fortress 0.2.0 → 0.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 0f461ea5452cda1e8c528abce340f785daf5563a
-  data.tar.gz: fdc2d34806a35bbe9d1b5783c8975aa0ce9c9ae1
+  metadata.gz: 3228b2df9776560d0160ae736f3f4decbd2ef0ec
+  data.tar.gz: 07a6e8228daa35591a4085a9894aca112a0ccc74
 SHA512:
-  metadata.gz: 79a48a060e3eb1c14ace5b630bcbeb580744d49f20e182440ec8303be1f075743773ced8615858433ce25f942bd0c77984bfd9318174e085f2a055fdb27b0947
-  data.tar.gz: 17a71c6918265fcdc18ddfd06e6dc35406ccd82ef0277e478a7ecfd33c396a9469284a0f5b8be1c7cf0bc3eb53b72ab7dd8f96fa5cac7b3e09dee97e1e00182e
+  metadata.gz: eec57ac7d0927ebbf9e52606ed0c9cadf6fd71f4ff9491851fd776503c97f2ab8489ec5269d293490807c8efe1686c1285cd23cb4f191b225337df4dc11066f6
+  data.tar.gz: a79e1f069fe5507ac33128edfa9cde2d4bc5401c06a93f51acecb850e955c0669103d1e719214711a1e8354d64b009b6bc1b75fee63630b74702ce6947f013f9

data/README.md

@@ -35,6 +35,21 @@ After having installed the gem, and started the server, all the routes are
 closed. At this moment your application is absoluetly un-usable so it's in the
 maximum secure mode ; )
 
+### Configuration
+
+#### externals
+
+When using a gem adding controllers to your application, like Devise, Fortress
+needs to be aware of them otherwise it will prevent access to them.
+
+You can do this by using the `externals` option within an initializer:
+
+```ruby
+Fortress.configure do |config|
+  config.externals = %w(SessionsController)
+end
+```
+
 ### Allow access to the root controller
 
 The first action to take is to allow the root controller as it's the place
@@ -144,6 +159,18 @@ class PostsController < ApplicationController
 end
 ```
 
+## Detecting blocked controllers
+
+It can be a little bit hard to find all the blocked controller in a big
+application.
+
+I recommend you to use the following command:
+
+    $ tail -f log/*.log | grep prevent_access -B 5
+
+You will see which controller is called and then blocked by the prevent_access!
+method from Fortress.
+
 ## Contributing
 
 1. Fork it ( https://github.com/YourCursus/fortress/fork )

data/lib/fortress/configuration.rb

@@ -1,3 +1,8 @@
+#
+# Fortress is a protection mechanism for Rails applications
+#
+# @author zedtux
+#
 module Fortress
   class << self
     attr_accessor :configuration
@@ -11,6 +16,11 @@ module Fortress
     apply_configuration!
   end
 
+  #
+  # Fortress configuration management class
+  #
+  # @author zedtux
+  #
   class Configuration
     attr_reader :options
 

data/lib/fortress/controller.rb

@@ -29,20 +29,10 @@ module Fortress
     # You can re-define it within the ApplicationController of you rails
     # application.
     def access_deny
-      message = 'You are not authorised to access this page.'
       respond_to do |format|
-        format.html do
-          flash[:error] = message
-          redirect_to root_url
-        end
-        format.json do
-          self.status = :unauthorized
-          self.response_body = { error: message }.to_json
-        end
-        format.xml do
-          self.status = :unauthorized
-          self.response_body = { error: message }.to_xml
-        end
+        format.html { redirect_to_root_url_with_flash_message }
+        format.json { unauthorized_with_error_message(:json) }
+        format.xml { unauthorized_with_error_message(:xml) }
       end
     end
 
@@ -57,5 +47,29 @@ module Fortress
         Mechanism.parse_options(self, actions, options) if options.present?
       end
     end
+
+    private
+
+    def error_message
+      'You are not authorised to access this page.'
+    end
+
+    def redirect_to_root_url_with_flash_message
+      flash[:error] = error_message
+      redirect_to root_url
+    end
+
+    def unauthorized_with_error_message(format)
+      self.status = :unauthorized
+      self.response_body = response_for_format(format)
+    end
+
+    def response_for_format(format)
+      response = { error: error_message }
+      case
+      when format == :json then response.to_json
+      when format == :xml then response.to_xml
+      end
+    end
   end
 end

data/lib/fortress/controller_interface.rb

@@ -29,15 +29,13 @@ module Fortress
     end
 
     def allow_action?(name)
-      return false if Array(params[:except]).include?(name.to_sym)
+      return false if action_forbidden?(name.to_sym)
 
-      if params.key?(:if) && params[:if].key?(:actions)
-        if params[:if][:actions].include?(name.to_sym)
-          return params[:if][:method] == true
-        end
+      if conditionnal_method_with_action?(name.to_sym)
+        return params[:if][:method] == true
       end
 
-      return true if Array(params[:only]).include?(name.to_sym)
+      return true if action_allowed_from_only?(name.to_sym)
 
       allow_all?
     end
@@ -54,5 +52,24 @@ module Fortress
     def call_allow_method
       instance.send(params[:if][:method])
     end
+
+    def conditionally_allowed?(action_name)
+      return unless allow_method?
+      return unless needs_to_check_action?(action_name)
+      call_allow_method
+    end
+
+    def conditionnal_method_with_action?(name)
+      return false unless params.key?(:if) && params[:if].key?(:actions)
+      return true if params[:if][:actions].include?(name)
+    end
+
+    def action_forbidden?(name)
+      Array(params[:except]).include?(name.to_sym)
+    end
+
+    def action_allowed_from_only?(name)
+      Array(params[:only]).include?(name.to_sym)
+    end
   end
 end

data/lib/fortress/mechanism.rb

@@ -67,14 +67,11 @@ module Fortress
 
     def self.append_or_update(controller_name, key, value)
       authorisations[controller_name] ||= {}
+
       if authorisations[controller_name].key?(key)
-        if authorisations[controller_name][key].is_a?(Hash)
-          authorisations[controller_name][key].merge!(value)
-        else
-          authorisations[controller_name][key] = value
-        end
+        update_authorisations(controller_name, key, value)
       else
-        authorisations[controller_name].merge!(key => value)
+        append_to_authorisations(controller_name, key, value)
       end
     end
 
@@ -108,14 +105,21 @@ module Fortress
       return true if controller.allow_action?(action_name)
 
       # When the controller implement the authorisation method
-      if controller.allow_method?
-        if controller.needs_to_check_action?(action_name)
-          allowed = controller.call_allow_method
-          return true if allowed
-        end
-      end
+      return true if controller.conditionally_allowed?(action_name)
 
       false
     end
+
+    def self.append_to_authorisations(controller_name, key, value)
+      authorisations[controller_name].merge!(key => value)
+    end
+
+    def self.update_authorisations(controller_name, key, value)
+      if authorisations[controller_name][key].is_a?(Hash)
+        authorisations[controller_name][key].merge!(value)
+      else
+        authorisations[controller_name][key] = value
+      end
+    end
   end
 end

data/lib/fortress/version.rb

@@ -4,5 +4,5 @@
 # @author zedtux
 #
 module Fortress
-  VERSION = '0.2.0'
+  VERSION = '0.2.1'
 end

data/spec/fortress/external_controllers_spec.rb

@@ -1,5 +1,10 @@
 require 'spec_helper'
 
+#
+# Represents an external controller
+#
+# @author zedtux
+#
 class StagesController < TestController
   def index; end
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: fortress
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.2.1
 platform: ruby
 authors:
 - Guillaume Hain