author | Seb Bacon <seb.bacon@gmail.com> | 2011-07-27 15:27:22 +0100 |
committer | Seb Bacon <seb.bacon@gmail.com> | 2011-07-27 15:28:58 +0100 |
commit | 44ffca31030651ca9d816cfd7d0784d0652c4ee5 (patch) | |
tree | 6fc1a8dd5ff33947584f0e32b6d676f14860e386 | |
parent | cace286e2d92ad50c4253c5765055e9da4da3871 (diff) |
Don't treat CSRF tokens as optional session data for administrators (they're needed to allow them to edit anything! Fixes #95
(Also change wording of test names to match usual rspec convention)
-rw-r--r-- | app/controllers/admin_controller.rb | 3 | ||||
-rw-r--r-- | spec/controllers/admin_public_body_controller_spec.rb | 16 | ||||
-rw-r--r-- | spec/lib/whatdotheyknow/strip_empty_sessions_spec.rb | 8 |
3 files changed, 23 insertions, 4 deletions
diff --git a/app/controllers/admin_controller.rb b/app/controllers/admin_controller.rb
index 375c19529..655670b5a 100644
--- a/app/controllers/admin_controller.rb
+++ b/app/controllers/admin_controller.rb
@@ -51,7 +51,10 @@ class AdminController < ApplicationController
 if !username.empty? && !password.empty?
 authenticate_or_request_with_http_basic do |user_name, password|
 user_name == username && password == password
+ session[:using_admin] = 1
 end
+ else
+ session[:using_admin] = 1
 end
 end
 end
diff --git a/spec/controllers/admin_public_body_controller_spec.rb b/spec/controllers/admin_public_body_controller_spec.rb
index 3a768686d..6b88fe39d 100644
--- a/spec/controllers/admin_public_body_controller_spec.rb
+++ b/spec/controllers/admin_public_body_controller_spec.rb
@@ -42,21 +42,27 @@ describe AdminPublicBodyController, "when administering public bodies" do
 pb.name.should == "Renamed"
 end
- it "destroy a public body" do
+ it "destroys a public body" do
 PublicBody.count.should == 2
 post :destroy, { :id => 3 }
 PublicBody.count.should == 1
 end
- it "don't allow non-authenticated users to do anything" do
+ it "sets a using_admin flag" do
+ get :show, :id => 2
+ session[:using_admin].should == 1
+ end
+
+ it "disallows non-authenticated users to do anything" do
 @request.env["HTTP_AUTHORIZATION"] = ""
 PublicBody.count.should == 2
 post :destroy, { :id => 3 }
 response.code.should == "401"
 PublicBody.count.should == 2
+ session[:using_admin].should == nil
 end
- it "when no username/password set, skip admin authorisation" do
+ it "skips admin authorisation when no username/password set" do
 config = MySociety::Config.load_default()
 config['ADMIN_USERNAME'] = ''
 config['ADMIN_PASSWORD'] = ''
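Review bot: The added `session[:using_admin] = 1` is now the last expression of the `authenticate_or_request_with_http_basic` block, so the block's value is 1 (truthy) and the `user_name == username && password == password` result on the line above is computed and then discarded; any credentials presented with the request would satisfy basic auth. The flag should be set only when the comparison holds, and the comparison result must remain the block's return value. The comparison itself is pre-existing but appears to be a tautology: the block parameter `password` shadows (or, on older Rubies, overwrites) the configured `password`, so it compares the supplied value with itself — renaming the parameter fixes that in the same edit. The rest of the `if`/`else` and the method stay as in the hunk.
```ruby
            authenticate_or_request_with_http_basic do |user_name, supplied_password|
                authorised = user_name == username && supplied_password == password
                session[:using_admin] = 1 if authorised
                authorised
            end
            # … unchanged: else branch setting session[:using_admin] when no credentials are configured …
```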
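Review bot: The `disallows non-authenticated users to do anything` example only sets `@request.env["HTTP_AUTHORIZATION"]` to an empty string, so the basic-auth block in AdminController is unlikely to be entered at all and a request carrying the configured username with a wrong password is not exercised; a regression in that block's return value would not be caught here. A sibling example that supplies a basic-auth header for the configured username with an incorrect password and then asserts `response.code.should == "401"`, `PublicBody.count.should == 2` and `session[:using_admin].should == nil` would cover that path. The configured credentials come from `MySociety::Config`, as the examples further down this hunk show, so the new example can load them the same way.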
@@ -64,8 +70,9 @@ describe AdminPublicBodyController, "when administering public bodies" do
 PublicBody.count.should == 2
 post :destroy, { :id => 3 }
 PublicBody.count.should == 1
+ session[:using_admin].should == 1
 end
- it "when no username set, skip admin authorisation" do
+ it "skips admin authorisation when no username set" do
 config = MySociety::Config.load_default()
 config['ADMIN_USERNAME'] = ''
 config['ADMIN_PASSWORD'] = 'fuz'
@@ -73,6 +80,7 @@ describe AdminPublicBodyController, "when administering public bodies" do
 PublicBody.count.should == 2
 post :destroy, { :id => 3 }
 PublicBody.count.should == 1
+ session[:using_admin].should == 1
 end
diff --git a/spec/lib/whatdotheyknow/strip_empty_sessions_spec.rb b/spec/lib/whatdotheyknow/strip_empty_sessions_spec.rb
index 1d71d680f..1cf5e3d25 100644
--- a/spec/lib/whatdotheyknow/strip_empty_sessions_spec.rb
+++ b/spec/lib/whatdotheyknow/strip_empty_sessions_spec.rb
@@ -50,6 +50,14 @@ describe WhatDoTheyKnow::StripEmptySessions do
 response = make_response(@session_data, application_response_headers)
 response.headers['Set-Cookie'].should == ""
 end
+
+ it 'should not strip the session cookie setting for admins' do
+ @session_data[:using_admin] = 1
+ application_response_headers = { 'Content-Type' => 'text/html',
+ 'Set-Cookie' => 'mykey=f274c61a35320c52d45e9f8d7d4e2649; path=/; HttpOnly'}
+ response = make_response(@session_data, application_response_headers)
+ response.headers['Set-Cookie'].should == "mykey=f274c61a35320c52d45e9f8d7d4e2649; path=/; HttpOnly"
+ end
 it 'should strip the session cookie setting header (but no other cookie setting header) if there is more than one' do
 application_response_headers = { 'Content-Type' => 'text/html',