Commit abdd1da1 authored by azul's avatar azul

use ExceptionsApp for 401 and 403 aswell

parent 57f927bf
......@@ -42,14 +42,14 @@ module Common::Application::RescueErrors
rescue_from ActiveRecord::RecordInvalid, with: :render_error
rescue_from CrabgrassException, with: :render_error
rescue_from GreenClothHeadingError, with: :render_error
rescue_from AuthenticationRequired, with: :render_authentication_required
rescue_from PermissionDenied, with: :render_permission_denied
rescue_from ActionController::InvalidAuthenticityToken, with: :render_csrf_error
# Use the ExceptionApp with ExceptionsController for these:
# ( this is the default for errors that do not inherit from
# one of the above)
rescue_from ErrorNotFound, with: :raise
rescue_from AuthenticationRequired, with: :raise
rescue_from PermissionDenied, with: :raise
#helper_method :rescues_path
#alias_method_chain :rescue_action_locally, :js
......@@ -111,33 +111,6 @@ module Common::Application::RescueErrors
render template: 'account/csrf_error', layout: 'notice'
end
#
# show a permission denied page, or prompt for login
#
def render_permission_denied(exception)
log_exception(exception)
respond_to do |format|
format.html do
render_auth_error_html(exception)
end
format.js do
render_error_js(exception, status: 401)
end
format.xml do
headers["Status"] = "Unauthorized"
headers["WWW-Authenticate"] = %(Basic realm="Web Password")
render text: "Could not authenticate you", status: '401 Unauthorized'
end
end
end
#
# show the login screen
#
def render_authentication_required(exception)
render_permission_denied(exception)
end
#
# tries to automatically render the most appropriate thing.
# for ajax, no problem, we render some rjs.
......@@ -251,18 +224,6 @@ module Common::Application::RescueErrors
end
end
def render_auth_error_html(exception)
alert_message exception, :later
if logged_in?
# fyi, this template will eat the alert_message
render template: 'error/permission_denied', layout: 'notice'
else
# request.path does not keep query params. But we need them in some cases.
after_login = url_for params.merge(only_path: true)
redirect_to root_path(redirect: after_login)
end
end
def render_error_js(exception=nil, options={})
error exception if exception.present?
log_exception(exception)
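Review bot: The three `with: :raise` entries at L17-L19 only take effect because Rails searches `rescue_from` handlers last-declared-first, so they must stay below the `render_error` handler for `CrabgrassException` at L9; the comment at L14-L16 should say so, e.g. `# Declared last on purpose: rescue_from picks the most recently declared matching handler, so these override render_error above.` The removed `render_permission_denied` (L28-L43) also answered XML with a 401 plus `WWW-Authenticate` and passed `status: 401` to `render_error_js`, and it logged via `log_exception`; after this change those responses and that logging depend entirely on `ExceptionsController`, which is not in the diff, so it is worth confirming JS and XML clients still receive a 401/403 rather than an HTML login page. Both the module and `render_error_js` at L67 continue outside the hunk.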
......
.col-lg-center.margin-top
.inline_message_list
= inline_alert_messages
......@@ -5,6 +5,7 @@
-# tab focus.
-#
- redirect_url = params.present? && url_for(params.merge(only_path: true))
.login_form
= form_tag(login_path, id: "entry") do
......@@ -13,7 +14,9 @@
= :cookie_disabled_warning.t
%div
%label(for = 'login')= :login_name.t
%span= link_to(:signup_link.t, new_account_path(redirect: params[:redirect]), class: 'nofocus')
%span= link_to :signup_link.t,
new_account_path(redirect: redirect_url),
class: 'nofocus'
= text_field_tag 'login', params['login'], id: 'login', tabindex: 1, class: 'form-control'
%div.password
%label(for = 'password')= :login_password.t
......@@ -22,6 +25,4 @@
%div.buttons
%input{ type: 'submit', value: :login_button.t, tabindex: 3, class: 'btn btn-primary' }
%div
- if params[:redirect]
= hidden_field_tag 'redirect', params[:redirect]
= javascript_tag "Form.focusFirstElement('entry');"
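Review bot: `redirect_url` at L77 serializes the whole `params` hash into the signup link's `redirect` value, and if this view is what the exceptions app renders for a 401 on a POST, `params` includes the request body rather than only the query string, so submitted form contents would end up in a URL and from there in logs and Referer headers. `only_path: true` keeps the value on-site, which is the right open-redirect guard, but building it from `request.query_parameters` or an explicit allow-list of keys would bound what gets copied. Note also that newer Rails versions refuse unpermitted `ActionController::Parameters` in `url_for`, so this line will need attention on upgrade.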
......@@ -64,11 +64,14 @@ module Crabgrass
# store fragments on disk, we might have a lot of them.
config.action_controller.cache_store = :file_store, CACHE_DIRECTORY
# add our custom 404 error class
# add our custom error classes
config.action_dispatch.rescue_responses.merge!(
'ErrorNotFound' => :not_found,
'WikiExtension::Sections::SectionNotFoundError' => :not_found
'WikiExtension::Sections::SectionNotFoundError' => :not_found,
'PermissionDenied' => :forbidden,
'AuthenticationRequired' => :unauthorized
)
# Make Active Record use UTC-base instead of local time
config.time_zone = 'UTC'
config.active_record.default_timezone = :utc
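Review bot: As far as I know `rescue_responses` is looked up by the exact name of the raised exception's class, so only exceptions whose class is literally `PermissionDenied` or `AuthenticationRequired` get 403/401, while any subclass re-raised through `rescue_from ... with: :raise` falls back to 500 and the generic error page. If such subclasses exist, each needs its own entry here, and a comment above the `merge!` such as `# keyed by exact class name; subclasses must be listed separately` would spare the next reader the surprise. A test that raises each class through a controller and checks the resulting status would pin the mapping, since this path is only exercised via the exceptions app.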
......
......@@ -8,11 +8,15 @@ en:
title:
# %{thing} is optional here. Please make sure the string works without it.
not_found: "%{thing} Not Found"
unauthorized: "Login Required"
forbidden: "Permission Denied"
# optional - falls back to translation of not_found
group:
not_found: Group Not Found
description:
not_found: Sorry, we could not find what you were looking for.
unauthorized: "Please login to perform that action."
forbidden: "Sorry. You do not have the ability to perform that action."
# optional - falls back to exception.description.not_found
group:
not_found: Sorry, we could not find the group you were looking for.
......@@ -12,7 +12,7 @@ module Crabgrass
def render_with_exceptions_controller(env)
status = env["PATH_INFO"][1..-1]
return unless status == '404'
return unless ['401', '403', '404'].include? status
ExceptionsController.action(:show).call(env)
rescue Exception => controller_error
$stderr.puts error_log(controller_error)
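Review bot: The status allow-list at L134 is an inline literal rebuilt on every call; a frozen constant, `HANDLED_STATUSES = %w[401 403 404].freeze` with `return unless HANDLED_STATUSES.include?(status)`, names the contract and keeps it next to the `rescue_responses` entries it mirrors. The `rescue Exception` at L136 is also wider than needed: it catches `SystemExit`, `Interrupt` and `NoMemoryError` while trying to log a controller failure, and `rescue StandardError` is enough for errors raised by `ExceptionsController`. The method continues past the end of the hunk.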
......
......@@ -5,8 +5,9 @@ class AssetsControllerTest < ActionController::TestCase
def test_get_permissions
ImageAsset.any_instance.stubs(:public?).returns(false)
asset = FactoryGirl.create :image_asset
get :show, id: asset.id, path: asset.basename
assert_login_required
assert_permission_denied do
get :show, id: asset.id, path: asset.basename
end
end
def test_get_with_escaped_chars
......
......@@ -7,9 +7,9 @@ class Groups::DirectoryControllerTest < ActionController::TestCase
end
def test_index_requires_login
get :index
assert_response :redirect
assert_redirected_to '/?redirect=%2Fnetworks%2Fdirectory'
assert_login_required do
get :index
end
end
def test_index
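Review bot: The removed assertion at L156 checked that the login redirect carried the original path (`/?redirect=%2Fnetworks%2Fdirectory`), and the new `assert_login_required` block only verifies that `AuthenticationRequired` is raised, so nothing in the functional suite now exercises the 401-to-login-page path that users actually see; the response is produced by the exceptions app, which `ActionController::TestCase` bypasses once the exception propagates. The same coverage loss applies to the other `assert_login_required` conversions (L139-L149, L166-L174, L199-L241) and comes from the helper change at L352-L353. One integration test that requests a protected path through the exceptions app and asserts the rendered login form would restore it.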
......
require_relative '../../test_helper'
require 'test_helper'
class Groups::GroupsControllerTest < ActionController::TestCase
......@@ -7,8 +7,9 @@ class Groups::GroupsControllerTest < ActionController::TestCase
end
def test_new_group_requires_login
get :new
assert_login_required
assert_login_required do
get :new
end
end
def test_choose_group_type
......
......@@ -19,17 +19,19 @@ class Groups::SettingsControllerTest < ActionController::TestCase
end
def test_not_logged_in
get :show, group_id: @group.to_param
assert_response 302
assert_login_required do
get :show, group_id: @group.to_param
end
end
def test_not_a_member
stranger = FactoryGirl.create(:user)
login_as stranger
assert_permission :may_admin_group?, false do
get :show, group_id: @group.to_param
assert_permission_denied do
get :show, group_id: @group.to_param
end
end
assert_select '.inline_message_list'
end
def test_member_can_see_private
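Review bot: `assert_select '.inline_message_list'` at L195 runs after the `assert_permission_denied` block at L191-L193; if that helper now asserts a raised `PermissionDenied` the way `assert_login_required` asserts `AuthenticationRequired` (L352-L353), the controller never rendered anything and the selector assertion either fails or inspects a stale response. Either drop L195 or move the message-list check into a test that goes through the exceptions app, where the permission-denied page is actually rendered.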
......
......@@ -8,8 +8,9 @@ class Me::DestroysControllerTest < ActionController::TestCase
end
def test_not_logged_in
get :show
assert_login_required
assert_login_required do
get :show
end
end
def test_update
......
......@@ -7,8 +7,9 @@ class Me::PasswordsControllerTest < ActionController::TestCase
end
def test_not_logged_in
get :edit
assert_login_required
assert_login_required do
get :edit
end
end
def test_edit
......
......@@ -7,8 +7,9 @@ class Me::PermissionsControllerTest < ActionController::TestCase
end
def test_not_logged_in
get :index
assert_login_required
assert_login_required do
get :index
end
end
def test_default_list
......
......@@ -7,8 +7,9 @@ class Me::SettingsControllerTest < ActionController::TestCase
end
def test_not_logged_in
get :show
assert_login_required
assert_login_required do
get :show
end
end
def test_show
......
......@@ -45,9 +45,10 @@ class Pages::AssetsControllerTest < ActionController::TestCase
@page.save!
login_as :red
assert_no_difference '@page.assets.count' do
post :create, page_id: @page.id,
asset: {uploaded_data: upload_data('photo.jpg')}
assert_permission_denied
assert_permission_denied do
post :create, page_id: @page.id,
asset: {uploaded_data: upload_data('photo.jpg')}
end
end
end
......
......@@ -38,7 +38,9 @@ class Pages::ParticipationsControllerTest < ActionController::TestCase
@upart.access = :view
@upart.save
assert_no_difference 'PageHistory.count' do
xhr :post, :update, page_id: @page, id: @upart, access: :admin
assert_permission_denied do
xhr :post, :update, page_id: @page, id: @upart, access: :admin
end
end
assert_equal :view, @upart.reload.access_sym
end
......
......@@ -3,20 +3,27 @@ require File.dirname(__FILE__) + '/../test_helper'
class SessionControllerTest < ActionController::TestCase
fixtures :users, :groups, :sites, :tokens
def test_should_login_and_redirect
def test_login_screen
get :login
assert_response :success
end
def test_should_login_and_redirect
referer = 'http://test.host/bla'
@request.env["HTTP_REFERER"] = referer
post :login, login: 'quentin', password: 'quentin'
assert session[:user]
assert_response :redirect
assert_redirected_to '/me'
assert_redirected_to referer
end
def test_should_fail_login_and_not_redirect
referer = 'http://test.host/bla'
@request.env["HTTP_REFERER"] = referer
post :login, login: 'quentin', password: 'bad password'
assert_nil session[:user]
assert_response :success
assert_response :redirect
assert_redirected_to referer
end
def test_should_logout
......@@ -26,22 +33,17 @@ class SessionControllerTest < ActionController::TestCase
assert_response :redirect
end
def test_illegal_hash_redirect
post :login, redirect: {controller: :pages, action: :destroy, id: 123}, login: "quentin", password: "quentin"
assert_response :redirect
assert_redirected_to '/me'
end
def test_legal_redirect
def test_ignores_redirect_param
post :login, redirect: "blabla", login: "quentin", password: "quentin"
assert_response :redirect
assert_redirected_to "blabla"
assert_redirected_to "/"
end
def test_illegal_offsite_redirect
post :login, redirect: "http://blabla.com/track_me", login: "quentin", password: "quentin"
@request.env["HTTP_REFERER"] = "http://blabla.com/track_me"
post :login, login: "quentin", password: "quentin"
assert_response :redirect
assert_redirected_to "/me"
assert_redirected_to "/"
end
# def test_should_remember_me
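Review bot: The post-login redirect now comes from `HTTP_REFERER` (L278-L284, L286-L293) and the only negative case is a different host at L313, so the suite would not catch the two classic allow-list mistakes: a protocol-relative referer such as `//other.example/path` (constructed value), which parses with a host but browsers treat as absolute, and a host that merely starts with the app's host, such as `http://test.host.other.example/` (constructed value). One test per case next to `test_illegal_offsite_redirect`, each ending in `assert_redirected_to "/"`, would pin the check. `test_should_fail_login_and_not_redirect` should also be renamed, since L292 now asserts a redirect.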
......
......@@ -32,9 +32,9 @@ class Wikis::LocksControllerTest < ActionController::TestCase
end
def test_cannot_destroy_locks_when_logged_out
xhr :delete, :destroy, wiki_id: @wiki
assert_response 401
assert_equal :document, @wiki.reload.section_edited_by(@user)
assert_raises AuthenticationRequired do
xhr :delete, :destroy, wiki_id: @wiki
end
end
def test_breaking_lock
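Review bot: The old test also asserted at L326 that the lock was untouched (`assert_equal :document, @wiki.reload.section_edited_by(@user)`), while the new version only checks that `AuthenticationRequired` is raised; for a lock-destroy endpoint the untouched-lock check is the assertion that matters and should be kept after the `assert_raises` block. The hunk counts (9 old, 9 new) suggest L326 was dropped, but the page shows no markers, so this is moot if it survived.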
......
......@@ -103,9 +103,10 @@ class Wikis::WikisControllerTest < ActionController::TestCase
@wiki = create_profile_wiki(true)
@group.grant_access! public: :view
assert_permission(:may_show_wiki?, false) do
xhr :get, :show, id: @wiki.id
assert_permission_denied do
xhr :get, :show, id: @wiki.id
end
end
assert_permission_denied
end
##
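Review bot: The trailing bare `assert_permission_denied` at L342, if it remains on the new side, is a second call without a block after the block form at L338-L340 and either re-checks a stale response or passes vacuously; it should be deleted so the block form is the single assertion. Nesting `assert_permission_denied` inside `assert_permission(:may_show_wiki?, false)` also means that if the inner block raises, any checks the outer helper performs after its block (not visible here) are skipped. The page lost its markers, so which of L341-L342 is old or new cannot be confirmed from the text.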
......
......@@ -12,9 +12,8 @@ module FunctionalTestHelper
assert message_text(errors).grep("Permission Denied")
end
def assert_login_required
assert_response :redirect
assert_redirected_to root_path(redirect: @request.path)
def assert_login_required(&block)
assert_raises AuthenticationRequired, &block
end
NOT_FOUND_ERRORS = [
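Review bot: `assert message_text(errors).grep("Permission Denied")` at L347 can never fail, because `Array#grep` returns an array and an empty array is truthy in Ruby, so the message check in `assert_permission_denied` is a no-op; use `assert_includes message_text(errors), "Permission Denied"` or `assert message_text(errors).grep(/Permission Denied/).any?` (a String pattern to `grep` means exact element equality). The new `assert_login_required(&block)` at L352-L353 deserves a comment stating its narrowed contract, e.g. `# Only asserts that AuthenticationRequired is raised; the 401 login page is rendered by ExceptionsController and is not exercised here.` `assert_permission_denied` starts outside the hunk.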
......