aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorPatrick J Cherry <patrick@bytemark.co.uk>2017-09-12 16:39:01 +0100
committerPatrick J Cherry <patrick@bytemark.co.uk>2017-09-12 16:39:01 +0100
commitd115cd9e58300ee8ab580e6d1d3d6e8d35cb8845 (patch)
treebc281a0b23153378579e24d0f10218069bb34faf
parent4eff930c3f01414bb454d7bcb5501827cb60289b (diff)
parent44636adb743dbe538a059a8dd34485a678018f0b (diff)
Merge branch '22-alerts-can-be-accessed-without-prior-authentication' into 'develop'
AJAX auth and navbar change Closes #22 and #18 See merge request !3
-rw-r--r--debian/changelog2
-rw-r--r--lib/mauve/web_interface.rb12
-rw-r--r--test/tc_mauve_web_interface.rb10
-rw-r--r--views/_navbar.haml2
4 files changed, 20 insertions, 6 deletions
diff --git a/debian/changelog b/debian/changelog
index a5a176b..e4d42d3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -6,6 +6,8 @@ mauvealert (3.16.0) UNRELEASED; urgency=medium
into /etc/mauvealert/mauveserver.conf. (!2)
* Changed supervision model to systemd. (!2)
* Removed XMPP support. (!2)
+ * Make authentication work for AJAX requests (#22, !3)
+ * Change 'Events' nav item to load day list instead of calendar (#18, !3)
-- Patrick J Cherry <patrick@bytemark.co.uk> Mon, 01 Aug 2017 14:37:32 +0100
diff --git a/lib/mauve/web_interface.rb b/lib/mauve/web_interface.rb
index 5fa1fb8..3bad868 100644
--- a/lib/mauve/web_interface.rb
+++ b/lib/mauve/web_interface.rb
@@ -123,11 +123,15 @@ EOF
# Uh-oh.. Intruder alert!
#
ok_urls = %w(/ /login /logout)
- no_redirect_urls = %w(/ajax)
- unless ok_urls.include?(request.path_info)
- flash['error'] = "You must be logged in to access that page."
- redirect "/login?next_page=#{request.path_info}" unless no_redirect_urls.any?{|u| /^#{u}/ =~ request.path_info }
+ unless ok_urls.include?(request.path_info)
+ # No auth, so we need to stop the page loading
+ if request.xhr? # No redirecting for AJAX requests
+ halt 403, {'Content-Type' => 'text/plain'}, 'You must be logged in to access this page.'
+ else
+ flash['error'] = 'You must be logged in to access that page.'
+ redirect "/login?next_page=#{request.path_info}"
+ end
end
end
end
diff --git a/test/tc_mauve_web_interface.rb b/test/tc_mauve_web_interface.rb
index 54c9697..c93c25c 100644
--- a/test/tc_mauve_web_interface.rb
+++ b/test/tc_mauve_web_interface.rb
@@ -112,13 +112,21 @@ EOF
assert last_response.body.include?("Mauve: Login")
assert session['__FLASH__'].empty?
- # Check we can access this page before logging in.
+ # Check we can't access this page before logging in.
get '/alerts'
assert(session['__FLASH__'].has_key?(:error),"The flash error wasn't set following forbidden access")
follow_redirect! while last_response.redirect?
assert_equal(403, last_response.status, "The HTTP status wasn't 403")
assert last_response.body.include?("Mauve: Login")
assert session['__FLASH__'].empty?
+
+ # Check we can't access AJAX requests before logging in.
+ get '/ajax/alerts_table/raised/subject', {}, {:xhr => true}
+ refute(session['__FLASH__'].has_key?(:error), "The flash error shouldn't have been set from an AJAX call")
+ follow_redirect! while last_response.redirect?
+ assert_equal(403, last_response.status, "The HTTP status wasn't 403")
+ assert last_response.body.include?('You must be logged in to access this page')
+ assert session['__FLASH__'].empty?
#
# Try to falsify our login.
diff --git a/views/_navbar.haml b/views/_navbar.haml
index bd23308..840fa7e 100644
--- a/views/_navbar.haml
+++ b/views/_navbar.haml
@@ -16,7 +16,7 @@
%li{:class => [ request.path_info =~ /^\/search/ && "nav_selected"]}
%a{:href => '/search'} Search
%li{:class => [ request.path_info =~ /^\/events/ && "nav_selected"]}
- %a{:href => '/events/calendar'} Events
+ %a{:href => '/events/list'} Events
%li
%a{:href => '/logout'} Log out
%br