Fix authentication on "untenanted" controllers
trying out the name "disallow_account_scope" for this, but I don't think it's quite right yet.
This commit is contained in:
@@ -2,10 +2,9 @@ module Authentication
|
||||
extend ActiveSupport::Concern
|
||||
|
||||
included do
|
||||
# Checking for tenant must happen first so we redirect before trying to access the db.
|
||||
before_action :require_tenant
|
||||
prepend_before_action :clear_old_scoped_session_cookies
|
||||
|
||||
before_action :require_account # Checking and setting account must happen first
|
||||
before_action :require_authentication
|
||||
helper_method :authenticated?
|
||||
|
||||
@@ -26,8 +25,8 @@ module Authentication
|
||||
allow_unauthorized_access **options
|
||||
end
|
||||
|
||||
def require_untenanted_access(**options)
|
||||
skip_before_action :require_tenant, **options
|
||||
def disallow_account_scope(**options)
|
||||
skip_before_action :require_account, **options
|
||||
before_action :redirect_tenanted_request, **options
|
||||
end
|
||||
end
|
||||
@@ -37,9 +36,11 @@ module Authentication
|
||||
Current.session.present?
|
||||
end
|
||||
|
||||
def require_tenant
|
||||
if ApplicationRecord.current_tenant.blank?
|
||||
def require_account
|
||||
if request_account_id.blank?
|
||||
redirect_to session_menu_url(script_name: nil)
|
||||
else
|
||||
set_current_account
|
||||
end
|
||||
end
|
||||
|
||||
@@ -81,7 +82,7 @@ module Authentication
|
||||
end
|
||||
|
||||
def redirect_tenanted_request
|
||||
redirect_to root_url if ApplicationRecord.current_tenant
|
||||
redirect_to root_url if request_account_id
|
||||
end
|
||||
|
||||
def start_new_session_for(identity)
|
||||
@@ -101,6 +102,10 @@ module Authentication
|
||||
cookies.delete(:session_token)
|
||||
end
|
||||
|
||||
def set_current_account
|
||||
Current.account = Account.find_by(external_account_id: request_account_id)
|
||||
end
|
||||
|
||||
def request_account_id
|
||||
request.env["fizzy.external_account_id"]
|
||||
end
|
||||
|
||||
@@ -2,7 +2,6 @@ module Authorization
|
||||
extend ActiveSupport::Concern
|
||||
|
||||
included do
|
||||
prepend_before_action :set_account, if: -> { request_account_id.present? }
|
||||
before_action :ensure_can_access_account, if: -> { Current.account.present? && authenticated? }
|
||||
end
|
||||
|
||||
@@ -18,10 +17,6 @@ module Authorization
|
||||
end
|
||||
|
||||
private
|
||||
def set_account
|
||||
Current.account = Account.find_by(external_account_id: request_account_id)
|
||||
end
|
||||
|
||||
def ensure_admin
|
||||
head :forbidden unless Current.user.admin?
|
||||
end
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
class JoinCodesController < ApplicationController
|
||||
require_untenanted_access
|
||||
disallow_account_scope
|
||||
allow_unauthenticated_access
|
||||
before_action :set_join_code
|
||||
before_action :ensure_join_code_is_valid
|
||||
@@ -7,7 +7,8 @@ class JoinCodesController < ApplicationController
|
||||
layout "public"
|
||||
|
||||
def new
|
||||
@account_name = Current.account.name
|
||||
@account = Account.find_by_external_account_id!(tenant)
|
||||
@account_name = @account.name
|
||||
end
|
||||
|
||||
def create
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
class Memberships::EmailAddresses::ConfirmationsController < ApplicationController
|
||||
require_untenanted_access
|
||||
disallow_account_scope
|
||||
allow_unauthenticated_access
|
||||
|
||||
before_action :set_membership
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
class Memberships::EmailAddressesController < ApplicationController
|
||||
require_untenanted_access
|
||||
disallow_account_scope
|
||||
|
||||
layout "public"
|
||||
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
class Memberships::UnlinkController < ApplicationController
|
||||
require_untenanted_access
|
||||
disallow_account_scope
|
||||
before_action :set_membership
|
||||
|
||||
def show
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
class PwaController < ApplicationController
|
||||
require_untenanted_access
|
||||
disallow_account_scope
|
||||
skip_forgery_protection
|
||||
|
||||
# We need a stable URL at the root, so we can't use the regular asset path here.
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
class Sessions::MagicLinksController < ApplicationController
|
||||
require_untenanted_access
|
||||
disallow_account_scope
|
||||
require_unauthenticated_access
|
||||
rate_limit to: 10, within: 15.minutes, only: :create, with: -> { redirect_to session_magic_link_path, alert: "Try again in 15 minutes." }
|
||||
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
class Sessions::MenusController < ApplicationController
|
||||
require_untenanted_access
|
||||
disallow_account_scope
|
||||
|
||||
before_action(if: :render_as_menu_section?) { request.variant = :menu_section }
|
||||
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
class Sessions::TransfersController < ApplicationController
|
||||
require_untenanted_access
|
||||
disallow_account_scope
|
||||
require_unauthenticated_access
|
||||
|
||||
def show
|
||||
|
||||
@@ -4,7 +4,7 @@ class SessionsController < ApplicationController
|
||||
SIGNUP_PASSWORD = Rails.env.local? ? "testpassword" : Rails.application.credentials.account_signup_http_basic_auth.password
|
||||
http_basic_authenticate_with name: SIGNUP_USERNAME, password: SIGNUP_PASSWORD, realm: "Fizzy Signup", only: :create, unless: -> { Identity.exists?(email_address: email_address) }
|
||||
|
||||
require_untenanted_access
|
||||
disallow_account_scope
|
||||
require_unauthenticated_access except: :destroy
|
||||
rate_limit to: 10, within: 3.minutes, only: :create, with: -> { redirect_to new_session_path, alert: "Try again later." }
|
||||
|
||||
|
||||
Reference in New Issue
Block a user