Module: Lockdown::Frameworks::Rails::Controller::Lock

Defined in:
lib/lockdown/frameworks/rails/controller.rb

Overview

Locking methods

Constant Summary collapse

@@http_auth_headers = 
%w(X-HTTP_AUTHORIZATION HTTP_AUTHORIZATION Authorization)

Instance Method Summary collapse

Instance Method Details

#access_denied(e) ⇒ Object 



94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
 
# File 'lib/lockdown/frameworks/rails/controller.rb', line 94

def access_denied(e)

  RAILS_DEFAULT_LOGGER.info "Access denied: #{e}"

  if Lockdown::System.fetch(:logout_on_access_violation)
    reset_session
  end
  respond_to do |format|
    format.html do
      store_location
      redirect_to Lockdown::System.fetch(:access_denied_path)
      return
    end
    format.xml do
      headers["Status"] = "Unauthorized"
      headers["WWW-Authenticate"] = %(Basic realm="Web Password")
      render :text => e.message, :status => "401 Unauthorized"
      return
    end
  end
end

#authorized?(url, method = nil) ⇒ Boolean

Returns:

  • (Boolean) 


63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
 
# File 'lib/lockdown/frameworks/rails/controller.rb', line 63

def authorized?(url, method = nil)
  return false unless url

  return true if current_user_is_admin?

  method ||= (params[:method] || request.method)

  url_parts = URI::split(url.strip)

  path = url_parts[5]

  return true if path_allowed?(path)

  begin
    hash = ActionController::Routing::Routes.recognize_path(path, :method => method)
    return path_allowed?(path_from_hash(hash)) if hash
  rescue Exception
    # continue on
  end

  # Mailto link
  return true if url =~ /^mailto:/

  # Public file
  file = File.join(RAILS_ROOT, 'public', url)
  return true if File.exists?(file)

  # Passing in different domain
  return remote_url?(url_parts[2])
end

#check_request_authorizationObject 



33
34
35
36
37
 
# File 'lib/lockdown/frameworks/rails/controller.rb', line 33

def check_request_authorization
  unless authorized?(path_from_hash(params))
    raise SecurityError, "Authorization failed for params #{params.inspect}"
  end
end

#check_session_expiryObject 



44
45
46
47
48
49
50
 
# File 'lib/lockdown/frameworks/rails/controller.rb', line 44

def check_session_expiry
  if session[:expiry_time] && session[:expiry_time] < Time.now
    nil_lockdown_values
    Lockdown::System.call(self, :session_timeout_method)
  end
  session[:expiry_time] = Time.now + Lockdown::System.fetch(:session_timeout)
end

#configure_lockdownObject 



20
21
22
23
 
# File 'lib/lockdown/frameworks/rails/controller.rb', line 20

def configure_lockdown
  check_session_expiry
  store_location
end

#get_auth_dataObject

gets BASIC auth info



150
151
152
153
154
 
# File 'lib/lockdown/frameworks/rails/controller.rb', line 150

def get_auth_data
  auth_key  = @@http_auth_headers.detect { |h| request.env.has_key?(h) }
  auth_data = request.env[auth_key].to_s.split unless auth_key.blank?
  return auth_data && auth_data[0] == 'Basic' ? Base64.decode64(auth_data[1]).split(':')[0..1] : [nil, nil] 
end

#logged_from_basic_auth?Boolean

Whether the login has been made through basic auth

Returns:

  • (Boolean) 


144
145
146
 
# File 'lib/lockdown/frameworks/rails/controller.rb', line 144

def logged_from_basic_auth?
  @_logged_from_basic_auth
end

#login_from_basic_auth?Boolean

Called from current_user. Now, attempt to login by basic authentication information.

Returns:

  • (Boolean) 


135
136
137
138
139
140
141
 
# File 'lib/lockdown/frameworks/rails/controller.rb', line 135

def 
  username, passwd = get_auth_data
  if username && passwd
    add_lockdown_session_values ::User.authenticate(username, passwd)
    @_logged_from_basic_auth = logged_in?
  end
end

#path_allowed?(url) ⇒ Boolean

Returns:

  • (Boolean) 


39
40
41
42
 
# File 'lib/lockdown/frameworks/rails/controller.rb', line 39

def path_allowed?(url)
  session[:access_rights] ||= Lockdown::System.public_access
  session[:access_rights].include?(url)
end

#path_from_hash(hash) ⇒ Object 



116
117
118
 
# File 'lib/lockdown/frameworks/rails/controller.rb', line 116

def path_from_hash(hash)
  hash[:controller].to_s + "/" + hash[:action].to_s
end

#redirect_back_or_default(default) ⇒ Object 



125
126
127
128
129
130
131
 
# File 'lib/lockdown/frameworks/rails/controller.rb', line 125

def redirect_back_or_default(default)
  if session[:prevpage].nil? || session[:prevpage].blank?
    redirect_to(default) 
  else
    redirect_to(session[:prevpage])
  end
end

#remote_url?(domain = nil) ⇒ Boolean

Returns:

  • (Boolean) 


120
121
122
123
 
# File 'lib/lockdown/frameworks/rails/controller.rb', line 120

def remote_url?(domain = nil)
  return false if domain.nil? || domain.strip.length == 0
  request.host.downcase != domain.downcase
end

#sent_from_uriObject 



59
60
61
 
# File 'lib/lockdown/frameworks/rails/controller.rb', line 59

def sent_from_uri
  request.request_uri
end

#set_current_userObject 



25
26
27
28
29
30
31
 
# File 'lib/lockdown/frameworks/rails/controller.rb', line 25

def set_current_user
   unless logged_in?
  if logged_in?
    Thread.current[:who_did_it] = Lockdown::System.
      call(self, :who_did_it)
  end
end

#store_locationObject 



52
53
54
55
56
57
 
# File 'lib/lockdown/frameworks/rails/controller.rb', line 52

def store_location
  if (request.method == :get) && (session[:thispage] != sent_from_uri)
    session[:prevpage] = session[:thispage] || ''
    session[:thispage] = sent_from_uri
  end
end