[Git][noosfero/noosfero][master] 2 commits: Require login for all pages when environment is private
Antonio Terceiro
gitlab at gitlab.com
Fri Oct 2 09:55:53 BRT 2015
Antonio Terceiro pushed to branch master at Noosfero / noosfero
Commits:
48f51755 by Larissa Reis at 2015-09-26T11:36:29Z
Require login for all pages when environment is private
This fixes a bug in which some pages (e.g. a profile page) were visible
to unlogged users even if the environment has enabled "show content
only to members".
The problem happened because some controllers use `before_filter
:login_required` so they can apply it to some specific methods,
effectively overriding the one set in `application_controller`. That
before filter set in `application_controller` is the one used to make
the environment private when that feature is enabled, so when a
controller overrides it, some methods do not require login even when
the environment is private. So I fixed the problem by using a
different `before_filter` to take care specifically of private
environments.
Now every page requires login when an environment is private, except
the pages in `account_controller` necessary for login and signup.
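The filter-override mechanism the commit message describes can be shown without a Rails stack. The block below is an added illustration, not Noosfero code and not ActionController: `MiniController` is a deliberately small model of Rails-style `before_filter` inheritance in which a subclass redeclaring an inherited filter name replaces the parent's entry together with its options. The `Buggy*` classes reproduce the pre-fix layout (the subclass's `:only` declaration silently drops the private-environment check from `:index`), and the `Fixed*` classes use the separate filter name the commit introduces. All class and method names other than `login_required`, `require_login_for_environment` and `private_environment?` are hypothetical.

```ruby
# Added example (not Noosfero/Rails code): a minimal model of before_filter
# inheritance, built to show why a subclass redeclaring :login_required with
# :only narrows the parent's access check, and how a distinct filter name avoids it.
class MiniController
  # Each class keeps an ordered table of filter name => options, seeded from
  # its superclass so declarations are inherited.
  def self.filters
    @filters ||= (superclass.respond_to?(:filters) ? superclass.filters.dup : {})
  end

  # Mirrors the behaviour the commit message relies on: declaring a filter whose
  # name already exists REPLACES the inherited entry, options included.
  def self.before_filter(*names, **options)
    names.each { |n| filters[n] = options }
  end

  def initialize(private_environment:, logged_in:)
    @private_environment = private_environment
    @logged_in = logged_in
  end

  def private_environment?
    @private_environment
  end

  # Runs the filter chain for +action+; returns :denied if a filter halts,
  # otherwise the action name (standing in for "the page rendered").
  def dispatch(action)
    self.class.filters.each do |name, opts|
      next if opts[:only] && !Array(opts[:only]).include?(action)
      next if opts[:if] && !send(opts[:if])
      return :denied if send(name) == :halt
    end
    action
  end

  # The access check itself: halts the chain for anonymous users.
  def login_required
    @logged_in ? :ok : :halt
  end
end

# --- Before the fix: the subclass overrides the environment-wide filter ---
class BuggyApplicationController < MiniController
  before_filter :login_required, if: :private_environment?
end

class BuggyProfileController < BuggyApplicationController
  # Same filter name as the parent: the :if condition is gone and the check
  # now applies to :edit only, so :index is public in a private environment.
  before_filter :login_required, only: [:edit]
end

# --- After the fix: the environment check has its own filter name ---
class FixedApplicationController < MiniController
  before_filter :require_login_for_environment, if: :private_environment?

  def require_login_for_environment
    login_required
  end
end

class FixedProfileController < FixedApplicationController
  # Redeclaring :login_required no longer touches the environment filter.
  before_filter :login_required, only: [:edit]
end

# Convenience check used by the assertions: can this request see the page?
def page_visible?(controller_class, action, private_environment:, logged_in: false)
  controller_class.new(private_environment: private_environment, logged_in: logged_in)
                  .dispatch(action) != :denied
end

if __FILE__ == $PROGRAM_NAME
  puts "buggy, private env, anonymous :index -> #{page_visible?(BuggyProfileController, :index, private_environment: true)}"
  puts "fixed, private env, anonymous :index -> #{page_visible?(FixedProfileController, :index, private_environment: true)}"
end
```

Run as a script it prints `true` for the buggy layout and `false` for the fixed one, which is the whole bug in two lines: an inherited authorization filter can be replaced by any subclass that reuses its name, so environment-wide checks are safer under a name that subclasses have no reason to redeclare.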
- - - - -
89b2559c by Antonio Terceiro at 2015-10-02T12:55:34Z
Merge branch 'private-environment' into 'master'
Fixes pages that appear public even when environment is private
This fixes a bug in which some pages (e.g. a profile page) were visible to unlogged users even if the environment has enabled "show content only to members". See commit message for explanation of what was done and why. Closes issue #124
See merge request !679
- - - - -
4 changed files:
- app/controllers/application_controller.rb
- app/controllers/public/account_controller.rb
- test/functional/account_controller_test.rb
- test/functional/profile_controller_test.rb
Changes:
=====================================
app/controllers/application_controller.rb
=====================================
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -9,11 +9,15 @@ class ApplicationController < ActionController::Base
before_filter :allow_cross_domain_access
before_filter :login_from_cookie
- before_filter :login_required, :if => :private_environment?
+ before_filter :require_login_for_environment, :if => :private_environment?
before_filter :verify_members_whitelist, :if => [:private_environment?, :user]
before_filter :redirect_to_current_user
+ def require_login_for_environment
+ login_required
+ end
+
def verify_members_whitelist
render_access_denied unless user.is_admin? || environment.in_whitelist?(user)
end
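Review bot: `require_login_for_environment` is a one-line wrapper around `login_required` and nothing in the hunk records why the indirection exists; a later cleanup could inline it back to `before_filter :login_required, :if => :private_environment?` and silently reintroduce the bug, because a subclass declaring `before_filter :login_required, :only => [...]` replaces the inherited filter of the same name. Suggest a comment on the method, for example `# Distinct filter name so subclasses that redeclare :login_required with :only cannot override the private-environment check`. Also, no visibility keyword precedes the new method or the neighbouring `verify_members_whitelist` in this hunk, so both appear to be public instance methods of the controller; consider placing them under `protected` so they can never be routed to as actions.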
=====================================
app/controllers/public/account_controller.rb
=====================================
--- a/app/controllers/public/account_controller.rb
+++ b/app/controllers/public/account_controller.rb
@@ -2,7 +2,7 @@ class AccountController < ApplicationController
no_design_blocks
- before_filter :login_required, :only => [:activation_question, :accept_terms, :activate_enterprise, :change_password]
+ before_filter :login_required, :require_login_for_environment, :only => [:activation_question, :accept_terms, :activate_enterprise, :change_password]
before_filter :redirect_if_logged_in, :only => [:login, :signup]
before_filter :protect_from_bots, :only => :signup
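Review bot: adding `:require_login_for_environment` to this `:only` list does two different jobs and states neither: for the four listed actions it is redundant with `login_required`, while its real effect is to replace the inherited filter so that every other AccountController action (login, signup and anything else in the controller) is exempt from the private-environment check. The redeclaration also drops the parent's `:if => :private_environment?` condition, which is harmless here only because `login_required` already applies unconditionally to those same actions. Suggest a one-line comment above the declaration stating that intent, and confirming that every action of this controller outside the list is meant to be reachable anonymously in a restricted environment, since the commit message scopes the exemption to pages necessary for login and signup.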
=====================================
test/functional/account_controller_test.rb
=====================================
--- a/test/functional/account_controller_test.rb
+++ b/test/functional/account_controller_test.rb
@@ -1046,4 +1046,15 @@ class AccountControllerTest < ActionController::TestCase
:national_region_type_id => NationalRegionType::CITY,
:parent_national_region_code => parent_region.national_region_code)
end
+
+ should 'not lock users out of login if environment is restrict to members' do
+ Environment.default.enable(:restrict_to_members)
+ get :login
+ assert_response :success
+
+ post :login, :user => {:login => 'johndoe', :password => 'test'}
+ assert session[:user]
+ assert_response :redirect
+ end
+
end
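Review bot: the new test covers only the exemption side of the change. It shows GET and POST `:login` staying reachable, but nothing checks that a listed action such as `:change_password` still redirects an anonymous user in a restricted environment, nor that `:signup`, which the commit message also exempts, remains reachable; suggest adding both cases next to this one. The POST assumes a user `johndoe` with password `test` already exists; if this file's setup creates it that is fine, otherwise create the user inside the test so it does not depend on fixture state. Minor: the blank `+` line added just before the closing `end` is stray whitespace.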
=====================================
test/functional/profile_controller_test.rb
=====================================
--- a/test/functional/profile_controller_test.rb
+++ b/test/functional/profile_controller_test.rb
@@ -1812,4 +1812,10 @@ class ProfileControllerTest < ActionController::TestCase
assert @response.body.index("another_user") > @response.body.index("different_user")
end
+ should 'redirect to login if environment is restrict to members' do
+ Environment.default.enable(:restrict_to_members)
+ get :index
+ assert_redirected_to :controller => 'account', :action => 'login'
+ end
+
end
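Review bot: the added `should` block is placed directly after the previous test's `end` without a separating blank line, while a blank line is added after it; move that blank line above the block to match the file's layout. The test also establishes only the negative case; asserting that the same `get :index` responds with success once a user is logged in (using the test suite's login helper) would show that the redirect comes from the private-environment filter rather than from the request failing for another reason. Note that `get :index` without a `:profile` parameter relies on whatever this test case's setup does to select a profile, which is outside the hunk.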
View it on GitLab: https://gitlab.com/noosfero/noosfero/compare/e51ebfd730a320854f9fd6813035b0847e21ab73...89b2559c511936a51e0c97a692b7d316d1f11a91