-rw-r--r--app/controllers/admin_controller.rb14
-rw-r--r--spec/controllers/admin_public_body_controller_spec.rb19
-rw-r--r--spec/spec_helper.rb6
3 files changed, 31 insertions, 8 deletions
diff --git a/app/controllers/admin_controller.rb b/app/controllers/admin_controller.rb
index 655670b5a..0bfbcd3d1 100644
--- a/app/controllers/admin_controller.rb
+++ b/app/controllers/admin_controller.rb
@@ -45,13 +45,17 @@ class AdminController < ApplicationController
end
end
private
+
def authenticate
- username = MySociety::Config.get('ADMIN_USERNAME', '')
- password = MySociety::Config.get('ADMIN_PASSWORD', '')
- if !username.empty? && !password.empty?
+ config_username = MySociety::Config.get('ADMIN_USERNAME', '')
+ config_password = MySociety::Config.get('ADMIN_PASSWORD', '')
+ if !config_username.empty? && !config_password.empty?
authenticate_or_request_with_http_basic do |user_name, password|
- user_name == username && password == password
- session[:using_admin] = 1
+ if user_name == config_username && password == config_password
+ session[:using_admin] = 1
+ else
+ request_http_basic_authentication
+ end
end
else
session[:using_admin] = 1
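Review bot: The credential check on the new `if user_name == config_username && password == config_password` line is a plain string comparison, which stops at the first mismatching byte; for the admin password a constant-time compare is the norm, e.g. `if Rack::Utils.secure_compare(user_name, config_username) && Rack::Utils.secure_compare(password, config_password)` if the Rack in use provides it, otherwise a small XOR-fold helper in the controller. The explicit `request_http_basic_authentication` in the else branch also looks redundant: `authenticate_or_request_with_http_basic` already issues the 401 challenge when the block returns a falsy value, so the block could just set `session[:using_admin] = 1` inside the `if` and otherwise return `false`; as written it appears to avoid a second challenge only because the return value of `request_http_basic_authentication` happens to be truthy. `authenticate` continues past the end of the hunk, and the pre-existing else branch at its bottom grants admin whenever no credentials are configured — outside this change, but a `# NOTE: no ADMIN_USERNAME/ADMIN_PASSWORD configured means the admin interface is open` comment there would make that deliberate choice visible.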
diff --git a/spec/controllers/admin_public_body_controller_spec.rb b/spec/controllers/admin_public_body_controller_spec.rb
index 53db4f412..0a90cd64b 100644
--- a/spec/controllers/admin_public_body_controller_spec.rb
+++ b/spec/controllers/admin_public_body_controller_spec.rb
@@ -52,6 +52,12 @@ describe AdminPublicBodyController, "when administering public bodies" do
get :show, :id => 2
session[:using_admin].should == 1
end
+end
+
+describe AdminPublicBodyController, "when administering public bodies and paying attention to authentication" do
+
+ integrate_views
+ fixtures :public_bodies, :public_body_translations
it "disallows non-authenticated users to do anything" do
@request.env["HTTP_AUTHORIZATION"] = ""
@@ -82,6 +88,19 @@ describe AdminPublicBodyController, "when administering public bodies" do
PublicBody.count.should == 1
session[:using_admin].should == 1
end
+ it "forces authorisation when password and username set" do
+ config = MySociety::Config.load_default()
+ config['ADMIN_USERNAME'] = 'biz'
+ config['ADMIN_PASSWORD'] = 'fuz'
+ @request.env["HTTP_AUTHORIZATION"] = ""
+ PublicBody.count.should == 2
+ basic_auth_login(@request, "baduser", "badpassword")
+ post :destroy, { :id => 3 }
+ response.code.should == "401"
+ PublicBody.count.should == 2
+ session[:using_admin].should == nil
+ end
+
end
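Review bot: The new example writes ADMIN_USERNAME and ADMIN_PASSWORD into the object returned by `MySociety::Config.load_default()` and never restores them, so if that is the same object `MySociety::Config.get` reads — which the example relies on to get a 401 — the credentials leak into every example that runs afterwards in the process, including the ones above that expect `session[:using_admin]` to be 1 without a real login. Save the previous values and put them back in an `ensure`, or move the setup into `before`/`after` hooks. The example also only shows that a wrong password is rejected; an assertion that `basic_auth_login(@request, 'biz', 'fuz')` followed by the same request yields `session[:using_admin].should == 1` would pin the positive path under configured credentials. The `@request.env["HTTP_AUTHORIZATION"] = ""` line is overwritten by `basic_auth_login` two lines later and can be dropped.
```ruby
it "forces authorisation when password and username set" do
  config = MySociety::Config.load_default()
  saved_username = config['ADMIN_USERNAME']
  saved_password = config['ADMIN_PASSWORD']
  begin
    config['ADMIN_USERNAME'] = 'biz'
    config['ADMIN_PASSWORD'] = 'fuz'
    # … unchanged: bad-credential destroy request and 401 / count / session assertions …
  ensure
    # put the config back so later examples see the original (unauthenticated) setup
    config['ADMIN_USERNAME'] = saved_username
    config['ADMIN_PASSWORD'] = saved_password
  end
end
```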
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
index 2ddf839da..ffe48c731 100644
--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@@ -113,9 +113,9 @@ def validate_as_body(html)
"<html><head><title>Test</title></head><body>#{html}</body></html>")
end
-def basic_auth_login(request)
- username = MySociety::Config.get('ADMIN_USERNAME')
- password = MySociety::Config.get('ADMIN_PASSWORD')
+def basic_auth_login(request, username = nil, password = nil)
+ username = MySociety::Config.get('ADMIN_USERNAME') if username.nil?
+ password = MySociety::Config.get('ADMIN_PASSWORD') if password.nil?
request.env["HTTP_AUTHORIZATION"] = "Basic " + Base64::encode64("#{username}:#{password}")
end
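Review bot: The new optional parameters change the helper's contract — `nil` falls back to the configured admin credentials, while any string, including `""`, is sent as given — without saying so; a header comment such as `# Sets HTTP Basic auth on +request+. username/password default to ADMIN_USERNAME/ADMIN_PASSWORD from the config when nil; pass explicit strings to exercise rejected credentials.` would make that clear to the next spec author. Separately, on the unchanged last line `Base64::encode64` appends a trailing newline (and wraps every 60 characters) inside the header value; it presumably works because the decoder tolerates it, but `.delete("\n")` on the encoded string, or `strict_encode64` where the Ruby version has it, would produce a genuine Authorization header.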