Don't allow non-superusers to access admin interface (eek!) Fixes #515

author: Seb Bacon <seb.bacon@gmail.com> 2012-06-27 13:35:35 +0100
committer: Seb Bacon <seb.bacon@gmail.com> 2012-06-27 13:35:35 +0100
commit: 25248d5255b9adced28160fba3b11f61d4eff189 (patch)
tree: 2db18f710b0375425e37a3598aad12fb12250c53 /app/controllers/admin_controller.rb
parent: db1a388f0a7b37cc0ceb3ca07b995b34dabdba58 (diff)
1 files changed, 5 insertions, 2 deletions
diff --git a/app/controllers/admin_controller.rb b/app/controllers/admin_controller.rb
index 884d7e540..d8fda9c01 100644
--- a/app/controllers/admin_controller.rb
+++ b/app/controllers/admin_controller.rb
@@ -47,8 +47,6 @@ class AdminController < ApplicationController
         end
     end
 
-    private
-
     def authenticate
         if MySociety::Config.get('SKIP_ADMIN_AUTH', false)
             session[:using_admin] = 1
@@ -64,6 +62,11 @@ class AdminController < ApplicationController
                         if !@user.nil? && @user.admin_level == "super"
                             session[:using_admin] = 1
                             request.env['REMOTE_USER'] = @user.url_name
+                        else
+
+                            session[:using_admin] = nil
+                            session[:user_id] = nil
+                            self.authenticate
                         end
                     end
                 else
author	Seb Bacon <seb.bacon@gmail.com>	2012-06-27 13:35:35 +0100
committer	Seb Bacon <seb.bacon@gmail.com>	2012-06-27 13:35:35 +0100
commit	25248d5255b9adced28160fba3b11f61d4eff189 (patch)
tree	2db18f710b0375425e37a3598aad12fb12250c53 /app/controllers/admin_controller.rb
parent	db1a388f0a7b37cc0ceb3ca07b995b34dabdba58 (diff)