Created tests for backend_controller to cover security concerns, including #372 "user can add an action to another user's context via API". Modified backend_controller to close that hole and make the tests pass.

Added UserController#create to provide RESTful API for the admin user to create a new user in the system. This may be useful for the folks who have generously opened their Tracks installs to others. I have plans to document the RESTful API stuff at some point and write a Ruby wrapper.

Created a class method User.get_salt that wraps all calls to the SALT constant so that unit tests can always be run with the default salt (I was previously needing to modify my environment.rb to run tests).

Replaced usages of assert_success in tests with assert_response :success because assert_success is deprecated.



git-svn-id: http://www.rousette.org.uk/svn/tracks-repos/trunk@313 a4c988fc-2ded-0310-b66e-134b36920a42
lukemelia 2006-08-25 02:25:18 +00:00
parent 14c8516002
commit 3002fcf2f1
12 changed files with 264 additions and 44 deletions


@ -4,9 +4,8 @@ class BackendController < ApplicationController
web_service_scaffold :invoke
def new_todo(username, token, context_id, description)
if !check_token_against_user_word(username, token)
raise "invalid token"
end
check_token_against_user_word(username, token)
check_context_belongs_to_user(context_id)
item = @user.todos.build
item.description = description
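Review bot: the `check_context_belongs_to_user(context_id)` call on the line after `check_token_against_user_word(username, token)` only works because the token check sets `@user` as a side effect; nothing in `new_todo` makes that ordering dependency visible, and swapping the two lines would turn the ownership check into a `nil` dereference rather than a `CannotAccessContext` failure. Consider having `check_token_against_user_word` return the authenticated user and passing it explicitly, e.g. `user = check_token_against_user_word(username, token)` followed by `check_context_belongs_to_user(user, context_id)`, so the authorization check cannot be reached without the authentication step.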
@ -17,31 +16,34 @@ class BackendController < ApplicationController
end
def list_contexts(username, token)
if !check_token_against_user_word(username, token)
raise "invalid token"
end
check_token_against_user_word(username, token)
@user.contexts
end
def list_projects(username, token)
if !check_token_against_user_word(username, token)
raise "invalid token"
end
check_token_against_user_word(username, token)
@user.projects
end
protected
private
# Check whether the token in the URL matches the word in the User's table
def check_token_against_user_word(username, token)
@user = User.find_by_login( username )
unless ( token == @user.word)
render :text => "Sorry, you don't have permission to perform this action."
return false
raise (InvalidToken, "Sorry, you don't have permission to perform this action.")
end
end
def check_context_belongs_to_user(context_id)
unless @user.contexts.exists? context_id
raise (CannotAccessContext, "Cannot access a context that does not belong to this user.")
end
true
end
end
class InvalidToken < RuntimeError; end
class CannotAccessContext < RuntimeError; end
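Review bot: in `check_token_against_user_word`, `@user = User.find_by_login( username )` returns `nil` for an unknown login, so the following `unless ( token == @user.word)` raises `NoMethodError` instead of `InvalidToken`; guard it with something like `unless @user && token == @user.word` so a bad username and a bad token fail the same way and are handled by the same error path. Two smaller points in the same hunk: `raise (InvalidToken, "...")` and `raise (CannotAccessContext, "...")` have a space before the argument parentheses, which Ruby only tolerates with a warning, so write `raise InvalidToken, "..."`; and the comment above the method still says it checks a token "in the URL", while the method now raises rather than rendering a response, so the comment should describe the raise behaviour that callers in `new_todo`, `list_contexts` and `list_projects` now rely on.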