Module: Lockdown::Frameworks::Rails::Controller::Lock
- Defined in:
- lib/lockdown/frameworks/rails/controller.rb
Overview
Locking methods
Constant Summary
- @@http_auth_headers = %w(X-HTTP_AUTHORIZATION HTTP_AUTHORIZATION Authorization)
Instance Method Summary
- #access_denied(e) ⇒ Object
- #authorized?(url, method = nil) ⇒ Boolean
- #check_request_authorization ⇒ Object
- #check_session_expiry ⇒ Object
- #configure_lockdown ⇒ Object
#get_auth_data ⇒ Object
gets BASIC auth info.
#login_from_basic_auth? ⇒ Boolean
Called from current_user.
- #path_allowed?(url) ⇒ Boolean
- #path_from_hash(hash) ⇒ Object
- #redirect_back_or_default(default) ⇒ Object
- #remote_url?(domain = nil) ⇒ Boolean
- #sent_from_uri ⇒ Object
- #set_current_user ⇒ Object
- #store_location ⇒ Object
Instance Method Details
#access_denied(e) ⇒ Object
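# File 'lib/lockdown/frameworks/rails/controller.rb', line 87
# Handles an authorization failure raised while serving a request.
#
# Logs the failure, optionally drops the whole session, and then answers
# according to the requested format: HTML clients are remembered via
# store_location and redirected to the configured access-denied page; XML
# clients get a 401 with a Basic-auth challenge.
#
# @param e [Exception] the error that signalled the denial; its message is
#   written to the log and, for XML, sent verbatim to the client
# @return [void]
def access_denied(e)
  RAILS_DEFAULT_LOGGER.info "Access denied: #{e}"
  # Opt-in hardening: a violation can be treated as a sign the session should not survive.
  reset_session if Lockdown::System.fetch(:logout_on_access_violation)

  respond_to do |format|
    format.html do
      store_location
      redirect_to Lockdown::System.fetch(:access_denied_path)
      return
    end
    format.xml do
      headers["Status"] = "Unauthorized"
      headers["WWW-Authenticate"] = %(Basic realm="Web Password")
      # The rendered text was garbled in the original listing (`e.`); the
      # exception message is what is exposed here, so keep it free of request
      # details that should not be reflected back to the client.
      render :text => e.message, :status => "401 Unauthorized"
      return
    end
  end
end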
#authorized?(url, method = nil) ⇒ Boolean
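# File 'lib/lockdown/frameworks/rails/controller.rb', line 63
# Is +url+ reachable by the current user?
#
# Resolution order: a nil url is never authorized; an admin always is; the
# url's path component is checked against the session's access rights; then
# the path is run through the Rails router and the resulting
# "controller/action" is checked; finally a url pointing at another host is
# treated as allowed (it is not this application's resource).
#
# @param url [String, nil] absolute or relative URL
# @param method [Symbol, String, nil] HTTP verb used for route recognition;
#   defaults to params[:method], then the real request method
# @return [Boolean]
def authorized?(url, method = nil)
  return false unless url
  return true if current_user_is_admin?

  # NOTE(review): params[:method] lets the client choose the verb used for
  # route recognition, which is not Rails' own _method override — confirm this
  # is intended, since it can make a request be authorized as a different verb.
  method ||= (params[:method] || request.method)

  url_parts = URI::split(url.strip)
  url = url_parts[5] # path component

  return true if path_allowed?(url)

  begin
    hash = ActionController::Routing::Routes.recognize_path(url, :method => method)
    return path_allowed?(path_from_hash(hash)) if hash
  rescue StandardError
    # Unrecognised route: fall through to the remote-host check. This was
    # `rescue Exception`, which also swallowed SignalException, SystemExit and
    # NoMemoryError; StandardError still covers routing errors.
  end

  # Passing in different domain
  remote_url?(url_parts[2])
end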
#check_request_authorization ⇒ Object
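# File 'lib/lockdown/frameworks/rails/controller.rb', line 33
# Before-filter style guard: refuses the current request unless the
# "controller/action" it targets is authorized for the current user.
#
# @raise [SecurityError] when authorized? rejects the request's path
# @return [void]
def check_request_authorization
  path = path_from_hash(params)
  return if authorized?(path)

  # Only the refused controller/action is reported. The previous message
  # embedded params.inspect, which access_denied writes to the log and also
  # renders into the XML 401 body — echoing any submitted credentials or tokens
  # back to the client and into the log.
  raise SecurityError, "Authorization failed for #{path}"
end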
#check_session_expiry ⇒ Object
# File 'lib/lockdown/frameworks/rails/controller.rb', line 44
# Enforces an idle timeout on the session.
#
# If the stored expiry has passed, the lockdown values are cleared and the
# configured :session_timeout_method hook is invoked. Whether or not it had
# expired, the expiry is then pushed out by :session_timeout from now, so
# the window slides with every request.
#
# @return [Time] the new expiry time written to the session
def check_session_expiry
  expires_at = session[:expiry_time]
  if expires_at && expires_at < Time.now
    nil_lockdown_values
    Lockdown::System.call(self, :session_timeout_method)
  end

  # NOTE(review): the timeout is enforced from a session-stored timestamp, so
  # its integrity depends on the session store's own protection — confirm.
  session[:expiry_time] = Time.now + Lockdown::System.fetch(:session_timeout)
end
#configure_lockdown ⇒ Object
# File 'lib/lockdown/frameworks/rails/controller.rb', line 20
# Per-request setup: expire a stale session first, then record the page
# being visited so redirect_back_or_default can return to it later.
#
# @return [void]
def configure_lockdown
  check_session_expiry
  store_location
end
#get_auth_data ⇒ Object
gets BASIC auth info
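# File 'lib/lockdown/frameworks/rails/controller.rb', line 137
# gets BASIC auth info
#
# Looks for the first HTTP Basic authorization header in request.env (the
# candidate header names are in @@http_auth_headers) and decodes it.
#
# @return [Array(String, String), Array(nil, nil), Array] +[username, password]+
#   when a Basic credential is present; +[nil, nil]+ when there is no header,
#   the scheme is not Basic, or the credential part is missing
def get_auth_data
  auth_key = @@http_auth_headers.detect { |h| request.env.has_key?(h) }
  auth_data = request.env[auth_key].to_s.split unless auth_key.blank?

  # A bare "Basic" header used to reach Base64.decode64(nil) and raise; treat it
  # as "no credentials" instead.
  return [nil, nil] unless auth_data && auth_data[0] == 'Basic' && auth_data[1]

  # Split on the first ':' only — a password may itself contain ':' (only the
  # user-id may not, per RFC 7617); the old unbounded split truncated such
  # passwords and so rejected valid logins.
  Base64.decode64(auth_data[1]).split(':', 2)
end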
#login_from_basic_auth? ⇒ Boolean
Called from current_user; attempts to log in using the HTTP Basic authentication credentials on the request.
# File 'lib/lockdown/frameworks/rails/controller.rb', line 128
# Called from current_user. Tries to establish a session user from HTTP Basic
# credentials on the request.
#
# @return [Object, nil] whatever set_session_user returns for the
#   ::User.authenticate result, or nil when no complete credential pair was sent
def login_from_basic_auth?
  username, passwd = get_auth_data
  return unless username && passwd

  set_session_user ::User.authenticate(username, passwd)
end
#path_allowed?(url) ⇒ Boolean
# File 'lib/lockdown/frameworks/rails/controller.rb', line 39
# Is +url+ in the session's access-rights list?
#
# The list is lazily seeded with Lockdown::System.public_access the first
# time it is consulted in a session.
#
# @param url [String] path or "controller/action" string
# @return [Boolean]
def path_allowed?(url)
  rights = (session[:access_rights] ||= Lockdown::System.public_access)
  rights.include?(url)
end
#path_from_hash(hash) ⇒ Object
# File 'lib/lockdown/frameworks/rails/controller.rb', line 109
# Builds the "controller/action" key used for access-rights lookups.
#
# @param hash [Hash] anything responding to +[:controller]+ and +[:action]+
#   (params, or a recognize_path result)
# @return [String] e.g. "users/show"; missing parts become empty strings
def path_from_hash(hash)
  "#{hash[:controller]}/#{hash[:action]}"
end
#redirect_back_or_default(default) ⇒ Object
# File 'lib/lockdown/frameworks/rails/controller.rb', line 118
# Redirects to the page recorded by store_location, or to +default+ when
# nothing usable was recorded.
#
# @param default [String, Hash] redirect target used when session[:prevpage]
#   is nil or blank
# @return [void]
def redirect_back_or_default(default)
  previous = session[:prevpage]
  # NOTE(review): the target comes from the session, which store_location fills
  # from request.request_uri — confirm that is always a local path.
  target = (previous.nil? || previous.blank?) ? default : previous
  redirect_to(target)
end
#remote_url?(domain = nil) ⇒ Boolean
# File 'lib/lockdown/frameworks/rails/controller.rb', line 113
# Does +domain+ name a host other than the one serving this request?
#
# @param domain [String, nil] host part of a URL
# @return [Boolean] false for nil/blank input; otherwise a case-insensitive
#   inequality against request.host
def remote_url?(domain = nil)
  return false if domain.nil? || domain.strip.empty?

  own_host = request.host.downcase
  own_host != domain.downcase
end
#sent_from_uri ⇒ Object
# File 'lib/lockdown/frameworks/rails/controller.rb', line 59
# The URI of the current request, as recorded by store_location.
#
# @return [String] request.request_uri
def sent_from_uri
  request.request_uri
end
#set_current_user ⇒ Object
# File 'lib/lockdown/frameworks/rails/controller.rb', line 25
# Establishes the acting user for this request.
#
# Falls back to HTTP Basic credentials when no session login exists, then
# publishes the configured :who_did_it value on the current thread.
#
# @return [Object, nil] the :who_did_it value, or nil when nobody is logged in
def set_current_user
  login_from_basic_auth? unless logged_in?
  return unless logged_in?

  # NOTE(review): nothing here clears this thread-local when no user is logged
  # in, so a reused thread could carry the previous request's value unless
  # nil_lockdown_values or a hook resets it — confirm.
  Thread.current[:who_did_it] = Lockdown::System.call(self, :who_did_it)
end
#store_location ⇒ Object
# File 'lib/lockdown/frameworks/rails/controller.rb', line 52
# Remembers the current and previous GET pages in the session so that
# redirect_back_or_default can send the user back after a detour.
#
# Only GET requests are recorded, and only when the URI differs from the one
# already stored as the current page.
#
# @return [void]
def store_location
  return unless request.method == :get

  current = sent_from_uri
  return if session[:thispage] == current

  session[:prevpage] = session[:thispage] || ''
  session[:thispage] = current
end