Sha256: cb10d6c1368eaacb839828c91b9f1ad94542be5ff739f150be276cce829ac6cb

Contents?: true

Size: 1.57 KB

Versions: 9

Compression:

Stored size: 1.57 KB

Contents

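module Scrivito

# Controller for Scrivito webservice endpoints. Every request passes two
# filters, in this order: a CSRF token check that also covers GET and HEAD,
# then an authorization check that requires an editor to be present.
class WebserviceController < ActionController::Base
  helper :scrivito

  # Render the listed error types as a JSON error document, using the HTTP
  # status carried by the error itself.
  # NOTE(review): ActionController::InvalidAuthenticityToken (raised by the
  # CSRF filter below) is not in this list, so it is handled by whatever the
  # host application / Rails does by default.
  rescue_from ApplicationError, ClientError, ResourceNotFound do |error|
    @error = error
    @timestamp = Time.zone.now
    render 'scrivito/webservice/error', formats: :json, status: error.http_code
  end

  # Order matters: the CSRF check runs before the authorization check.
  before_action :verify_authenticity_token_for_every_request
  before_action :authorize

  private

  # Similar to Rails' verify_authenticity_token, but also protects GET and HEAD.
  #
  # The token is read only from the +X-CSRF-Token+ request header; a token
  # sent as a request parameter is not considered here.
  #
  # @raise [ActionController::InvalidAuthenticityToken] if the header token
  #   is missing or does not match the session
  # @return [void]
  def verify_authenticity_token_for_every_request
    # Skipped whenever forgery protection is switched off. Rails typically
    # disables it in the test environment, but any environment that turns it
    # off also turns off this check.
    return unless protect_against_forgery?

    csrf_token = request.headers['X-CSRF-Token']
    return if valid_authenticity_token?(session, csrf_token)

    raise ActionController::InvalidAuthenticityToken
  end

  # before_action filter: answers 403 (which halts the filter chain) unless
  # {#allow_access?} grants access.
  # @return [void]
  def authorize
    render_forbidden unless allow_access?
  end

  # @return the editing context derived from the current request
  def editing_context
    EditingContextMiddleware.from_request(request)
  end

  # @return the editor of the current editing context; may be blank, which
  #   is what {#allow_access?} tests for
  def scrivito_user
    editing_context.editor
  end

  # If +true+, allow access to ObjsController, else deny access.
  # See {Scrivito::Configuration.editing_auth} for details.
  # @return [Boolean]
  def allow_access?
    scrivito_user.present?
  end

  # Ask the current editor whether +verb+ is permitted on +workspace+.
  #
  # Fails closed: without an editor the answer is +false+ instead of a
  # NoMethodError on +nil+. This keeps the check a plain "deny" when it is
  # reached without the +authorize+ filter having established an editor
  # (for example from a view through the +can_user_read_workspace?+ helper).
  #
  # @param verb [Symbol] the permission to check, e.g. +:read+
  # @param workspace the workspace the permission applies to
  # @return [Boolean] result of the editor's +can?+, or +false+ without an editor
  def can_user_access_workspace?(verb, workspace)
    user = scrivito_user
    user.present? && user.can?(verb, workspace)
  end

  # Run the given block only if the editor may perform +verb+ on +workspace+;
  # otherwise answer 403 and skip the block.
  #
  # @param verb [Symbol] the permission to check
  # @param workspace the workspace the permission applies to
  # @yield the protected work, executed only when access is granted
  def authorize_workspace_access(verb, workspace)
    if can_user_access_workspace?(verb, workspace)
      yield
    else
      render_forbidden
    end
  end

  # Answer with a plain-text 403 response.
  # @return [void]
  def render_forbidden
    render plain: 'Forbidden', status: 403
  end

  # Convenience wrapper for the +:read+ permission; exposed to views below.
  # @param workspace the workspace to check
  # @return [Boolean]
  def can_user_read_workspace?(workspace)
    can_user_access_workspace?(:read, workspace)
  end

  helper_method :can_user_read_workspace?
end

end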

Version data entries

9 entries across 9 versions & 1 rubygems

Version Path
scrivito_sdk-1.18.0 app/controllers/scrivito/webservice_controller.rb
scrivito_sdk-1.18.0.rc1 app/controllers/scrivito/webservice_controller.rb
scrivito_sdk-1.17.0 app/controllers/scrivito/webservice_controller.rb
scrivito_sdk-1.17.0.rc3 app/controllers/scrivito/webservice_controller.rb
scrivito_sdk-1.17.0.rc2 app/controllers/scrivito/webservice_controller.rb
scrivito_sdk-1.17.0.rc1 app/controllers/scrivito/webservice_controller.rb
scrivito_sdk-1.16.0 app/controllers/scrivito/webservice_controller.rb
scrivito_sdk-1.16.0.rc2 app/controllers/scrivito/webservice_controller.rb
scrivito_sdk-1.16.0.rc1 app/controllers/scrivito/webservice_controller.rb