From 8baf5b8abd3f677e4cf0fd851fff2799e80f7f6b Mon Sep 17 00:00:00 2001 From: Jorge Manrubia Date: Wed, 26 Nov 2025 13:40:46 +0100 Subject: [PATCH] Make mission control only accessible for staff members --- app/controllers/admin/stats_controller.rb | 2 -- app/controllers/admin_controller.rb | 1 + config/application.rb | 2 ++ config/initializers/mission_control.rb | 4 +--- .../controllers/admin/mission_control_test.rb | 23 +++++++++++++++++++ .../admin/stats_controller_test.rb | 23 +++++++++++++++++++ test/fixtures/identities.yml | 2 ++ 7 files changed, 52 insertions(+), 5 deletions(-) create mode 100644 test/controllers/admin/mission_control_test.rb create mode 100644 test/controllers/admin/stats_controller_test.rb diff --git a/app/controllers/admin/stats_controller.rb b/app/controllers/admin/stats_controller.rb index 25d19ad31..92b49d3ce 100644 --- a/app/controllers/admin/stats_controller.rb +++ b/app/controllers/admin/stats_controller.rb @@ -1,6 +1,4 @@ class Admin::StatsController < AdminController - disallow_account_scope - layout "public" def show diff --git a/app/controllers/admin_controller.rb b/app/controllers/admin_controller.rb index cc268a567..0da780812 100644 --- a/app/controllers/admin_controller.rb +++ b/app/controllers/admin_controller.rb @@ -1,3 +1,4 @@ class AdminController < ApplicationController + disallow_account_scope before_action :ensure_staff end diff --git a/config/application.rb b/config/application.rb index 0399caaca..ced9d9305 100644 --- a/config/application.rb +++ b/config/application.rb @@ -24,5 +24,7 @@ module Fizzy config.generators do |g| g.orm :active_record, primary_key_type: :uuid end + + config.mission_control.jobs.http_basic_auth_enabled = false end end diff --git a/config/initializers/mission_control.rb b/config/initializers/mission_control.rb index c2098204e..2fe3c3ed0 100644 --- a/config/initializers/mission_control.rb +++ b/config/initializers/mission_control.rb @@ -1,5 +1,3 @@ Rails.application.config.before_initialize do - # We don't want normal tenanted authentication on mission control. - # Note that we're using HTTP basic auth configured via credentials. - MissionControl::Jobs.base_controller_class = "ActionController::Base" + MissionControl::Jobs.base_controller_class = "AdminController" end diff --git a/test/controllers/admin/mission_control_test.rb b/test/controllers/admin/mission_control_test.rb new file mode 100644 index 000000000..265090928 --- /dev/null +++ b/test/controllers/admin/mission_control_test.rb @@ -0,0 +1,23 @@ +require "test_helper" + +class Admin::MissionControlTest < ActionDispatch::IntegrationTest + test "staff can access mission control jobs" do + sign_in_as :david + + untenanted do + get "/admin/jobs" + end + + assert_response :success + end + + test "non-staff cannot access mission control jobs" do + sign_in_as :jz + + untenanted do + get "/admin/jobs" + end + + assert_response :forbidden + end +end diff --git a/test/controllers/admin/stats_controller_test.rb b/test/controllers/admin/stats_controller_test.rb new file mode 100644 index 000000000..f87dd7cf4 --- /dev/null +++ b/test/controllers/admin/stats_controller_test.rb @@ -0,0 +1,23 @@ +require "test_helper" + +class Admin::StatsControllerTest < ActionDispatch::IntegrationTest + test "staff can access stats" do + sign_in_as :david + + untenanted do + get admin_stats_url + end + + assert_response :success + end + + test "non-staff cannot access stats" do + sign_in_as :jz + + untenanted do + get admin_stats_url + end + + assert_response :forbidden + end +end diff --git a/test/fixtures/identities.yml b/test/fixtures/identities.yml index a014e801c..af4c2a060 100644 --- a/test/fixtures/identities.yml +++ b/test/fixtures/identities.yml @@ -1,11 +1,13 @@ david: email_address: david@37signals.com + staff: true jz: email_address: jz@37signals.com kevin: email_address: kevin@37signals.com + staff: true mike: email_address: mike@37signals.com