diff options
| author | Seb Bacon <seb.bacon@gmail.com> | 2011-07-26 17:19:14 +0100 |
|---|---|---|
| committer | Seb Bacon <seb.bacon@gmail.com> | 2011-07-27 08:50:27 +0100 |
| commit | 67829b434b56b60fa281b8a147003d86e28c074a (patch) | |
| tree | 32c1f929a1c523e5bd844048c20e6a0fadf65f0e | |
| parent | 51dbaf3e40f4da6219633e50cc59aefb04366000 (diff) | |
Authentication should only apply to admin interface when *both* email *and* password are unset
| -rw-r--r-- | app/controllers/admin_controller.rb | 2 | ||||
| -rw-r--r-- | spec/controllers/admin_public_body_controller_spec.rb | 9 |
2 files changed, 10 insertions, 1 deletions
diff --git a/app/controllers/admin_controller.rb b/app/controllers/admin_controller.rb index 8598091d9..375c19529 100644 --- a/app/controllers/admin_controller.rb +++ b/app/controllers/admin_controller.rb @@ -48,7 +48,7 @@ class AdminController < ApplicationController def authenticate username = MySociety::Config.get('ADMIN_USERNAME', '') password = MySociety::Config.get('ADMIN_PASSWORD', '') - if !(username && password).empty? + if !username.empty? && !password.empty? authenticate_or_request_with_http_basic do |user_name, password| user_name == username && password == password end diff --git a/spec/controllers/admin_public_body_controller_spec.rb b/spec/controllers/admin_public_body_controller_spec.rb index cb622dabd..3a768686d 100644 --- a/spec/controllers/admin_public_body_controller_spec.rb +++ b/spec/controllers/admin_public_body_controller_spec.rb @@ -65,6 +65,15 @@ describe AdminPublicBodyController, "when administering public bodies" do post :destroy, { :id => 3 } PublicBody.count.should == 1 end + it "when no username set, skip admin authorisation" do + config = MySociety::Config.load_default() + config['ADMIN_USERNAME'] = '' + config['ADMIN_PASSWORD'] = 'fuz' + @request.env["HTTP_AUTHORIZATION"] = "" + PublicBody.count.should == 2 + post :destroy, { :id => 3 } + PublicBody.count.should == 1 + end end |