Commit cc3c6ad0 authored by Nihad Abbasov

allow login via private token only for atom feeds

parent f8f6ff06
class ApplicationController < ActionController::Base class ApplicationController < ActionController::Base
before_filter :authenticate_user! before_filter :authenticate_user!
before_filter :reject_blocked! before_filter :reject_blocked!
before_filter :set_current_user_for_mailer before_filter :set_current_user_for_mailer, :check_token_auth
protect_from_forgery protect_from_forgery
helper_method :abilities, :can? helper_method :abilities, :can?
...@@ -17,6 +17,13 @@ class ApplicationController < ActionController::Base ...@@ -17,6 +17,13 @@ class ApplicationController < ActionController::Base
protected protected
def check_token_auth
# Redirect to login page if not atom feed
if params[:private_token].present? && params[:format] != 'atom'
redirect_to new_user_session_path
end
end
def reject_blocked! def reject_blocked!
if current_user && current_user.blocked if current_user && current_user.blocked
sign_out current_user sign_out current_user
......
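Review bot: `check_token_auth` runs after `authenticate_user!`, because it is appended to the second `before_filter` list while `authenticate_user!` is declared first, so on a non-atom request carrying a private token the authentication strategies have already seen the token and presumably signed the user in before the redirect is issued; whether that sign-in is also written to the session depends on the Devise token strategy's storage setting, which is not visible here. Rejecting before authenticating is the safer shape: declare it as `prepend_before_filter :check_token_auth` (and drop it from the `set_current_user_for_mailer` line) so a private token on a non-atom request is never offered to the authentication strategies at all. A one-line comment on the method such as `# Private tokens are accepted only for atom feeds; any other request carrying one is sent to the login page` would also make the intent clearer than the current comment. The enclosing class continues outside the hunk.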
...@@ -28,6 +28,13 @@ describe "Projects" do ...@@ -28,6 +28,13 @@ describe "Projects" do
visit projects_path(:atom, :private_token => @user.private_token) visit projects_path(:atom, :private_token => @user.private_token)
page.body.should have_selector("feed title") page.body.should have_selector("feed title")
end end
it "should not render projects page via private token" do
logout
visit projects_path(:private_token => @user.private_token)
current_path.should == new_user_session_path
end
end end
describe "GET /projects/new" do describe "GET /projects/new" do
......
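Review bot: The new example asserts only the immediate redirect to `new_user_session_path`; it does not show that the rejected token left no authenticated session behind, which is the property the commit is meant to protect. Adding a second `visit projects_path` with no token, followed by `current_path.should == new_user_session_path`, would pin that down, since a follow-up request would reach the projects page if the earlier token-based request had established a session. The enclosing describe block continues outside the hunk.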