d3462e71
Commit
d3462e71
authored
Apr 22, 2016
by
Douwe Maan
Fix issue with impersonation
parent
80893cad
Changes
9
Showing
9 changed files
with
192 additions
and
69 deletions
+192
-69
app/controllers/admin/application_controller.rb
app/controllers/admin/application_controller.rb
+1
-7
app/controllers/admin/impersonation_controller.rb
app/controllers/admin/impersonation_controller.rb
+0
-38
app/controllers/admin/impersonations_controller.rb
app/controllers/admin/impersonations_controller.rb
+28
-0
app/controllers/admin/users_controller.rb
app/controllers/admin/users_controller.rb
+16
-0
app/views/layouts/header/_default.html.haml
app/views/layouts/header/_default.html.haml
+1
-1
config/routes.rb
config/routes.rb
+3
-3
spec/controllers/admin/impersonation_controller_spec.rb
spec/controllers/admin/impersonation_controller_spec.rb
+0
-19
spec/controllers/admin/impersonations_controller_spec.rb
spec/controllers/admin/impersonations_controller_spec.rb
+95
-0
spec/controllers/admin/users_controller_spec.rb
spec/controllers/admin/users_controller_spec.rb
+48
-1
app/controllers/admin/application_controller.rb
@@ -6,12 +6,6 @@ class Admin::ApplicationController < ApplicationController
layout
'admin'
def
authenticate_admin!
return
render_404
unless
current_user
.
is_admin?
end
def
authorize_impersonator!
if
session
[
:impersonator_id
]
User
.
find_by!
(
username:
session
[
:impersonator_id
]).
admin?
end
render_404
unless
current_user
.
is_admin?
end
end
app/controllers/admin/impersonation_controller.rb
deleted
100644 → 0
class
Admin::ImpersonationController
<
Admin
::
ApplicationController
skip_before_action
:authenticate_admin!
,
only: :destroy
before_action
:user
before_action
:authorize_impersonator!
def
create
if
@user
.
blocked?
flash
[
:alert
]
=
"You cannot impersonate a blocked user"
redirect_to
admin_user_path
(
@user
)
else
session
[
:impersonator_id
]
=
current_user
.
username
session
[
:impersonator_return_to
]
=
admin_user_path
(
@user
)
warden
.
set_user
(
user
,
scope:
'user'
)
flash
[
:alert
]
=
"You are impersonating
#{
user
.
username
}
."
redirect_to
root_path
end
end
def
destroy
redirect
=
session
[
:impersonator_return_to
]
warden
.
set_user
(
user
,
scope:
'user'
)
session
[
:impersonator_return_to
]
=
nil
session
[
:impersonator_id
]
=
nil
redirect_to
redirect
||
root_path
end
def
user
@user
||=
User
.
find_by!
(
username:
params
[
:id
]
||
session
[
:impersonator_id
])
end
end
app/controllers/admin/impersonations_controller.rb
0 → 100644
class
Admin::ImpersonationsController
<
Admin
::
ApplicationController
skip_before_action
:authenticate_admin!
before_action
:authenticate_impersonator!
def
destroy
redirect_path
=
admin_user_path
(
current_user
)
warden
.
set_user
(
impersonator
,
scope: :user
)
session
[
:impersonator_id
]
=
nil
redirect_to
redirect_path
end
private
def
user
@user
||=
User
.
find
(
params
[
:id
])
end
def
impersonator
@impersonator
||=
User
.
find
(
session
[
:impersonator_id
])
if
session
[
:impersonator_id
]
end
def
authenticate_impersonator!
render_404
unless
impersonator
&&
impersonator
.
is_admin?
&&
!
impersonator
.
blocked?
end
end
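Review bot: The private `user` helper at the end of this new controller (`User.find(params[:id])`) is dead code — `destroy` reads only `current_user` and `impersonator` — and it is the same kind of request-parameter lookup that the deleted controller's `destroy` used to resolve the account it signed in (`params[:id] || session[:impersonator_id]`), so keeping it around makes it easy to wire back into `destroy` later; delete the method. Separately, a successful `destroy` switches the Warden user and clears the session key without recording the event; a `Rails.logger.info` line naming `current_user.id` and `impersonator.id` before the `warden.set_user` call would give an audit trail for every impersonation hand-back.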
app/controllers/admin/users_controller.rb
@@ -31,6 +31,22 @@ def edit
user
end
def
impersonate
if
user
.
blocked?
flash
[
:alert
]
=
"You cannot impersonate a blocked user"
redirect_to
admin_user_path
(
user
)
else
session
[
:impersonator_id
]
=
current_user
.
id
warden
.
set_user
(
user
,
scope: :user
)
flash
[
:alert
]
=
"You are now impersonating
#{
user
.
username
}
"
redirect_to
root_path
end
end
def
block
if
user
.
block
redirect_back_or_admin_user
(
notice:
"Successfully blocked"
)
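Review bot: `impersonate` assigns `session[:impersonator_id] = current_user.id` unconditionally, so if an admin impersonates another admin and that session then calls `impersonate` again, the original impersonator's id is overwritten and the `destroy` in ImpersonationsController hands the session back to the intermediate admin rather than the originator; unless nested impersonation is intended, guard it with `return render_404 if session[:impersonator_id]` at the top of the action. The start of an impersonation is also not logged; a `Rails.logger.info` line with `current_user.id` and `user.id` next to the session write would pair with the stop event for auditing. The `user` helper this action relies on, and the `block` action the hunk cuts into, are outside the hunk.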
app/views/layouts/header/_default.html.haml
@@ -15,7 +15,7 @@
-
if
current_user
-
if
session
[
:impersonator_id
]
%li
.impersonation
=
link_to
stop_impersonation_admin_users
_path
,
method: :delete
,
title:
'Stop Impersonation'
,
data:
{
toggle:
'tooltip'
,
placement:
'bottom'
,
container:
'body'
}
do
=
link_to
admin_impersonation
_path
,
method: :delete
,
title:
'Stop Impersonation'
,
data:
{
toggle:
'tooltip'
,
placement:
'bottom'
,
container:
'body'
}
do
=
icon
(
'user-secret fw'
)
-
if
current_user
.
is_admin?
%li
config/routes.rb
@@ -212,8 +212,6 @@
resources
:keys
,
only:
[
:show
,
:destroy
]
resources
:identities
,
except:
[
:show
]
delete
'stop_impersonation'
=>
'impersonation#destroy'
,
on: :collection
member
do
get
:projects
get
:keys
@@ -223,12 +221,14 @@
put
:unblock
put
:unlock
put
:confirm
post
'impersonate'
=>
'impersonation#create'
post
:impersonate
patch
:disable_two_factor
delete
'remove/:email_id'
,
action:
'remove_email'
,
as:
'remove_email'
end
end
resource
:impersonation
,
only: :destroy
resources
:abuse_reports
,
only:
[
:index
,
:destroy
]
resources
:spam_logs
,
only:
[
:index
,
:destroy
]
spec/controllers/admin/impersonation_controller_spec.rb
deleted
100644 → 0
require
'spec_helper'
describe
Admin
::
ImpersonationController
do
let
(
:admin
)
{
create
(
:admin
)
}
before
do
sign_in
(
admin
)
end
describe
'CREATE #impersonation when blocked'
do
let
(
:blocked_user
)
{
create
(
:user
,
state: :blocked
)
}
it
'does not allow impersonation'
do
post
:create
,
id:
blocked_user
.
username
expect
(
flash
[
:alert
]).
to
eq
'You cannot impersonate a blocked user'
end
end
end
spec/controllers/admin/impersonations_controller_spec.rb
0 → 100644
require
'spec_helper'
describe
Admin
::
ImpersonationsController
do
let
(
:impersonator
)
{
create
(
:admin
)
}
let
(
:user
)
{
create
(
:user
)
}
describe
"DELETE destroy"
do
context
"when not signed in"
do
it
"redirects to the sign in page"
do
delete
:destroy
expect
(
response
).
to
redirect_to
(
new_user_session_path
)
end
end
context
"when signed in"
do
before
do
sign_in
(
user
)
end
context
"when not impersonating"
do
it
"responds with status 404"
do
delete
:destroy
expect
(
response
.
status
).
to
eq
(
404
)
end
it
"doesn't sign us in"
do
delete
:destroy
expect
(
warden
.
user
).
to
eq
(
user
)
end
end
context
"when impersonating"
do
before
do
session
[
:impersonator_id
]
=
impersonator
.
id
end
context
"when the impersonator is not impersonator (anymore)"
do
before
do
impersonator
.
admin
=
false
impersonator
.
save
end
it
"responds with status 404"
do
delete
:destroy
expect
(
response
.
status
).
to
eq
(
404
)
end
it
"doesn't sign us in as the impersonator"
do
delete
:destroy
expect
(
warden
.
user
).
to
eq
(
user
)
end
end
context
"when the impersonator is admin"
do
context
"when the impersonator is blocked"
do
before
do
impersonator
.
block!
end
it
"responds with status 404"
do
delete
:destroy
expect
(
response
.
status
).
to
eq
(
404
)
end
it
"doesn't sign us in as the impersonator"
do
delete
:destroy
expect
(
warden
.
user
).
to
eq
(
user
)
end
end
context
"when the impersonator is not blocked"
do
it
"redirects to the impersonated user's page"
do
delete
:destroy
expect
(
response
).
to
redirect_to
(
admin_user_path
(
user
))
end
it
"signs us in as the impersonator"
do
delete
:destroy
expect
(
warden
.
user
).
to
eq
(
impersonator
)
end
end
end
end
end
end
end
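Review bot: No example in this new spec asserts that a successful DELETE clears the session key the controller sets to nil — the "when the impersonator is not blocked" context checks only the redirect and `warden.user`; add `it "clears the impersonator from the session" do delete :destroy; expect(session[:impersonator_id]).to be_nil end` there. The context description "when the impersonator is not impersonator (anymore)" does not match its `before` block, which sets `impersonator.admin = false`; "when the impersonator is not an admin (anymore)" would describe it.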
spec/controllers/admin/users_controller_spec.rb
@@ -2,9 +2,10 @@
describe
Admin
::
UsersController
do
let
(
:user
)
{
create
(
:user
)
}
let
(
:admin
)
{
create
(
:admin
)
}
before
do
sign_in
(
create
(
:admin
)
)
sign_in
(
admin
)
end
describe
'DELETE #user with projects'
do
@@ -112,4 +113,50 @@ def go
patch
:disable_two_factor
,
id:
user
.
to_param
end
end
describe
"POST impersonate"
do
context
"when the user is blocked"
do
before
do
user
.
block!
end
it
"shows a notice"
do
post
:impersonate
,
id:
user
.
username
expect
(
flash
[
:alert
]).
to
eq
(
"You cannot impersonate a blocked user"
)
end
it
"doesn't sign us in as the user"
do
post
:impersonate
,
id:
user
.
username
expect
(
warden
.
user
).
to
eq
(
admin
)
end
end
context
"when the user is not blocked"
do
it
"stores the impersonator in the session"
do
post
:impersonate
,
id:
user
.
username
expect
(
session
[
:impersonator_id
]).
to
eq
(
admin
.
id
)
end
it
"signs us in as the user"
do
post
:impersonate
,
id:
user
.
username
expect
(
warden
.
user
).
to
eq
(
user
)
end
it
"redirects to root"
do
post
:impersonate
,
id:
user
.
username
expect
(
response
).
to
redirect_to
(
root_path
)
end
it
"shows a notice"
do
post
:impersonate
,
id:
user
.
username
expect
(
flash
[
:alert
]).
to
eq
(
"You are now impersonating
#{
user
.
username
}
"
)
end
end
end
end
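Review bot: Every example in the new "POST impersonate" block runs with `admin` signed in by the file-level `before`, so nothing here checks that a non-admin account is refused by this action; assuming Admin::UsersController inherits the `authenticate_admin!` filter from Admin::ApplicationController, add a context that calls `sign_in(user)` and expects `response.status` to eq 404 after `post :impersonate, id: user.username`. The `def go` helper named in the second hunk header is outside the hunk.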