From cc3c6ad0ef3fed3451513f3f7f19e45ea0b77152 Mon Sep 17 00:00:00 2001
From: Nihad Abbasov
Date: Fri, 1 Jun 2012 06:56:28 -0700
Subject: [PATCH] allow login via private token only for atom feeds

---
 app/controllers/application_controller.rb | 11 +++++++++--
 spec/requests/projects_spec.rb            |  7 +++++++
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index a96c59b..56792f2 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -1,7 +1,7 @@
 class ApplicationController < ActionController::Base
   before_filter :authenticate_user!
   before_filter :reject_blocked!
-  before_filter :set_current_user_for_mailer
+  before_filter :set_current_user_for_mailer, :check_token_auth
   protect_from_forgery
 
   helper_method :abilities, :can?
@@ -17,9 +17,16 @@ class ApplicationController < ActionController::Base
 
   protected
 
+  def check_token_auth
+    # Redirect to login page if not atom feed
+    if params[:private_token].present? && params[:format] != 'atom'
+      redirect_to new_user_session_path
+    end
+  end
+
   def reject_blocked!
     if current_user && current_user.blocked
-      sign_out current_user
+      sign_out current_user
       flash[:alert] = "Your account was blocked"
       redirect_to new_user_session_path
     end
diff --git a/spec/requests/projects_spec.rb b/spec/requests/projects_spec.rb
index bde0ab8..79c9495 100644
--- a/spec/requests/projects_spec.rb
+++ b/spec/requests/projects_spec.rb
@@ -28,6 +28,13 @@ describe "Projects" do
       visit projects_path(:atom, :private_token => @user.private_token)
       page.body.should have_selector("feed title")
     end
+
+    it "should not render projects page via private token" do
+      logout
+
+      visit projects_path(:private_token => @user.private_token)
+      current_path.should == new_user_session_path
+    end
   end
 
   describe "GET /projects/new" do
-- 
libgit2 0.21.2
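Review bot: `check_token_auth` is appended to the end of the `before_filter` chain, after `authenticate_user!`, so on a non-atom request the private token has already been handed to the authentication filter before the new check redirects; if that token strategy stores the user in the session (the Devise configuration is not visible here), the redirect to the login page does not undo a login that has already taken place. Running the check ahead of authentication keeps the token from being consumed at all for non-feed requests: `prepend_before_filter :check_token_auth` in place of adding it to the existing `before_filter` line. The same ordering concern applies to the method body in the second hunk of this file, which redirects without a `sign_out` of the kind `reject_blocked!` performs just below it. The filter list continues beyond this hunk.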
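Review bot: The new `check_token_auth` decides on `params[:format] != 'atom'`, which is only set when the feed is requested through the `.atom` extension; a feed negotiated via the Accept header would carry a nil `params[:format]` and be redirected despite being a legitimate token use, if any client requests feeds that way. `unless request.format.atom?` expresses the intent against the resolved request format rather than the raw parameter. The comment `# Redirect to login page if not atom feed` restates the condition; it would help a later reader more to say why, e.g. `# Private tokens are feed-only credentials: never let one bootstrap a browser session`.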
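Review bot: The new example only asserts `current_path.should == new_user_session_path` after the token request, which passes as long as a redirect happened; it does not show that the request left no session behind, which is the property this commit is about. A follow-up `visit projects_path` with a second `current_path.should == new_user_session_path` would pin that the token did not sign the user in. The enclosing `describe "GET /projects"` block starts before this hunk.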