lib/lockdown/frameworks/rails/controller.rb in revo-lockdown-0.9.6 vs lib/lockdown/frameworks/rails/controller.rb in revo-lockdown-1.6.2
- old
+ new
@@ -2,41 +2,43 @@
module Frameworks
module Rails
module Controller
def available_actions(klass)
- if klass.respond_to?(:action_methods)
- klass.action_methods
- else
- klass.public_instance_methods - klass.hidden_actions
- end
+ klass.action_methods
end
def controller_name(klass)
klass.controller_name
end
# Locking methods
module Lock
+
def configure_lockdown
+ Lockdown.maybe_parse_init
check_session_expiry
store_location
end
+ # Basic auth functionality needs to be reworked as
+ # Lockdown doesn't provide authentication functionality.
def set_current_user
- login_from_basic_auth? unless logged_in?
+ #login_from_basic_auth? unless logged_in?
if logged_in?
Thread.current[:who_did_it] = Lockdown::System.
call(self, :who_did_it)
end
end
def check_request_authorization
unless authorized?(path_from_hash(params))
- raise SecurityError, "Authorization failed for params #{params.inspect}"
+ raise SecurityError, "Authorization failed! \nparams: #{params.inspect}\nsession: #{session.inspect}"
end
end
+
+ protected
def path_allowed?(url)
session[:access_rights] ||= Lockdown::System.public_access
session[:access_rights].include?(url)
end
@@ -59,35 +61,45 @@
def sent_from_uri
request.request_uri
end
def authorized?(url, method = nil)
+ # Reset access unless caching?
+ add_lockdown_session_values unless Lockdown.caching?
+
return false unless url
return true if current_user_is_admin?
method ||= (params[:method] || request.method)
url_parts = URI::split(url.strip)
- url = url_parts[5]
+ path = url_parts[5]
- return true if path_allowed?(url)
+ return true if path_allowed?(path)
begin
- hash = ActionController::Routing::Routes.recognize_path(url, :method => method)
+ hash = ActionController::Routing::Routes.recognize_path(path, :method => method)
return path_allowed?(path_from_hash(hash)) if hash
- rescue Exception
+ rescue Exception => e
# continue on
end
+ # Mailto link
+ return true if url =~ /^mailto:/
+
+ # Public file
+ file = File.join(RAILS_ROOT, 'public', url)
+ return true if File.exists?(file)
+
# Passing in different domain
return remote_url?(url_parts[2])
end
- def access_denied(e)
+ def ld_access_denied(e)
- RAILS_DEFAULT_LOGGER.info "Access denied: #{e}"
+ Lockdown.logger.info "Access denied: #{e}"
if Lockdown::System.fetch(:logout_on_access_violation)
reset_session
end
respond_to do |format|