Fix authentication on "untenanted" controllers

trying out the name "disallow_account_scope" for this, but I don't
think it's quite right yet.
This commit is contained in:
Mike Dalessio
2025-11-10 14:25:15 -05:00
parent 086a9ceada
commit 89d1299ec0
11 changed files with 23 additions and 22 deletions
+12 -7
View File
@@ -2,10 +2,9 @@ module Authentication
extend ActiveSupport::Concern
included do
# Checking for tenant must happen first so we redirect before trying to access the db.
before_action :require_tenant
prepend_before_action :clear_old_scoped_session_cookies
before_action :require_account # Checking and setting account must happen first
before_action :require_authentication
helper_method :authenticated?
@@ -26,8 +25,8 @@ module Authentication
allow_unauthorized_access **options
end
def require_untenanted_access(**options)
skip_before_action :require_tenant, **options
def disallow_account_scope(**options)
skip_before_action :require_account, **options
before_action :redirect_tenanted_request, **options
end
end
@@ -37,9 +36,11 @@ module Authentication
Current.session.present?
end
def require_tenant
if ApplicationRecord.current_tenant.blank?
def require_account
if request_account_id.blank?
redirect_to session_menu_url(script_name: nil)
else
set_current_account
end
end
@@ -81,7 +82,7 @@ module Authentication
end
def redirect_tenanted_request
redirect_to root_url if ApplicationRecord.current_tenant
redirect_to root_url if request_account_id
end
def start_new_session_for(identity)
@@ -101,6 +102,10 @@ module Authentication
cookies.delete(:session_token)
end
def set_current_account
Current.account = Account.find_by(external_account_id: request_account_id)
end
def request_account_id
request.env["fizzy.external_account_id"]
end
@@ -2,7 +2,6 @@ module Authorization
extend ActiveSupport::Concern
included do
prepend_before_action :set_account, if: -> { request_account_id.present? }
before_action :ensure_can_access_account, if: -> { Current.account.present? && authenticated? }
end
@@ -18,10 +17,6 @@ module Authorization
end
private
def set_account
Current.account = Account.find_by(external_account_id: request_account_id)
end
def ensure_admin
head :forbidden unless Current.user.admin?
end
+3 -2
View File
@@ -1,5 +1,5 @@
class JoinCodesController < ApplicationController
require_untenanted_access
disallow_account_scope
allow_unauthenticated_access
before_action :set_join_code
before_action :ensure_join_code_is_valid
@@ -7,7 +7,8 @@ class JoinCodesController < ApplicationController
layout "public"
def new
@account_name = Current.account.name
@account = Account.find_by_external_account_id!(tenant)
@account_name = @account.name
end
def create
@@ -1,5 +1,5 @@
class Memberships::EmailAddresses::ConfirmationsController < ApplicationController
require_untenanted_access
disallow_account_scope
allow_unauthenticated_access
before_action :set_membership
@@ -1,5 +1,5 @@
class Memberships::EmailAddressesController < ApplicationController
require_untenanted_access
disallow_account_scope
layout "public"
@@ -1,5 +1,5 @@
class Memberships::UnlinkController < ApplicationController
require_untenanted_access
disallow_account_scope
before_action :set_membership
def show
+1 -1
View File
@@ -1,5 +1,5 @@
class PwaController < ApplicationController
require_untenanted_access
disallow_account_scope
skip_forgery_protection
# We need a stable URL at the root, so we can't use the regular asset path here.
@@ -1,5 +1,5 @@
class Sessions::MagicLinksController < ApplicationController
require_untenanted_access
disallow_account_scope
require_unauthenticated_access
rate_limit to: 10, within: 15.minutes, only: :create, with: -> { redirect_to session_magic_link_path, alert: "Try again in 15 minutes." }
+1 -1
View File
@@ -1,5 +1,5 @@
class Sessions::MenusController < ApplicationController
require_untenanted_access
disallow_account_scope
before_action(if: :render_as_menu_section?) { request.variant = :menu_section }
@@ -1,5 +1,5 @@
class Sessions::TransfersController < ApplicationController
require_untenanted_access
disallow_account_scope
require_unauthenticated_access
def show
+1 -1
View File
@@ -4,7 +4,7 @@ class SessionsController < ApplicationController
SIGNUP_PASSWORD = Rails.env.local? ? "testpassword" : Rails.application.credentials.account_signup_http_basic_auth.password
http_basic_authenticate_with name: SIGNUP_USERNAME, password: SIGNUP_PASSWORD, realm: "Fizzy Signup", only: :create, unless: -> { Identity.exists?(email_address: email_address) }
require_untenanted_access
disallow_account_scope
require_unauthenticated_access except: :destroy
rate_limit to: 10, within: 3.minutes, only: :create, with: -> { redirect_to new_session_path, alert: "Try again later." }