fortress 0.2.0 → 0.2.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/README.md +27 -0
- data/lib/fortress/configuration.rb +10 -0
- data/lib/fortress/controller.rb +27 -13
- data/lib/fortress/controller_interface.rb +23 -6
- data/lib/fortress/mechanism.rb +16 -12
- data/lib/fortress/version.rb +1 -1
- data/spec/fortress/external_controllers_spec.rb +5 -0
- metadata +1 -1
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 3228b2df9776560d0160ae736f3f4decbd2ef0ec
|
|
4
|
+
data.tar.gz: 07a6e8228daa35591a4085a9894aca112a0ccc74
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: eec57ac7d0927ebbf9e52606ed0c9cadf6fd71f4ff9491851fd776503c97f2ab8489ec5269d293490807c8efe1686c1285cd23cb4f191b225337df4dc11066f6
|
|
7
|
+
data.tar.gz: a79e1f069fe5507ac33128edfa9cde2d4bc5401c06a93f51acecb850e955c0669103d1e719214711a1e8354d64b009b6bc1b75fee63630b74702ce6947f013f9
|
data/README.md
CHANGED
|
@@ -35,6 +35,21 @@ After having installed the gem, and started the server, all the routes are
|
|
|
35
35
|
closed. At this moment your application is absoluetly un-usable so it's in the
|
|
36
36
|
maximum secure mode ; )
|
|
37
37
|
|
|
38
|
+
### Configuration
|
|
39
|
+
|
|
40
|
+
#### externals
|
|
41
|
+
|
|
42
|
+
When using a gem adding controllers to your application, like Devise, Fortress
|
|
43
|
+
needs to be aware of them otherwise it will prevent access to them.
|
|
44
|
+
|
|
45
|
+
You can do this by using the `externals` option within an initializer:
|
|
46
|
+
|
|
47
|
+
```ruby
|
|
48
|
+
Fortress.configure do |config|
|
|
49
|
+
config.externals = %w(SessionsController)
|
|
50
|
+
end
|
|
51
|
+
```
|
|
52
|
+
|
|
38
53
|
### Allow access to the root controller
|
|
39
54
|
|
|
40
55
|
The first action to take is to allow the root controller as it's the place
|
|
@@ -144,6 +159,18 @@ class PostsController < ApplicationController
|
|
|
144
159
|
end
|
|
145
160
|
```
|
|
146
161
|
|
|
162
|
+
## Detecting blocked controllers
|
|
163
|
+
|
|
164
|
+
It can be a little bit hard to find all the blocked controller in a big
|
|
165
|
+
application.
|
|
166
|
+
|
|
167
|
+
I recommend you to use the following command:
|
|
168
|
+
|
|
169
|
+
$ tail -f log/*.log | grep prevent_access -B 5
|
|
170
|
+
|
|
171
|
+
You will see which controller is called and then blocked by the prevent_access!
|
|
172
|
+
method from Fortress.
|
|
173
|
+
|
|
147
174
|
## Contributing
|
|
148
175
|
|
|
149
176
|
1. Fork it ( https://github.com/YourCursus/fortress/fork )
|
|
@@ -1,3 +1,8 @@
|
|
|
1
|
+
#
|
|
2
|
+
# Fortress is a protection mechanism for Rails applications
|
|
3
|
+
#
|
|
4
|
+
# @author zedtux
|
|
5
|
+
#
|
|
1
6
|
module Fortress
|
|
2
7
|
class << self
|
|
3
8
|
attr_accessor :configuration
|
|
@@ -11,6 +16,11 @@ module Fortress
|
|
|
11
16
|
apply_configuration!
|
|
12
17
|
end
|
|
13
18
|
|
|
19
|
+
#
|
|
20
|
+
# Fortress configuration management class
|
|
21
|
+
#
|
|
22
|
+
# @author zedtux
|
|
23
|
+
#
|
|
14
24
|
class Configuration
|
|
15
25
|
attr_reader :options
|
|
16
26
|
|
data/lib/fortress/controller.rb
CHANGED
|
@@ -29,20 +29,10 @@ module Fortress
|
|
|
29
29
|
# You can re-define it within the ApplicationController of you rails
|
|
30
30
|
# application.
|
|
31
31
|
def access_deny
|
|
32
|
-
message = 'You are not authorised to access this page.'
|
|
33
32
|
respond_to do |format|
|
|
34
|
-
format.html
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
end
|
|
38
|
-
format.json do
|
|
39
|
-
self.status = :unauthorized
|
|
40
|
-
self.response_body = { error: message }.to_json
|
|
41
|
-
end
|
|
42
|
-
format.xml do
|
|
43
|
-
self.status = :unauthorized
|
|
44
|
-
self.response_body = { error: message }.to_xml
|
|
45
|
-
end
|
|
33
|
+
format.html { redirect_to_root_url_with_flash_message }
|
|
34
|
+
format.json { unauthorized_with_error_message(:json) }
|
|
35
|
+
format.xml { unauthorized_with_error_message(:xml) }
|
|
46
36
|
end
|
|
47
37
|
end
|
|
48
38
|
|
|
@@ -57,5 +47,29 @@ module Fortress
|
|
|
57
47
|
Mechanism.parse_options(self, actions, options) if options.present?
|
|
58
48
|
end
|
|
59
49
|
end
|
|
50
|
+
|
|
51
|
+
private
|
|
52
|
+
|
|
53
|
+
def error_message
|
|
54
|
+
'You are not authorised to access this page.'
|
|
55
|
+
end
|
|
56
|
+
|
|
57
|
+
def redirect_to_root_url_with_flash_message
|
|
58
|
+
flash[:error] = error_message
|
|
59
|
+
redirect_to root_url
|
|
60
|
+
end
|
|
61
|
+
|
|
62
|
+
def unauthorized_with_error_message(format)
|
|
63
|
+
self.status = :unauthorized
|
|
64
|
+
self.response_body = response_for_format(format)
|
|
65
|
+
end
|
|
66
|
+
|
|
67
|
+
def response_for_format(format)
|
|
68
|
+
response = { error: error_message }
|
|
69
|
+
case
|
|
70
|
+
when format == :json then response.to_json
|
|
71
|
+
when format == :xml then response.to_xml
|
|
72
|
+
end
|
|
73
|
+
end
|
|
60
74
|
end
|
|
61
75
|
end
|
|
@@ -29,15 +29,13 @@ module Fortress
|
|
|
29
29
|
end
|
|
30
30
|
|
|
31
31
|
def allow_action?(name)
|
|
32
|
-
return false if
|
|
32
|
+
return false if action_forbidden?(name.to_sym)
|
|
33
33
|
|
|
34
|
-
if
|
|
35
|
-
|
|
36
|
-
return params[:if][:method] == true
|
|
37
|
-
end
|
|
34
|
+
if conditionnal_method_with_action?(name.to_sym)
|
|
35
|
+
return params[:if][:method] == true
|
|
38
36
|
end
|
|
39
37
|
|
|
40
|
-
return true if
|
|
38
|
+
return true if action_allowed_from_only?(name.to_sym)
|
|
41
39
|
|
|
42
40
|
allow_all?
|
|
43
41
|
end
|
|
@@ -54,5 +52,24 @@ module Fortress
|
|
|
54
52
|
def call_allow_method
|
|
55
53
|
instance.send(params[:if][:method])
|
|
56
54
|
end
|
|
55
|
+
|
|
56
|
+
def conditionally_allowed?(action_name)
|
|
57
|
+
return unless allow_method?
|
|
58
|
+
return unless needs_to_check_action?(action_name)
|
|
59
|
+
call_allow_method
|
|
60
|
+
end
|
|
61
|
+
|
|
62
|
+
def conditionnal_method_with_action?(name)
|
|
63
|
+
return false unless params.key?(:if) && params[:if].key?(:actions)
|
|
64
|
+
return true if params[:if][:actions].include?(name)
|
|
65
|
+
end
|
|
66
|
+
|
|
67
|
+
def action_forbidden?(name)
|
|
68
|
+
Array(params[:except]).include?(name.to_sym)
|
|
69
|
+
end
|
|
70
|
+
|
|
71
|
+
def action_allowed_from_only?(name)
|
|
72
|
+
Array(params[:only]).include?(name.to_sym)
|
|
73
|
+
end
|
|
57
74
|
end
|
|
58
75
|
end
|
data/lib/fortress/mechanism.rb
CHANGED
|
@@ -67,14 +67,11 @@ module Fortress
|
|
|
67
67
|
|
|
68
68
|
def self.append_or_update(controller_name, key, value)
|
|
69
69
|
authorisations[controller_name] ||= {}
|
|
70
|
+
|
|
70
71
|
if authorisations[controller_name].key?(key)
|
|
71
|
-
|
|
72
|
-
authorisations[controller_name][key].merge!(value)
|
|
73
|
-
else
|
|
74
|
-
authorisations[controller_name][key] = value
|
|
75
|
-
end
|
|
72
|
+
update_authorisations(controller_name, key, value)
|
|
76
73
|
else
|
|
77
|
-
|
|
74
|
+
append_to_authorisations(controller_name, key, value)
|
|
78
75
|
end
|
|
79
76
|
end
|
|
80
77
|
|
|
@@ -108,14 +105,21 @@ module Fortress
|
|
|
108
105
|
return true if controller.allow_action?(action_name)
|
|
109
106
|
|
|
110
107
|
# When the controller implement the authorisation method
|
|
111
|
-
if controller.
|
|
112
|
-
if controller.needs_to_check_action?(action_name)
|
|
113
|
-
allowed = controller.call_allow_method
|
|
114
|
-
return true if allowed
|
|
115
|
-
end
|
|
116
|
-
end
|
|
108
|
+
return true if controller.conditionally_allowed?(action_name)
|
|
117
109
|
|
|
118
110
|
false
|
|
119
111
|
end
|
|
112
|
+
|
|
113
|
+
def self.append_to_authorisations(controller_name, key, value)
|
|
114
|
+
authorisations[controller_name].merge!(key => value)
|
|
115
|
+
end
|
|
116
|
+
|
|
117
|
+
def self.update_authorisations(controller_name, key, value)
|
|
118
|
+
if authorisations[controller_name][key].is_a?(Hash)
|
|
119
|
+
authorisations[controller_name][key].merge!(value)
|
|
120
|
+
else
|
|
121
|
+
authorisations[controller_name][key] = value
|
|
122
|
+
end
|
|
123
|
+
end
|
|
120
124
|
end
|
|
121
125
|
end
|
data/lib/fortress/version.rb
CHANGED