Restrict logins to employees in staging
as inferred from the email domain, which must be "@37signals.com" or "@basecamp.com".
This commit is contained in:
@@ -0,0 +1,28 @@
|
||||
module Fizzy
|
||||
module Saas
|
||||
module Authorization
|
||||
module Controller
|
||||
extend ActiveSupport::Concern
|
||||
|
||||
included do
|
||||
before_action :ensure_only_employees_can_access_non_production_remote_environments, if: :authenticated?
|
||||
end
|
||||
|
||||
private
|
||||
def ensure_only_employees_can_access_non_production_remote_environments
|
||||
head :forbidden if Rails.env.staging? && !Current.identity.employee?
|
||||
end
|
||||
end
|
||||
|
||||
module Identity
|
||||
extend ActiveSupport::Concern
|
||||
|
||||
EMPLOYEE_DOMAINS = ["@37signals.com", "@basecamp.com"].freeze
|
||||
|
||||
def employee?
|
||||
email_address.end_with?(*EMPLOYEE_DOMAINS)
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
@@ -1,5 +1,6 @@
|
||||
require_relative "transaction_pinning"
|
||||
require_relative "signup"
|
||||
require_relative "authorization"
|
||||
require_relative "../../rails_ext/active_record_tasks_database_tasks.rb"
|
||||
|
||||
module Fizzy
|
||||
@@ -112,6 +113,9 @@ module Fizzy
|
||||
::Object.send(:remove_const, const_name) if ::Object.const_defined?(const_name)
|
||||
::Object.const_set const_name, Subscription.const_get(short_name, false)
|
||||
end
|
||||
|
||||
::Authorization.include Fizzy::Saas::Authorization::Controller
|
||||
::Identity.include Fizzy::Saas::Authorization::Identity
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
@@ -0,0 +1,56 @@
|
||||
require "test_helper"
|
||||
|
||||
class NonProductionRemoteAccessTest < ActionDispatch::IntegrationTest
|
||||
test "employee can access in staging environment" do
|
||||
assert_predicate identities(:david), :employee?
|
||||
|
||||
sign_in_as :david
|
||||
|
||||
Rails.stubs(:env).returns(ActiveSupport::EnvironmentInquirer.new("staging"))
|
||||
get cards_path
|
||||
assert_response :success
|
||||
end
|
||||
|
||||
test "non-employee cannot access in staging environment" do
|
||||
identities(:jz).update!(email_address: "david@example.com")
|
||||
assert_not_predicate identities(:jz), :employee?
|
||||
|
||||
sign_in_as :jz
|
||||
|
||||
Rails.stubs(:env).returns(ActiveSupport::EnvironmentInquirer.new("staging"))
|
||||
get cards_path
|
||||
assert_response :forbidden
|
||||
end
|
||||
|
||||
test "non-employee can access in production environment" do
|
||||
identities(:jz).update!(email_address: "david@example.com")
|
||||
assert_not_predicate identities(:jz), :employee?
|
||||
|
||||
sign_in_as :jz
|
||||
|
||||
Rails.stubs(:env).returns(ActiveSupport::EnvironmentInquirer.new("production"))
|
||||
get cards_path
|
||||
assert_response :success
|
||||
end
|
||||
|
||||
test "non-employee can access in beta environment" do
|
||||
identities(:jz).update!(email_address: "david@example.com")
|
||||
assert_not_predicate identities(:jz), :employee?
|
||||
|
||||
sign_in_as :jz
|
||||
|
||||
Rails.stubs(:env).returns(ActiveSupport::EnvironmentInquirer.new("beta"))
|
||||
get cards_path
|
||||
assert_response :success
|
||||
end
|
||||
|
||||
test "non-employee can access in local environment" do
|
||||
identities(:jz).update!(email_address: "david@example.com")
|
||||
assert_not_predicate identities(:jz), :employee?
|
||||
|
||||
sign_in_as :jz
|
||||
|
||||
get cards_path
|
||||
assert_response :success
|
||||
end
|
||||
end
|
||||
@@ -0,0 +1,18 @@
|
||||
require "test_helper"
|
||||
|
||||
class Fizzy::Saas::IdentityTest < ActiveSupport::TestCase
|
||||
test "#employee? returns true for 37signals.com domains" do
|
||||
identity = Identity.new(email_address: "mike@37signals.com")
|
||||
assert_predicate identity, :employee?
|
||||
end
|
||||
|
||||
test "#employee? returns true for basecamp.com domains" do
|
||||
identity = Identity.new(email_address: "mike@basecamp.com")
|
||||
assert_predicate identity, :employee?
|
||||
end
|
||||
|
||||
test "#employee? returns false for other domains" do
|
||||
identity = Identity.new(email_address: "mike@example.com")
|
||||
assert_not_predicate identity, :employee?
|
||||
end
|
||||
end
|
||||
Reference in New Issue
Block a user