Commit cc3c6ad0ef3fed3451513f3f7f19e45ea0b77152
1 parent
f8f6ff06
allow login via private token only for atom feeds
Showing
2 changed files
with
16 additions
and
2 deletions
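--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -1,7 +1,7 @@
 class ApplicationController < ActionController::Base
 before_filter :authenticate_user!
 before_filter :reject_blocked!
-before_filter :set_current_user_for_mailer
+before_filter :set_current_user_for_mailer, :check_token_auth
 protect_from_forgery
 helper_method :abilities, :can?
 
@@ -17,9 +17,16 @@ class ApplicationController < ActionController::Base
 
 protected
 
+def check_token_auth
+# Redirect to login page if not atom feed
+if params[:private_token].present? && params[:format] != 'atom'
+redirect_to new_user_session_path
+end
+end
+
 def reject_blocked!
 if current_user && current_user.blocked
-sign_out current_user
+sign_out current_user
 flash[:alert] = "Your account was blocked"
 redirect_to new_user_session_path
 end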
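Review bot: `check_token_auth` is added at the end of the filter chain, after `authenticate_user!` (line 4 of the new file), so it only runs once the request has already been authenticated; if the private token is what authenticates the request there (the token strategy itself is not in this diff), a signed-in state may already exist before the redirect fires, and the redirect alone does not undo it. Running the check ahead of authentication, e.g. `prepend_before_filter :check_token_auth`, or having the token strategy refuse non-atom formats, would close that window. The inline comment could also state the intent more precisely: `# A private_token in the query string is honoured only for atom feeds; every other format is sent to the login page so the token cannot serve as a general web login credential.` The enclosing class continues outside the hunk.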
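--- a/spec/requests/projects_spec.rb
+++ b/spec/requests/projects_spec.rb
@@ -28,6 +28,13 @@ describe "Projects" do
 visit projects_path(:atom, :private_token => @user.private_token)
 page.body.should have_selector("feed title")
 end
+
+it "should not render projects page via private token" do
+logout
+
+visit projects_path(:private_token => @user.private_token)
+current_path.should == new_user_session_path
+end
 end
 
 describe "GET /projects/new" do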
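Review bot: The new example asserts only the redirect target, not that the token-carrying request left the visitor unauthenticated, so it would still pass if the filter redirected after a session had already been established. A follow-up `visit projects_path` without the token, followed by a second `current_path.should == new_user_session_path`, would pin that behaviour. The enclosing `describe` block continues outside the hunk.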