allow login via private token only for atom feeds

2012-06-01 06:56:28 -07:00 · 2012-06-01 06:56:28 -07:00 · cc3c6ad0ef
commit cc3c6ad0ef
parent f8f6ff065e
2 changed files with 16 additions and 2 deletions
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@ -1,7 +1,7 @@
 class ApplicationController < ActionController::Base
  before_filter :authenticate_user!
  before_filter :reject_blocked!
-  before_filter :set_current_user_for_mailer
+  before_filter :set_current_user_for_mailer, :check_token_auth
  protect_from_forgery
  helper_method :abilities, :can?

@ -17,9 +17,16 @@ class ApplicationController < ActionController::Base

  protected

+  def check_token_auth
+    # Redirect to login page if not atom feed
+    if params[:private_token].present? && params[:format] != 'atom'
+      redirect_to new_user_session_path
+    end
+  end
+
  def reject_blocked!
    if current_user && current_user.blocked
-      sign_out current_user 
+      sign_out current_user
      flash[:alert] = "Your account was blocked"
      redirect_to new_user_session_path
    end
--- a/spec/requests/projects_spec.rb
+++ b/spec/requests/projects_spec.rb
@ -28,6 +28,13 @@ describe "Projects" do
      visit projects_path(:atom, :private_token => @user.private_token)
      page.body.should have_selector("feed title")
    end
+
+    it "should not render projects page via private token" do
+      logout
+
+      visit projects_path(:private_token => @user.private_token)
+      current_path.should == new_user_session_path
+    end
  end

  describe "GET /projects/new" do