-rw-r--r-- | app/controllers/admin_controller.rb | 14 | ||||
-rw-r--r-- | spec/controllers/admin_public_body_controller_spec.rb | 19 | ||||
-rw-r--r-- | spec/spec_helper.rb | 6 |
3 files changed, 31 insertions, 8 deletions
diff --git a/app/controllers/admin_controller.rb b/app/controllers/admin_controller.rb
index 655670b5a..0bfbcd3d1 100644
--- a/app/controllers/admin_controller.rb
+++ b/app/controllers/admin_controller.rb
@@ -45,13 +45,17 @@ class AdminController < ApplicationController
 end
 end
 private
+
 def authenticate
- username = MySociety::Config.get('ADMIN_USERNAME', '')
- password = MySociety::Config.get('ADMIN_PASSWORD', '')
- if !username.empty? && !password.empty?
+ config_username = MySociety::Config.get('ADMIN_USERNAME', '')
+ config_password = MySociety::Config.get('ADMIN_PASSWORD', '')
+ if !config_username.empty? && !config_password.empty?
 authenticate_or_request_with_http_basic do |user_name, password|
- user_name == username && password == password
- session[:using_admin] = 1
+ if user_name == config_username && password == config_password
+ session[:using_admin] = 1
+ else
+ request_http_basic_authentication
+ end
 end
 else
 session[:using_admin] = 1
diff --git a/spec/controllers/admin_public_body_controller_spec.rb b/spec/controllers/admin_public_body_controller_spec.rb
index 53db4f412..0a90cd64b 100644
--- a/spec/controllers/admin_public_body_controller_spec.rb
+++ b/spec/controllers/admin_public_body_controller_spec.rb
@@ -52,6 +52,12 @@ describe AdminPublicBodyController, "when administering public bodies" do
 get :show, :id => 2
 session[:using_admin].should == 1
 end
+end
+
+describe AdminPublicBodyController, "when administering public bodies and paying attention to authentication" do
+
+ integrate_views
+ fixtures :public_bodies, :public_body_translations
 it "disallows non-authenticated users to do anything" do
 @request.env["HTTP_AUTHORIZATION"] = ""
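Review bot: The `else request_http_basic_authentication` branch inside the `authenticate_or_request_with_http_basic` block is redundant: that helper already issues the 401 challenge itself whenever the block returns a falsy value, so the block only needs to yield a truthy result on a match — `if user_name == config_username && password == config_password` / `session[:using_admin] = 1` / `end`. As written, the block's result on a failed login is whatever the inner challenge call happens to return, and the outer helper's decision to challenge again then depends on that return value rather than on an explicit false. Separately, the two `==` string comparisons are not constant-time; if the Rails version in use provides a constant-time comparison helper it belongs on this line, and if it does not, a short comment recording that the admin credential compare leaks timing would help the next reviewer. The `authenticate` method's body continues past the end of the hunk.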
@@ -82,6 +88,19 @@ describe AdminPublicBodyController, "when administering public bodies" do PublicBody.count.should == 1 session[:using_admin].should == 1 end + it "forces authorisation when password and username set" do + config = MySociety::Config.load_default() + config['ADMIN_USERNAME'] = 'biz' + config['ADMIN_PASSWORD'] = 'fuz' + @request.env["HTTP_AUTHORIZATION"] = "" + PublicBody.count.should == 2 + basic_auth_login(@request, "baduser", "badpassword") + post :destroy, { :id => 3 } + response.code.should == "401" + PublicBody.count.should == 2 + session[:using_admin].should == nil + end + end diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb index 2ddf839da..ffe48c731 100644 --- a/spec/spec_helper.rb +++ b/spec/spec_helper.rb @@ -113,9 +113,9 @@ def validate_as_body(html) "<html><head><title>Test</title></head><body>#{html}</body></html>") end -def basic_auth_login(request) - username = MySociety::Config.get('ADMIN_USERNAME') - password = MySociety::Config.get('ADMIN_PASSWORD') +def basic_auth_login(request, username = nil, password = nil) + username = MySociety::Config.get('ADMIN_USERNAME') if username.nil? + password = MySociety::Config.get('ADMIN_PASSWORD') if password.nil? request.env["HTTP_AUTHORIZATION"] = "Basic " + Base64::encode64("#{username}:#{password}") end |
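Review bot: The new `forces authorisation when password and username set` example writes `'biz'` and `'fuz'` into the object returned by `MySociety::Config.load_default()` and never restores the previous values, so if that object is process-wide the credentials leak into later examples — including any that call `basic_auth_login(@request)` and rely on the configured defaults. Capture the old `ADMIN_USERNAME` and `ADMIN_PASSWORD` values before assigning and put them back in an `after` block (or at the end of the example), so the example is hermetic regardless of run order. The hunk's trailing context lines are collapsed in this view, so the closing `end` of the enclosing `describe` is not visible here.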
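Review bot: In `basic_auth_login`, the two `... if username.nil?` / `... if password.nil?` fallbacks read more idiomatically as `username ||= MySociety::Config.get('ADMIN_USERNAME')` and `password ||= MySociety::Config.get('ADMIN_PASSWORD')`; the default-to-config intent is unchanged and the lines get shorter. A one-line comment above the `def`, such as `# nil username/password fall back to the configured admin credentials`, would make the new optional parameters self-explanatory to spec authors.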