authorSeb Bacon <seb.bacon@gmail.com>2012-06-27 13:35:35 +0100
committerSeb Bacon <seb.bacon@gmail.com>2012-06-27 13:35:35 +0100
commit25248d5255b9adced28160fba3b11f61d4eff189 (patch)
tree2db18f710b0375425e37a3598aad12fb12250c53
parentdb1a388f0a7b37cc0ceb3ca07b995b34dabdba58 (diff)
Don't allow non-superusers to access admin interface (eek!) Fixes #515
-rw-r--r--app/controllers/admin_controller.rb7
-rw-r--r--spec/controllers/admin_public_body_controller_spec.rb10
2 files changed, 14 insertions, 3 deletions
diff --git a/app/controllers/admin_controller.rb b/app/controllers/admin_controller.rb
index 884d7e540..d8fda9c01 100644
--- a/app/controllers/admin_controller.rb
+++ b/app/controllers/admin_controller.rb
@@ -47,8 +47,6 @@ class AdminController < ApplicationController
end
end
- private
-
def authenticate
if MySociety::Config.get('SKIP_ADMIN_AUTH', false)
session[:using_admin] = 1
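Review bot: Dropping the `private` marker at the removed line makes `authenticate` (and every method that follows it in this class, beyond the hunk) a public controller method, and in Rails of this era public controller methods are dispatchable as actions under a `:controller/:action` catch-all route, so `/admin/authenticate` becomes a reachable endpoint rather than just a filter. The motivation appears to be the `self.authenticate` call added later in this file, which Ruby rejects on a private method because of the explicit receiver; the safer fix is to keep `private` here and call the filter without a receiver, `authenticate`, in the later hunk. Whether such a catch-all route exists depends on config/routes.rb, which is not shown, but keeping the filter private costs nothing. The `authenticate` method itself continues past the end of this hunk.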
@@ -64,6 +62,11 @@ class AdminController < ApplicationController
if !@user.nil? && @user.admin_level == "super"
session[:using_admin] = 1
request.env['REMOTE_USER'] = @user.url_name
+ else
+
+ session[:using_admin] = nil
+ session[:user_id] = nil
+ self.authenticate
end
end
else
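Review bot: The re-entry via `self.authenticate` nulls the two session keys but never resets `@user`, which is the value the `admin_level == "super"` check on the first context line reads; if the code between the hunks populates `@user` once (memoized from the session) rather than re-reading `session[:user_id]` on every call, the recursive call sees the same non-super user, takes this `else` branch again and recurses until `SystemStackError`. Setting `@user = nil` immediately before the re-entry removes that dependency, or better, perform the sign-in redirect directly instead of recursing through the whole filter. Clearing `session[:user_id]` also logs the user out of the entire site, not just the admin area, which deserves a comment such as `# Force a fresh sign-in so a superuser account can be supplied; the PostRedirect returns them here afterwards` so the next maintainer does not read it as an accident. The enclosing `authenticate` method starts and ends outside this hunk.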
diff --git a/spec/controllers/admin_public_body_controller_spec.rb b/spec/controllers/admin_public_body_controller_spec.rb
index 171cb21b5..55a6649b2 100644
--- a/spec/controllers/admin_public_body_controller_spec.rb
+++ b/spec/controllers/admin_public_body_controller_spec.rb
@@ -146,7 +146,15 @@ describe AdminPublicBodyController, "when administering public bodies and paying
session[:using_admin].should == 1
end
-
+ it "doesn't allow non-superusers to do stuff" do
+ session[:user_id] = users(:robin_user).id
+ @request.env["HTTP_AUTHORIZATION"] = ""
+ n = PublicBody.count
+ post :destroy, { :id => public_bodies(:forlorn_public_body).id }
+ response.should redirect_to(:controller=>'user', :action=>'signin', :token=>PostRedirect.get_last_post_redirect.token)
+ PublicBody.count.should == n
+ session[:using_admin].should == nil
+ end
end
describe AdminPublicBodyController, "when administering public bodies with i18n" do
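Review bot: The new example asserts that `session[:using_admin]` is cleared but not that `session[:user_id]` is, even though the controller change clears both; adding `session[:user_id].should be_nil` after the existing session assertion pins the sign-out the redirect depends on. The commit title describes blocking access to the admin interface, yet the only request exercised is a `destroy`, so a read-only request such as `get :index` from the same non-super user would cover the reported case rather than just the write path. The example name `"doesn't allow non-superusers to do stuff"` is vague for a security regression test; `"redirects a signed-in non-superuser to sign-in without deleting the body"` says what is actually asserted.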