From 8cb68ee8a1928bc9fd6f6d44937b3a8ea84b1f43 Mon Sep 17 00:00:00 2001 From: Phil Manavopoulos Date: Tue, 12 Sep 2017 15:53:55 +0100 Subject: Add test to assert that AJAX calls are also authenticated --- test/tc_mauve_web_interface.rb | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/test/tc_mauve_web_interface.rb b/test/tc_mauve_web_interface.rb index 54c9697..d2817d5 100644 --- a/test/tc_mauve_web_interface.rb +++ b/test/tc_mauve_web_interface.rb @@ -112,13 +112,21 @@ EOF assert last_response.body.include?("Mauve: Login") assert session['__FLASH__'].empty? - # Check we can access this page before logging in. + # Check we can't access this page before logging in. get '/alerts' assert(session['__FLASH__'].has_key?(:error),"The flash error wasn't set following forbidden access") follow_redirect! while last_response.redirect? assert_equal(403, last_response.status, "The HTTP status wasn't 403") assert last_response.body.include?("Mauve: Login") assert session['__FLASH__'].empty? + + # Check we can't access AJAX requests before logging in. + get '/ajax/alerts_table/raised/subject' + refute(session['__FLASH__'].has_key?(:error), "The flash error shouldn't have been set from an AJAX call") + follow_redirect! while last_response.redirect? + assert_equal(403, last_response.status, "The HTTP status wasn't 403") + assert last_response.body.include?('You must be logged in to access this page') + assert session['__FLASH__'].empty? # # Try to falsify our login. -- cgit v1.2.1 From 464901c752385592b5d574191c8871034c011f50 Mon Sep 17 00:00:00 2001 From: Phil Manavopoulos Date: Tue, 12 Sep 2017 16:01:18 +0100 Subject: Correctly make AJAX request in test --- test/tc_mauve_web_interface.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/tc_mauve_web_interface.rb b/test/tc_mauve_web_interface.rb index d2817d5..c93c25c 100644 --- a/test/tc_mauve_web_interface.rb +++ b/test/tc_mauve_web_interface.rb @@ -121,7 +121,7 @@ EOF assert session['__FLASH__'].empty? # Check we can't access AJAX requests before logging in. - get '/ajax/alerts_table/raised/subject' + get '/ajax/alerts_table/raised/subject', {}, {:xhr => true} refute(session['__FLASH__'].has_key?(:error), "The flash error shouldn't have been set from an AJAX call") follow_redirect! while last_response.redirect? assert_equal(403, last_response.status, "The HTTP status wasn't 403") -- cgit v1.2.1 From 16d0196c7b8d9a18021a54f75a9652123350c1e6 Mon Sep 17 00:00:00 2001 From: Phil Manavopoulos Date: Tue, 12 Sep 2017 16:05:37 +0100 Subject: Fix AJAX authentication --- lib/mauve/web_interface.rb | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/lib/mauve/web_interface.rb b/lib/mauve/web_interface.rb index 5fa1fb8..3bad868 100644 --- a/lib/mauve/web_interface.rb +++ b/lib/mauve/web_interface.rb @@ -123,11 +123,15 @@ EOF # Uh-oh.. Intruder alert! # ok_urls = %w(/ /login /logout) - no_redirect_urls = %w(/ajax) - unless ok_urls.include?(request.path_info) - flash['error'] = "You must be logged in to access that page." - redirect "/login?next_page=#{request.path_info}" unless no_redirect_urls.any?{|u| /^#{u}/ =~ request.path_info } + unless ok_urls.include?(request.path_info) + # No auth, so we need to stop the page loading + if request.xhr? # No redirecting for AJAX requests + halt 403, {'Content-Type' => 'text/plain'}, 'You must be logged in to access this page.' + else + flash['error'] = 'You must be logged in to access that page.' + redirect "/login?next_page=#{request.path_info}" + end end end end -- cgit v1.2.1 From 4120c885aa2f9d614ce6119afb1e6c68f91353c4 Mon Sep 17 00:00:00 2001 From: Phil Manavopoulos Date: Tue, 12 Sep 2017 16:27:39 +0100 Subject: Events tab to link to list instead of calendar, calendar takes too long to load --- views/_navbar.haml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/views/_navbar.haml b/views/_navbar.haml index bd23308..840fa7e 100644 --- a/views/_navbar.haml +++ b/views/_navbar.haml @@ -16,7 +16,7 @@ %li{:class => [ request.path_info =~ /^\/search/ && "nav_selected"]} %a{:href => '/search'} Search %li{:class => [ request.path_info =~ /^\/events/ && "nav_selected"]} - %a{:href => '/events/calendar'} Events + %a{:href => '/events/list'} Events %li %a{:href => '/logout'} Log out %br -- cgit v1.2.1 From 936433a8e3330021abaf6543d79b055d23565d99 Mon Sep 17 00:00:00 2001 From: Phil Manavopoulos Date: Tue, 12 Sep 2017 16:28:35 +0100 Subject: Update changelog --- debian/changelog | 1 + 1 file changed, 1 insertion(+) diff --git a/debian/changelog b/debian/changelog index a5a176b..aced497 100644 --- a/debian/changelog +++ b/debian/changelog @@ -6,6 +6,7 @@ mauvealert (3.16.0) UNRELEASED; urgency=medium into /etc/mauvealert/mauveserver.conf. (!2) * Changed supervision model to systemd. (!2) * Removed XMPP support. (!2) + * Change 'Events' nav item to load day list instead of calendar (#18, !4) -- Patrick J Cherry Mon, 01 Aug 2017 14:37:32 +0100 -- cgit v1.2.1 From 44636adb743dbe538a059a8dd34485a678018f0b Mon Sep 17 00:00:00 2001 From: Phil Manavopoulos Date: Tue, 12 Sep 2017 16:30:37 +0100 Subject: Update changelog --- debian/changelog | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/debian/changelog b/debian/changelog index aced497..e4d42d3 100644 --- a/debian/changelog +++ b/debian/changelog @@ -6,7 +6,8 @@ mauvealert (3.16.0) UNRELEASED; urgency=medium into /etc/mauvealert/mauveserver.conf. (!2) * Changed supervision model to systemd. (!2) * Removed XMPP support. (!2) - * Change 'Events' nav item to load day list instead of calendar (#18, !4) + * Make authentication work for AJAX requests (#22, !3) + * Change 'Events' nav item to load day list instead of calendar (#18, !3) -- Patrick J Cherry Mon, 01 Aug 2017 14:37:32 +0100 -- cgit v1.2.1