From 25248d5255b9adced28160fba3b11f61d4eff189 Mon Sep 17 00:00:00 2001
From: Seb Bacon
Date: Wed, 27 Jun 2012 13:35:35 +0100
Subject: Don't allow non-superusers to access admin interface (eek!) Fixes #515
---
 app/controllers/admin_controller.rb | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
(limited to 'app/controllers/admin_controller.rb')
diff --git a/app/controllers/admin_controller.rb b/app/controllers/admin_controller.rb
index 884d7e540..d8fda9c01 100644
--- a/app/controllers/admin_controller.rb
+++ b/app/controllers/admin_controller.rb
@@ -47,8 +47,6 @@ class AdminController < ApplicationController
 end
 end
 
- private
-
 def authenticate
 if MySociety::Config.get('SKIP_ADMIN_AUTH', false)
 session[:using_admin] = 1
@@ -64,6 +62,11 @@ class AdminController < ApplicationController
 if !@user.nil? && @user.admin_level == "super"
 session[:using_admin] = 1
 request.env['REMOTE_USER'] = @user.url_name
+ else
+
+ session[:using_admin] = nil
+ session[:user_id] = nil
+ self.authenticate
 end
 end
 else
-- cgit v1.2.3
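Review bot: Deleting the `private` marker above `def authenticate` in the first hunk makes `authenticate`, and every method defined after it in the file, a public controller method, which Rails treats as a routable action; depending on the routes, a request could then reach `authenticate` (or whatever follows it) directly rather than only through the before-filter. The removal looks like a workaround for the `self.authenticate` call added in the second hunk, since Ruby versions before 2.7 refuse to invoke a private method through an explicit `self.` receiver. Keeping `private` and calling the method without a receiver, `authenticate` instead of `self.authenticate`, gets the same re-entry without widening the controller's public surface. Whether an earlier `private` marker or a route restriction already covers this cannot be seen from the hunk, so it should be checked before relying on it.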
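Review bot: Termination of the new `else` branch in the second hunk depends on the recursive `self.authenticate` call not landing in the same `else` again after the session is cleared; the `@user` lookup that decides this sits between the two hunks and is not visible here, so the assumption should be confirmed and recorded, for example with `# session cleared above, so the re-entry is expected to take the non-session auth path` on the recursive call. Clearing `session[:user_id]` also logs a non-superuser out of the whole site rather than only refusing the admin page, which is worth either a comment stating that this is intended or replacing with an explicit 403 response. The blank line directly after `else` is a style nit. The enclosing method continues outside the hunk.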