Commit a3f46c1e85203cfb8cdf8f630bf0bcabc767e4d6

Authored by Antonio Terceiro
2 parents 58156aa7 e47daca2

Merge branch 'fix_plugin_admin' into 'master'

Fix access to plugin administration pages

Users can access plugin administration pages (e.g. /admin/plugin/vote) even if they aren't environment administrators.

This MR creates a new base controller for plugin administration controllers, so that these pages are protected by default against improper access.

See merge request !417
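--- a/app/controllers/admin/plugin_admin_controller.rb
+++ b/app/controllers/admin/plugin_admin_controller.rb
@@ -0,0 +1,5 @@
+class PluginAdminController < AdminController
+
+ protect 'edit_environment_features', :environment
+
+end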
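Review bot: The `protect` call on line 3 only takes effect for controllers that actually inherit from PluginAdminController; a plugin admin controller that still subclasses AdminController directly (a third-party plugin, or a future one written by copying an old example) keeps the exact gap this MR fixes, and nothing in the new class or its test catches that. The class deserves a comment saying so, e.g. `# Base class for every plugin's admin controller: the permission check below is what keeps /admin/plugin/* away from non-administrators, so plugin admin controllers must inherit from this class rather than from AdminController.`, and ideally a test that iterates the loaded `*PluginAdminController` classes and asserts each one descends from PluginAdminController. Whether `protect` here covers actions added by subclasses, and whether a subclass's own `protect` call replaces or stacks with this one, depends on the `protect` implementation, which is not visible in this diff; confirm both before relying on the default.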
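--- a/plugins/anti_spam/controllers/anti_spam_plugin_admin_controller.rb
+++ b/plugins/anti_spam/controllers/anti_spam_plugin_admin_controller.rb
@@ -1,4 +1,4 @@
-class AntiSpamPluginAdminController < AdminController
+class AntiSpamPluginAdminController < PluginAdminController
 append_view_path File.join(File.dirname(__FILE__) + '/../views')
 
 def index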
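--- a/plugins/foo/controllers/admin/foo_plugin_admin_bar_controller.rb
+++ b/plugins/foo/controllers/admin/foo_plugin_admin_bar_controller.rb
@@ -1,3 +1,3 @@
-class FooPluginAdminBarController < AdminController
+class FooPluginAdminBarController < PluginAdminController
 end
 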
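--- a/plugins/ldap/controllers/ldap_plugin_admin_controller.rb
+++ b/plugins/ldap/controllers/ldap_plugin_admin_controller.rb
@@ -1,4 +1,4 @@
-class LdapPluginAdminController < AdminController
+class LdapPluginAdminController < PluginAdminController
 
 append_view_path File.join(File.dirname(__FILE__) + '/../views')
 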
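--- a/plugins/piwik/controllers/piwik_plugin_admin_controller.rb
+++ b/plugins/piwik/controllers/piwik_plugin_admin_controller.rb
@@ -1,4 +1,4 @@
-class PiwikPluginAdminController < AdminController
+class PiwikPluginAdminController < PluginAdminController
 
 append_view_path File.join(File.dirname(__FILE__) + '/../views')
 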
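--- a/plugins/vote/controllers/vote_plugin_admin_controller.rb
+++ b/plugins/vote/controllers/vote_plugin_admin_controller.rb
@@ -1,4 +1,4 @@
-class VotePluginAdminController < AdminController
+class VotePluginAdminController < PluginAdminController
 
 def index
 settings = params[:settings]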
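--- a/plugins/vote/test/functional/vote_plugin_admin_controller_test.rb
+++ b/plugins/vote/test/functional/vote_plugin_admin_controller_test.rb
@@ -8,7 +8,7 @@ class VotePluginAdminControllerTest < ActionController::TestCase
 
 def setup
 @environment = Environment.default
-@profile = create_user('profile').person
+@profile = create_user_with_permission('profile', 'edit_environment_features', Environment.default)
 login_as(@profile.identifier)
 end
 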
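--- a/test/functional/plugin_admin_controller_test.rb
+++ b/test/functional/plugin_admin_controller_test.rb
@@ -0,0 +1,25 @@
+require File.dirname(__FILE__) + '/../test_helper'
+
+class PluginAdminController
+ def index
+ render :text => 'ok'
+ end
+end
+
+class PluginAdminControllerTest < ActionController::TestCase
+
+ should 'allow user with the required permission to access plugin administration page' do
+ create_user_with_permission('testuser', 'edit_environment_features', Environment.default)
+ login_as('testuser')
+ get :index
+ assert_response :success
+ end
+
+ should 'forbid access to users that did not have the required permission' do
+ create_user('testuser')
+ login_as('testuser')
+ get :index
+ assert_response :forbidden
+ end
+
+end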
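Review bot: The negative test on lines 18-23 only covers a logged-in user without the permission; there is no case for an anonymous request, which is the most common way an access-control regression on an admin page shows up. Add a third case alongside it, `should 'forbid access to anonymous users' do` / `get :index` / `assert_response :forbidden` / `end` — if `protect` redirects unauthenticated requests to the login page instead of returning 403 (its implementation is not visible here), assert on the redirect rather than on :forbidden. Separately, reopening `PluginAdminController` on lines 3-7 to add `index` patches the real class for the whole test process, so that stub action stays visible to every other functional test that loads afterwards; a throwaway subclass declared with `tests` would keep the fixture local to this file.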