From 1897cc238f0bd38fbd31dc260c415fea3459cd90 Mon Sep 17 00:00:00 2001 From: Jorge Manrubia Date: Fri, 28 Nov 2025 10:51:18 +0100 Subject: [PATCH] Only staff can access beta/staging https://app.fizzy.do/5986089/cards/3208 --- app/controllers/concerns/authorization.rb | 5 +++ .../non_production_remote_access_test.rb | 34 +++++++++++++++++++ 2 files changed, 39 insertions(+) create mode 100644 test/controllers/non_production_remote_access_test.rb diff --git a/app/controllers/concerns/authorization.rb b/app/controllers/concerns/authorization.rb index 46769992e..81bd0c781 100644 --- a/app/controllers/concerns/authorization.rb +++ b/app/controllers/concerns/authorization.rb @@ -3,6 +3,7 @@ module Authorization included do before_action :ensure_can_access_account, if: -> { Current.account.present? && authenticated? } + before_action :ensure_only_staff_can_access_non_production_remote_environments, if: :authenticated? end class_methods do @@ -29,6 +30,10 @@ module Authorization redirect_to session_menu_url(script_name: nil) if Current.user.blank? || !Current.user.active? end + def ensure_only_staff_can_access_non_production_remote_environments + head :forbidden unless Rails.env.local? || Rails.env.production? || Current.identity.staff? + end + def redirect_existing_user redirect_to root_path if Current.user end diff --git a/test/controllers/non_production_remote_access_test.rb b/test/controllers/non_production_remote_access_test.rb new file mode 100644 index 000000000..cb84eda35 --- /dev/null +++ b/test/controllers/non_production_remote_access_test.rb @@ -0,0 +1,34 @@ +require "test_helper" + +class NonProductionRemoteAccessTest < ActionDispatch::IntegrationTest + test "staff can access in staging environment" do + sign_in_as :david + + Rails.stubs(:env).returns(ActiveSupport::EnvironmentInquirer.new("staging")) + get cards_path + assert_response :success + end + + test "non-staff cannot access in staging environment" do + sign_in_as :jz + + Rails.stubs(:env).returns(ActiveSupport::EnvironmentInquirer.new("staging")) + get cards_path + assert_response :forbidden + end + + test "non-staff can access in production environment" do + sign_in_as :jz + + Rails.stubs(:env).returns(ActiveSupport::EnvironmentInquirer.new("production")) + get cards_path + assert_response :success + end + + test "non-staff can access in local environment" do + sign_in_as :jz + + get cards_path + assert_response :success + end +end