Fixes #16850 - Added record of password change to audit log

theforeman · Dec 13, 2016 · 1b564ff · 1b564ff
1 parent d575bdd
commit 1b564ff
Show file tree

Hide file tree

Showing 3 changed files with 74 additions and 0 deletions.
diff --git a/app/helpers/audits_helper.rb b/app/helpers/audits_helper.rb
@@ -46,6 +46,8 @@ def details(audit)
         next if change.nil? || change.to_s.empty?
         if name == 'template'
           (_("Provisioning Template content changed %s") % (link_to 'view diff', audit_path(audit))).html_safe if audit_template? audit
+        elsif name == "password_changed"
+          name = _("Password has been changed")
         elsif name == "owner_id" || name == "owner_type"
           _("Owner changed to %s") % (audit.revision.owner rescue _('N/A'))
         elsif name == 'global_status'

diff --git a/app/models/user.rb b/app/models/user.rb
@@ -16,7 +16,9 @@ class User < ActiveRecord::Base
 
   validates_lengths_from_database :except => [:firstname, :lastname, :format, :mail, :login]
   attr_accessor :password, :password_confirmation, :current_password
+  attr_reader :password_changed
   after_save :ensure_default_role
+  after_save :unset_password_changed
   before_destroy EnsureNotUsedBy.new([:direct_hosts, :hosts]), :ensure_hidden_users_are_not_deleted, :ensure_last_admin_is_not_deleted
 
   belongs_to :auth_source
@@ -88,6 +90,7 @@ def self.name_format
   before_validation :verify_current_password, :if => Proc.new {|user| user == User.current},
                     :unless => Proc.new {|user| user.password.empty?}
   before_validation :prepare_password, :normalize_mail
+  before_validation :set_password_changed, :if => Proc.new { |user| user.manage_password? && user.password.present? }
   before_save       :set_lower_login
 
   after_create :welcome_mail
@@ -447,6 +450,19 @@ def self.try_to_auto_create_user(login, password)
     user
   end
 
+  def password_changed_changed?
+    changed.include?('password_changed')
+  end
+
+  def set_password_changed
+    @password_changed = true
+    attribute_will_change!('password_changed')
+  end
+
+  def unset_password_changed
+    @password_changed = false
+  end
+
   private
 
   def prepare_password

diff --git a/test/models/user_test.rb b/test/models/user_test.rb
@@ -320,6 +320,62 @@ def setup_user(operation)
     assert_includes record.errors.keys, :admin
   end
 
+  test "audit of password change should be saved only once, second time audited changes should not contain password_changed" do
+    user = FactoryGirl.create(:user)
+    user = User.find_by_id(user.id) #to clear the value of user.password
+    as_admin do
+      user.password = "newpassword"
+      assert_valid user
+      assert user.password_changed_changed?
+      assert user.password_changed
+      assert_includes user.changed, "password_changed"
+      assert user.save
+      #testing after_save
+      refute user.password_changed_changed?
+      refute user.password_changed
+      refute_includes user.changed, "password_changed"
+    end
+  end
+
+  test "audit of password change should be saved" do
+    user = FactoryGirl.create(:user)
+    user = User.find_by_id(user.id) #to clear the value of user.password
+    as_admin do
+      user.password = "newpassword"
+      assert_valid user
+      assert user.password_changed_changed?
+      assert user.password_changed
+      assert_includes user.changed, "password_changed"
+    end
+  end
+
+  test "audit of password change should not be saved - due to no password change" do
+    user = FactoryGirl.create(:user)
+    user = User.find_by_id(user.id) #to clear the value of user.password
+    as_admin do
+      user.firstname = "Johnny"
+      assert_valid user
+      refute user.password_changed_changed?
+      refute user.password_changed
+      refute_includes user.changed, "password_changed"
+    end
+  end
+
+  test "audit of name change sholud contain only firstname and not password_changed" do
+    user = FactoryGirl.create(:user)
+    user = User.find_by_id(user.id) #to clear the value of user.password
+    as_admin do
+      user.firstname = "Johnny"
+      assert_valid user
+      assert_includes user.changed, "firstname"
+      refute user.password_changed_changed?
+      refute user.password_changed
+      refute_includes user.changed, "password_changed"
+      assert user.save
+      assert_includes Audit.last.audited_changes, "firstname"
+    end
+  end
+
   test "user can save user if he does not change roles" do
     setup_user "edit"
     record = users(:two)