Authorize access to admin panel, etc.

Adds a separate admin namespace and base controller, with authorization by looking up the admin property in the user's LDAP account.
2020-11-18 00:22:44 +01:00
parent 6614f14d8a
commit f0312cb8e7
13 changed files with 58 additions and 11 deletions
--- a/app/controllers/admin/base_controller.rb
+++ b/app/controllers/admin/base_controller.rb
@@ -0,0 +1,6 @@
+class Admin::BaseController < ApplicationController
+
+  before_action :authenticate_user!
+  before_action :authorize_admin
+
+end
--- a/app/controllers/admin/dashboard_controller.rb
+++ b/app/controllers/admin/dashboard_controller.rb
@@ -0,0 +1,4 @@
+class Admin::DashboardController < Admin::BaseController
+  def index
+  end
+end
--- a/app/controllers/admin/ldap_users_controller.rb
+++ b/app/controllers/admin/ldap_users_controller.rb
@@ -1,4 +1,4 @@
-class LdapUsersController < ApplicationController
+class Admin::LdapUsersController < Admin::BaseController
  def index
    attributes = %w{dn cn uid mail admin}
    filter = Net::LDAP::Filter.eq("uid", "*")
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -8,4 +8,15 @@ class ApplicationController < ActionController::Base
      redirect_to welcome_path and return
    end
  end
+
+  def authorize_admin
+    http_status :forbidden unless current_user.is_admin?
+  end
+
+  def http_status(status)
+    respond_to do |format|
+      format.html { render template: "shared/status_#{status.to_s}", status: status }
+      format.any  { head status }
+    end
+  end
 end