diff options
| author | Patrick J Cherry <patrick@bytemark.co.uk> | 2017-09-12 16:39:01 +0100 |
|---|---|---|
| committer | Patrick J Cherry <patrick@bytemark.co.uk> | 2017-09-12 16:39:01 +0100 |
| commit | d115cd9e58300ee8ab580e6d1d3d6e8d35cb8845 (patch) | |
| tree | bc281a0b23153378579e24d0f10218069bb34faf | |
| parent | 4eff930c3f01414bb454d7bcb5501827cb60289b (diff) | |
| parent | 44636adb743dbe538a059a8dd34485a678018f0b (diff) | |
Merge branch '22-alerts-can-be-accessed-without-prior-authentication' into 'develop'
AJAX auth and navbar change
Closes #22 and #18
See merge request !3
| -rw-r--r-- | debian/changelog | 2 | ||||
| -rw-r--r-- | lib/mauve/web_interface.rb | 12 | ||||
| -rw-r--r-- | test/tc_mauve_web_interface.rb | 10 | ||||
| -rw-r--r-- | views/_navbar.haml | 2 |
4 files changed, 20 insertions, 6 deletions
diff --git a/debian/changelog b/debian/changelog index a5a176b..e4d42d3 100644 --- a/debian/changelog +++ b/debian/changelog @@ -6,6 +6,8 @@ mauvealert (3.16.0) UNRELEASED; urgency=medium into /etc/mauvealert/mauveserver.conf. (!2) * Changed supervision model to systemd. (!2) * Removed XMPP support. (!2) + * Make authentication work for AJAX requests (#22, !3) + * Change 'Events' nav item to load day list instead of calendar (#18, !3) -- Patrick J Cherry <patrick@bytemark.co.uk> Mon, 01 Aug 2017 14:37:32 +0100 diff --git a/lib/mauve/web_interface.rb b/lib/mauve/web_interface.rb index 5fa1fb8..3bad868 100644 --- a/lib/mauve/web_interface.rb +++ b/lib/mauve/web_interface.rb @@ -123,11 +123,15 @@ EOF # Uh-oh.. Intruder alert! # ok_urls = %w(/ /login /logout) - no_redirect_urls = %w(/ajax) - unless ok_urls.include?(request.path_info) - flash['error'] = "You must be logged in to access that page." - redirect "/login?next_page=#{request.path_info}" unless no_redirect_urls.any?{|u| /^#{u}/ =~ request.path_info } + unless ok_urls.include?(request.path_info) + # No auth, so we need to stop the page loading + if request.xhr? # No redirecting for AJAX requests + halt 403, {'Content-Type' => 'text/plain'}, 'You must be logged in to access this page.' + else + flash['error'] = 'You must be logged in to access that page.' + redirect "/login?next_page=#{request.path_info}" + end end end end diff --git a/test/tc_mauve_web_interface.rb b/test/tc_mauve_web_interface.rb index 54c9697..c93c25c 100644 --- a/test/tc_mauve_web_interface.rb +++ b/test/tc_mauve_web_interface.rb @@ -112,13 +112,21 @@ EOF assert last_response.body.include?("Mauve: Login") assert session['__FLASH__'].empty? - # Check we can access this page before logging in. + # Check we can't access this page before logging in. get '/alerts' assert(session['__FLASH__'].has_key?(:error),"The flash error wasn't set following forbidden access") follow_redirect! while last_response.redirect? assert_equal(403, last_response.status, "The HTTP status wasn't 403") assert last_response.body.include?("Mauve: Login") assert session['__FLASH__'].empty? + + # Check we can't access AJAX requests before logging in. + get '/ajax/alerts_table/raised/subject', {}, {:xhr => true} + refute(session['__FLASH__'].has_key?(:error), "The flash error shouldn't have been set from an AJAX call") + follow_redirect! while last_response.redirect? + assert_equal(403, last_response.status, "The HTTP status wasn't 403") + assert last_response.body.include?('You must be logged in to access this page') + assert session['__FLASH__'].empty? # # Try to falsify our login. diff --git a/views/_navbar.haml b/views/_navbar.haml index bd23308..840fa7e 100644 --- a/views/_navbar.haml +++ b/views/_navbar.haml @@ -16,7 +16,7 @@ %li{:class => [ request.path_info =~ /^\/search/ && "nav_selected"]} %a{:href => '/search'} Search %li{:class => [ request.path_info =~ /^\/events/ && "nav_selected"]} - %a{:href => '/events/calendar'} Events + %a{:href => '/events/list'} Events %li %a{:href => '/logout'} Log out %br |