From 732b3e5c430a83f72adb44dc621d48edb86f081f Mon Sep 17 00:00:00 2001
From: Seb Bacon <seb.bacon@gmail.com>
Date: Wed, 6 Jul 2011 12:00:26 +0100
Subject: fix up basic auth for admin settings: get credentials from config,
 cause default (where no config) to skip authorization completely, add tests
 for these

---
 app/controllers/admin_controller.rb | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

(limited to 'app/controllers/admin_controller.rb')

diff --git a/app/controllers/admin_controller.rb b/app/controllers/admin_controller.rb
index 75658f6de..8598091d9 100644
--- a/app/controllers/admin_controller.rb
+++ b/app/controllers/admin_controller.rb
@@ -10,8 +10,7 @@ require 'fileutils'
 
 class AdminController < ApplicationController
     layout "admin"
-	before_filter :authenticate
-	USER_NAME, PASSWORD = "sadminiz", "w5x^H^<{J231s3"
+    before_filter :authenticate
     protect_from_forgery # See ActionController::RequestForgeryProtection for details
 
     # action to take if expecting an authenticity token and one isn't received
@@ -47,9 +46,13 @@ class AdminController < ApplicationController
     end
 	private
 	def authenticate
-	  authenticate_or_request_with_http_basic do |user_name, password|
-		user_name == USER_NAME && password == PASSWORD
-	  end
+            username = MySociety::Config.get('ADMIN_USERNAME', '')
+            password = MySociety::Config.get('ADMIN_PASSWORD', '')
+            if !(username && password).empty?
+                authenticate_or_request_with_http_basic do |user_name, password|
+                    user_name == username && password == password
+                end
+            end
 	end
 end
 
-- 
cgit v1.2.3