ApiController with API style auth

require_login is require_token for the api controller It also skips the verify_authenticity_token before filter. So all Subclasses of the ApiController will only support token auth. Also made the V1::UsersController a bit more strict. Now way for admins to alter other users through the api. We don't support that yet so let's not allow it either.
author: Azul <azul@leap.se> 2014-07-14 12:18:18 +0200
committer: Azul <azul@leap.se> 2014-07-14 13:04:08 +0200
commit: b80be9832526ee956b3a73a634896c6cd8d2914e (patch)
tree: 3c8d4ebafd6a7d063fedaeb0d307667b05c05e74
parent: 3885308e9a2aa48f25313567525e375362253f47 (diff)
8 files changed, 38 insertions, 25 deletions
diff --git a/app/controllers/api_controller.rb b/app/controllers/api_controller.rb
new file mode 100644
index 0000000..0aa9507
--- /dev/null
+++ b/app/controllers/api_controller.rb
@@ -0,0 +1,11 @@
+class ApiController < ApplicationController
+
+  skip_before_filter :verify_authenticity_token
+  respond_to :json
+
+  def require_login
+    require_token
+  end
+
+end
+
diff --git a/app/controllers/v1/certs_controller.rb b/app/controllers/v1/certs_controller.rb
index b6d1d0b..68d6586 100644
--- a/app/controllers/v1/certs_controller.rb
+++ b/app/controllers/v1/certs_controller.rb
@@ -1,4 +1,4 @@
-class V1::CertsController < ApplicationController
+class V1::CertsController < ApiController
 
   before_filter :require_login, :unless => :anonymous_certs_allowed?
 
diff --git a/app/controllers/v1/configs_controller.rb b/app/controllers/v1/configs_controller.rb
index b11b0a9..537123f 100644
--- a/app/controllers/v1/configs_controller.rb
+++ b/app/controllers/v1/configs_controller.rb
@@ -1,12 +1,4 @@
-class V1::ConfigsController < ApplicationController
-
-  CONFIGS = {
-    services: {
-      soledad: "/1/configs/soledad-service.json",
-      eip: "/1/configs/eip-service.json",
-      smtp: "/1/configs/smtp-service.json"
-    }
-  }
+class V1::ConfigsController < ApiController
 
   before_filter :require_login
 
@@ -17,4 +9,12 @@ class V1::ConfigsController < ApplicationController
   def show
   end
 
+  CONFIGS = {
+    services: {
+      soledad: "/1/configs/soledad-service.json",
+      eip: "/1/configs/eip-service.json",
+      smtp: "/1/configs/smtp-service.json"
+    }
+  }
+
 end
diff --git a/app/controllers/v1/messages_controller.rb b/app/controllers/v1/messages_controller.rb
index 85156b7..a9b93a9 100644
--- a/app/controllers/v1/messages_controller.rb
+++ b/app/controllers/v1/messages_controller.rb
@@ -1,10 +1,7 @@
 module V1
-  class MessagesController < ApplicationController
+  class MessagesController < ApiController
 
-    skip_before_filter :verify_authenticity_token
-    before_filter :require_token
-
-    respond_to :json
+    before_filter :require_login
 
     def index
       render json: current_user.messages
diff --git a/app/controllers/v1/services_controller.rb b/app/controllers/v1/services_controller.rb
index 594940e..114870f 100644
--- a/app/controllers/v1/services_controller.rb
+++ b/app/controllers/v1/services_controller.rb
@@ -1,6 +1,4 @@
-class V1::ServicesController < ApplicationController
-
-  respond_to :json
+class V1::ServicesController < ApiController
 
   def show
     respond_with current_user.effective_service_level
diff --git a/app/controllers/v1/sessions_controller.rb b/app/controllers/v1/sessions_controller.rb
index d88fcdc..a343d9b 100644
--- a/app/controllers/v1/sessions_controller.rb
+++ b/app/controllers/v1/sessions_controller.rb
@@ -1,8 +1,7 @@
 module V1
-  class SessionsController < ApplicationController
+  class SessionsController < ApiController
 
-    skip_before_filter :verify_authenticity_token
-    before_filter :require_token, only: :destroy
+    before_filter :require_login, only: :destroy
 
     def new
       @session = Session.new
diff --git a/app/controllers/v1/smtp_certs_controller.rb b/app/controllers/v1/smtp_certs_controller.rb
index 377a49c..fa53b26 100644
--- a/app/controllers/v1/smtp_certs_controller.rb
+++ b/app/controllers/v1/smtp_certs_controller.rb
@@ -1,4 +1,4 @@
-class V1::SmtpCertsController < ApplicationController
+class V1::SmtpCertsController < ApiController
 
   before_filter :require_login
   before_filter :require_email_account
diff --git a/app/controllers/v1/users_controller.rb b/app/controllers/v1/users_controller.rb
index abaefd8..5c9e33f 100644
--- a/app/controllers/v1/users_controller.rb
+++ b/app/controllers/v1/users_controller.rb
@@ -1,10 +1,9 @@
 module V1
-  class UsersController < UsersBaseController
+  class UsersController < ApiController
 
-    skip_before_filter :verify_authenticity_token
     before_filter :fetch_user, :only => [:update]
     before_filter :require_admin, :only => [:index]
-    before_filter :require_token, :only => [:update]
+    before_filter :require_login, :only => [:index, :update]
     before_filter :require_registration_allowed, only: :create
 
     respond_to :json
@@ -29,11 +28,20 @@ module V1
       respond_with @user
     end
 
+    protected
+
     def require_registration_allowed
       unless APP_CONFIG[:allow_registration]
         head :forbidden
       end
     end
 
+    def fetch_user
+      @user = User.find(params[:id])
+      if @user != current_user
+        access_denied
+      end
+    end
+
   end
 end
author	Azul <azul@leap.se>	2014-07-14 12:18:18 +0200
committer	Azul <azul@leap.se>	2014-07-14 13:04:08 +0200
commit	b80be9832526ee956b3a73a634896c6cd8d2914e (patch)
tree	3c8d4ebafd6a7d063fedaeb0d307667b05c05e74
parent	3885308e9a2aa48f25313567525e375362253f47 (diff)