allow login via private token only for atom feeds

cc3c6ad0 · Nihad Abbasov · f8f6ff06 · cc3c6ad0 · cc3c6ad0
Commit cc3c6ad0 authored Jun 01, 2012 by Nihad Abbasov
Hide whitespace changes
Inline Side-by-side

Showing with 16 additions and 2 deletions

app/controllers/application_controller.rb app/controllers/application_controller.rb +9 -2

spec/requests/projects_spec.rb spec/requests/projects_spec.rb +7 -0

No files found.
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
 class ApplicationController < ActionController::Base
  before_filter :authenticate_user!
  before_filter :reject_blocked!
-  before_filter :set_current_user_for_mailer
+  before_filter :set_current_user_for_mailer, :check_token_auth
  protect_from_forgery
  helper_method :abilities, :can?

@@ -17,9 +17,16 @@ class ApplicationController < ActionController::Base

  protected

+  def check_token_auth
+    # Redirect to login page if not atom feed
+    if params[:private_token].present? && params[:format] != 'atom'
+      redirect_to new_user_session_path
+    end
+  end
+
  def reject_blocked!
    if current_user && current_user.blocked
-      sign_out current_user 
+      sign_out current_user
      flash[:alert] = "Your account was blocked"
      redirect_to new_user_session_path
    end

--- a/spec/requests/projects_spec.rb
+++ b/spec/requests/projects_spec.rb
@@ -28,6 +28,13 @@ describe "Projects" do
      visit projects_path(:atom, :private_token => @user.private_token)
      page.body.should have_selector("feed title")
    end
+
+    it "should not render projects page via private token" do
+      logout
+
+      visit projects_path(:private_token => @user.private_token)
+      current_path.should == new_user_session_path
+    end
  end

  describe "GET /projects/new" do