diff options
author | Phil Manavopoulos <phil.manavopoulos@bytemark.co.uk> | 2017-09-12 16:05:37 +0100 |
---|---|---|
committer | Phil Manavopoulos <phil.manavopoulos@bytemark.co.uk> | 2017-09-12 16:05:37 +0100 |
commit | 16d0196c7b8d9a18021a54f75a9652123350c1e6 (patch) | |
tree | a8a08d31fc31f1d4d482cac90204ca3961e11d83 /lib/mauve | |
parent | 464901c752385592b5d574191c8871034c011f50 (diff) |
Fix AJAX authentication
Diffstat (limited to 'lib/mauve')
-rw-r--r-- | lib/mauve/web_interface.rb | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/lib/mauve/web_interface.rb b/lib/mauve/web_interface.rb index 5fa1fb8..3bad868 100644 --- a/lib/mauve/web_interface.rb +++ b/lib/mauve/web_interface.rb @@ -123,11 +123,15 @@ EOF # Uh-oh.. Intruder alert! # ok_urls = %w(/ /login /logout) - no_redirect_urls = %w(/ajax) - unless ok_urls.include?(request.path_info) - flash['error'] = "You must be logged in to access that page." - redirect "/login?next_page=#{request.path_info}" unless no_redirect_urls.any?{|u| /^#{u}/ =~ request.path_info } + unless ok_urls.include?(request.path_info) + # No auth, so we need to stop the page loading + if request.xhr? # No redirecting for AJAX requests + halt 403, {'Content-Type' => 'text/plain'}, 'You must be logged in to access this page.' + else + flash['error'] = 'You must be logged in to access that page.' + redirect "/login?next_page=#{request.path_info}" + end end end end |