fortress 0.2.0 → 0.2.1

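--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz: 0f461ea5452cda1e8c528abce340f785daf5563a
-data.tar.gz: fdc2d34806a35bbe9d1b5783c8975aa0ce9c9ae1
+metadata.gz: 3228b2df9776560d0160ae736f3f4decbd2ef0ec
+data.tar.gz: 07a6e8228daa35591a4085a9894aca112a0ccc74
 SHA512:
-metadata.gz: 79a48a060e3eb1c14ace5b630bcbeb580744d49f20e182440ec8303be1f075743773ced8615858433ce25f942bd0c77984bfd9318174e085f2a055fdb27b0947
-data.tar.gz: 17a71c6918265fcdc18ddfd06e6dc35406ccd82ef0277e478a7ecfd33c396a9469284a0f5b8be1c7cf0bc3eb53b72ab7dd8f96fa5cac7b3e09dee97e1e00182e
+metadata.gz: eec57ac7d0927ebbf9e52606ed0c9cadf6fd71f4ff9491851fd776503c97f2ab8489ec5269d293490807c8efe1686c1285cd23cb4f191b225337df4dc11066f6
+data.tar.gz: a79e1f069fe5507ac33128edfa9cde2d4bc5401c06a93f51acecb850e955c0669103d1e719214711a1e8354d64b009b6bc1b75fee63630b74702ce6947f013f9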
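--- a/data/README.md
+++ b/data/README.md
@@ -35,6 +35,21 @@ After having installed the gem, and started the server, all the routes are
 closed. At this moment your application is absoluetly un-usable so it's in the
 maximum secure mode ; )
 
+### Configuration
+
+#### externals
+
+When using a gem adding controllers to your application, like Devise, Fortress
+needs to be aware of them otherwise it will prevent access to them.
+
+You can do this by using the `externals` option within an initializer:
+
+```ruby
+Fortress.configure do |config|
+config.externals = %w(SessionsController)
+end
+```
+
 ### Allow access to the root controller
 
 The first action to take is to allow the root controller as it's the place
@@ -144,6 +159,18 @@ class PostsController < ApplicationController
 end
 ```
 
+## Detecting blocked controllers
+
+It can be a little bit hard to find all the blocked controller in a big
+application.
+
+I recommend you to use the following command:
+
+$ tail -f log/*.log | grep prevent_access -B 5
+
+You will see which controller is called and then blocked by the prevent_access!
+method from Fortress.
+
 ## Contributing
 
 1. Fork it ( https://github.com/YourCursus/fortress/fork )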
@@ -1,3 +1,8 @@
1
+ #
2
+ # Fortress is a protection mechanism for Rails applications
3
+ #
4
+ # @author zedtux
5
+ #
1
6
  module Fortress
2
7
  class << self
3
8
  attr_accessor :configuration
@@ -11,6 +16,11 @@ module Fortress
11
16
  apply_configuration!
12
17
  end
13
18
 
19
+ #
20
+ # Fortress configuration management class
21
+ #
22
+ # @author zedtux
23
+ #
14
24
  class Configuration
15
25
  attr_reader :options
16
26
 
@@ -29,20 +29,10 @@ module Fortress
29
29
  # You can re-define it within the ApplicationController of you rails
30
30
  # application.
31
31
  def access_deny
32
- message = 'You are not authorised to access this page.'
33
32
  respond_to do |format|
34
- format.html do
35
- flash[:error] = message
36
- redirect_to root_url
37
- end
38
- format.json do
39
- self.status = :unauthorized
40
- self.response_body = { error: message }.to_json
41
- end
42
- format.xml do
43
- self.status = :unauthorized
44
- self.response_body = { error: message }.to_xml
45
- end
33
+ format.html { redirect_to_root_url_with_flash_message }
34
+ format.json { unauthorized_with_error_message(:json) }
35
+ format.xml { unauthorized_with_error_message(:xml) }
46
36
  end
47
37
  end
48
38
 
@@ -57,5 +47,29 @@ module Fortress
57
47
  Mechanism.parse_options(self, actions, options) if options.present?
58
48
  end
59
49
  end
50
+
51
+ private
52
+
53
+ def error_message
54
+ 'You are not authorised to access this page.'
55
+ end
56
+
57
+ def redirect_to_root_url_with_flash_message
58
+ flash[:error] = error_message
59
+ redirect_to root_url
60
+ end
61
+
62
+ def unauthorized_with_error_message(format)
63
+ self.status = :unauthorized
64
+ self.response_body = response_for_format(format)
65
+ end
66
+
67
+ def response_for_format(format)
68
+ response = { error: error_message }
69
+ case
70
+ when format == :json then response.to_json
71
+ when format == :xml then response.to_xml
72
+ end
73
+ end
60
74
  end
61
75
  end
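Review bot: `response_for_format` uses a subject-less `case` with `when format == :json` / `when format == :xml` and falls through to nil for any other value, so `unauthorized_with_error_message` would silently set `response_body` to nil; `case format` with `when :json then response.to_json` and `when :xml then response.to_xml` is the idiom, and an `else` raising `ArgumentError` would make an unsupported format fail loudly instead. The `private` marker above `error_message` is doing real work if this module is mixed into controllers, since only public instance methods become routable actions; a short comment such as `# private: keeps these helpers out of action_methods` would stop a later edit from hoisting them. The enclosing module starts and continues outside the hunk.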
@@ -29,15 +29,13 @@ module Fortress
29
29
  end
30
30
 
31
31
  def allow_action?(name)
32
- return false if Array(params[:except]).include?(name.to_sym)
32
+ return false if action_forbidden?(name.to_sym)
33
33
 
34
- if params.key?(:if) && params[:if].key?(:actions)
35
- if params[:if][:actions].include?(name.to_sym)
36
- return params[:if][:method] == true
37
- end
34
+ if conditionnal_method_with_action?(name.to_sym)
35
+ return params[:if][:method] == true
38
36
  end
39
37
 
40
- return true if Array(params[:only]).include?(name.to_sym)
38
+ return true if action_allowed_from_only?(name.to_sym)
41
39
 
42
40
  allow_all?
43
41
  end
@@ -54,5 +52,24 @@ module Fortress
54
52
  def call_allow_method
55
53
  instance.send(params[:if][:method])
56
54
  end
55
+
56
+ def conditionally_allowed?(action_name)
57
+ return unless allow_method?
58
+ return unless needs_to_check_action?(action_name)
59
+ call_allow_method
60
+ end
61
+
62
+ def conditionnal_method_with_action?(name)
63
+ return false unless params.key?(:if) && params[:if].key?(:actions)
64
+ return true if params[:if][:actions].include?(name)
65
+ end
66
+
67
+ def action_forbidden?(name)
68
+ Array(params[:except]).include?(name.to_sym)
69
+ end
70
+
71
+ def action_allowed_from_only?(name)
72
+ Array(params[:only]).include?(name.to_sym)
73
+ end
57
74
  end
58
75
  end
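Review bot: `conditionnal_method_with_action?` ends with `return true if params[:if][:actions].include?(name)` and falls through to nil when the action is not listed, so the predicate returns nil rather than false; replacing that last line with `params[:if][:actions].include?(name)` yields a boolean and drops the early return. The name also carries a typo (`conditionnal`) that is repeated at its call site in `allow_action?` in the first hunk; `conditional_method_with_action?` would match `conditionally_allowed?` beside it. `allow_action?` calls `name.to_sym` three times and `action_forbidden?`/`action_allowed_from_only?` convert again, so a single `action = name.to_sym` at the top would do. On the line `return params[:if][:method] == true`, `call_allow_method` sends the same value as a method name, so the comparison can only hold if the DSL also accepts a literal `true` there — worth confirming, since otherwise that branch always returns false. The enclosing definition continues outside the hunk.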
@@ -67,14 +67,11 @@ module Fortress
67
67
 
68
68
  def self.append_or_update(controller_name, key, value)
69
69
  authorisations[controller_name] ||= {}
70
+
70
71
  if authorisations[controller_name].key?(key)
71
- if authorisations[controller_name][key].is_a?(Hash)
72
- authorisations[controller_name][key].merge!(value)
73
- else
74
- authorisations[controller_name][key] = value
75
- end
72
+ update_authorisations(controller_name, key, value)
76
73
  else
77
- authorisations[controller_name].merge!(key => value)
74
+ append_to_authorisations(controller_name, key, value)
78
75
  end
79
76
  end
80
77
 
@@ -108,14 +105,21 @@ module Fortress
108
105
  return true if controller.allow_action?(action_name)
109
106
 
110
107
  # When the controller implement the authorisation method
111
- if controller.allow_method?
112
- if controller.needs_to_check_action?(action_name)
113
- allowed = controller.call_allow_method
114
- return true if allowed
115
- end
116
- end
108
+ return true if controller.conditionally_allowed?(action_name)
117
109
 
118
110
  false
119
111
  end
112
+
113
+ def self.append_to_authorisations(controller_name, key, value)
114
+ authorisations[controller_name].merge!(key => value)
115
+ end
116
+
117
+ def self.update_authorisations(controller_name, key, value)
118
+ if authorisations[controller_name][key].is_a?(Hash)
119
+ authorisations[controller_name][key].merge!(value)
120
+ else
121
+ authorisations[controller_name][key] = value
122
+ end
123
+ end
120
124
  end
121
125
  end
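Review bot: `append_to_authorisations` and `update_authorisations` are defined with `def self.`, which makes them public class methods regardless of any `private` marker earlier in the module, so the split exposes two mutators of the authorisation table on the module's public surface; a `private_class_method :append_to_authorisations, :update_authorisations` line after their definitions keeps them internal to `append_or_update`. A one-line comment on `update_authorisations` such as `# Hash values are merged in place; any other value is replaced` would also save readers a trip through the `is_a?(Hash)` branch. The enclosing module continues outside the hunk.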
@@ -4,5 +4,5 @@
4
4
  # @author zedtux
5
5
  #
6
6
  module Fortress
7
- VERSION = '0.2.0'
7
+ VERSION = '0.2.1'
8
8
  end
@@ -1,5 +1,10 @@
1
1
  require 'spec_helper'
2
2
 
3
+ #
4
+ # Represents an external controller
5
+ #
6
+ # @author zedtux
7
+ #
3
8
  class StagesController < TestController
4
9
  def index; end
5
10
 
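--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: fortress
 version: !ruby/object:Gem::Version
-version: 0.2.0
+version: 0.2.1
 platform: ruby
 authors:
 - Guillaume Hain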