Module: Lockdown::Frameworks::Rails::Controller::Lock

Defined in:

lib/lockdown/frameworks/rails/controller.rb

Overview

Locking methods

Constant Summary

@@http_auth_headers =

%w(X-HTTP_AUTHORIZATION HTTP_AUTHORIZATION Authorization)

Instance Method Summary

• #access_denied(e) ⇒ Object
• #authorized?(url, method = nil) ⇒ Boolean
• #check_request_authorization ⇒ Object
• #check_session_expiry ⇒ Object
• #configure_lockdown ⇒ Object
• #get_auth_data ⇒ Object

  gets BASIC auth info.

• #login_from_basic_auth? ⇒ Boolean

  Called from current_user.

• #path_allowed?(url) ⇒ Boolean
• #path_from_hash(hash) ⇒ Object
• #redirect_back_or_default(default) ⇒ Object
• #remote_url?(domain = nil) ⇒ Boolean
• #sent_from_uri ⇒ Object
• #set_current_user ⇒ Object
• #store_location ⇒ Object

Instance Method Details

#access_denied(e) ⇒ Object

# File 'lib/lockdown/frameworks/rails/controller.rb', line 87

def access_denied(e)

  RAILS_DEFAULT_LOGGER.info "Access denied: #{e}"

  if Lockdown::System.fetch(:logout_on_access_violation)
    reset_session
  end
  respond_to do |format|
    format.html do
      store_location
      redirect_to Lockdown::System.fetch(:access_denied_path)
      return
    end
    format.xml do
      headers["Status"] = "Unauthorized"
      headers["WWW-Authenticate"] = %(Basic realm="Web Password")
      render :text => e.message, :status => "401 Unauthorized"
      return
    end
  end
end

#authorized?(url, method = nil) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/lockdown/frameworks/rails/controller.rb', line 63

def authorized?(url, method = nil)
  return false unless url

  return true if current_user_is_admin?

  method ||= (params[:method] || request.method)

  url_parts = URI::split(url.strip)

  url = url_parts[5]

  return true if path_allowed?(url)

  begin
    hash = ActionController::Routing::Routes.recognize_path(url, :method => method)
    return path_allowed?(path_from_hash(hash)) if hash
  rescue Exception
    # continue on
  end

  # Passing in different domain
  return remote_url?(url_parts[2])
end

#check_request_authorization ⇒ Object

# File 'lib/lockdown/frameworks/rails/controller.rb', line 33

def check_request_authorization
  unless authorized?(path_from_hash(params))
    raise SecurityError, "Authorization failed for params #{params.inspect}"
  end
end

#check_session_expiry ⇒ Object

# File 'lib/lockdown/frameworks/rails/controller.rb', line 44

def check_session_expiry
  if session[:expiry_time] && session[:expiry_time] < Time.now
    nil_lockdown_values
    Lockdown::System.call(self, :session_timeout_method)
  end
  session[:expiry_time] = Time.now + Lockdown::System.fetch(:session_timeout)
end

#configure_lockdown ⇒ Object

# File 'lib/lockdown/frameworks/rails/controller.rb', line 20

def configure_lockdown
  check_session_expiry
  store_location
end

#get_auth_data ⇒ Object

gets BASIC auth info

# File 'lib/lockdown/frameworks/rails/controller.rb', line 137

def get_auth_data
  auth_key  = @@http_auth_headers.detect { |h| request.env.has_key?(h) }
  auth_data = request.env[auth_key].to_s.split unless auth_key.blank?
  return auth_data && auth_data[0] == 'Basic' ? Base64.decode64(auth_data[1]).split(':')[0..1] : [nil, nil] 
end

#login_from_basic_auth? ⇒ Boolean

Called from current_user. Now, attempt to login by basic authentication information.

Returns:

• (Boolean)

# File 'lib/lockdown/frameworks/rails/controller.rb', line 128

def login_from_basic_auth?
  username, passwd = get_auth_data
  if username && passwd
    set_session_user ::User.authenticate(username, passwd)
  end
end

#path_allowed?(url) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/lockdown/frameworks/rails/controller.rb', line 39

def path_allowed?(url)
  session[:access_rights] ||= Lockdown::System.public_access
  session[:access_rights].include?(url)
end

#path_from_hash(hash) ⇒ Object

# File 'lib/lockdown/frameworks/rails/controller.rb', line 109

def path_from_hash(hash)
  hash[:controller].to_s + "/" + hash[:action].to_s
end

#redirect_back_or_default(default) ⇒ Object

# File 'lib/lockdown/frameworks/rails/controller.rb', line 118

def redirect_back_or_default(default)
  if session[:prevpage].nil? || session[:prevpage].blank?
    redirect_to(default) 
  else
    redirect_to(session[:prevpage])
  end
end

#remote_url?(domain = nil) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/lockdown/frameworks/rails/controller.rb', line 113

def remote_url?(domain = nil)
  return false if domain.nil? || domain.strip.length == 0
  request.host.downcase != domain.downcase
end

#sent_from_uri ⇒ Object

# File 'lib/lockdown/frameworks/rails/controller.rb', line 59

def sent_from_uri
  request.request_uri
end

#set_current_user ⇒ Object

# File 'lib/lockdown/frameworks/rails/controller.rb', line 25

def set_current_user
  login_from_basic_auth? unless logged_in?
  if logged_in?
    Thread.current[:who_did_it] = Lockdown::System.
      call(self, :who_did_it)
  end
end

#store_location ⇒ Object

# File 'lib/lockdown/frameworks/rails/controller.rb', line 52

def store_location
  if (request.method == :get) && (session[:thispage] != sent_from_uri)
    session[:prevpage] = session[:thispage] || ''
    session[:thispage] = sent_from_uri
  end
end