ class CustomFieldsController < ApplicationController
      flash[:notice] = l(:notice_successful_update)
      call_hook(:controller_custom_fields_edit_after_save, :params => params, :custom_field => @custom_field)
      redirect_to :action => 'index', :tab => @custom_field.class.name
+    else
+      @trackers = Tracker.find(:all, :order => 'position')
    end
-    @trackers = Tracker.find(:all, :order => 'position')
  end
  
  def destroy
--- a/app/controllers/enumerations_controller.rb
+++ b/app/controllers/enumerations_controller.rb
@ -75,10 +75,12 @@ class EnumerationsController < ApplicationController
      # No associated objects
      @enumeration.destroy
      redirect_to :action => 'index'
+      return
    elsif params[:reassign_to_id]
      if reassign_to = @enumeration.class.find_by_id(params[:reassign_to_id])
        @enumeration.destroy(reassign_to)
        redirect_to :action => 'index'
+        return
      end
    end
    @enumerations = @enumeration.class.find(:all) - [@enumeration]
--- a/app/controllers/issue_categories_controller.rb
+++ b/app/controllers/issue_categories_controller.rb
@ -65,10 +65,12 @@ class IssueCategoriesController < ApplicationController
      # No issue assigned to this category
      @category.destroy
      redirect_to :controller => 'projects', :action => 'settings', :id => @project, :tab => 'categories'
+      return
    elsif params[:todo]
      reassign_to = @project.issue_categories.find_by_id(params[:reassign_to_id]) if params[:todo] == 'reassign'
      @category.destroy(reassign_to)
      redirect_to :controller => 'projects', :action => 'settings', :id => @project, :tab => 'categories'
+      return
    end
    @categories = @project.issue_categories - [@category]
  end
--- a/app/controllers/roles_controller.rb
+++ b/app/controllers/roles_controller.rb
@ -38,9 +38,10 @@ class RolesController < ApplicationController
      end
      flash[:notice] = l(:notice_successful_create)
      redirect_to :action => 'index'
+    else
+      @permissions = @role.setable_permissions
+      @roles = Role.find :all, :order => 'builtin, position'
    end
-    @permissions = @role.setable_permissions
-    @roles = Role.find :all, :order => 'builtin, position'
  end

  def edit
@ -48,8 +49,9 @@ class RolesController < ApplicationController
    if request.post? and @role.update_attributes(params[:role])
      flash[:notice] = l(:notice_successful_update)
      redirect_to :action => 'index'
+    else
+      @permissions = @role.setable_permissions  
    end
-    @permissions = @role.setable_permissions
  end

  def destroy
--- a/app/controllers/settings_controller.rb
+++ b/app/controllers/settings_controller.rb
@ -36,16 +36,16 @@ class SettingsController < ApplicationController
      end
      flash[:notice] = l(:notice_successful_update)
      redirect_to :action => 'edit', :tab => params[:tab]
-      return
-    end
-    @options = {}
-    @options[:user_format] = User::USER_FORMATS.keys.collect {|f| [User.current.name(f), f.to_s] }
-    @deliveries = ActionMailer::Base.perform_deliveries
+    else
+      @options = {}
+      @options[:user_format] = User::USER_FORMATS.keys.collect {|f| [User.current.name(f), f.to_s] }
+      @deliveries = ActionMailer::Base.perform_deliveries

-    @guessed_host_and_path = request.host_with_port.dup
-    @guessed_host_and_path << ('/'+ Redmine::Utils.relative_url_root.gsub(%r{^\/}, '')) unless Redmine::Utils.relative_url_root.blank?
+      @guessed_host_and_path = request.host_with_port.dup
+      @guessed_host_and_path << ('/'+ Redmine::Utils.relative_url_root.gsub(%r{^\/}, '')) unless Redmine::Utils.relative_url_root.blank?
    
-    Redmine::Themes.rescan
+      Redmine::Themes.rescan
+    end
  end

  def plugin
@ -54,9 +54,10 @@ class SettingsController < ApplicationController
      Setting["plugin_#{@plugin.id}"] = params[:settings]
      flash[:notice] = l(:notice_successful_update)
      redirect_to :action => 'plugin', :id => @plugin.id
+    else
+      @partial = @plugin.settings[:partial]
+      @settings = Setting["plugin_#{@plugin.id}"]
    end
-    @partial = @plugin.settings[:partial]
-    @settings = Setting["plugin_#{@plugin.id}"]
  rescue Redmine::PluginNotFound
    render_404
  end
--- a/doc/CHANGELOG.rdoc
+++ b/doc/CHANGELOG.rdoc
@ -1,5 +1,11 @@
 = ChiliProject changelog

+== 2011-05-01 v1.3.0
+
+* Bug #309: The login screen after lost_password redirects back to lost_password after you login
+* Bug #347: Potential Security Vulnerability - Execution After Redirect
+* Bug #352: Errorpage should be modified
+
 == 2011-03-27 v1.2.0

 * Bug #209: Don't hardcode user viewable labels (like "Path to .git repository")
--- a/lib/redmine/version.rb
+++ b/lib/redmine/version.rb
@ -3,7 +3,7 @@ require 'rexml/document'
 module Redmine
  module VERSION #:nodoc:
    MAJOR = 1
-    MINOR = 2
+    MINOR = 3
    PATCH = 0 
    TINY  = PATCH # Redmine compat
    
--- a/public/404.html
+++ b/public/404.html
@ -1,7 +1,7 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
 <html>
-<title>redMine 404 error</title>
+<title>ChiliProject 404 error</title>
 <style>
 body{
 font-family: Trebuchet MS,Georgia,"Times New Roman",serif;
@ -20,4 +20,4 @@ font-size:0.8em;
  <p>The page you were trying to access doesn't exist or has been removed.</p>
  <p><a href="javascript:history.back()">Back</a></p>
 </body>
-</html>
+</html>
--- a/public/500.html
+++ b/public/500.html
@ -1,7 +1,7 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
 <html>
-<title>redMine 500 error</title>
+<title>ChiliProject 500 error</title>
 <style>
 body{
 font-family: Trebuchet MS,Georgia,"Times New Roman",serif;
@ -18,7 +18,9 @@ font-size:0.8em;
 <body>
  <h1>Internal error</h1>
  <p>An error occurred on the page you were trying to access.<br />
-  If you continue to experience problems please contact your redMine administrator for assistance.</p>
+  If you continue to experience problems please contact your ChiliProject administrator for assistance.</p>
+
+  <p>If you are the ChiliProject administrator, check your log files for details about the error.</p>
  <p><a href="javascript:history.back()">Back</a></p>
 </body>
-</html>
+</html>
--- a/test/functional/roles_controller_test.rb
+++ b/test/functional/roles_controller_test.rb
@ -22,7 +22,7 @@ require 'roles_controller'
 class RolesController; def rescue_action(e) raise e end; end

 class RolesControllerTest < ActionController::TestCase
-  fixtures :roles, :users, :members, :member_roles, :workflows
+  fixtures :roles, :users, :members, :member_roles, :workflows, :trackers
  
  def setup
    @controller = RolesController.new
--- a/test/integration/account_test.rb
+++ b/test/integration/account_test.rb
@ -77,7 +77,7 @@ class AccountTest < ActionController::IntegrationTest
    assert_template "account/lost_password"
    
    post "account/lost_password", :mail => 'jSmith@somenet.foo'
-    assert_redirected_to "/login"
+    assert_redirected_to "/login?back_url=http%3A%2F%2Fwww.example.com%2F"
    
    token = Token.find(:first)
    assert_equal 'recovery', token.action
@ -143,6 +143,30 @@ class AccountTest < ActionController::IntegrationTest
    assert_redirected_to '/login'
    log_user('newuser', 'newpass')
  end
+
+  should_eventually "login after losing password should redirect back to home" do
+    visit "/login"
+    assert_response :success
+
+    click_link "Lost password"
+    assert_response :success
+
+    # Lost password form
+    fill_in "mail", :with => "admin@somenet.foo"
+    click_button "Submit"
+    
+    assert_response :success # back to login page
+    assert_equal "/login", current_path
+
+    fill_in "Login:", :with => 'admin'
+    fill_in "Password:", :with => 'test'
+    click_button "login"
+
+    assert_response :success
+    assert_equal "/", current_path
+    
+  end
+  
  
  if Object.const_defined?(:Mocha)