OK, this one is embarrassing.
Up until now, hdm never actually restricted access to hiera data from anonymous users. If you were not logged in, you could still access "internal" pages if you knew the URL.
This was due to a combination of reasons:
1.) Authorization is performed with the help of the cancancan gem. The rules live in app/models/abilities.rb. If no user was signed in, the following line simply created one:
hdm/app/models/ability.rb
Line 37 in 52d8487
So anonymous users had the same rights as a regular user.
This PR changes that line, so anonymous (i.e. non-existent) users have no rights.
2.) It is customary in Rails applications to check for signed in users in a so-called before_action as the very first step when a request hits the application. This is so there is no need to query the authorization layer or waste other resources in these cases at all.
Such a before_action was missing from hdm.
This PR adds a before_action checking the authentication in ApplicationController, so all controllers inherit it. In the few places where login is not required, exceptions to that rule have been added.
I am really sorry that I did not catch this earlier. I guess there were so many familiar patterns already in place that I just expected this to work ☹️
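The two layers described in this PR, as an added sketch that is not hdm's code: plain Ruby with no Rails or cancancan, hypothetical controller and action names, and a regression check that lists every route an anonymous request can still reach.

```ruby
# Constructed stand-in: plain Ruby, no Rails or cancancan. All names are hypothetical.
User = Struct.new(:name)

# Authorization layer, failing closed: a missing user gets no rules at all.
class Ability
  def initialize(user)
    @allowed = user ? %i[read] : []
  end

  def can?(action)
    @allowed.include?(action)
  end
end

# Authentication layer: declared once on the base class and inherited by every
# controller; a subclass opts out per action (the role skip_before_action plays).
class BaseController
  def self.public_actions
    @public_actions ||= []
  end

  def self.skip_authentication(*actions)
    public_actions.concat(actions)
  end

  def initialize(current_user)
    @current_user = current_user
  end

  def dispatch(action)
    return 200 if self.class.public_actions.include?(action)
    return 401 if @current_user.nil?                          # not signed in
    return 403 unless Ability.new(@current_user).can?(:read)  # signed in, not allowed
    200
  end
end

class SessionsController < BaseController
  skip_authentication :new
end

class KeysController < BaseController; end

ROUTES = [[SessionsController, :new], [KeysController, :index], [KeysController, :show]].freeze

# Regression check: routes that answer 200 to a request with no user.
def anonymously_reachable(routes)
  routes.select { |controller, action| controller.new(nil).dispatch(action) == 200 }
end
```

Comparing the result of `anonymously_reachable(ROUTES)` against an explicit allowlist in the test suite makes a missing authentication filter fail the build instead of going unnoticed.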