From 846e581732e291f8927d04a5b1b40fe8f2688885 Mon Sep 17 00:00:00 2001 From: "http://jneen.net/" Date: Tue, 28 Feb 2017 13:08:07 -0800 Subject: use a magic default :global symbol instead of nil to make sure we mean the global permissions --- app/controllers/application_controller.rb | 2 +- app/controllers/groups_controller.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'app/controllers') diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 1c66c530cd2..9b381336fab 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -90,7 +90,7 @@ class ApplicationController < ActionController::Base current_application_settings.after_sign_out_path.presence || new_user_session_path end - def can?(object, action, subject) + def can?(object, action, subject = :global) Ability.allowed?(object, action, subject) end diff --git a/app/controllers/groups_controller.rb b/app/controllers/groups_controller.rb index 4663b6e7fc6..05f9ee1ee90 100644 --- a/app/controllers/groups_controller.rb +++ b/app/controllers/groups_controller.rb @@ -118,7 +118,7 @@ class GroupsController < Groups::ApplicationController end def authorize_create_group! - unless can?(current_user, :create_group, nil) + unless can?(current_user, :create_group) return render_404 end end -- cgit v1.2.1 From 0ea04cc5bfcc125875a6e0f46702389f0e2e19c0 Mon Sep 17 00:00:00 2001 From: "http://jneen.net/" Date: Tue, 28 Feb 2017 13:19:52 -0800 Subject: use the policy stack to protect logins --- app/controllers/application_controller.rb | 2 +- app/controllers/concerns/authenticates_with_two_factor.rb | 7 +++---- 2 files changed, 4 insertions(+), 5 deletions(-) (limited to 'app/controllers') diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 9b381336fab..b7ce081a5cd 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -67,7 +67,7 @@ class ApplicationController < ActionController::Base token_string = params[:private_token].presence || request.headers['PRIVATE-TOKEN'].presence user = User.find_by_authentication_token(token_string) || User.find_by_personal_access_token(token_string) - if user + if user && can?(user, :log_in) # Notice we are passing store false, so the user is not # actually stored in the session and a token is needed # for every request. If you want the token to work as a diff --git a/app/controllers/concerns/authenticates_with_two_factor.rb b/app/controllers/concerns/authenticates_with_two_factor.rb index 4c497711fc0..ea441b1736b 100644 --- a/app/controllers/concerns/authenticates_with_two_factor.rb +++ b/app/controllers/concerns/authenticates_with_two_factor.rb @@ -23,7 +23,7 @@ module AuthenticatesWithTwoFactor # # Returns nil def prompt_for_two_factor(user) - return locked_user_redirect(user) if user.access_locked? + return locked_user_redirect(user) unless user.can?(:log_in) session[:otp_user_id] = user.id setup_u2f_authentication(user) @@ -37,10 +37,9 @@ module AuthenticatesWithTwoFactor def authenticate_with_two_factor user = self.resource = find_user + return locked_user_redirect(user) unless user.can?(:log_in) - if user.access_locked? - locked_user_redirect(user) - elsif user_params[:otp_attempt].present? && session[:otp_user_id] + if user_params[:otp_attempt].present? && session[:otp_user_id] authenticate_with_two_factor_via_otp(user) elsif user_params[:device_response].present? && session[:otp_user_id] authenticate_with_two_factor_via_u2f(user) -- cgit v1.2.1 From dfe41c1556a5e31480a230e13033dd523ef51ba3 Mon Sep 17 00:00:00 2001 From: "http://jneen.net/" Date: Tue, 28 Feb 2017 13:35:37 -0800 Subject: protect internal users from impersonation --- app/controllers/admin/users_controller.rb | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'app/controllers') diff --git a/app/controllers/admin/users_controller.rb b/app/controllers/admin/users_controller.rb index 7ffde71c3b1..7f86723b921 100644 --- a/app/controllers/admin/users_controller.rb +++ b/app/controllers/admin/users_controller.rb @@ -32,6 +32,10 @@ class Admin::UsersController < Admin::ApplicationController if user.blocked? flash[:alert] = "You cannot impersonate a blocked user" + redirect_to admin_user_path(user) + elsif user.internal? + flash[:alert] = "You cannot impersonate an internal user" + redirect_to admin_user_path(user) else session[:impersonator_id] = current_user.id -- cgit v1.2.1 From b88314f4ad955897dc737b6e9515b43dc9d97422 Mon Sep 17 00:00:00 2001 From: "http://jneen.net/" Date: Tue, 7 Mar 2017 19:05:01 -0800 Subject: consolidate the error handling for #impersonate --- app/controllers/admin/users_controller.rb | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) (limited to 'app/controllers') diff --git a/app/controllers/admin/users_controller.rb b/app/controllers/admin/users_controller.rb index 7f86723b921..205cf0490ab 100644 --- a/app/controllers/admin/users_controller.rb +++ b/app/controllers/admin/users_controller.rb @@ -29,15 +29,7 @@ class Admin::UsersController < Admin::ApplicationController end def impersonate - if user.blocked? - flash[:alert] = "You cannot impersonate a blocked user" - - redirect_to admin_user_path(user) - elsif user.internal? - flash[:alert] = "You cannot impersonate an internal user" - - redirect_to admin_user_path(user) - else + if !can?(user, :log_in) session[:impersonator_id] = current_user.id warden.set_user(user, scope: :user) @@ -47,6 +39,17 @@ class Admin::UsersController < Admin::ApplicationController flash[:alert] = "You are now impersonating #{user.username}" redirect_to root_path + else + flash[:alert] = + if user.blocked? + "You cannot impersonate a blocked user" + elsif user.internal? + "You cannot impersonate an internal user" + else + "You cannot impersonate a user who cannot log in" + end + + redirect_to admin_user_path(user) end end -- cgit v1.2.1 From 66f204e0f0dd74df3409547bea2cec98c8947f2c Mon Sep 17 00:00:00 2001 From: "http://jneen.net/" Date: Thu, 9 Mar 2017 12:02:56 -0800 Subject: get the logic right :X --- app/controllers/admin/users_controller.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'app/controllers') diff --git a/app/controllers/admin/users_controller.rb b/app/controllers/admin/users_controller.rb index 205cf0490ab..24504685e48 100644 --- a/app/controllers/admin/users_controller.rb +++ b/app/controllers/admin/users_controller.rb @@ -29,7 +29,7 @@ class Admin::UsersController < Admin::ApplicationController end def impersonate - if !can?(user, :log_in) + if can?(user, :log_in) session[:impersonator_id] = current_user.id warden.set_user(user, scope: :user) -- cgit v1.2.1