From 3f43279b7fcd9e8c5259096c45b80df8cf7a1d45 Mon Sep 17 00:00:00 2001 From: Seb Bacon Date: Mon, 14 May 2012 08:49:10 +0100 Subject: Improve administrative user account support: * Allow users with `super` admin level to use the administrative interface. * Allow bootstrapping these users with an Emergency User over HTTP Basic Auth * Introduce new `SKIP_ADMIN_AUTH` setting to allow all admin auth to be bypassed (used by mySociety) --- .../admin_public_body_controller_spec.rb | 41 ++++++++++++++-------- 1 file changed, 27 insertions(+), 14 deletions(-) (limited to 'spec/controllers/admin_public_body_controller_spec.rb') diff --git a/spec/controllers/admin_public_body_controller_spec.rb b/spec/controllers/admin_public_body_controller_spec.rb index 1e82a0ba4..2fa893a93 100644 --- a/spec/controllers/admin_public_body_controller_spec.rb +++ b/spec/controllers/admin_public_body_controller_spec.rb @@ -84,15 +84,14 @@ describe AdminPublicBodyController, "when administering public bodies and paying @request.env["HTTP_AUTHORIZATION"] = "" n = PublicBody.count post :destroy, { :id => 3 } - response.code.should == "401" + response.should redirect_to(:controller=>'user', :action=>'signin', :token=>PostRedirect.get_last_post_redirect.token) PublicBody.count.should == n session[:using_admin].should == nil end - it "skips admin authorisation when no username/password set" do + it "skips admin authorisation when SKIP_ADMIN_AUTH set" do config = MySociety::Config.load_default() - config['ADMIN_USERNAME'] = '' - config['ADMIN_PASSWORD'] = '' + config['SKIP_ADMIN_AUTH'] = true @request.env["HTTP_AUTHORIZATION"] = "" n = PublicBody.count @@ -101,30 +100,44 @@ describe AdminPublicBodyController, "when administering public bodies and paying session[:using_admin].should == 1 end - it "skips admin authorisation when no username set" do + it "doesn't let people with bad credentials log in" do config = MySociety::Config.load_default() - config['ADMIN_USERNAME'] = '' + config['SKIP_ADMIN_AUTH'] = false + config['ADMIN_USERNAME'] = 'biz' config['ADMIN_PASSWORD'] = 'fuz' @request.env["HTTP_AUTHORIZATION"] = "" - n = PublicBody.count + basic_auth_login(@request, "baduser", "badpassword") post :destroy, { :id => public_bodies(:forlorn_public_body).id } - PublicBody.count.should == n - 1 - session[:using_admin].should == 1 + response.should redirect_to(:controller=>'user', :action=>'signin', :token=>PostRedirect.get_last_post_redirect.token) + PublicBody.count.should == n + session[:using_admin].should == nil end - it "forces authorisation when password and username set" do + + it "allows people with good credentials log in using HTTP Basic Auth" do config = MySociety::Config.load_default() + config['SKIP_ADMIN_AUTH'] = false config['ADMIN_USERNAME'] = 'biz' config['ADMIN_PASSWORD'] = 'fuz' @request.env["HTTP_AUTHORIZATION"] = "" n = PublicBody.count - basic_auth_login(@request, "baduser", "badpassword") + basic_auth_login(@request, "biz", "fuz") + post :show, { :id => public_bodies(:humpadink_public_body).id, :emergency => 1} + session[:using_admin].should == 1 + n = PublicBody.count post :destroy, { :id => public_bodies(:forlorn_public_body).id } - response.code.should == "401" - PublicBody.count.should == n - session[:using_admin].should == nil + session[:using_admin].should == 1 + PublicBody.count.should == n - 1 end + it "allows superusers to do stuff" do + session[:user_id] = users(:admin_user).id + @request.env["HTTP_AUTHORIZATION"] = "" + n = PublicBody.count + post :destroy, { :id => public_bodies(:forlorn_public_body).id } + PublicBody.count.should == n - 1 + session[:using_admin].should == 1 + end end -- cgit v1.2.3 From 4d9eedc980364d52fba20ac77bb5729868d2d564 Mon Sep 17 00:00:00 2001 From: Seb Bacon Date: Tue, 15 May 2012 10:30:27 +0100 Subject: Fix test breakage introduced in 8d78cb8844549dc901cd901371be6ec604fb7f68 --- .../admin_public_body_controller_spec.rb | 25 ++++++++++------------ 1 file changed, 11 insertions(+), 14 deletions(-) (limited to 'spec/controllers/admin_public_body_controller_spec.rb') diff --git a/spec/controllers/admin_public_body_controller_spec.rb b/spec/controllers/admin_public_body_controller_spec.rb index 2fa893a93..171cb21b5 100644 --- a/spec/controllers/admin_public_body_controller_spec.rb +++ b/spec/controllers/admin_public_body_controller_spec.rb @@ -4,10 +4,6 @@ describe AdminPublicBodyController, "when administering public bodies" do integrate_views before do - username = MySociety::Config.get('ADMIN_USERNAME', '') - password = MySociety::Config.get('ADMIN_PASSWORD', '') - basic_auth_login @request - @old_filters = ActionController::Routing::Routes.filters ActionController::Routing::Routes.filters = RoutingFilter::Chain.new end @@ -80,6 +76,17 @@ describe AdminPublicBodyController, "when administering public bodies and paying integrate_views + before do + config = MySociety::Config.load_default() + config['SKIP_ADMIN_AUTH'] = false + basic_auth_login @request + end + after do + config = MySociety::Config.load_default() + config['SKIP_ADMIN_AUTH'] = true + end + + it "disallows non-authenticated users to do anything" do @request.env["HTTP_AUTHORIZATION"] = "" n = PublicBody.count @@ -145,12 +152,6 @@ end describe AdminPublicBodyController, "when administering public bodies with i18n" do integrate_views - before do - username = MySociety::Config.get('ADMIN_USERNAME', '') - password = MySociety::Config.get('ADMIN_PASSWORD', '') - basic_auth_login @request - end - it "shows the index page" do get :index end @@ -214,10 +215,6 @@ describe AdminPublicBodyController, "when creating public bodies with i18n" do integrate_views before do - username = MySociety::Config.get('ADMIN_USERNAME', '') - password = MySociety::Config.get('ADMIN_PASSWORD', '') - basic_auth_login @request - @old_filters = ActionController::Routing::Routes.filters ActionController::Routing::Routes.filters = RoutingFilter::Chain.new end -- cgit v1.2.3