diff options
author | Azul <azul@leap.se> | 2014-07-14 12:18:18 +0200 |
---|---|---|
committer | Azul <azul@leap.se> | 2014-07-14 13:04:08 +0200 |
commit | b80be9832526ee956b3a73a634896c6cd8d2914e (patch) | |
tree | 3c8d4ebafd6a7d063fedaeb0d307667b05c05e74 /app/controllers | |
parent | 3885308e9a2aa48f25313567525e375362253f47 (diff) |
ApiController with API style auth
require_login is require_token for the api controller
It also skips the verify_authenticity_token before filter.
So all Subclasses of the ApiController will only support token auth.
Also made the V1::UsersController a bit more strict. Now way for admins to alter other users through the api. We don't support that yet so let's not allow it either.
Diffstat (limited to 'app/controllers')
-rw-r--r-- | app/controllers/api_controller.rb | 11 | ||||
-rw-r--r-- | app/controllers/v1/certs_controller.rb | 2 | ||||
-rw-r--r-- | app/controllers/v1/configs_controller.rb | 18 | ||||
-rw-r--r-- | app/controllers/v1/messages_controller.rb | 7 | ||||
-rw-r--r-- | app/controllers/v1/services_controller.rb | 4 | ||||
-rw-r--r-- | app/controllers/v1/sessions_controller.rb | 5 | ||||
-rw-r--r-- | app/controllers/v1/smtp_certs_controller.rb | 2 | ||||
-rw-r--r-- | app/controllers/v1/users_controller.rb | 14 |
8 files changed, 38 insertions, 25 deletions
diff --git a/app/controllers/api_controller.rb b/app/controllers/api_controller.rb new file mode 100644 index 0000000..0aa9507 --- /dev/null +++ b/app/controllers/api_controller.rb @@ -0,0 +1,11 @@ +class ApiController < ApplicationController + + skip_before_filter :verify_authenticity_token + respond_to :json + + def require_login + require_token + end + +end + diff --git a/app/controllers/v1/certs_controller.rb b/app/controllers/v1/certs_controller.rb index b6d1d0b..68d6586 100644 --- a/app/controllers/v1/certs_controller.rb +++ b/app/controllers/v1/certs_controller.rb @@ -1,4 +1,4 @@ -class V1::CertsController < ApplicationController +class V1::CertsController < ApiController before_filter :require_login, :unless => :anonymous_certs_allowed? diff --git a/app/controllers/v1/configs_controller.rb b/app/controllers/v1/configs_controller.rb index b11b0a9..537123f 100644 --- a/app/controllers/v1/configs_controller.rb +++ b/app/controllers/v1/configs_controller.rb @@ -1,12 +1,4 @@ -class V1::ConfigsController < ApplicationController - - CONFIGS = { - services: { - soledad: "/1/configs/soledad-service.json", - eip: "/1/configs/eip-service.json", - smtp: "/1/configs/smtp-service.json" - } - } +class V1::ConfigsController < ApiController before_filter :require_login @@ -17,4 +9,12 @@ class V1::ConfigsController < ApplicationController def show end + CONFIGS = { + services: { + soledad: "/1/configs/soledad-service.json", + eip: "/1/configs/eip-service.json", + smtp: "/1/configs/smtp-service.json" + } + } + end diff --git a/app/controllers/v1/messages_controller.rb b/app/controllers/v1/messages_controller.rb index 85156b7..a9b93a9 100644 --- a/app/controllers/v1/messages_controller.rb +++ b/app/controllers/v1/messages_controller.rb @@ -1,10 +1,7 @@ module V1 - class MessagesController < ApplicationController + class MessagesController < ApiController - skip_before_filter :verify_authenticity_token - before_filter :require_token - - respond_to :json + before_filter :require_login def index render json: current_user.messages diff --git a/app/controllers/v1/services_controller.rb b/app/controllers/v1/services_controller.rb index 594940e..114870f 100644 --- a/app/controllers/v1/services_controller.rb +++ b/app/controllers/v1/services_controller.rb @@ -1,6 +1,4 @@ -class V1::ServicesController < ApplicationController - - respond_to :json +class V1::ServicesController < ApiController def show respond_with current_user.effective_service_level diff --git a/app/controllers/v1/sessions_controller.rb b/app/controllers/v1/sessions_controller.rb index d88fcdc..a343d9b 100644 --- a/app/controllers/v1/sessions_controller.rb +++ b/app/controllers/v1/sessions_controller.rb @@ -1,8 +1,7 @@ module V1 - class SessionsController < ApplicationController + class SessionsController < ApiController - skip_before_filter :verify_authenticity_token - before_filter :require_token, only: :destroy + before_filter :require_login, only: :destroy def new @session = Session.new diff --git a/app/controllers/v1/smtp_certs_controller.rb b/app/controllers/v1/smtp_certs_controller.rb index 377a49c..fa53b26 100644 --- a/app/controllers/v1/smtp_certs_controller.rb +++ b/app/controllers/v1/smtp_certs_controller.rb @@ -1,4 +1,4 @@ -class V1::SmtpCertsController < ApplicationController +class V1::SmtpCertsController < ApiController before_filter :require_login before_filter :require_email_account diff --git a/app/controllers/v1/users_controller.rb b/app/controllers/v1/users_controller.rb index abaefd8..5c9e33f 100644 --- a/app/controllers/v1/users_controller.rb +++ b/app/controllers/v1/users_controller.rb @@ -1,10 +1,9 @@ module V1 - class UsersController < UsersBaseController + class UsersController < ApiController - skip_before_filter :verify_authenticity_token before_filter :fetch_user, :only => [:update] before_filter :require_admin, :only => [:index] - before_filter :require_token, :only => [:update] + before_filter :require_login, :only => [:index, :update] before_filter :require_registration_allowed, only: :create respond_to :json @@ -29,11 +28,20 @@ module V1 respond_with @user end + protected + def require_registration_allowed unless APP_CONFIG[:allow_registration] head :forbidden end end + def fetch_user + @user = User.find(params[:id]) + if @user != current_user + access_denied + end + end + end end |