Merge pull request #232 from wvengen/feature-remove_unused_redirect_to
Security improvements
This commit is contained in:
commit
19f583381d
2 changed files with 12 additions and 18 deletions
|
@ -4,7 +4,7 @@ class ApplicationController < ActionController::Base
|
||||||
helper_method :available_locales
|
helper_method :available_locales
|
||||||
|
|
||||||
protect_from_forgery
|
protect_from_forgery
|
||||||
before_filter :select_foodcoop, :authenticate, :store_controller, :items_per_page, :set_redirect_to
|
before_filter :select_foodcoop, :authenticate, :store_controller, :items_per_page
|
||||||
after_filter :remove_controller
|
after_filter :remove_controller
|
||||||
|
|
||||||
|
|
||||||
|
@ -80,8 +80,8 @@ class ApplicationController < ActionController::Base
|
||||||
|
|
||||||
# checks if the current_user is member of given group.
|
# checks if the current_user is member of given group.
|
||||||
# if fails the user will redirected to startpage
|
# if fails the user will redirected to startpage
|
||||||
def authenticate_membership_or_admin
|
def authenticate_membership_or_admin(group_id = params[:id])
|
||||||
@group = Group.find(params[:id])
|
@group = Group.find(group_id)
|
||||||
unless @group.member?(@current_user) or @current_user.role_admin?
|
unless @group.member?(@current_user) or @current_user.role_admin?
|
||||||
redirect_to root_path, alert: I18n.t('application.controller.error_members_only')
|
redirect_to root_path, alert: I18n.t('application.controller.error_members_only')
|
||||||
end
|
end
|
||||||
|
@ -128,18 +128,6 @@ class ApplicationController < ActionController::Base
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
def set_redirect_to
|
|
||||||
session[:redirect_to] = params[:redirect_to] if params[:redirect_to]
|
|
||||||
end
|
|
||||||
|
|
||||||
def back_or_default_path(default = root_path)
|
|
||||||
if session[:redirect_to].present?
|
|
||||||
default = session[:redirect_to]
|
|
||||||
session[:redirect_to] = nil
|
|
||||||
end
|
|
||||||
default
|
|
||||||
end
|
|
||||||
|
|
||||||
# Always stay in foodcoop url scope
|
# Always stay in foodcoop url scope
|
||||||
def default_url_options(options = {})
|
def default_url_options(options = {})
|
||||||
{foodcoop: FoodsoftConfig.scope}
|
{foodcoop: FoodsoftConfig.scope}
|
||||||
|
|
|
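Review bot: The new `group_id = params[:id]` default on `authenticate_membership_or_admin` is not reflected in the comment above it, which still describes only the `params[:id]` case; I would extend it with `# group_id defaults to params[:id]; callers whose group id is nested in another param pass it explicitly`. With a nil or unknown id, `Group.find(group_id)` presumably raises ActiveRecord::RecordNotFound before the members-only redirect is reached, which is a deny-by-default outcome but worth stating in that comment so callers know which failure mode to expect. The context line `unless @group.member?(@current_user) or @current_user.role_admin?` predates this change, but if it is touched again `||` is the safer operator than `or` in that position.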
@ -1,20 +1,20 @@
|
||||||
class InvitesController < ApplicationController
|
class InvitesController < ApplicationController
|
||||||
|
|
||||||
before_filter :authenticate_membership_or_admin, :only => [:new]
|
before_filter :authenticate_membership_or_admin_for_invites
|
||||||
#TODO: authorize also for create action.
|
|
||||||
|
|
||||||
def new
|
def new
|
||||||
@invite = Invite.new(:user => @current_user, :group => @group)
|
@invite = Invite.new(:user => @current_user, :group => @group)
|
||||||
end
|
end
|
||||||
|
|
||||||
def create
|
def create
|
||||||
|
authenticate_membership_or_admin params[:invite][:group_id]
|
||||||
@invite = Invite.new(params[:invite])
|
@invite = Invite.new(params[:invite])
|
||||||
if @invite.save
|
if @invite.save
|
||||||
Mailer.invite(@invite).deliver
|
Mailer.invite(@invite).deliver
|
||||||
|
|
||||||
respond_to do |format|
|
respond_to do |format|
|
||||||
format.html do
|
format.html do
|
||||||
redirect_to back_or_default_path, notice: I18n.t('invites.success')
|
redirect_to root_path, notice: I18n.t('invites.success')
|
||||||
end
|
end
|
||||||
format.js { render layout: false }
|
format.js { render layout: false }
|
||||||
end
|
end
|
||||||
|
@ -23,4 +23,10 @@ class InvitesController < ApplicationController
|
||||||
render action: :new
|
render action: :new
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
protected
|
||||||
|
|
||||||
|
def authenticate_membership_or_admin_for_invites
|
||||||
|
authenticate_membership_or_admin((params[:invite][:group_id] rescue params[:id]))
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
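Review bot: `authenticate_membership_or_admin((params[:invite][:group_id] rescue params[:id]))` in the new `authenticate_membership_or_admin_for_invites` relies on the rescue modifier, which swallows every StandardError raised while reading the nested param and silently falls back to `params[:id]`; an explicit check such as `group_id = params[:invite] ? params[:invite][:group_id] : params[:id]` states the intent and lets a malformed `invite` param fail loudly instead of being re-authorized against a different id. Because the before_filter now runs for every action, the explicit `authenticate_membership_or_admin params[:invite][:group_id]` added at the top of `create` in the first hunk repeats the same lookup and membership check; one of the two can go, and keeping the before_filter is the option that leaves the check out of the action body. `create`'s body continues into the second hunk, and the unchanged `Invite.new(params[:invite])` still mass-assigns whatever keys the invite param carries, so this check only covers `group_id` — presumably the model's attribute whitelist handles the rest, but that is not visible here.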