BigW Consortium Gitlab

Commit cc3c6ad0 by Nihad Abbasov

allow login via private token only for atom feeds

parent f8f6ff06
class ApplicationController < ActionController::Base
before_filter :authenticate_user!
before_filter :reject_blocked!
before_filter :set_current_user_for_mailer
before_filter :set_current_user_for_mailer, :check_token_auth
protect_from_forgery
helper_method :abilities, :can?
......@@ -17,9 +17,16 @@ class ApplicationController < ActionController::Base
protected
def check_token_auth
# Redirect to login page if not atom feed
if params[:private_token].present? && params[:format] != 'atom'
redirect_to new_user_session_path
end
end
def reject_blocked!
if current_user && current_user.blocked
sign_out current_user
sign_out current_user
flash[:alert] = "Your account was blocked"
redirect_to new_user_session_path
end
......
......@@ -28,6 +28,13 @@ describe "Projects" do
visit projects_path(:atom, :private_token => @user.private_token)
page.body.should have_selector("feed title")
end
it "should not render projects page via private token" do
logout
visit projects_path(:private_token => @user.private_token)
current_path.should == new_user_session_path
end
end
describe "GET /projects/new" do
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment