-rw-r--r--app/controllers/admin_user_controller.rb3
-rw-r--r--app/controllers/application_controller.rb12
-rw-r--r--app/controllers/user_controller.rb2
-rw-r--r--app/models/post_redirect.rb2
-rw-r--r--app/models/request_mailer.rb2
-rw-r--r--spec/controllers/admin_user_controller_spec.rb10
-rw-r--r--spec/integration/admin_spec.rb24
7 files changed, 37 insertions, 18 deletions
diff --git a/app/controllers/admin_user_controller.rb b/app/controllers/admin_user_controller.rb
index b2c084739..249030537 100644
--- a/app/controllers/admin_user_controller.rb
+++ b/app/controllers/admin_user_controller.rb
@@ -74,10 +74,9 @@ class AdminUserController < AdminController
def login_as
@admin_user = User.find(params[:id]) # check user does exist
- post_redirect = PostRedirect.new( :uri => main_url(user_url(@admin_user)), :user_id => @admin_user.id)
+ post_redirect = PostRedirect.new( :uri => main_url(user_url(@admin_user)), :user_id => @admin_user.id, :circumstance => "login_as" )
post_redirect.save!
url = main_url(confirm_url(:email_token => post_redirect.email_token, :only_path => true))
- session[:user_id] = nil # Log out current (usually admin) user, so we get logged in as the other user
redirect_to url
end
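Review bot: The literal `"login_as"` stored on the PostRedirect here is compared against again in the user_controller.rb hunk below, and that comparison is what lets `confirm` switch the session to a different user, so both sites should read one constant on PostRedirect rather than two free-hand strings that can drift apart. With `session[:user_id] = nil` removed, nothing left in `login_as` says where the logout-and-switch now happens; a line such as `# No session change here: UserController#confirm switches the session to the target user when circumstance is "login_as"` would save the next reader the hunt (the switch itself is not visible in this diff, so check the wording against `confirm`). The specs drive this action with GET, so any page an authenticated admin visits can cause their browser to mint one of these login-as tokens; restricting the route to POST is the usual guard, though the routes file is outside this diff. `@admin_user` holds the user being impersonated rather than the admin, which the name invites a reader to misread.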
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 434f12a49..0508abe76 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -151,8 +151,8 @@ class ApplicationController < ActionController::Base
false
end
- # Called from test code, is a mimic of User.confirm, for use in following email
- # links when in controller tests (since we don't have full integration tests that
+ # Called from test code, is a mimic of UserController.confirm, for use in following email
+ # links when in controller tests (though we also have full integration tests that
# can work over multiple controllers)
def test_code_redirect_by_email_token(token, controller_example_group)
post_redirect = PostRedirect.find_by_email_token(token)
@@ -224,15 +224,15 @@ class ApplicationController < ActionController::Base
post_redirect = PostRedirect.new(:uri => request.request_uri, :post_params => params,
:reason_params => reason_params)
post_redirect.save!
- # 'modal' controls whether the sign-in form will be displayed in the typical full-blown
- # page or on its own, useful for pop-ups
+ # 'modal' controls whether the sign-in form will be displayed in the typical full-blown
+ # page or on its own, useful for pop-ups
redirect_to signin_url(:token => post_redirect.token, :modal => params[:modal])
return false
end
return true
end
- def authenticated_as_user?(user, reason_params)
+ def authenticated_as_user?(user, reason_params)
reason_params[:user_name] = user.name
reason_params[:user_url] = show_user_url(:url_name => user.url_name)
if session[:user_id]
@@ -274,6 +274,8 @@ class ApplicationController < ActionController::Base
# XXX what is the built in Ruby URI munging function that can do this
# choice of & vs. ? more elegantly than this dumb if statement?
if uri.include?("?")
+ # XXX This looks odd. What would a fragment identifier be doing server-side?
+ # But it also looks harmless, so I’ll leave it just in case.
if uri.include?("#")
uri.sub!("#", "&post_redirect=1#")
else
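Review bot: The added comment contains a curly apostrophe (`I’ll`), the only non-ASCII byte visible in this file; without a source-encoding magic comment that can fail to parse under Ruby 1.9, so write it in plain ASCII. The comment also hedges on something that can be stated outright: a browser never sends the fragment part of a URL to the server, so a `#` in `uri` here can only come from a URL assembled server-side, which is exactly why the branch looks odd and is harmless. Suggested wording: `# A fragment never arrives in a browser request, so this branch only matters for URIs built server-side; kept in case a caller passes one.` The enclosing method starts and ends outside this hunk.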
diff --git a/app/controllers/user_controller.rb b/app/controllers/user_controller.rb
index 403cb9684..08726183e 100644
--- a/app/controllers/user_controller.rb
+++ b/app/controllers/user_controller.rb
@@ -182,7 +182,7 @@ class UserController < ApplicationController
return
end
- if !User.stay_logged_in_on_redirect?(@user)
+ if !User.stay_logged_in_on_redirect?(@user) || post_redirect.circumstance == "login_as"
@user = post_redirect.user
@user.email_confirmed = true
@user.save!
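Review bot: On the new `login_as` path this branch goes on to run `@user.email_confirmed = true` and `@user.save!` against `post_redirect.user`, so an admin impersonating an account silently marks that account's email address as confirmed; if that is not intended, guard the two lines with the same `post_redirect.circumstance == "login_as"` test so impersonation leaves the flag alone. The string compared here is the same literal the admin controller writes into the PostRedirect, so both sites should read one shared constant rather than duplicating it. `confirm` begins and ends outside this hunk, so where the session is actually switched to `@user` is not visible here.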
diff --git a/app/models/post_redirect.rb b/app/models/post_redirect.rb
index 59cc86799..c9a6229a4 100644
--- a/app/models/post_redirect.rb
+++ b/app/models/post_redirect.rb
@@ -39,7 +39,7 @@ class PostRedirect < ActiveRecord::Base
self.post_params_yaml = params.to_yaml
end
def post_params
- if self.post_params_yaml.nil?
+ if self.post_params_yaml.nil?
return {}
end
YAML.load(self.post_params_yaml)
diff --git a/app/models/request_mailer.rb b/app/models/request_mailer.rb
index 83cce9045..177a39241 100644
--- a/app/models/request_mailer.rb
+++ b/app/models/request_mailer.rb
@@ -40,7 +40,7 @@ class RequestMailer < ApplicationMailer
:filename => "original.eml", :transfer_encoding => '7bit', :content_disposition => 'inline'
@body = {
:info_request => info_request,
- :contact_email => MySociety::Config.get("CONTACT_EMAIL", 'contact@localhost')
+ :contact_email => MySociety::Config.get("CONTACT_EMAIL", 'contact@localhost')
}
end
diff --git a/spec/controllers/admin_user_controller_spec.rb b/spec/controllers/admin_user_controller_spec.rb
index 60ac6969d..c2d645fd2 100644
--- a/spec/controllers/admin_user_controller_spec.rb
+++ b/spec/controllers/admin_user_controller_spec.rb
@@ -24,13 +24,7 @@ describe AdminUserController, "when administering users" do
post_redirect = PostRedirect.get_last_post_redirect
response.should redirect_to(:controller => 'user', :action => 'confirm', :email_token => post_redirect.email_token)
end
-
- it "logs in as another user when already logged in as an admin" do
- session[:user_id] = users(:admin_user).id
- get :login_as, :id => users(:bob_smith_user).id
- post_redirect = PostRedirect.get_last_post_redirect
- response.should redirect_to(:controller => 'user', :action => 'confirm', :email_token => post_redirect.email_token)
- session[:user_id].should be_nil
- end
+
+ # See also "allows an admin to log in as another user" in spec/integration/admin_spec.rb
end
diff --git a/spec/integration/admin_spec.rb b/spec/integration/admin_spec.rb
new file mode 100644
index 000000000..7fecd60d2
--- /dev/null
+++ b/spec/integration/admin_spec.rb
@@ -0,0 +1,24 @@
+require File.expand_path(File.dirname(__FILE__) + '/../spec_helper')
+
+require "base64"
+
+describe "When administering the site" do
+ it "allows an admin to log in as another user" do
+ # First log in as Joe Admin
+ admin_user = users(:admin_user)
+ admin_user.email_confirmed = true
+ admin_user.save!
+ post_via_redirect "/profile/sign_in", :user_signin => {:email => admin_user.email, :password => "jonespassword"}
+ response.should be_success
+
+ # Now fetch the "log in as" link to log in as Bob
+ basic_auth_login @request
+ admin_username = MySociety::Config.get('ADMIN_USERNAME')
+ admin_password = MySociety::Config.get('ADMIN_PASSWORD')
+ get_via_redirect "/admin/user/login_as/#{users(:bob_smith_user).id}", nil, {
+ "Authorization" => "Basic " + Base64.b64encode("#{admin_username}:#{admin_password}").strip
+ }
+ response.should be_success
+ session[:user_id].should == users(:bob_smith_user).id
+ end
+end
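Review bot: `Base64.b64encode` on the Authorization line is the Ruby 1.8 helper that prints its output to stdout as well as returning it, so the admin credentials are echoed into the test log, and the method is gone on later Rubies; `Base64.encode64("#{admin_username}:#{admin_password}").strip` yields the same header value with neither problem. `basic_auth_login @request` two lines earlier looks like it sets up the same credentials, so one of the two mechanisms is probably redundant, though the helper's body is not on this page. The example covers only the success path; a companion example that requests the same login_as URL with no Authorization header and asserts `session[:user_id]` is unchanged would pin the authorization check this feature depends on.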