By restricting role changes to POST requests, which they should be
anyway, we get all the rails CSRF protection for free.
before_filter :require_valid_role
before_filter :not_in_role, :only => [:grant]
before_filter :in_role, :only => [:revoke]
before_filter :require_valid_role
before_filter :not_in_role, :only => [:grant]
before_filter :in_role, :only => [:revoke]
- around_filter :setup_nonce
def grant
@this_user.roles.create({
def grant
@this_user.roles.create({
redirect_to :controller => 'user', :action => 'view', :display_name => params[:display_name] unless @this_user
end
redirect_to :controller => 'user', :action => 'view', :display_name => params[:display_name] unless @this_user
end
- ##
- # the random nonce here which isn't predictable, making an CSRF
- # procedure much, much more difficult. setup the nonce. if the given
- # nonce matches the session nonce then yield into the actual method.
- # otherwise, just sets up the nonce for the form.
- def setup_nonce
- if params[:nonce] and params[:nonce] == session[:nonce]
- @nonce = params[:nonce]
- yield
- else
- @nonce = OAuth::Helper.generate_nonce
- session[:nonce] = @nonce
- render
- end
- end
-
##
# require that the given role is valid. the role is a URL
# parameter, so should always be present.
##
# require that the given role is valid. the role is a URL
# parameter, so should always be present.
<% UserRole::ALL_ROLES.each do |role| %>
<% if @user and @user.administrator? %>
<% if @this_user.has_role? role %>
<% UserRole::ALL_ROLES.each do |role| %>
<% if @user and @user.administrator? %>
<% if @this_user.has_role? role %>
- <%= link_to(image_tag("roles/#{role}.png", :size => "20x20", :border => 0, :alt => t("user.view.role.revoke.#{role}"), :title => t("user.view.role.revoke.#{role}")), :controller => 'user_roles', :action => 'revoke', :display_name => @this_user.display_name, :role => role) %>
+ <%= link_to image_tag("roles/#{role}.png", :size => "20x20", :border => 0, :alt => t("user.view.role.revoke.#{role}"), :title => t("user.view.role.revoke.#{role}")), revoke_role_path(:display_name => @this_user.display_name, :role => role), :method => :post, :confirm => t('user_role.revoke.are_you_sure', :name => @this_user.display_name, :role => role) %>
- <%= link_to(image_tag("roles/blank_#{role}.png", :size => "20x20", :border => 0, :alt => t("user.view.role.grant.#{role}"), :title => t("user.view.role.grant.#{role}")), :controller => 'user_roles', :action => 'grant', :display_name => @this_user.display_name, :role => role) %>
+ <%= link_to image_tag("roles/blank_#{role}.png", :size => "20x20", :border => 0, :alt => t("user.view.role.grant.#{role}"), :title => t("user.view.role.grant.#{role}")), grant_role_path(:display_name => @this_user.display_name, :role => role), :method => :post, :confirm => t('user_role.grant.are_you_sure', :name => @this_user.display_name, :role => role) %>
<% end %>
<% elsif @this_user.has_role? role %>
<%= image_tag("roles/#{role}.png", :size => "20x20", :border => 0, :alt => t("user.view.role.#{role}"), :title => t("user.view.role.#{role}")) %>
<% end %>
<% elsif @this_user.has_role? role %>
<%= image_tag("roles/#{role}.png", :size => "20x20", :border => 0, :alt => t("user.view.role.#{role}"), :title => t("user.view.role.#{role}")) %>
+++ /dev/null
-<%= form_tag request.fullpath do %>
-<%= hidden_field_tag 'nonce', @nonce %>
-<% @title = t('user_role.grant.heading') %>
-<h1><%= t('user_role.grant.heading') %></h1>
-<p><%= t('user_role.grant.are_you_sure', :name => params[:display_name], :role => params[:role]) %></p>
-<p><%= submit_tag t('user_role.grant.confirm') %></p>
-<% end %>
+++ /dev/null
-<%= form_tag request.fullpath do %>
-<%= hidden_field_tag 'nonce', @nonce %>
-<% @title = t('user_role.revoke.heading') %>
-<h1><%= t('user_role.revoke.heading') %></h1>
-<p><%= t('user_role.revoke.are_you_sure', :name => params[:display_name], :role => params[:role]) %></p>
-<p><%= submit_tag t'user_role.revoke.confirm' %></p>
-<% end %>
match '/oauth/test_request' => 'oauth#test_request', :as => :test_request
# roles and banning pages
match '/oauth/test_request' => 'oauth#test_request', :as => :test_request
# roles and banning pages
- match '/user/:display_name/role/:role/grant' => 'user_roles#grant', :via => [:get, :post]
- match '/user/:display_name/role/:role/revoke' => 'user_roles#revoke', :via => [:get, :post]
+ match '/user/:display_name/role/:role/grant' => 'user_roles#grant', :via => :post, :as => "grant_role"
+ match '/user/:display_name/role/:role/revoke' => 'user_roles#revoke', :via => :post, :as => "revoke_role"
match '/user/:display_name/blocks' => 'user_blocks#blocks_on', :via => :get
match '/user/:display_name/blocks_by' => 'user_blocks#blocks_by', :via => :get
match '/blocks/new/:display_name' => 'user_blocks#new', :via => :get, :as => "new_user_block"
match '/user/:display_name/blocks' => 'user_blocks#blocks_on', :via => :get
match '/user/:display_name/blocks_by' => 'user_blocks#blocks_by', :via => :get
match '/blocks/new/:display_name' => 'user_blocks#new', :via => :get, :as => "new_user_block"
CREATE TYPE format_enum AS ENUM (
'html',
CREATE TYPE format_enum AS ENUM (
'html',
##
# test all routes which lead to this controller
def test_routes
##
# test all routes which lead to this controller
def test_routes
- assert_routing(
- { :path => "/user/username/role/rolename/grant", :method => :get },
- { :controller => "user_roles", :action => "grant", :display_name => "username", :role => "rolename" }
- )
assert_routing(
{ :path => "/user/username/role/rolename/grant", :method => :post },
{ :controller => "user_roles", :action => "grant", :display_name => "username", :role => "rolename" }
)
assert_routing(
{ :path => "/user/username/role/rolename/grant", :method => :post },
{ :controller => "user_roles", :action => "grant", :display_name => "username", :role => "rolename" }
)
- assert_routing(
- { :path => "/user/username/role/rolename/revoke", :method => :get },
- { :controller => "user_roles", :action => "revoke", :display_name => "username", :role => "rolename" }
- )
assert_routing(
{ :path => "/user/username/role/rolename/revoke", :method => :post },
{ :controller => "user_roles", :action => "revoke", :display_name => "username", :role => "rolename" }
assert_routing(
{ :path => "/user/username/role/rolename/revoke", :method => :post },
{ :controller => "user_roles", :action => "revoke", :display_name => "username", :role => "rolename" }
check_fail(:revoke, :administrator_user, :moderator)
end
check_fail(:revoke, :administrator_user, :moderator)
end
def check_fail(action, user, role)
get '/login'
assert_response :redirect
def check_fail(action, user, role)
get '/login'
assert_response :redirect
follow_redirect!
assert_response :success
follow_redirect!
assert_response :success
- get "/user/#{users(:second_public_user).display_name}/role/#{role}/#{action}"
- assert_response :redirect
+ post "/user/#{users(:second_public_user).display_name}/role/#{role}/#{action}"
assert_redirected_to :controller => 'user', :action => 'view', :display_name => users(:second_public_user).display_name
reset!
assert_redirected_to :controller => 'user', :action => 'view', :display_name => users(:second_public_user).display_name
reset!
follow_redirect!
assert_response :success
follow_redirect!
assert_response :success
- get "/user/#{users(:second_public_user).display_name}/role/#{role}/#{action}"
- assert_response :success
- post "/user/#{users(:second_public_user).display_name}/role/#{role}/#{action}", {:confirm => "yes", :nonce => session[:nonce]}
- assert_response :redirect
+ post "/user/#{users(:second_public_user).display_name}/role/#{role}/#{action}"
assert_redirected_to :controller => 'user', :action => 'view', :display_name => users(:second_public_user).display_name
reset!
assert_redirected_to :controller => 'user', :action => 'view', :display_name => users(:second_public_user).display_name
reset!
projects / rails.git / commitdiff