Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
d3462e71
Commit
d3462e71
authored
Apr 22, 2016
by
Douwe Maan
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Fix issue with impersonation
parent
80893cad
Changes
9
Hide whitespace changes
Inline
Side-by-side
Showing
9 changed files
with
192 additions
and
69 deletions
+192
-69
app/controllers/admin/application_controller.rb
app/controllers/admin/application_controller.rb
+1
-7
app/controllers/admin/impersonation_controller.rb
app/controllers/admin/impersonation_controller.rb
+0
-38
app/controllers/admin/impersonations_controller.rb
app/controllers/admin/impersonations_controller.rb
+28
-0
app/controllers/admin/users_controller.rb
app/controllers/admin/users_controller.rb
+16
-0
app/views/layouts/header/_default.html.haml
app/views/layouts/header/_default.html.haml
+1
-1
config/routes.rb
config/routes.rb
+3
-3
spec/controllers/admin/impersonation_controller_spec.rb
spec/controllers/admin/impersonation_controller_spec.rb
+0
-19
spec/controllers/admin/impersonations_controller_spec.rb
spec/controllers/admin/impersonations_controller_spec.rb
+95
-0
spec/controllers/admin/users_controller_spec.rb
spec/controllers/admin/users_controller_spec.rb
+48
-1
No files found.
app/controllers/admin/application_controller.rb
View file @
d3462e71
...
@@ -6,12 +6,6 @@ class Admin::ApplicationController < ApplicationController
...
@@ -6,12 +6,6 @@ class Admin::ApplicationController < ApplicationController
layout
'admin'
layout
'admin'
def
authenticate_admin!
def
authenticate_admin!
return
render_404
unless
current_user
.
is_admin?
render_404
unless
current_user
.
is_admin?
end
def
authorize_impersonator!
if
session
[
:impersonator_id
]
User
.
find_by!
(
username:
session
[
:impersonator_id
]).
admin?
end
end
end
end
end
app/controllers/admin/impersonation_controller.rb
deleted
100644 → 0
View file @
80893cad
class
Admin::ImpersonationController
<
Admin
::
ApplicationController
skip_before_action
:authenticate_admin!
,
only: :destroy
before_action
:user
before_action
:authorize_impersonator!
def
create
if
@user
.
blocked?
flash
[
:alert
]
=
"You cannot impersonate a blocked user"
redirect_to
admin_user_path
(
@user
)
else
session
[
:impersonator_id
]
=
current_user
.
username
session
[
:impersonator_return_to
]
=
admin_user_path
(
@user
)
warden
.
set_user
(
user
,
scope:
'user'
)
flash
[
:alert
]
=
"You are impersonating
#{
user
.
username
}
."
redirect_to
root_path
end
end
def
destroy
redirect
=
session
[
:impersonator_return_to
]
warden
.
set_user
(
user
,
scope:
'user'
)
session
[
:impersonator_return_to
]
=
nil
session
[
:impersonator_id
]
=
nil
redirect_to
redirect
||
root_path
end
def
user
@user
||=
User
.
find_by!
(
username:
params
[
:id
]
||
session
[
:impersonator_id
])
end
end
app/controllers/admin/impersonations_controller.rb
0 → 100644
View file @
d3462e71
class
Admin::ImpersonationsController
<
Admin
::
ApplicationController
skip_before_action
:authenticate_admin!
before_action
:authenticate_impersonator!
def
destroy
redirect_path
=
admin_user_path
(
current_user
)
warden
.
set_user
(
impersonator
,
scope: :user
)
session
[
:impersonator_id
]
=
nil
redirect_to
redirect_path
end
private
def
user
@user
||=
User
.
find
(
params
[
:id
])
end
def
impersonator
@impersonator
||=
User
.
find
(
session
[
:impersonator_id
])
if
session
[
:impersonator_id
]
end
def
authenticate_impersonator!
render_404
unless
impersonator
&&
impersonator
.
is_admin?
&&
!
impersonator
.
blocked?
end
end
app/controllers/admin/users_controller.rb
View file @
d3462e71
...
@@ -31,6 +31,22 @@ class Admin::UsersController < Admin::ApplicationController
...
@@ -31,6 +31,22 @@ class Admin::UsersController < Admin::ApplicationController
user
user
end
end
def
impersonate
if
user
.
blocked?
flash
[
:alert
]
=
"You cannot impersonate a blocked user"
redirect_to
admin_user_path
(
user
)
else
session
[
:impersonator_id
]
=
current_user
.
id
warden
.
set_user
(
user
,
scope: :user
)
flash
[
:alert
]
=
"You are now impersonating
#{
user
.
username
}
"
redirect_to
root_path
end
end
def
block
def
block
if
user
.
block
if
user
.
block
redirect_back_or_admin_user
(
notice:
"Successfully blocked"
)
redirect_back_or_admin_user
(
notice:
"Successfully blocked"
)
...
...
app/views/layouts/header/_default.html.haml
View file @
d3462e71
...
@@ -15,7 +15,7 @@
...
@@ -15,7 +15,7 @@
-
if
current_user
-
if
current_user
-
if
session
[
:impersonator_id
]
-
if
session
[
:impersonator_id
]
%li
.impersonation
%li
.impersonation
=
link_to
stop_impersonation_admin_users
_path
,
method: :delete
,
title:
'Stop Impersonation'
,
data:
{
toggle:
'tooltip'
,
placement:
'bottom'
,
container:
'body'
}
do
=
link_to
admin_impersonation
_path
,
method: :delete
,
title:
'Stop Impersonation'
,
data:
{
toggle:
'tooltip'
,
placement:
'bottom'
,
container:
'body'
}
do
=
icon
(
'user-secret fw'
)
=
icon
(
'user-secret fw'
)
-
if
current_user
.
is_admin?
-
if
current_user
.
is_admin?
%li
%li
...
...
config/routes.rb
View file @
d3462e71
...
@@ -212,8 +212,6 @@ Rails.application.routes.draw do
...
@@ -212,8 +212,6 @@ Rails.application.routes.draw do
resources
:keys
,
only:
[
:show
,
:destroy
]
resources
:keys
,
only:
[
:show
,
:destroy
]
resources
:identities
,
except:
[
:show
]
resources
:identities
,
except:
[
:show
]
delete
'stop_impersonation'
=>
'impersonation#destroy'
,
on: :collection
member
do
member
do
get
:projects
get
:projects
get
:keys
get
:keys
...
@@ -223,12 +221,14 @@ Rails.application.routes.draw do
...
@@ -223,12 +221,14 @@ Rails.application.routes.draw do
put
:unblock
put
:unblock
put
:unlock
put
:unlock
put
:confirm
put
:confirm
post
'impersonate'
=>
'impersonation#create'
post
:impersonate
patch
:disable_two_factor
patch
:disable_two_factor
delete
'remove/:email_id'
,
action:
'remove_email'
,
as:
'remove_email'
delete
'remove/:email_id'
,
action:
'remove_email'
,
as:
'remove_email'
end
end
end
end
resource
:impersonation
,
only: :destroy
resources
:abuse_reports
,
only:
[
:index
,
:destroy
]
resources
:abuse_reports
,
only:
[
:index
,
:destroy
]
resources
:spam_logs
,
only:
[
:index
,
:destroy
]
resources
:spam_logs
,
only:
[
:index
,
:destroy
]
...
...
spec/controllers/admin/impersonation_controller_spec.rb
deleted
100644 → 0
View file @
80893cad
require
'spec_helper'
describe
Admin
::
ImpersonationController
do
let
(
:admin
)
{
create
(
:admin
)
}
before
do
sign_in
(
admin
)
end
describe
'CREATE #impersonation when blocked'
do
let
(
:blocked_user
)
{
create
(
:user
,
state: :blocked
)
}
it
'does not allow impersonation'
do
post
:create
,
id:
blocked_user
.
username
expect
(
flash
[
:alert
]).
to
eq
'You cannot impersonate a blocked user'
end
end
end
spec/controllers/admin/impersonations_controller_spec.rb
0 → 100644
View file @
d3462e71
require
'spec_helper'
describe
Admin
::
ImpersonationsController
do
let
(
:impersonator
)
{
create
(
:admin
)
}
let
(
:user
)
{
create
(
:user
)
}
describe
"DELETE destroy"
do
context
"when not signed in"
do
it
"redirects to the sign in page"
do
delete
:destroy
expect
(
response
).
to
redirect_to
(
new_user_session_path
)
end
end
context
"when signed in"
do
before
do
sign_in
(
user
)
end
context
"when not impersonating"
do
it
"responds with status 404"
do
delete
:destroy
expect
(
response
.
status
).
to
eq
(
404
)
end
it
"doesn't sign us in"
do
delete
:destroy
expect
(
warden
.
user
).
to
eq
(
user
)
end
end
context
"when impersonating"
do
before
do
session
[
:impersonator_id
]
=
impersonator
.
id
end
context
"when the impersonator is not impersonator (anymore)"
do
before
do
impersonator
.
admin
=
false
impersonator
.
save
end
it
"responds with status 404"
do
delete
:destroy
expect
(
response
.
status
).
to
eq
(
404
)
end
it
"doesn't sign us in as the impersonator"
do
delete
:destroy
expect
(
warden
.
user
).
to
eq
(
user
)
end
end
context
"when the impersonator is admin"
do
context
"when the impersonator is blocked"
do
before
do
impersonator
.
block!
end
it
"responds with status 404"
do
delete
:destroy
expect
(
response
.
status
).
to
eq
(
404
)
end
it
"doesn't sign us in as the impersonator"
do
delete
:destroy
expect
(
warden
.
user
).
to
eq
(
user
)
end
end
context
"when the impersonator is not blocked"
do
it
"redirects to the impersonated user's page"
do
delete
:destroy
expect
(
response
).
to
redirect_to
(
admin_user_path
(
user
))
end
it
"signs us in as the impersonator"
do
delete
:destroy
expect
(
warden
.
user
).
to
eq
(
impersonator
)
end
end
end
end
end
end
end
spec/controllers/admin/users_controller_spec.rb
View file @
d3462e71
...
@@ -2,9 +2,10 @@ require 'spec_helper'
...
@@ -2,9 +2,10 @@ require 'spec_helper'
describe
Admin
::
UsersController
do
describe
Admin
::
UsersController
do
let
(
:user
)
{
create
(
:user
)
}
let
(
:user
)
{
create
(
:user
)
}
let
(
:admin
)
{
create
(
:admin
)
}
before
do
before
do
sign_in
(
create
(
:admin
)
)
sign_in
(
admin
)
end
end
describe
'DELETE #user with projects'
do
describe
'DELETE #user with projects'
do
...
@@ -112,4 +113,50 @@ describe Admin::UsersController do
...
@@ -112,4 +113,50 @@ describe Admin::UsersController do
patch
:disable_two_factor
,
id:
user
.
to_param
patch
:disable_two_factor
,
id:
user
.
to_param
end
end
end
end
describe
"POST impersonate"
do
context
"when the user is blocked"
do
before
do
user
.
block!
end
it
"shows a notice"
do
post
:impersonate
,
id:
user
.
username
expect
(
flash
[
:alert
]).
to
eq
(
"You cannot impersonate a blocked user"
)
end
it
"doesn't sign us in as the user"
do
post
:impersonate
,
id:
user
.
username
expect
(
warden
.
user
).
to
eq
(
admin
)
end
end
context
"when the user is not blocked"
do
it
"stores the impersonator in the session"
do
post
:impersonate
,
id:
user
.
username
expect
(
session
[
:impersonator_id
]).
to
eq
(
admin
.
id
)
end
it
"signs us in as the user"
do
post
:impersonate
,
id:
user
.
username
expect
(
warden
.
user
).
to
eq
(
user
)
end
it
"redirects to root"
do
post
:impersonate
,
id:
user
.
username
expect
(
response
).
to
redirect_to
(
root_path
)
end
it
"shows a notice"
do
post
:impersonate
,
id:
user
.
username
expect
(
flash
[
:alert
]).
to
eq
(
"You are now impersonating
#{
user
.
username
}
"
)
end
end
end
end
end
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment