TheDude
/
openproject
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

do not pass user into authorization callback

Browse Source
pull/1636/head
Markus Kahl 10 years ago
parent 3303126657
commit fd1f8315cf
3 changed files with 16 additions and 18 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 3
      app/controllers/concerns/omniauth_login.rb
  2. 21
      lib/open_project/omni_auth/authorization.rb
  3. 10
      spec/controllers/concerns/omniauth_login_spec.rb

3
app/controllers/concerns/omniauth_login.rb
Unescape View File

@ -10,8 +10,7 @@ module Concerns::OmniauthLogin
params[:back_url] = request.env['omniauth.origin'] params[:back_url] = request.env['omniauth.origin']
user = User.find_or_initialize_by_identity_url identity_url_from_omniauth(auth_hash) user = User.find_or_initialize_by_identity_url identity_url_from_omniauth(auth_hash)
dec = OpenProject::OmniAuth::Authorization.authorized? user_with_info(user, auth_hash), dec = OpenProject::OmniAuth::Authorization.authorized? auth_hash
auth_hash
if dec.approve? if dec.approve?
authorization_successful user, auth_hash authorization_successful user, auth_hash
else else

21
lib/open_project/omni_auth/authorization.rb
Unescape View File

@ -6,11 +6,11 @@ module OpenProject
## ##
# Checks whether the given user is authorized to login by calling # Checks whether the given user is authorized to login by calling
# all registered callbacks. If all callbacks approve the user is authorized and may log in. # all registered callbacks. If all callbacks approve the user is authorized and may log in.
def self.authorized?(user, auth_hash) def self.authorized?(auth_hash)
rejection = nil rejection = nil
callbacks.each do |callback| callbacks.each do |callback|
d = callback.authorize user, auth_hash d = callback.authorize auth_hash
if d.is_a? Decision if d.is_a? Decision
if d.reject? if d.reject?
@ -51,9 +51,9 @@ module OpenProject
end end
def self.authorize_user_for_provider(provider, &block) def self.authorize_user_for_provider(provider, &block)
callback = BlockCallback.new do |dec, user, auth_hash| callback = BlockCallback.new do |dec, auth_hash|
if auth_hash.provider.to_sym == provider.to_sym if auth_hash.provider.to_sym == provider.to_sym
block.call dec, user, auth_hash block.call dec, auth_hash
else else
Decision.approve Decision.approve
end end
@ -74,15 +74,14 @@ module OpenProject
# Performs user authorization. # Performs user authorization.
class Callback class Callback
## ##
# Given a user and an OmniAuth auth hash this decides if a user is authorized or not. # Given an OmniAuth auth hash this decides if a user is authorized or not.
# #
# @param [User] user The OpenProject user to be logged in. # @param [AuthHash] auth_hash OmniAuth authentication information including user info
# @param [AuthHash] OmniAuth authentication information including user info
# and credentials. # and credentials.
# #
# @return [Decision] A decision indicating whether the user is authorized or not. # @return [Decision] A decision indicating whether the user is authorized or not.
def authorize(user, auth_hash) def authorize(auth_hash)
fail "subclass responsibility: authorize(#{user}, #{auth_hash})" fail "subclass responsibility: authorize(#{auth_hash})"
end end
end end
@ -95,8 +94,8 @@ module OpenProject
@block = block @block = block
end end
def authorize(user, auth_hash) def authorize(auth_hash)
block.call Decision, user, auth_hash block.call Decision, auth_hash
end end
end end

10
spec/controllers/concerns/omniauth_login_spec.rb
Unescape View File

@ -226,7 +226,7 @@ describe AccountController do
# Let's set up a couple of authorization callbacks to see if the mechanism # Let's set up a couple of authorization callbacks to see if the mechanism
# works as intended. # works as intended.
OpenProject::OmniAuth::Authorization.authorize_user provider: :google do |dec, _, auth| OpenProject::OmniAuth::Authorization.authorize_user provider: :google do |dec, auth|
if auth.info.name == config.google_name if auth.info.name == config.google_name
dec.approve dec.approve
else else
@ -234,8 +234,8 @@ describe AccountController do
end end
end end
OpenProject::OmniAuth::Authorization.authorize_user do |dec, user, _| OpenProject::OmniAuth::Authorization.authorize_user do |dec, auth|
if user.mail == config.global_email if auth.info.email == config.global_email
dec.approve dec.approve
else else
dec.reject "I only want to see #{config[:global_email]} here." dec.reject "I only want to see #{config[:global_email]} here."
@ -243,12 +243,12 @@ describe AccountController do
end end
# ineffective callback # ineffective callback
OpenProject::OmniAuth::Authorization.authorize_user provider: :foobar do |dec, _, _| OpenProject::OmniAuth::Authorization.authorize_user provider: :foobar do |dec, _|
dec.reject 'Though shalt not pass!' dec.reject 'Though shalt not pass!'
end end
# free for all callback # free for all callback
OpenProject::OmniAuth::Authorization.authorize_user do |dec, _, _| OpenProject::OmniAuth::Authorization.authorize_user do |dec, _|
dec.approve dec.approve
end end
end end

Write Preview
Loading…
Cancel
Save