[Git][noosfero/noosfero][master] 2 commits: Require login for all pages when environment is private

Antonio Terceiro gitlab at gitlab.com
Fri Oct 2 09:55:53 BRT 2015


Antonio Terceiro pushed to branch master at Noosfero / noosfero


Commits:
48f51755 by Larissa Reis at 2015-09-26T11:36:29Z
Require login for all pages when environment is private

  This fixes a bug in which some pages (e.g. a profile page) were visible
  to unlogged users even if the environment has enabled "show content
  only to members".

  The problem happened because some controllers use `before_filter
  :login_required` so they can apply it to some specific methods,
  effectively overriding the one set in `application_controller`. That
  before filter set in `application_controller` is the one used to make
  the environment private when that feature is enabled, so when a
  controller overrides it, some methods do not require login even when
  the environment is private. So I fixed the problem by using a
  different `before_filter` to take care specifically of private
  environments.

  Now every page requires login when an environment is private, except
  the pages in `account_controller` necessary for login and signup.

- - - - -
89b2559c by Antonio Terceiro at 2015-10-02T12:55:34Z
Merge branch 'private-environment' into 'master'

Fixes pages that appear public even when environment is private

This fixes a bug in which some pages (e.g. a profile page) were visible to unlogged users even if the environment has enabled "show content only to members". See the commit message for an explanation of what was done and why. Closes issue #124.

See merge request !679
- - - - -


4 changed files:

- app/controllers/application_controller.rb
- app/controllers/public/account_controller.rb
- test/functional/account_controller_test.rb
- test/functional/profile_controller_test.rb


Changes:

=====================================
app/controllers/application_controller.rb
=====================================
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -9,11 +9,15 @@ class ApplicationController < ActionController::Base
   before_filter :allow_cross_domain_access
 
   before_filter :login_from_cookie
-  before_filter :login_required, :if => :private_environment?
+  before_filter :require_login_for_environment, :if => :private_environment?
 
   before_filter :verify_members_whitelist, :if => [:private_environment?, :user]
   before_filter :redirect_to_current_user
 
+  def require_login_for_environment
+    login_required
+  end
+
   def verify_members_whitelist
     render_access_denied unless user.is_admin? || environment.in_whitelist?(user)
   end
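Review bot: `require_login_for_environment` is added as a public method, so Rails treats it as a routable action on every controller inheriting from ApplicationController; declare it under `protected` (or `private`) with the other filter methods, or at least `hide_action :require_login_for_environment`. A one-line comment on the method would also help: its body is a bare `login_required`, and the only reason it exists is that a distinct filter name cannot be narrowed by a subclass's `before_filter :login_required, :only => [...]`. Without that note, a future cleanup that collapses it back into `login_required` silently reintroduces the bug this commit fixes.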


=====================================
app/controllers/public/account_controller.rb
=====================================
--- a/app/controllers/public/account_controller.rb
+++ b/app/controllers/public/account_controller.rb
@@ -2,7 +2,7 @@ class AccountController < ApplicationController
 
   no_design_blocks
 
-  before_filter :login_required, :only => [:activation_question, :accept_terms, :activate_enterprise, :change_password]
+  before_filter :login_required, :require_login_for_environment, :only => [:activation_question, :accept_terms, :activate_enterprise, :change_password]
   before_filter :redirect_if_logged_in, :only => [:login, :signup]
   before_filter :protect_from_bots, :only => :signup
 
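Review bot: adding `:require_login_for_environment` to this `:only`-scoped `before_filter` relies on the very override mechanism that caused the original bug, here on purpose: redeclaring the filter replaces the inherited `:if => :private_environment?` version, so the environment check now runs only for the four listed actions and every other AccountController action (not just `login` and `signup`) is exempt in a private environment. If the intent from the commit message is to exempt only the pages needed for login and signup, `skip_before_filter :require_login_for_environment, :only => [:login, :signup, ...]` states that directly and fails closed when a new action is added to this controller. A short comment explaining why the environment filter is redeclared here would help too; for the four listed actions `login_required` now effectively runs twice, which is harmless but redundant.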


=====================================
test/functional/account_controller_test.rb
=====================================
--- a/test/functional/account_controller_test.rb
+++ b/test/functional/account_controller_test.rb
@@ -1046,4 +1046,15 @@ class AccountControllerTest < ActionController::TestCase
                                 :national_region_type_id => NationalRegionType::CITY,
                                 :parent_national_region_code => parent_region.national_region_code)
   end
+
+  should 'not lock users out of login if environment is restrict to members' do
+    Environment.default.enable(:restrict_to_members)
+    get :login
+    assert_response :success
+
+    post :login, :user => {:login => 'johndoe', :password => 'test'}
+    assert session[:user]
+    assert_response :redirect
+  end
+
 end
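Review bot: the test name says "restrict to members" where "restricted to members" is meant, and the test covers only the positive half of the change. Add the negative case next to it: with `:restrict_to_members` enabled and no session, a request to one of the actions guarded by the `:only` list (for example `get :change_password`) should redirect to login, and since the commit message exempts signup as well, `get :signup` should also be asserted as `:success`. The `'johndoe'`/`'test'` credentials depend on a fixture the test does not create itself, which is fine if that fixture is standard in this suite but worth a comment otherwise.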


=====================================
test/functional/profile_controller_test.rb
=====================================
--- a/test/functional/profile_controller_test.rb
+++ b/test/functional/profile_controller_test.rb
@@ -1812,4 +1812,10 @@ class ProfileControllerTest < ActionController::TestCase
     assert @response.body.index("another_user") > @response.body.index("different_user")
   end
 
+  should 'redirect to login if environment is restrict to members' do
+    Environment.default.enable(:restrict_to_members)
+    get :index
+    assert_redirected_to :controller => 'account', :action => 'login'
+  end
+
 end
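Review bot: test name: "restrict to members" should read "restricted to members". The assertion also proves only that the redirect happens once; given that the root cause was controllers narrowing `login_required` with `:only`, the regression test would be stronger if it also requested an action that appears in such an `:only` list, and if it had a positive counterpart (log a user in, `get :index`, assert no redirect to `account/login`) so the test catches the filter becoming over-broad rather than merely present.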



View it on GitLab: https://gitlab.com/noosfero/noosfero/compare/e51ebfd730a320854f9fd6813035b0847e21ab73...89b2559c511936a51e0c97a692b7d316d1f11a91