authorAzul <azul@leap.se>2014-07-14 12:18:18 +0200
committerAzul <azul@leap.se>2014-07-14 13:04:08 +0200
commitb80be9832526ee956b3a73a634896c6cd8d2914e (patch)
tree3c8d4ebafd6a7d063fedaeb0d307667b05c05e74
parent3885308e9a2aa48f25313567525e375362253f47 (diff)
ApiController with API style auth
require_login is require_token for the api controller. It also skips the verify_authenticity_token before filter, so all subclasses of the ApiController will only support token auth. Also made the V1::UsersController a bit more strict: no way for admins to alter other users through the api. We don't support that yet, so let's not allow it either.
-rw-r--r--app/controllers/api_controller.rb11
-rw-r--r--app/controllers/v1/certs_controller.rb2
-rw-r--r--app/controllers/v1/configs_controller.rb18
-rw-r--r--app/controllers/v1/messages_controller.rb7
-rw-r--r--app/controllers/v1/services_controller.rb4
-rw-r--r--app/controllers/v1/sessions_controller.rb5
-rw-r--r--app/controllers/v1/smtp_certs_controller.rb2
-rw-r--r--app/controllers/v1/users_controller.rb14
8 files changed, 38 insertions, 25 deletions
diff --git a/app/controllers/api_controller.rb b/app/controllers/api_controller.rb
new file mode 100644
index 0000000..0aa9507
--- /dev/null
+++ b/app/controllers/api_controller.rb
@@ -0,0 +1,11 @@
+class ApiController < ApplicationController
+
+ skip_before_filter :verify_authenticity_token
+ respond_to :json
+
+ def require_login
+ require_token
+ end
+
+end
+
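Review bot: `require_login` on this new base class is defined without a `protected` or `private` marker, so it is a public instance method, and Rails exposes public controller methods as actions wherever a route happens to match; put `protected` on the line above `def require_login` so the override cannot be reached over HTTP. The `skip_before_filter :verify_authenticity_token` above it disables CSRF checks for every subclass, which is only safe while each subclass gates its state-changing actions with `before_filter :require_login`; a subclass that omits the filter ends up both unauthenticated and CSRF-unprotected. A class-level comment stating that contract, `# Subclasses must declare before_filter :require_login for every action that needs a user; CSRF protection is disabled here because only token auth is supported.`, would make the expectation visible to anyone adding a controller.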
diff --git a/app/controllers/v1/certs_controller.rb b/app/controllers/v1/certs_controller.rb
index b6d1d0b..68d6586 100644
--- a/app/controllers/v1/certs_controller.rb
+++ b/app/controllers/v1/certs_controller.rb
@@ -1,4 +1,4 @@
-class V1::CertsController < ApplicationController
+class V1::CertsController < ApiController
before_filter :require_login, :unless => :anonymous_certs_allowed?
diff --git a/app/controllers/v1/configs_controller.rb b/app/controllers/v1/configs_controller.rb
index b11b0a9..537123f 100644
--- a/app/controllers/v1/configs_controller.rb
+++ b/app/controllers/v1/configs_controller.rb
@@ -1,12 +1,4 @@
-class V1::ConfigsController < ApplicationController
-
- CONFIGS = {
- services: {
- soledad: "/1/configs/soledad-service.json",
- eip: "/1/configs/eip-service.json",
- smtp: "/1/configs/smtp-service.json"
- }
- }
+class V1::ConfigsController < ApiController
before_filter :require_login
@@ -17,4 +9,12 @@ class V1::ConfigsController < ApplicationController
def show
end
+ CONFIGS = {
+ services: {
+ soledad: "/1/configs/soledad-service.json",
+ eip: "/1/configs/eip-service.json",
+ smtp: "/1/configs/smtp-service.json"
+ }
+ }
+
end
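Review bot: `CONFIGS` is a plain mutable hash constant in both its old position and its new position after `show`; neither closing `}` carries `.freeze`, so any code with a reference can alter the shared service paths at runtime. Changing the final line to `}.freeze` pins the outer hash (the nested `services:` hash would need freezing too if that matters). Moving the constant below the action it is used from is harmless since the name is resolved when `show` runs, but a one-line comment saying why it now sits at the end of the class would spare the next reader the question.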
diff --git a/app/controllers/v1/messages_controller.rb b/app/controllers/v1/messages_controller.rb
index 85156b7..a9b93a9 100644
--- a/app/controllers/v1/messages_controller.rb
+++ b/app/controllers/v1/messages_controller.rb
@@ -1,10 +1,7 @@
module V1
- class MessagesController < ApplicationController
+ class MessagesController < ApiController
- skip_before_filter :verify_authenticity_token
- before_filter :require_token
-
- respond_to :json
+ before_filter :require_login
def index
render json: current_user.messages
diff --git a/app/controllers/v1/services_controller.rb b/app/controllers/v1/services_controller.rb
index 594940e..114870f 100644
--- a/app/controllers/v1/services_controller.rb
+++ b/app/controllers/v1/services_controller.rb
@@ -1,6 +1,4 @@
-class V1::ServicesController < ApplicationController
-
- respond_to :json
+class V1::ServicesController < ApiController
def show
respond_with current_user.effective_service_level
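Review bot: `show` calls `current_user.effective_service_level`, yet no `before_filter :require_login` is visible in this hunk; the only declaration removed is `respond_to :json`, which the new superclass supplies. Unless the rest of the class, which lies outside the hunk, declares the filter, an unauthenticated request now raises NoMethodError on nil and surfaces as a 500 instead of the token error the other ApiController subclasses in this commit return. Adding `before_filter :require_login` directly under the class line would make this controller consistent with them.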
diff --git a/app/controllers/v1/sessions_controller.rb b/app/controllers/v1/sessions_controller.rb
index d88fcdc..a343d9b 100644
--- a/app/controllers/v1/sessions_controller.rb
+++ b/app/controllers/v1/sessions_controller.rb
@@ -1,8 +1,7 @@
module V1
- class SessionsController < ApplicationController
+ class SessionsController < ApiController
- skip_before_filter :verify_authenticity_token
- before_filter :require_token, only: :destroy
+ before_filter :require_login, only: :destroy
def new
@session = Session.new
diff --git a/app/controllers/v1/smtp_certs_controller.rb b/app/controllers/v1/smtp_certs_controller.rb
index 377a49c..fa53b26 100644
--- a/app/controllers/v1/smtp_certs_controller.rb
+++ b/app/controllers/v1/smtp_certs_controller.rb
@@ -1,4 +1,4 @@
-class V1::SmtpCertsController < ApplicationController
+class V1::SmtpCertsController < ApiController
before_filter :require_login
before_filter :require_email_account
diff --git a/app/controllers/v1/users_controller.rb b/app/controllers/v1/users_controller.rb
index abaefd8..5c9e33f 100644
--- a/app/controllers/v1/users_controller.rb
+++ b/app/controllers/v1/users_controller.rb
@@ -1,10 +1,9 @@
module V1
- class UsersController < UsersBaseController
+ class UsersController < ApiController
- skip_before_filter :verify_authenticity_token
before_filter :fetch_user, :only => [:update]
before_filter :require_admin, :only => [:index]
- before_filter :require_token, :only => [:update]
+ before_filter :require_login, :only => [:index, :update]
before_filter :require_registration_allowed, only: :create
respond_to :json
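Review bot: `before_filter :fetch_user, :only => [:update]` is declared above `before_filter :require_login, :only => [:index, :update]`, and Rails runs before filters in declaration order, so for `update` the lookup in the new `fetch_user` (`User.find(params[:id])`, added in the second hunk of this file) executes before the token is checked. An anonymous caller then receives a RecordNotFound response for an unknown id but `access_denied` for an existing one, which reveals whether an id exists, and the database query runs for requests that will be rejected anyway. Swapping the two lines so `before_filter :require_login, :only => [:index, :update]` comes first removes both issues; the same ordering question applies to `require_admin` for `index` if it inspects `current_user`. The class body continues outside the hunk.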
@@ -29,11 +28,20 @@ module V1
respond_with @user
end
+ protected
+
def require_registration_allowed
unless APP_CONFIG[:allow_registration]
head :forbidden
end
end
+ def fetch_user
+ @user = User.find(params[:id])
+ if @user != current_user
+ access_denied
+ end
+ end
+
end
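Review bot: `fetch_user` depends on `access_denied` halting the filter chain when `@user != current_user`; `access_denied` is defined outside this hunk, and a before filter only stops the action if it renders, redirects or calls `head`, so if that helper merely sets state the `update` action still runs against the other user's record. Worth confirming its implementation does one of those, and documenting the intent on the method, `# Only the authenticated user may update their own record; halts via access_denied otherwise.`. Note also that `User.find` raises RecordNotFound for an unknown id, so whatever the app's rescue for that yields is what JSON clients will see here.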
end