aboutsummaryrefslogtreecommitdiff
path: root/lib/mauve
diff options
context:
space:
mode:
authorPhil Manavopoulos <phil.manavopoulos@bytemark.co.uk>2017-09-12 16:05:37 +0100
committerPhil Manavopoulos <phil.manavopoulos@bytemark.co.uk>2017-09-12 16:05:37 +0100
commit16d0196c7b8d9a18021a54f75a9652123350c1e6 (patch)
treea8a08d31fc31f1d4d482cac90204ca3961e11d83 /lib/mauve
parent464901c752385592b5d574191c8871034c011f50 (diff)
Fix AJAX authentication
Diffstat (limited to 'lib/mauve')
-rw-r--r--lib/mauve/web_interface.rb12
1 files changed, 8 insertions, 4 deletions
diff --git a/lib/mauve/web_interface.rb b/lib/mauve/web_interface.rb
index 5fa1fb8..3bad868 100644
--- a/lib/mauve/web_interface.rb
+++ b/lib/mauve/web_interface.rb
@@ -123,11 +123,15 @@ EOF
# Uh-oh.. Intruder alert!
#
ok_urls = %w(/ /login /logout)
- no_redirect_urls = %w(/ajax)
- unless ok_urls.include?(request.path_info)
- flash['error'] = "You must be logged in to access that page."
- redirect "/login?next_page=#{request.path_info}" unless no_redirect_urls.any?{|u| /^#{u}/ =~ request.path_info }
+ unless ok_urls.include?(request.path_info)
+ # No auth, so we need to stop the page loading
+ if request.xhr? # No redirecting for AJAX requests
+ halt 403, {'Content-Type' => 'text/plain'}, 'You must be logged in to access this page.'
+ else
+ flash['error'] = 'You must be logged in to access that page.'
+ redirect "/login?next_page=#{request.path_info}"
+ end
end
end
end