4 files changed, 53 insertions, 10 deletions

diff --git a/app/controllers/admin_controller.rb b/app/controllers/admin_controller.rb
index 75658f6de..8598091d9 100644
--- a/app/controllers/admin_controller.rb
+++ b/app/controllers/admin_controller.rb
@@ -10,8 +10,7 @@ require 'fileutils'
 
 class AdminController < ApplicationController
     layout "admin"
-	before_filter :authenticate
-	USER_NAME, PASSWORD = "sadminiz", "w5x^H^<{J231s3"
+    before_filter :authenticate
     protect_from_forgery # See ActionController::RequestForgeryProtection for details
 
     # action to take if expecting an authenticity token and one isn't received
@@ -47,9 +46,13 @@ class AdminController < ApplicationController
     end
 	private
 	def authenticate
-	  authenticate_or_request_with_http_basic do |user_name, password|
-		user_name == USER_NAME && password == PASSWORD
-	  end
+            username = MySociety::Config.get('ADMIN_USERNAME', '')
+            password = MySociety::Config.get('ADMIN_PASSWORD', '')
+            if !(username && password).empty?
+                authenticate_or_request_with_http_basic do |user_name, password|
+                    user_name == username && password == password
+                end
+            end
 	end
 end
 
diff --git a/config/general-example b/config/general-example
index a3d1aed2a..fd8925278 100644
--- a/config/general-example
+++ b/config/general-example
@@ -36,8 +36,13 @@ define('OPTION_INCOMING_EMAIL_SECRET', 'xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx'
 define('OPTION_BLACKHOLE_PREFIX', 'do-not-reply-to-this-address'); // used as envelope from at the incoming email domain for cases where we don't care about failure
 
 // Administration
+// To completely skip admin authentication, set these to empty strings
+define('OPTION_ADMIN_USERNAME', 'adminxxxx');
+define('OPTION_ADMIN_PASSWORD', 'passwordx');
+
 define('OPTION_CONTACT_EMAIL', 'admin@localhost');
 define('OPTION_ADMIN_BASE_URL', '/admin/');
+
 // Where /stylesheets sits under for admin pages. See asset_host in 
 // config/environment.rb. Can be full domain or relative path (not an absolute path beginning with /).
 define('OPTION_ADMIN_PUBLIC_URL', ''); 
@@ -56,6 +61,7 @@ define('OPTION_RECAPTCHA_PRIVATE_KEY', 'x');
 
 // Locales we wish to support in this app
 define('OPTION_AVAILABLE_LOCALES', 'en es');
+define('DEFAULT_LOCALE', 'en');
 
 // example searches for the home page, semicolon delimited
 define('OPTION_FRONTPAGE_SEARCH_EXAMPLES', 'Geraldine Quango; Department for Humpadinking');
diff --git a/spec/controllers/admin_public_body_controller_spec.rb b/spec/controllers/admin_public_body_controller_spec.rb
index a32c27dd9..9eabb2f8e 100644
--- a/spec/controllers/admin_public_body_controller_spec.rb
+++ b/spec/controllers/admin_public_body_controller_spec.rb
@@ -3,7 +3,14 @@ require File.expand_path(File.dirname(__FILE__) + '/../spec_helper')
 describe AdminPublicBodyController, "when administering public bodies" do
     integrate_views
     fixtures :public_bodies, :public_body_translations
-  
+
+    before do
+        username = MySociety::Config.get('ADMIN_USERNAME', '')
+        password = MySociety::Config.get('ADMIN_PASSWORD', '')
+        basic_auth_login @request
+    end
+
+
     it "shows the index page" do
         get :index
     end
@@ -40,14 +47,18 @@ describe AdminPublicBodyController, "when administering public bodies" do
         post :destroy, { :id => 3 }
         PublicBody.count.should == 1
     end
-
-
 end
 
 describe AdminPublicBodyController, "when administering public bodies with i18n" do
     integrate_views
     fixtures :public_bodies, :public_body_translations
   
+    before do
+        username = MySociety::Config.get('ADMIN_USERNAME', '')
+        password = MySociety::Config.get('ADMIN_PASSWORD', '')
+        basic_auth_login @request
+    end
+
     it "shows the index page" do
         get :index
     end
@@ -95,5 +106,23 @@ describe AdminPublicBodyController, "when administering public bodies with i18n"
         PublicBody.count.should == 1
     end
 
+    it "don't allow non-authenticated users to do anything" do
+        @request.env["HTTP_AUTHORIZATION"] = ""
+        PublicBody.count.should == 2
+        post :destroy, { :id => 3 }
+        response.code.should == "401"
+        PublicBody.count.should == 2
+    end
+
+    it "when no username/password set, skip admin authorisation" do
+        config = MySociety::Config.load_default()
+        config['ADMIN_USERNAME'] = ''
+        config['ADMIN_PASSWORD'] = ''
+        @request.env["HTTP_AUTHORIZATION"] = ""
+        PublicBody.count.should == 2
+        post :destroy, { :id => 3 }
+        PublicBody.count.should == 1
+    end
+
 
 end
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
index ceb566680..56b1fd92a 100644
--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@@ -5,6 +5,11 @@ require File.expand_path(File.join(File.dirname(__FILE__),'..','config','environ
 require 'spec/autorun'
 require 'spec/rails'
 
+# set a default username and password so we can test 
+config = MySociety::Config.load_default()
+config['ADMIN_USERNAME'] = 'foo'
+config['ADMIN_PASSWORD'] = 'baz'
+
 # Uncomment the next line to use webrat's matchers
 #require 'webrat/integrations/rspec-rails'
 
@@ -104,8 +109,8 @@ def validate_as_body(html)
 end
 
 def basic_auth_login(request)
-    username = MySociety::Config.get('ADMIN_USERNAME', '')
-    password = MySociety::Config.get('ADMIN_PASSWORD', '')
+    username = MySociety::Config.get('ADMIN_USERNAME')
+    password = MySociety::Config.get('ADMIN_PASSWORD')
     request.env["HTTP_AUTHORIZATION"] = "Basic " + Base64::encode64("#{username}:#{password}")
 end