Merge branch 'master' into unstable

Conflicts: doc/CHANGELOG.rdoc

Merge branch 'master' into unstable
Conflicts: doc/CHANGELOG.rdoc
bdc7325a · Eric Davis · 614bad89 · 9d13deee · bdc7325a · bdc7325a
Commit bdc7325a authored May 01, 2011 by Eric Davis
13 changed files
--- a/app/controllers/account_controller.rb
+++ b/app/controllers/account_controller.rb
@@ -66,7 +66,7 @@ class AccountController < ApplicationController
        if token.save
          Mailer.deliver_lost_password(token)
          flash[:notice] = l(:notice_account_lost_email_sent)
-          redirect_to :action => 'login'
+          redirect_to :action => 'login', :back_url => home_url
          return
        end
      end

--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -275,6 +275,7 @@ class ApplicationController < ActionController::Base
      end
    end
    redirect_to default
+    false
  end
  def render_403(options={})

--- a/app/controllers/custom_fields_controller.rb
+++ b/app/controllers/custom_fields_controller.rb
@@ -38,8 +38,9 @@ class CustomFieldsController < ApplicationController
      flash[:notice] = l(:notice_successful_create)
      call_hook(:controller_custom_fields_new_after_save, :params => params, :custom_field => @custom_field)
      redirect_to :action => 'index', :tab => @custom_field.class.name
+    else
+      @trackers = Tracker.find(:all, :order => 'position')
    end
-    @trackers = Tracker.find(:all, :order => 'position')
  end
  def edit
@@ -48,8 +49,9 @@ class CustomFieldsController < ApplicationController
      flash[:notice] = l(:notice_successful_update)
      call_hook(:controller_custom_fields_edit_after_save, :params => params, :custom_field => @custom_field)
      redirect_to :action => 'index', :tab => @custom_field.class.name
+    else
+      @trackers = Tracker.find(:all, :order => 'position')
    end
-    @trackers = Tracker.find(:all, :order => 'position')
  end
  def destroy

--- a/app/controllers/enumerations_controller.rb
+++ b/app/controllers/enumerations_controller.rb
@@ -74,10 +74,12 @@ class EnumerationsController < ApplicationController
      # No associated objects
      @enumeration.destroy
      redirect_to :action => 'index'
+      return
    elsif params[:reassign_to_id]
      if reassign_to = @enumeration.class.find_by_id(params[:reassign_to_id])
        @enumeration.destroy(reassign_to)
        redirect_to :action => 'index'
+        return
      end
    end
    @enumerations = @enumeration.class.find(:all) - [@enumeration]

--- a/app/controllers/issue_categories_controller.rb
+++ b/app/controllers/issue_categories_controller.rb
@@ -65,10 +65,12 @@ class IssueCategoriesController < ApplicationController
      # No issue assigned to this category
      @category.destroy
      redirect_to :controller => 'projects', :action => 'settings', :id => @project, :tab => 'categories'
+      return
    elsif params[:todo]
      reassign_to = @project.issue_categories.find_by_id(params[:reassign_to_id]) if params[:todo] == 'reassign'
      @category.destroy(reassign_to)
      redirect_to :controller => 'projects', :action => 'settings', :id => @project, :tab => 'categories'
+      return
    end
    @categories = @project.issue_categories - [@category]
  end

--- a/app/controllers/roles_controller.rb
+++ b/app/controllers/roles_controller.rb
@@ -38,9 +38,10 @@ class RolesController < ApplicationController
      end
      flash[:notice] = l(:notice_successful_create)
      redirect_to :action => 'index'
+    else
+      @permissions = @role.setable_permissions
+      @roles = Role.find :all, :order => 'builtin, position'
    end
-    @permissions = @role.setable_permissions
-    @roles = Role.find :all, :order => 'builtin, position'
  end
  def edit
@@ -48,8 +49,9 @@ class RolesController < ApplicationController
    if request.post? and @role.update_attributes(params[:role])
      flash[:notice] = l(:notice_successful_update)
      redirect_to :action => 'index'
+    else
+      @permissions = @role.setable_permissions  
    end
-    @permissions = @role.setable_permissions
  end
  def destroy

--- a/app/controllers/settings_controller.rb
+++ b/app/controllers/settings_controller.rb
@@ -36,16 +36,16 @@ class SettingsController < ApplicationController
      end
      flash[:notice] = l(:notice_successful_update)
      redirect_to :action => 'edit', :tab => params[:tab]
-      return
+    else
-    end
+      @options = {}
-    @options = {}
+      @options[:user_format] = User::USER_FORMATS.keys.collect {|f| [User.current.name(f), f.to_s] }
-    @options[:user_format] = User::USER_FORMATS.keys.collect {|f| [User.current.name(f), f.to_s] }
+      @deliveries = ActionMailer::Base.perform_deliveries
-    @deliveries = ActionMailer::Base.perform_deliveries
-    @guessed_host_and_path = request.host_with_port.dup
+      @guessed_host_and_path = request.host_with_port.dup
-    @guessed_host_and_path << ('/'+ Redmine::Utils.relative_url_root.gsub(%r{^\/}, '')) unless Redmine::Utils.relative_url_root.blank?
+      @guessed_host_and_path << ('/'+ Redmine::Utils.relative_url_root.gsub(%r{^\/}, '')) unless Redmine::Utils.relative_url_root.blank?
-    Redmine::Themes.rescan
+      Redmine::Themes.rescan
+    end
  end
  def plugin
@@ -54,9 +54,10 @@ class SettingsController < ApplicationController
      Setting["plugin_#{@plugin.id}"] = params[:settings]
      flash[:notice] = l(:notice_successful_update)
      redirect_to :action => 'plugin', :id => @plugin.id
+    else
+      @partial = @plugin.settings[:partial]
+      @settings = Setting["plugin_#{@plugin.id}"]
    end
-    @partial = @plugin.settings[:partial]
-    @settings = Setting["plugin_#{@plugin.id}"]
  rescue Redmine::PluginNotFound
    render_404
  end

--- a/doc/CHANGELOG.rdoc
+++ b/doc/CHANGELOG.rdoc
@@ -19,6 +19,12 @@
 * Patch #7598: Extensible MailHandler
 * Patch #7795: Internal server error at journals#index with custom fields
+== 2011-05-01 v1.3.0
+* Bug #309: The login screen after lost_password redirects back to lost_password after you login
+* Bug #347: Potential Security Vulnerability - Execution After Redirect
+* Bug #352: Errorpage should be modified
 == 2011-03-27 v1.2.0
 * Bug #209: Don't hardcode user viewable labels (like "Path to .git repository")

--- a/lib/redmine/version.rb
+++ b/lib/redmine/version.rb
@@ -3,7 +3,7 @@ require 'rexml/document'
 module Redmine
  module VERSION #:nodoc:
    MAJOR = 1
-    MINOR = 2
+    MINOR = 3
    PATCH = 0 
    TINY  = PATCH # Redmine compat

--- a/public/404.html
+++ b/public/404.html
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
 <html>
-<title>redMine 404 error</title>
+<title>ChiliProject 404 error</title>
 <style>
 body{
 font-family: Trebuchet MS,Georgia,"Times New Roman",serif;
@@ -20,4 +20,4 @@ font-size:0.8em;
  <p>The page you were trying to access doesn't exist or has been removed.</p>
  <p><a href="javascript:history.back()">Back</a></p>
 </body>
 </html>
\ No newline at end of file
--- a/public/500.html
+++ b/public/500.html
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">
 <html>
-<title>redMine 500 error</title>
+<title>ChiliProject 500 error</title>
 <style>
 body{
 font-family: Trebuchet MS,Georgia,"Times New Roman",serif;
@@ -18,7 +18,9 @@ font-size:0.8em;
 <body>
  <h1>Internal error</h1>
  <p>An error occurred on the page you were trying to access.<br />
-  If you continue to experience problems please contact your redMine administrator for assistance.</p>
+  If you continue to experience problems please contact your ChiliProject administrator for assistance.</p>
+  <p>If you are the ChiliProject administrator, check your log files for details about the error.</p>
  <p><a href="javascript:history.back()">Back</a></p>
 </body>
 </html>
\ No newline at end of file
--- a/test/functional/roles_controller_test.rb
+++ b/test/functional/roles_controller_test.rb
@@ -22,7 +22,7 @@ require 'roles_controller'
 class RolesController; def rescue_action(e) raise e end; end
 class RolesControllerTest < ActionController::TestCase
-  fixtures :roles, :users, :members, :member_roles, :workflows
+  fixtures :roles, :users, :members, :member_roles, :workflows, :trackers
  def setup
    @controller = RolesController.new

--- a/test/integration/account_test.rb
+++ b/test/integration/account_test.rb
@@ -77,7 +77,7 @@ class AccountTest < ActionController::IntegrationTest
    assert_template "account/lost_password"
    post "account/lost_password", :mail => 'jSmith@somenet.foo'
-    assert_redirected_to "/login"
+    assert_redirected_to "/login?back_url=http%3A%2F%2Fwww.example.com%2F"
    token = Token.find(:first)
    assert_equal 'recovery', token.action
@@ -143,6 +143,30 @@ class AccountTest < ActionController::IntegrationTest
    assert_redirected_to '/login'
    log_user('newuser', 'newpass')
  end
+  should_eventually "login after losing password should redirect back to home" do
+    visit "/login"
+    assert_response :success
+    click_link "Lost password"
+    assert_response :success
+    # Lost password form
+    fill_in "mail", :with => "admin@somenet.foo"
+    click_button "Submit"
+    assert_response :success # back to login page
+    assert_equal "/login", current_path
+    fill_in "Login:", :with => 'admin'
+    fill_in "Password:", :with => 'test'
+    click_button "login"
+    assert_response :success
+    assert_equal "/", current_path
+  end
  if Object.const_defined?(:Mocha)