From 16d0196c7b8d9a18021a54f75a9652123350c1e6 Mon Sep 17 00:00:00 2001
From: Phil Manavopoulos
Date: Tue, 12 Sep 2017 16:05:37 +0100
Subject: Fix AJAX authentication
---
 lib/mauve/web_interface.rb | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/lib/mauve/web_interface.rb b/lib/mauve/web_interface.rb
index 5fa1fb8..3bad868 100644
--- a/lib/mauve/web_interface.rb
+++ b/lib/mauve/web_interface.rb
@@ -123,11 +123,15 @@ EOF
 # Uh-oh.. Intruder alert!
 #
 ok_urls = %w(/ /login /logout)
- no_redirect_urls = %w(/ajax)
- unless ok_urls.include?(request.path_info)
- flash['error'] = "You must be logged in to access that page."
- redirect "/login?next_page=#{request.path_info}" unless no_redirect_urls.any?{|u| /^#{u}/ =~ request.path_info }
+ unless ok_urls.include?(request.path_info)
+ # No auth, so we need to stop the page loading
+ if request.xhr? # No redirecting for AJAX requests
+ halt 403, {'Content-Type' => 'text/plain'}, 'You must be logged in to access this page.'
+ else
+ flash['error'] = 'You must be logged in to access that page.'
+ redirect "/login?next_page=#{request.path_info}"
+ end
 end
 end
 end
--
cgit v1.2.1
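Review bot: The redirect in the non-XHR branch still interpolates `request.path_info` into the query string unencoded, so a path containing `&`, `#` or `%` changes what `/login` receives as `next_page`; I would write `redirect "/login?next_page=#{Rack::Utils.escape(request.path_info)}"`. The value is chosen by the client and the `/login` handler is not in this hunk, so it is worth confirming there that `next_page` is honoured only when it is a local path before it is used as a redirect target. `request.xhr?` reflects the client-supplied `X-Requested-With` header, which is acceptable here only because both branches stop the request (`halt` and `redirect`). A comment such as `# xhr? is client-controlled and only selects the response format; both branches must halt` would guard against a later edit reintroducing the case the removed lines appear to have had, where `/ajax` paths were neither redirected nor halted. The enclosing block starts above the hunk.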