fortress 0.2.0 → 0.2.1

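--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz: 0f461ea5452cda1e8c528abce340f785daf5563a
-data.tar.gz: fdc2d34806a35bbe9d1b5783c8975aa0ce9c9ae1
+metadata.gz: 3228b2df9776560d0160ae736f3f4decbd2ef0ec
+data.tar.gz: 07a6e8228daa35591a4085a9894aca112a0ccc74
 SHA512:
-metadata.gz: 79a48a060e3eb1c14ace5b630bcbeb580744d49f20e182440ec8303be1f075743773ced8615858433ce25f942bd0c77984bfd9318174e085f2a055fdb27b0947
-data.tar.gz: 17a71c6918265fcdc18ddfd06e6dc35406ccd82ef0277e478a7ecfd33c396a9469284a0f5b8be1c7cf0bc3eb53b72ab7dd8f96fa5cac7b3e09dee97e1e00182e
+metadata.gz: eec57ac7d0927ebbf9e52606ed0c9cadf6fd71f4ff9491851fd776503c97f2ab8489ec5269d293490807c8efe1686c1285cd23cb4f191b225337df4dc11066f6
+data.tar.gz: a79e1f069fe5507ac33128edfa9cde2d4bc5401c06a93f51acecb850e955c0669103d1e719214711a1e8354d64b009b6bc1b75fee63630b74702ce6947f013f9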
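--- a/data/README.md
+++ b/data/README.md
@@ -35,6 +35,21 @@ After having installed the gem, and started the server, all the routes are
 closed. At this moment your application is absoluetly un-usable so it's in the
 maximum secure mode ; )
 
+### Configuration
+
+#### externals
+
+When using a gem adding controllers to your application, like Devise, Fortress
+needs to be aware of them otherwise it will prevent access to them.
+
+You can do this by using the `externals` option within an initializer:
+
+```ruby
+Fortress.configure do |config|
+config.externals = %w(SessionsController)
+end
+```
+
 ### Allow access to the root controller
 
 The first action to take is to allow the root controller as it's the place
@@ -144,6 +159,18 @@ class PostsController < ApplicationController
 end
 ```
 
+## Detecting blocked controllers
+
+It can be a little bit hard to find all the blocked controller in a big
+application.
+
+I recommend you to use the following command:
+
+$ tail -f log/*.log | grep prevent_access -B 5
+
+You will see which controller is called and then blocked by the prevent_access!
+method from Fortress.
+
 ## Contributing
 
 1. Fork it ( https://github.com/YourCursus/fortress/fork )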
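--- a/PATH_NOT_SHOWN_IN_DIFF
+++ b/PATH_NOT_SHOWN_IN_DIFF
@@ -1,3 +1,8 @@
+#
+# Fortress is a protection mechanism for Rails applications
+#
+# @author zedtux
+#
 module Fortress
 class << self
 attr_accessor :configuration
@@ -11,6 +16,11 @@ module Fortress
 apply_configuration!
 end
 
+#
+# Fortress configuration management class
+#
+# @author zedtux
+#
 class Configuration
 attr_reader :options
 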
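--- a/PATH_NOT_SHOWN_IN_DIFF
+++ b/PATH_NOT_SHOWN_IN_DIFF
@@ -29,20 +29,10 @@ module Fortress
 # You can re-define it within the ApplicationController of you rails
 # application.
 def access_deny
-message = 'You are not authorised to access this page.'
 respond_to do |format|
-format.html do
-flash[:error] = message
-redirect_to root_url
-end
-format.json do
-self.status = :unauthorized
-self.response_body = { error: message }.to_json
-end
-format.xml do
-self.status = :unauthorized
-self.response_body = { error: message }.to_xml
-end
+format.html { redirect_to_root_url_with_flash_message }
+format.json { unauthorized_with_error_message(:json) }
+format.xml { unauthorized_with_error_message(:xml) }
 end
 end
 
@@ -57,5 +47,29 @@ module Fortress
 Mechanism.parse_options(self, actions, options) if options.present?
 end
 end
+
+private
+
+def error_message
+'You are not authorised to access this page.'
+end
+
+def redirect_to_root_url_with_flash_message
+flash[:error] = error_message
+redirect_to root_url
+end
+
+def unauthorized_with_error_message(format)
+self.status = :unauthorized
+self.response_body = response_for_format(format)
+end
+
+def response_for_format(format)
+response = { error: error_message }
+case
+when format == :json then response.to_json
+when format == :xml then response.to_xml
+end
+end
 end
 end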
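Review bot: `response_for_format` is written as a bare `case` with `when format == :json` comparisons and has no `else`, so any other argument makes it return `nil` and `unauthorized_with_error_message` then sets `response_body` to nil without any signal that a call site in `access_deny` passed the wrong symbol. Switching on the value itself and failing loudly on anything unexpected is shorter and surfaces such a mistake immediately; the rewritten method is below. Separately, the `:unauthorized` status kept in `unauthorized_with_error_message` is the 401 authentication code, whereas a signed-in user who simply lacks permission is normally answered with `:forbidden` (403); that behaviour predates this commit, so it is only worth confirming against what `access_deny` is meant to cover. The enclosing module and the first `end`s of this hunk belong to a definition that starts outside it.
```ruby
def response_for_format(format)
  response = { error: error_message }
  case format
  when :json then response.to_json
  when :xml then response.to_xml
  else raise ArgumentError, "unsupported format: #{format.inspect}"
  end
end
```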
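--- a/PATH_NOT_SHOWN_IN_DIFF
+++ b/PATH_NOT_SHOWN_IN_DIFF
@@ -29,15 +29,13 @@ module Fortress
 end
 
 def allow_action?(name)
-return false if Array(params[:except]).include?(name.to_sym)
+return false if action_forbidden?(name.to_sym)
 
-if params.key?(:if) && params[:if].key?(:actions)
-if params[:if][:actions].include?(name.to_sym)
-return params[:if][:method] == true
-end
+if conditionnal_method_with_action?(name.to_sym)
+return params[:if][:method] == true
 end
 
-return true if Array(params[:only]).include?(name.to_sym)
+return true if action_allowed_from_only?(name.to_sym)
 
 allow_all?
 end
@@ -54,5 +52,24 @@ module Fortress
 def call_allow_method
 instance.send(params[:if][:method])
 end
+
+def conditionally_allowed?(action_name)
+return unless allow_method?
+return unless needs_to_check_action?(action_name)
+call_allow_method
+end
+
+def conditionnal_method_with_action?(name)
+return false unless params.key?(:if) && params[:if].key?(:actions)
+return true if params[:if][:actions].include?(name)
+end
+
+def action_forbidden?(name)
+Array(params[:except]).include?(name.to_sym)
+end
+
+def action_allowed_from_only?(name)
+Array(params[:only]).include?(name.to_sym)
+end
 end
 end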
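Review bot: `conditionnal_method_with_action?` ends with `return true if ...` and nothing after it, so when the action is not in `params[:if][:actions]` it returns `nil` rather than `false`; a predicate should yield a boolean, and the whole body can be the single expression `params.key?(:if) && params[:if].key?(:actions) && params[:if][:actions].include?(name)`. The method name is also misspelled (`conditionnal`), and the misspelling is now baked into the call in `allow_action?` in the earlier hunk, so fixing it means touching both places. `action_forbidden?` and `action_allowed_from_only?` call `name.to_sym` again although `allow_action?` already passes a symbol; harmless, but one of the two conversions is redundant. `allow_method?` and `needs_to_check_action?`, used by the new `conditionally_allowed?`, are defined outside this hunk.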
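--- a/PATH_NOT_SHOWN_IN_DIFF
+++ b/PATH_NOT_SHOWN_IN_DIFF
@@ -67,14 +67,11 @@ module Fortress
 
 def self.append_or_update(controller_name, key, value)
 authorisations[controller_name] ||= {}
+
 if authorisations[controller_name].key?(key)
-if authorisations[controller_name][key].is_a?(Hash)
-authorisations[controller_name][key].merge!(value)
-else
-authorisations[controller_name][key] = value
-end
+update_authorisations(controller_name, key, value)
 else
-authorisations[controller_name].merge!(key => value)
+append_to_authorisations(controller_name, key, value)
 end
 end
 
@@ -108,14 +105,21 @@ module Fortress
 return true if controller.allow_action?(action_name)
 
 # When the controller implement the authorisation method
-if controller.allow_method?
-if controller.needs_to_check_action?(action_name)
-allowed = controller.call_allow_method
-return true if allowed
-end
-end
+return true if controller.conditionally_allowed?(action_name)
 
 false
 end
+
+def self.append_to_authorisations(controller_name, key, value)
+authorisations[controller_name].merge!(key => value)
+end
+
+def self.update_authorisations(controller_name, key, value)
+if authorisations[controller_name][key].is_a?(Hash)
+authorisations[controller_name][key].merge!(value)
+else
+authorisations[controller_name][key] = value
+end
+end
 end
 end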
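Review bot: `append_to_authorisations` and `update_authorisations` are defined with `def self.` at the end of the second hunk, so they become public class methods even though only `append_or_update` (first hunk) is meant to mutate the authorisation registry; hiding them keeps that mutation behind the single entry point, `private_class_method :append_to_authorisations, :update_authorisations` placed after their definitions. `update_authorisations` calls `merge!(value)` on the stored Hash without checking that `value` is itself a Hash, so a non-Hash passed for a key that already holds a Hash raises a TypeError; the old inline code had the same gap, so this is a follow-up rather than a regression. The enclosing class starts outside both hunks.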
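--- a/PATH_NOT_SHOWN_IN_DIFF
+++ b/PATH_NOT_SHOWN_IN_DIFF
@@ -4,5 +4,5 @@
 # @author zedtux
 #
 module Fortress
-VERSION = '0.2.0'
+VERSION = '0.2.1'
 end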
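--- a/PATH_NOT_SHOWN_IN_DIFF
+++ b/PATH_NOT_SHOWN_IN_DIFF
@@ -1,5 +1,10 @@
 require 'spec_helper'
 
+#
+# Represents an external controller
+#
+# @author zedtux
+#
 class StagesController < TestController
 def index; end
 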
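--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: fortress
 version: !ruby/object:Gem::Version
-version: 0.2.0
+version: 0.2.1
 platform: ruby
 authors:
 - Guillaume Hain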