From e53ad9f5d19492cab5bb7a5fe73a9451a939bed3 Mon Sep 17 00:00:00 2001
From: Fu Matthew
Date: Thu, 7 Mar 2013 16:51:47 +0800
Subject: [PATCH] 1.make module app forbid unearthed access except from admin
2.override sidebar link when it's object_auth or app_auth.
---
 .../module_apps_new_interface_controller.rb | 18 +++++++++++++++--
 lib/orbit_app/module/side_bar.rb | 20 ++++++++++++++++++-
 public/403.html | 1 +
 .../back_end/approvals_controller.rb | 2 ++
 .../back_end/bulletins_controller.rb | 1 -
 vendor/built_in_modules/announcement/init.rb | 3 +--
 6 files changed, 39 insertions(+), 6 deletions(-)
 create mode 100644 public/403.html
diff --git a/app/controllers/admin/module_apps_new_interface_controller.rb b/app/controllers/admin/module_apps_new_interface_controller.rb
index e1b66eac0..b0af8bd67 100644
--- a/app/controllers/admin/module_apps_new_interface_controller.rb
+++ b/app/controllers/admin/module_apps_new_interface_controller.rb
@@ -1,10 +1,24 @@
 class Admin::ModuleAppsNewInterfaceController < OrbitBackendController
- before_filter :authenticate_user!
- before_filter :is_admin?
+ before_filter :check_auth
+ # before_filter :authenticate_user!
+ # before_filter :is_admin?
 include AdminHelper
 layout "new_admin"
+ def check_auth
+
+ unless is_admin? and is_manager?
+ flash[:error] = "unauthorized access"
+ if request.env["HTTP_REFERER"]
+ redirect_to :back
+ else
+ render(:file => File.join(Rails.root, 'public/403.html'), :status => 403, :layout => false)
+ end
+ false
+ end
+ end
+
 def setting
 @sys_users = User.all(conditions: {admin: false}).includes(:avatar).not_guest_user
 @module_app = ModuleApp.find(params[:module_app_id])
diff --git a/lib/orbit_app/module/side_bar.rb b/lib/orbit_app/module/side_bar.rb
index 50811f03a..cdd98f967 100644
--- a/lib/orbit_app/module/side_bar.rb
+++ b/lib/orbit_app/module/side_bar.rb
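Review bot: The guard `unless is_admin? and is_manager?` admits a request only when both predicates hold, so an admin who is not also a manager is turned away, which does not match the subject line's "except from admin"; if admin alone should pass the line should read `unless is_admin?`, and if either role should, `unless is_admin? || is_manager?` (either form also drops the low-precedence `and`). Both helpers are still used as filters elsewhere in this patch (`before_filter :is_admin?` in approvals_controller), so if they redirect or render on failure rather than just returning a boolean, calling them as predicates here risks a double render; that cannot be confirmed from the hunk. With `authenticate_user!` commented out, an anonymous request reaches `check_auth` unless OrbitBackendController authenticates on its own, and the outcome then depends on how `is_admin?` handles a missing current user. The trailing `false` does not halt a Rails 3 filter chain — only the `redirect_to`/`render` does — and `redirect_to :back` sends the browser to a client-supplied Referer, so a fixed, server-chosen landing page is the safer target for an authorization failure. The `setting` action continues past the end of the hunk.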
@@ -138,9 +138,9 @@ module OrbitApp
 def initialize(label_i18n="NoNameLink",options={})
 @label_i18n = label_i18n
- @available_for = options[:available_for]
 @priority = options[:priority] || 0
 @path = options[:link_path] || ""
+ set_available_for_avoiding_sensitive_links(options[:available_for] )
 @active_for_action = options[:active_for_action] || []
 @active_for_object_auth = options[:active_for_object_auth] || []
 @active_for_app_auth = options[:active_for_app_auth] || []
@@ -148,6 +148,24 @@ module OrbitApp
 @get_module_app = options[:get_module_app]
 end
+ def set_available_for_avoiding_sensitive_links(available_for)
+ sensitive_list = {}
+ sensitive_list[:module_app] =/.*manager_auth_proc.*/
+ sensitive_list[:object_auth] = /.*object_auth.*/
+
+ sensitive_list.each do |index,regx|
+ if @path.match(regx)
+ @available_for = case index
+ when :module_app
+ [:admin]
+ when :object_auth
+ [:manager,:admin]
+ end #of case
+ end #of if
+ end #of each
+ @available_for = available_for if @available_for.nil?
+ end #of def
+
 def get_module_app
 @get_module_app.call
 end
diff --git a/public/403.html b/public/403.html
new file mode 100644
index 000000000..fa192f1e4
--- /dev/null
+++ b/public/403.html
@@ -0,0 +1 @@
+403 FORIBDDEN
\ No newline at end of file
diff --git a/vendor/built_in_modules/announcement/app/controllers/panel/announcement/back_end/approvals_controller.rb b/vendor/built_in_modules/announcement/app/controllers/panel/announcement/back_end/approvals_controller.rb
index 0fce44695..cb8da5db1 100644
--- a/vendor/built_in_modules/announcement/app/controllers/panel/announcement/back_end/approvals_controller.rb
+++ b/vendor/built_in_modules/announcement/app/controllers/panel/announcement/back_end/approvals_controller.rb
@@ -3,6 +3,8 @@ class Panel::Announcement::BackEnd::ApprovalsController < OrbitBackendControlle
 before_filter :is_admin?
 include AdminHelper
 # layout 'admin'
+
+
 def preview_and_approve
 @bulletin = Bulletin.find params[:bulletin_id]
 end
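Review bot: The new call reads `@path` inside `set_available_for_avoiding_sensitive_links`, so it only works because it sits below the `@path = options[:link_path] || ""` line; nothing records that ordering, and moving the assignment later would silently make every link fall back to the caller's `available_for`. A one-line comment above the call, `# must stay after @path is assigned: the override matches on the link path`, would protect it, and the stray space in `options[:available_for] )` can go at the same time. initialize's body continues into the next hunk.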
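Review bot: Whenever `@path` matches one of the two regexes the caller's explicit `available_for` is discarded, so the override can widen access as well as narrow it: an object_auth link declared `[:admin]` becomes visible to `[:manager, :admin]`, and a path matching both patterns ends up with whichever role list the hash yields last, which is the wider one. If the goal is to keep sensitive links from being exposed, the regex-derived list should act as a ceiling that an explicit declaration may only narrow (`available_for & ceiling`, assuming an Array as in init.rb), and the `.*` on both sides of each pattern is redundant with an unanchored `match`. The init.rb hunk drops the explicit `:available_for => [:admin]` from the authorization link, so that link's visibility now rests solely on the path string containing `manager_auth_proc`; a comment at that call site saying so would help the next reader. Sidebar visibility is presentation only — the controller filter in the first hunk is what actually restricts the route.
```ruby
def set_available_for_avoiding_sensitive_links(available_for)
  sensitive_list = { module_app: /manager_auth_proc/, object_auth: /object_auth/ }
  ceiling = nil
  sensitive_list.each do |index, regx|
    next unless @path.match(regx)
    roles = index == :module_app ? [:admin] : [:manager, :admin]
    # a path matching several patterns gets the narrowest list, not the last one
    ceiling = ceiling ? ceiling & roles : roles
  end
  # a matched path sets a ceiling; an explicit declaration may only narrow it
  @available_for = if ceiling.nil? then available_for
                   elsif available_for.nil? then ceiling
                   else Array(available_for) & ceiling
                   end
end
```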
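Review bot: The single line of the new file misspells the status text; `403 FORBIDDEN`. It is served verbatim by the `render(:file => File.join(Rails.root, 'public/403.html'), ...)` call in the controller hunk, so the typo is user-facing.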
diff --git a/vendor/built_in_modules/announcement/app/controllers/panel/announcement/back_end/bulletins_controller.rb b/vendor/built_in_modules/announcement/app/controllers/panel/announcement/back_end/bulletins_controller.rb
index c132bce9b..5ec65b367 100644
--- a/vendor/built_in_modules/announcement/app/controllers/panel/announcement/back_end/bulletins_controller.rb
+++ b/vendor/built_in_modules/announcement/app/controllers/panel/announcement/back_end/bulletins_controller.rb
@@ -1,5 +1,4 @@
 class Panel::Announcement::BackEnd::BulletinsController < OrbitBackendController
- include AdminHelper
 include OrbitControllerLib::DivisionForDisable
 before_filter :clean_values, :only => [:create, :update]
diff --git a/vendor/built_in_modules/announcement/init.rb b/vendor/built_in_modules/announcement/init.rb
index ab54a4384..d0c4801e0 100644
--- a/vendor/built_in_modules/announcement/init.rb
+++ b/vendor/built_in_modules/announcement/init.rb
@@ -131,8 +131,7 @@ module Announcement
 context_link 'admin.module.authorization',
 :link_path=>"admin_module_app_manager_auth_proc_path(ModuleApp.first(conditions: {title: 'Announcement'}))",
 :priority=>6,
- :active_for_app_auth => 'Announcement',
- :available_for => [:admin]
+ :active_for_app_auth => 'Announcement'
 end
 end
 end