Authorize access to admin panel, etc.

Adds a separate admin namespace and base controller, with authorization by looking up the admin property in the user's LDAP account.
2020-11-18 00:22:44 +01:00 · 2020-11-18 00:22:44 +01:00 · f0312cb8e7
commit f0312cb8e7
parent 6614f14d8a
13 changed files with 58 additions and 11 deletions
--- a/app/assets/stylesheets/fonts.scss
+++ b/app/assets/stylesheets/fonts.scss
@ -5,8 +5,19 @@
  font-style: normal;
 }

-h1 {
-  font-family: Raleway, sans-serif;
+body {
+  font-family: "Open Sans", Helvetica, Arial, sans-serif;
+  font-weight: 400;
+}
+
+h1, h2, h3 {
+  font-family: Raleway, inherit;
  font-weight: 300;
+}
+
+h1 {
  text-transform: uppercase;
 }
+
+h2 {
+}
--- a/app/assets/stylesheets/layout.scss
+++ b/app/assets/stylesheets/layout.scss
@ -2,8 +2,6 @@ $content-width: 800px;
 $content-max-width: 100%;

 body {
-  font-family: "Open Sans", Helvetica, Arial, sans-serif;
-  font-weight: 400;
 }

 #wrapper {
--- a/app/controllers/admin/base_controller.rb
+++ b/app/controllers/admin/base_controller.rb
@ -0,0 +1,6 @@
+class Admin::BaseController < ApplicationController
+
+  before_action :authenticate_user!
+  before_action :authorize_admin
+
+end
--- a/app/controllers/admin/dashboard_controller.rb
+++ b/app/controllers/admin/dashboard_controller.rb
@ -0,0 +1,4 @@
+class Admin::DashboardController < Admin::BaseController
+  def index
+  end
+end
--- a/app/controllers/admin/ldap_users_controller.rb
+++ b/app/controllers/admin/ldap_users_controller.rb
@ -1,4 +1,4 @@
-class LdapUsersController < ApplicationController
+class Admin::LdapUsersController < Admin::BaseController
  def index
    attributes = %w{dn cn uid mail admin}
    filter = Net::LDAP::Filter.eq("uid", "*")
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@ -8,4 +8,15 @@ class ApplicationController < ActionController::Base
      redirect_to welcome_path and return
    end
  end
+
+  def authorize_admin
+    http_status :forbidden unless current_user.is_admin?
+  end
+
+  def http_status(status)
+    respond_to do |format|
+      format.html { render template: "shared/status_#{status.to_s}", status: status }
+      format.any  { head status }
+    end
+  end
 end
--- a/app/models/user.rb
+++ b/app/models/user.rb
@ -19,4 +19,12 @@ class User < ApplicationRecord
    clear_reset_password_token if valid?
    save
  end
+
+  def is_admin?
+    admin ||= if admin = Devise::LDAP::Adapter.get_ldap_param(self.cn, :admin)
+                !!admin.first
+              else
+                false
+              end
+  end
 end
--- a/app/views/admin/dashboard/index.html.erb
+++ b/app/views/admin/dashboard/index.html.erb
@ -0,0 +1,4 @@
+<h2>Admin Panel</h2>
+<p>
+  Ohai there, admin human.
+</p>
--- a/app/views/admin/ldap_users/index.html.erb
+++ b/app/views/admin/ldap_users/index.html.erb
@ -1,8 +1,8 @@
 <h2>LDAP users</h2>

 <ul>
-  <li><%= link_to 'kosmos.org', ldap_users_path %></li>
-  <li><%= link_to '5apps.com', ldap_users_path(ou: '5apps.com') %></li>
+  <li><%= link_to 'kosmos.org', admin_ldap_users_path %></li>
+  <li><%= link_to '5apps.com', admin_ldap_users_path(ou: '5apps.com') %></li>
 </ul>

 <table>
--- a/app/views/shared/status_forbidden.html.erb
+++ b/app/views/shared/status_forbidden.html.erb
@ -0,0 +1,2 @@
+<h2>Access forbidden</h2>
+<p>Not with those shoes, buddy.</p>
--- a/config/locales/devise.en.yml
+++ b/config/locales/devise.en.yml
@ -3,8 +3,8 @@
 en:
  devise:
    confirmations:
-      confirmed: "Your email address has been successfully confirmed."
-      send_instructions: "You will receive an email with instructions for how to confirm your email address in a few minutes."
+      confirmed: "Your email address has been confirmed. You can now log in below."
+      send_instructions: "You will receive an email with instructions for how to confirm your email address in a moment."
      send_paranoid_instructions: "If your email address exists in our database, you will receive an email with instructions for how to confirm your email address in a few minutes."
    failure:
      already_authenticated: "You are already signed in."
--- a/config/routes.rb
+++ b/config/routes.rb
@ -7,7 +7,10 @@ Rails.application.routes.draw do
  get 'welcome', to: 'welcome#index'
  get 'check_your_email', to: 'welcome#check_your_email'

-  get 'ldap_users', to: 'ldap_users#index'
+  namespace :admin do
+    root to: 'dashboard#index'
+    get 'ldap_users', to: 'ldap_users#index'
+  end

  # Letter Opener (open "sent" emails in dev and staging)
  if Rails.env.match(/staging|development/)
--- a/spec/views/admin/dashboard/index.html.erb_spec.rb
+++ b/spec/views/admin/dashboard/index.html.erb_spec.rb
@ -1,5 +1,5 @@
 require 'rails_helper'

-RSpec.describe "ldap_users/index.html.erb", type: :view do
+RSpec.describe "dashboard/index.html.erb", type: :view do
  pending "add some examples to (or delete) #{__FILE__}"
 end