Commit cc3c6ad0ef3fed3451513f3f7f19e45ea0b77152
1 parent
f8f6ff06
allow login via private token only for atom feeds
Showing
2 changed files
with
16 additions
and
2 deletions
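--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -1,7 +1,7 @@
 class ApplicationController < ActionController::Base
   before_filter :authenticate_user!
   before_filter :reject_blocked!
-  before_filter :set_current_user_for_mailer
+  before_filter :set_current_user_for_mailer, :check_token_auth
   protect_from_forgery
   helper_method :abilities, :can?
 
@@ -17,9 +17,16 @@ class ApplicationController < ActionController::Base
 
   protected
 
+  def check_token_auth
+    # Redirect to login page if not atom feed
+    if params[:private_token].present? && params[:format] != 'atom'
+      redirect_to new_user_session_path
+    end
+  end
+
   def reject_blocked!
     if current_user && current_user.blocked
-      sign_out current_user
+      sign_out current_user
       flash[:alert] = "Your account was blocked"
       redirect_to new_user_session_path
     end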
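Review bot: `check_token_auth` is registered after `authenticate_user!` in the filter list on new line 4, so by the time it redirects a non-atom request the `private_token` has presumably already been accepted by Devise (the atom spec depends on `authenticate_user!` honouring that parameter); the redirect hides the page but does not stop the token from authenticating the request, nor, if the Devise token strategy stores the user in the session, from leaving a signed-in session behind for the next request. Register the check ahead of authentication instead, `before_filter :check_token_auth` placed before `before_filter :authenticate_user!` (or `prepend_before_filter :check_token_auth`), so a token on a non-atom request is rejected before any authentication runs. `params[:format] != 'atom'` also differs from `request.format.atom?` for Accept-negotiated requests; I can't tell from here which the feed clients use, but the check should match how the feed action selects its format. A short comment on the new method stating why token auth is limited to feeds (a token in a URL ends up in logs, history and referrers, unlike a session cookie) would help the next reader.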
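--- a/spec/requests/projects_spec.rb
+++ b/spec/requests/projects_spec.rb
@@ -28,6 +28,13 @@ describe "Projects" do
       visit projects_path(:atom, :private_token => @user.private_token)
       page.body.should have_selector("feed title")
     end
+
+    it "should not render projects page via private token" do
+      logout
+
+      visit projects_path(:private_token => @user.private_token)
+      current_path.should == new_user_session_path
+    end
   end
 
   describe "GET /projects/new" do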
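Review bot: The new example on new lines 32-37 asserts only that the token-bearing request lands on the login page; it does not check that the request left no session behind, which is the property the commit is meant to enforce. Add a follow-up request without the token after the existing assertion, `visit projects_path` followed by `current_path.should == new_user_session_path`, so a regression where the token still signs the user in and only the first response is redirected would fail the spec. The enclosing describe block that these examples belong to starts before this hunk.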