diff options
| -rw-r--r-- | debian/changelog | 2 | ||||
| -rw-r--r-- | lib/mauve/web_interface.rb | 12 | ||||
| -rw-r--r-- | test/tc_mauve_web_interface.rb | 10 | ||||
| -rw-r--r-- | views/_navbar.haml | 2 |
4 files changed, 20 insertions, 6 deletions
diff --git a/debian/changelog b/debian/changelog index a5a176b..e4d42d3 100644 --- a/debian/changelog +++ b/debian/changelog @@ -6,6 +6,8 @@ mauvealert (3.16.0) UNRELEASED; urgency=medium into /etc/mauvealert/mauveserver.conf. (!2) * Changed supervision model to systemd. (!2) * Removed XMPP support. (!2) + * Make authentication work for AJAX requests (#22, !3) + * Change 'Events' nav item to load day list instead of calendar (#18, !3) -- Patrick J Cherry <patrick@bytemark.co.uk> Mon, 01 Aug 2017 14:37:32 +0100 diff --git a/lib/mauve/web_interface.rb b/lib/mauve/web_interface.rb index 5fa1fb8..3bad868 100644 --- a/lib/mauve/web_interface.rb +++ b/lib/mauve/web_interface.rb @@ -123,11 +123,15 @@ EOF # Uh-oh.. Intruder alert! # ok_urls = %w(/ /login /logout) - no_redirect_urls = %w(/ajax) - unless ok_urls.include?(request.path_info) - flash['error'] = "You must be logged in to access that page." - redirect "/login?next_page=#{request.path_info}" unless no_redirect_urls.any?{|u| /^#{u}/ =~ request.path_info } + unless ok_urls.include?(request.path_info) + # No auth, so we need to stop the page loading + if request.xhr? # No redirecting for AJAX requests + halt 403, {'Content-Type' => 'text/plain'}, 'You must be logged in to access this page.' + else + flash['error'] = 'You must be logged in to access that page.' + redirect "/login?next_page=#{request.path_info}" + end end end end diff --git a/test/tc_mauve_web_interface.rb b/test/tc_mauve_web_interface.rb index 54c9697..c93c25c 100644 --- a/test/tc_mauve_web_interface.rb +++ b/test/tc_mauve_web_interface.rb @@ -112,13 +112,21 @@ EOF assert last_response.body.include?("Mauve: Login") assert session['__FLASH__'].empty? - # Check we can access this page before logging in. + # Check we can't access this page before logging in. get '/alerts' assert(session['__FLASH__'].has_key?(:error),"The flash error wasn't set following forbidden access") follow_redirect! while last_response.redirect? assert_equal(403, last_response.status, "The HTTP status wasn't 403") assert last_response.body.include?("Mauve: Login") assert session['__FLASH__'].empty? + + # Check we can't access AJAX requests before logging in. + get '/ajax/alerts_table/raised/subject', {}, {:xhr => true} + refute(session['__FLASH__'].has_key?(:error), "The flash error shouldn't have been set from an AJAX call") + follow_redirect! while last_response.redirect? + assert_equal(403, last_response.status, "The HTTP status wasn't 403") + assert last_response.body.include?('You must be logged in to access this page') + assert session['__FLASH__'].empty? # # Try to falsify our login. diff --git a/views/_navbar.haml b/views/_navbar.haml index bd23308..840fa7e 100644 --- a/views/_navbar.haml +++ b/views/_navbar.haml @@ -16,7 +16,7 @@ %li{:class => [ request.path_info =~ /^\/search/ && "nav_selected"]} %a{:href => '/search'} Search %li{:class => [ request.path_info =~ /^\/events/ && "nav_selected"]} - %a{:href => '/events/calendar'} Events + %a{:href => '/events/list'} Events %li %a{:href => '/logout'} Log out %br |