fortress 0.2.0 → 0.2.1
- checksums.yaml +4 -4
- data/README.md +27 -0
- data/lib/fortress/configuration.rb +10 -0
- data/lib/fortress/controller.rb +27 -13
- data/lib/fortress/controller_interface.rb +23 -6
- data/lib/fortress/mechanism.rb +16 -12
- data/lib/fortress/version.rb +1 -1
- data/spec/fortress/external_controllers_spec.rb +5 -0
- metadata +1 -1
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 3228b2df9776560d0160ae736f3f4decbd2ef0ec
|
4
|
+
data.tar.gz: 07a6e8228daa35591a4085a9894aca112a0ccc74
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: eec57ac7d0927ebbf9e52606ed0c9cadf6fd71f4ff9491851fd776503c97f2ab8489ec5269d293490807c8efe1686c1285cd23cb4f191b225337df4dc11066f6
|
7
|
+
data.tar.gz: a79e1f069fe5507ac33128edfa9cde2d4bc5401c06a93f51acecb850e955c0669103d1e719214711a1e8354d64b009b6bc1b75fee63630b74702ce6947f013f9
|
data/README.md
CHANGED
@@ -35,6 +35,21 @@ After having installed the gem, and started the server, all the routes are
|
|
35
35
|
closed. At this moment your application is absoluetly un-usable so it's in the
|
36
36
|
maximum secure mode ; )
|
37
37
|
|
38
|
+
### Configuration
|
39
|
+
|
40
|
+
#### externals
|
41
|
+
|
42
|
+
When using a gem adding controllers to your application, like Devise, Fortress
|
43
|
+
needs to be aware of them otherwise it will prevent access to them.
|
44
|
+
|
45
|
+
You can do this by using the `externals` option within an initializer:
|
46
|
+
|
47
|
+
```ruby
|
48
|
+
Fortress.configure do |config|
|
49
|
+
config.externals = %w(SessionsController)
|
50
|
+
end
|
51
|
+
```
|
52
|
+
|
38
53
|
### Allow access to the root controller
|
39
54
|
|
40
55
|
The first action to take is to allow the root controller as it's the place
|
@@ -144,6 +159,18 @@ class PostsController < ApplicationController
|
|
144
159
|
end
|
145
160
|
```
|
146
161
|
|
162
|
+
## Detecting blocked controllers
|
163
|
+
|
164
|
+
It can be a little bit hard to find all the blocked controller in a big
|
165
|
+
application.
|
166
|
+
|
167
|
+
I recommend you to use the following command:
|
168
|
+
|
169
|
+
$ tail -f log/*.log | grep prevent_access -B 5
|
170
|
+
|
171
|
+
You will see which controller is called and then blocked by the prevent_access!
|
172
|
+
method from Fortress.
|
173
|
+
|
147
174
|
## Contributing
|
148
175
|
|
149
176
|
1. Fork it ( https://github.com/YourCursus/fortress/fork )
|
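--- a/data/lib/fortress/configuration.rb
+++ b/data/lib/fortress/configuration.rb
@@ -1,3 +1,8 @@
+#
+# Fortress is a protection mechanism for Rails applications
+#
+# @author zedtux
+#
 module Fortress
 class << self
 attr_accessor :configuration
@@ -11,6 +16,11 @@ module Fortress
 apply_configuration!
 end
 
+#
+# Fortress configuration management class
+#
+# @author zedtux
+#
 class Configuration
 attr_reader :options
 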
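--- a/data/lib/fortress/controller.rb
+++ b/data/lib/fortress/controller.rb
@@ -29,20 +29,10 @@ module Fortress
 # You can re-define it within the ApplicationController of you rails
 # application.
 def access_deny
-message = 'You are not authorised to access this page.'
 respond_to do |format|
-format.html
-
-
-end
-format.json do
-self.status = :unauthorized
-self.response_body = { error: message }.to_json
-end
-format.xml do
-self.status = :unauthorized
-self.response_body = { error: message }.to_xml
-end
+format.html { redirect_to_root_url_with_flash_message }
+format.json { unauthorized_with_error_message(:json) }
+format.xml { unauthorized_with_error_message(:xml) }
 end
 end
 
@@ -57,5 +47,29 @@ module Fortress
 Mechanism.parse_options(self, actions, options) if options.present?
 end
 end
+
+private
+
+def error_message
+'You are not authorised to access this page.'
+end
+
+def redirect_to_root_url_with_flash_message
+flash[:error] = error_message
+redirect_to root_url
+end
+
+def unauthorized_with_error_message(format)
+self.status = :unauthorized
+self.response_body = response_for_format(format)
+end
+
+def response_for_format(format)
+response = { error: error_message }
+case
+when format == :json then response.to_json
+when format == :xml then response.to_xml
+end
+end
 end
 end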
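Review bot: `response_for_format` falls off the end of its `case` and returns nil for any format other than :json or :xml, so `unauthorized_with_error_message` would then set `response_body` to nil; since it dispatches on a single value, `case format` / `when :json then response.to_json` / `when :xml then response.to_xml` reads better, and an `else raise ArgumentError, "unsupported format: #{format}"` makes the unsupported case fail loudly instead of sending an empty 401. The `:unauthorized` status set in `unauthorized_with_error_message` means "no valid credential" (401); for a policy denial of an already-identified client `:forbidden` (403) is the matching status, although changing it alters what existing API clients see, so that is a follow-up rather than part of this refactor. The HTML branch redirects to `root_url`, and the README states all routes are closed until explicitly allowed, so a root controller that is itself denied would redirect in a loop — worth a one-line comment on `redirect_to_root_url_with_flash_message` pointing at the "allow the root controller" step.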
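--- a/data/lib/fortress/controller_interface.rb
+++ b/data/lib/fortress/controller_interface.rb
@@ -29,15 +29,13 @@ module Fortress
 end
 
 def allow_action?(name)
-return false if
+return false if action_forbidden?(name.to_sym)
 
-if
-
-return params[:if][:method] == true
-end
+if conditionnal_method_with_action?(name.to_sym)
+return params[:if][:method] == true
 end
 
-return true if
+return true if action_allowed_from_only?(name.to_sym)
 
 allow_all?
 end
@@ -54,5 +52,24 @@ module Fortress
 def call_allow_method
 instance.send(params[:if][:method])
 end
+
+def conditionally_allowed?(action_name)
+return unless allow_method?
+return unless needs_to_check_action?(action_name)
+call_allow_method
+end
+
+def conditionnal_method_with_action?(name)
+return false unless params.key?(:if) && params[:if].key?(:actions)
+return true if params[:if][:actions].include?(name)
+end
+
+def action_forbidden?(name)
+Array(params[:except]).include?(name.to_sym)
+end
+
+def action_allowed_from_only?(name)
+Array(params[:only]).include?(name.to_sym)
+end
 end
 end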
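Review bot: `conditionnal_method_with_action?` in the second hunk only ever returns true or nil — it falls off the end after `return true if params[:if][:actions].include?(name)` — and unlike `action_forbidden?` and `action_allowed_from_only?` it does not wrap the option in `Array(...)`, so a single-symbol `actions:` value would raise NoMethodError instead of being matched. Make the last line the predicate itself, `Array(params[:if][:actions]).include?(name)`, so the method returns a real boolean and accepts the same scalar-or-list shape as the other helpers; the name also looks misspelled (`conditional_method_with_action?`). In the first hunk `allow_action?` still returns `params[:if][:method] == true`, while `call_allow_method` treats that same option as a method name to `send`, so the comparison appears to always be false and the real decision is left to `conditionally_allowed?` — confirm that is intended and, if so, replace it with an explicit `return false` plus a comment explaining the fall-through. `conditionally_allowed?` likewise returns nil rather than false from its guard clauses; its caller only tests truthiness, so that one is a style nit.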
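--- a/data/lib/fortress/mechanism.rb
+++ b/data/lib/fortress/mechanism.rb
@@ -67,14 +67,11 @@ module Fortress
 
 def self.append_or_update(controller_name, key, value)
 authorisations[controller_name] ||= {}
+
 if authorisations[controller_name].key?(key)
-
-authorisations[controller_name][key].merge!(value)
-else
-authorisations[controller_name][key] = value
-end
+update_authorisations(controller_name, key, value)
 else
-
+append_to_authorisations(controller_name, key, value)
 end
 end
 
@@ -108,14 +105,21 @@ module Fortress
 return true if controller.allow_action?(action_name)
 
 # When the controller implement the authorisation method
-if controller.
-if controller.needs_to_check_action?(action_name)
-allowed = controller.call_allow_method
-return true if allowed
-end
-end
+return true if controller.conditionally_allowed?(action_name)
 
 false
 end
+
+def self.append_to_authorisations(controller_name, key, value)
+authorisations[controller_name].merge!(key => value)
+end
+
+def self.update_authorisations(controller_name, key, value)
+if authorisations[controller_name][key].is_a?(Hash)
+authorisations[controller_name][key].merge!(value)
+else
+authorisations[controller_name][key] = value
+end
+end
 end
 end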
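Review bot: `update_authorisations` replaces any non-Hash value outright (`authorisations[controller_name][key] = value`), so when `fortress_allow` is declared more than once for the same controller with a list-valued option such as `except:`, the second declaration silently discards the first list instead of combining with it; if `parse_options` can reach this path with arrays (it is outside the hunk, so I cannot confirm), the earlier exclusions simply stop being enforced. Either union list values — an `elsif current.is_a?(Array)` branch doing `authorisations[controller_name][key] = current | Array(value)` — or document on `append_or_update` that repeated declarations are last-write-wins for scalar and list options, so the behaviour is at least deliberate. `append_to_authorisations` and `update_authorisations` are implementation details of `append_or_update` and could be marked `private_class_method` so they do not widen the module's public surface.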
data/lib/fortress/version.rb
CHANGED