diff --git a/app/controllers/concerns/authentication.rb b/app/controllers/concerns/authentication.rb index b0bce9ac4..a8a0e1b20 100644 --- a/app/controllers/concerns/authentication.rb +++ b/app/controllers/concerns/authentication.rb @@ -2,6 +2,8 @@ module Authentication extend ActiveSupport::Concern included do + # Checking for tenant must happen first so we redirect before trying to access the db. + before_action :require_tenant prepend_before_action :clear_old_scoped_session_cookies before_action :require_authentication @@ -23,6 +25,11 @@ module Authentication before_action :resume_session, **options allow_unauthorized_access **options end + + def require_untenanted_access(**options) + skip_before_action :require_tenant, **options + before_action :redirect_tenanted_request, **options + end end private @@ -30,6 +37,12 @@ module Authentication Current.session.present? end + def require_tenant + if ApplicationRecord.current_tenant.blank? + redirect_to session_menu_url(script_name: nil) + end + end + def require_authentication resume_session || request_authentication end @@ -67,6 +80,10 @@ module Authentication redirect_to root_url if authenticated? end + def redirect_tenanted_request + redirect_to root_url if ApplicationRecord.current_tenant + end + def start_new_session_for(identity) identity.sessions.create!(user_agent: request.user_agent, ip_address: request.remote_ip).tap do |session| set_current_session session diff --git a/app/controllers/join_codes_controller.rb b/app/controllers/join_codes_controller.rb index dcceb9f60..320f06553 100644 --- a/app/controllers/join_codes_controller.rb +++ b/app/controllers/join_codes_controller.rb @@ -1,4 +1,5 @@ class JoinCodesController < ApplicationController + require_untenanted_access allow_unauthenticated_access before_action :set_join_code before_action :ensure_join_code_is_valid diff --git a/app/controllers/memberships/email_addresses/confirmations_controller.rb b/app/controllers/memberships/email_addresses/confirmations_controller.rb index 42d9fb096..b53fdc135 100644 --- a/app/controllers/memberships/email_addresses/confirmations_controller.rb +++ b/app/controllers/memberships/email_addresses/confirmations_controller.rb @@ -1,4 +1,5 @@ class Memberships::EmailAddresses::ConfirmationsController < ApplicationController + require_untenanted_access allow_unauthenticated_access before_action :set_membership diff --git a/app/controllers/memberships/email_addresses_controller.rb b/app/controllers/memberships/email_addresses_controller.rb index f72389e64..0870410a9 100644 --- a/app/controllers/memberships/email_addresses_controller.rb +++ b/app/controllers/memberships/email_addresses_controller.rb @@ -1,4 +1,6 @@ class Memberships::EmailAddressesController < ApplicationController + require_untenanted_access + layout "public" before_action :set_membership diff --git a/app/controllers/memberships/unlink_controller.rb b/app/controllers/memberships/unlink_controller.rb index ab29d5be9..63664aca8 100644 --- a/app/controllers/memberships/unlink_controller.rb +++ b/app/controllers/memberships/unlink_controller.rb @@ -1,4 +1,5 @@ class Memberships::UnlinkController < ApplicationController + require_untenanted_access before_action :set_membership def show diff --git a/app/controllers/pwa_controller.rb b/app/controllers/pwa_controller.rb index 53f299311..bd6127182 100644 --- a/app/controllers/pwa_controller.rb +++ b/app/controllers/pwa_controller.rb @@ -1,4 +1,5 @@ class PwaController < ApplicationController + require_untenanted_access skip_forgery_protection # We need a stable URL at the root, so we can't use the regular asset path here. diff --git a/app/controllers/sessions/magic_links_controller.rb b/app/controllers/sessions/magic_links_controller.rb index 43021befc..3b836e445 100644 --- a/app/controllers/sessions/magic_links_controller.rb +++ b/app/controllers/sessions/magic_links_controller.rb @@ -1,4 +1,5 @@ class Sessions::MagicLinksController < ApplicationController + require_untenanted_access require_unauthenticated_access rate_limit to: 10, within: 15.minutes, only: :create, with: -> { redirect_to session_magic_link_path, alert: "Try again in 15 minutes." } diff --git a/app/controllers/sessions/menus_controller.rb b/app/controllers/sessions/menus_controller.rb index c6f884856..7ad3b6a09 100644 --- a/app/controllers/sessions/menus_controller.rb +++ b/app/controllers/sessions/menus_controller.rb @@ -1,4 +1,6 @@ class Sessions::MenusController < ApplicationController + require_untenanted_access + before_action(if: :render_as_menu_section?) { request.variant = :menu_section } layout "public" diff --git a/app/controllers/sessions/transfers_controller.rb b/app/controllers/sessions/transfers_controller.rb index 97a48daa4..b3b7ae773 100644 --- a/app/controllers/sessions/transfers_controller.rb +++ b/app/controllers/sessions/transfers_controller.rb @@ -1,4 +1,5 @@ class Sessions::TransfersController < ApplicationController + require_untenanted_access require_unauthenticated_access def show diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb index e6f4ab665..8f8222ed9 100644 --- a/app/controllers/sessions_controller.rb +++ b/app/controllers/sessions_controller.rb @@ -4,6 +4,7 @@ class SessionsController < ApplicationController SIGNUP_PASSWORD = Rails.env.local? ? "testpassword" : Rails.application.credentials.account_signup_http_basic_auth.password http_basic_authenticate_with name: SIGNUP_USERNAME, password: SIGNUP_PASSWORD, realm: "Fizzy Signup", only: :create, unless: -> { Identity.exists?(email_address: email_address) } + require_untenanted_access require_unauthenticated_access except: :destroy rate_limit to: 10, within: 3.minutes, only: :create, with: -> { redirect_to new_session_path, alert: "Try again later." }