Commit a3f46c1e85203cfb8cdf8f630bf0bcabc767e4d6

Authored by Antonio Terceiro
2 parents 58156aa7 e47daca2

Merge branch 'fix_plugin_admin' into 'master'

Fix access to plugin administration pages

Users can access plugin administration pages (e.g. /admin/plugin/vote) even if they aren't environment administrators.

This MR creates a new base controller for plugins that protects these pages against improper access by default.

See merge request !417
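--- a/app/controllers/admin/plugin_admin_controller.rb
+++ b/app/controllers/admin/plugin_admin_controller.rb
@@ -0,0 +1,5 @@
+class PluginAdminController < AdminController
+
+ protect 'edit_environment_features', :environment
+
+end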
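Review bot: The protection is opt-in — only controllers that subclass PluginAdminController get the `protect` filter, so a plugin admin controller that still inherits from AdminController (or a future one written that way) is left as open as the description says these pages were before, with nothing in the commit catching it. A functional test that walks the loaded `*PluginAdminController` classes and asserts each one has PluginAdminController among its ancestors would turn the convention into an enforced invariant; the five plugin controllers changed below are covered today, but stragglers are not. The class itself is undocumented; a header comment such as `# Base class for plugin administration pages; every action requires 'edit_environment_features' on the environment.` would tell plugin authors why they must inherit from it.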
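--- a/plugins/anti_spam/controllers/anti_spam_plugin_admin_controller.rb
+++ b/plugins/anti_spam/controllers/anti_spam_plugin_admin_controller.rb
@@ -1,4 +1,4 @@
-class AntiSpamPluginAdminController < AdminController
+class AntiSpamPluginAdminController < PluginAdminController
 append_view_path File.join(File.dirname(__FILE__) + '/../views')
 
 def index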
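--- a/plugins/foo/controllers/admin/foo_plugin_admin_bar_controller.rb
+++ b/plugins/foo/controllers/admin/foo_plugin_admin_bar_controller.rb
@@ -1,3 +1,3 @@
-class FooPluginAdminBarController < AdminController
+class FooPluginAdminBarController < PluginAdminController
 end
 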
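--- a/plugins/ldap/controllers/ldap_plugin_admin_controller.rb
+++ b/plugins/ldap/controllers/ldap_plugin_admin_controller.rb
@@ -1,4 +1,4 @@
-class LdapPluginAdminController < AdminController
+class LdapPluginAdminController < PluginAdminController
 
 append_view_path File.join(File.dirname(__FILE__) + '/../views')
 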
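--- a/plugins/piwik/controllers/piwik_plugin_admin_controller.rb
+++ b/plugins/piwik/controllers/piwik_plugin_admin_controller.rb
@@ -1,4 +1,4 @@
-class PiwikPluginAdminController < AdminController
+class PiwikPluginAdminController < PluginAdminController
 
 append_view_path File.join(File.dirname(__FILE__) + '/../views')
 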
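--- a/plugins/vote/controllers/vote_plugin_admin_controller.rb
+++ b/plugins/vote/controllers/vote_plugin_admin_controller.rb
@@ -1,4 +1,4 @@
-class VotePluginAdminController < AdminController
+class VotePluginAdminController < PluginAdminController
 
 def index
 settings = params[:settings]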
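--- a/plugins/vote/test/functional/vote_plugin_admin_controller_test.rb
+++ b/plugins/vote/test/functional/vote_plugin_admin_controller_test.rb
@@ -8,7 +8,7 @@ class VotePluginAdminControllerTest < ActionController::TestCase
 
 def setup
 @environment = Environment.default
- @profile = create_user('profile').person
+ @profile = create_user_with_permission('profile', 'edit_environment_features', Environment.default)
 login_as(@profile.identifier)
 end
 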
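--- a/test/functional/plugin_admin_controller_test.rb
+++ b/test/functional/plugin_admin_controller_test.rb
@@ -0,0 +1,25 @@
+require File.dirname(__FILE__) + '/../test_helper'
+
+class PluginAdminController
+ def index
+ render :text => 'ok'
+ end
+end
+
+class PluginAdminControllerTest < ActionController::TestCase
+
+ should 'allow user with the required permission to access plugin administration page' do
+ create_user_with_permission('testuser', 'edit_environment_features', Environment.default)
+ login_as('testuser')
+ get :index
+ assert_response :success
+ end
+
+ should 'forbid access to users that did not have the required permission' do
+ create_user('testuser')
+ login_as('testuser')
+ get :index
+ assert_response :forbidden
+ end
+
+end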
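Review bot: The two `should` blocks cover a logged-in user with and without the permission, but not the unauthenticated request, which is the path an anonymous visitor of /admin/plugin/... actually takes and the one the merge description is about. A third case that calls `get :index` without `login_as` and asserts whatever `protect` does for anonymous requests (a redirect to login or `:forbidden` — check the filter, the hunk does not show it) would pin that behaviour. Reopening `PluginAdminController` at the top of the file also adds an `index` action to the production class for the entire test process rather than to a test-only subclass; that is harmless today but worth a comment such as `# test-only action: the base controller defines none of its own` so nobody mistakes it for real routing. The second test name reads better as `'forbid access to users that do not have the required permission'`.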