Description:
more test and clean up authorization

r756:aa79958f6521 - - 13 files changed: 53 inserted, 38 deleted

@@ -85,24 +85,25
85 85 xpath (~> 3.2)
86 86 childprocess (1.0.1)
87 87 rake (< 13.0)
88 88 coffee-rails (4.2.2)
89 89 coffee-script (>= 2.2.0)
90 90 railties (>= 4.0.0)
91 91 coffee-script (2.4.1)
92 92 coffee-script-source
93 93 execjs
94 94 coffee-script-source (1.12.2)
95 95 concurrent-ruby (1.1.5)
96 96 crass (1.0.4)
97 + diff-lcs (1.3)
97 98 dynamic_form (1.1.4)
98 99 erubi (1.8.0)
99 100 erubis (2.7.0)
100 101 execjs (2.7.0)
101 102 ffi (1.11.1)
102 103 fuzzy-string-match (1.0.1)
103 104 RubyInline (>= 3.8.6)
104 105 globalid (0.4.2)
105 106 activesupport (>= 4.2.0)
106 107 haml (5.1.0)
107 108 temple (>= 0.8.0)
108 109 tilt
@@ -201,24 +202,41
201 202 actionpack (= 5.2.3)
202 203 activesupport (= 5.2.3)
203 204 method_source
204 205 rake (>= 0.8.7)
205 206 thor (>= 0.19.0, < 2.0)
206 207 rake (12.3.2)
207 208 rb-fsevent (0.10.3)
208 209 rb-inotify (0.10.0)
209 210 ffi (~> 1.0)
210 211 rdiscount (2.2.0.1)
211 212 regexp_parser (1.5.1)
212 213 rouge (3.3.0)
214 + rspec-core (3.8.2)
215 + rspec-support (~> 3.8.0)
216 + rspec-expectations (3.8.4)
217 + diff-lcs (>= 1.2.0, < 2.0)
218 + rspec-support (~> 3.8.0)
219 + rspec-mocks (3.8.1)
220 + diff-lcs (>= 1.2.0, < 2.0)
221 + rspec-support (~> 3.8.0)
222 + rspec-rails (3.8.2)
223 + actionpack (>= 3.0)
224 + activesupport (>= 3.0)
225 + railties (>= 3.0)
226 + rspec-core (~> 3.8.0)
227 + rspec-expectations (~> 3.8.0)
228 + rspec-mocks (~> 3.8.0)
229 + rspec-support (~> 3.8.0)
230 + rspec-support (3.8.2)
213 231 ruby-progressbar (1.10.0)
214 232 ruby_dep (1.5.0)
215 233 ruby_parser (3.13.1)
216 234 sexp_processor (~> 4.9)
217 235 rubyzip (1.2.3)
218 236 sass (3.7.4)
219 237 sass-listen (~> 4.0.0)
220 238 sass-listen (4.0.0)
221 239 rb-fsevent (~> 0.9, >= 0.9.4)
222 240 rb-inotify (~> 0.9, >= 0.9.7)
223 241 sass-rails (5.0.7)
224 242 railties (>= 4.0.0, < 6)
@@ -311,24 +329,25
311 329 jquery-ui-rails
312 330 listen (>= 3.0.5, < 3.2)
313 331 mail
314 332 minitest-reporters
315 333 momentjs-rails
316 334 mysql2
317 335 puma
318 336 rails (~> 5.2)
319 337 rails-controller-testing
320 338 rails_bootstrap_sortable
321 339 rdiscount
322 340 rouge
341 + rspec-rails
323 342 sassc-rails
324 343 select2-rails
325 344 selenium-webdriver
326 345 simple_form
327 346 spring
328 347 spring-watcher-listen (~> 2.0.0)
329 348 sqlite3
330 349 uglifier
331 350 web-console (>= 3.3.0)
332 351 webdriver
333 352 will_paginate (~> 3.0.7)
334 353 yaml_db
@@ -2,99 +2,98
2 2
3 3 class ApplicationController < ActionController::Base
4 4 protect_from_forgery
5 5
6 6 before_action :current_user
7 7
8 8 SINGLE_USER_MODE_CONF_KEY = 'system.single_user_mode'
9 9 MULTIPLE_IP_LOGIN_CONF_KEY = 'right.multiple_ip_login'
10 10 ALLOW_WHITELIST_IP_ONLY_CONF_KEY = 'right.allow_whitelist_ip_only'
11 11 WHITELIST_IP_CONF_KEY = 'right.whitelist_ip'
12 12
13 13 #report and redirect for unauthorized activities
14 - def unauthorized_redirect
15 - flash[:notice] = 'You are not authorized to view the page you requested'
16 - redirect_to :controller => 'main', :action => 'login'
14 + def unauthorized_redirect(notice = 'You are not authorized to view the page you requested')
15 + flash[:notice] = notice
16 + redirect_to login_main_path
17 17 end
18 18
19 19 # Returns the current logged-in user (if any).
20 20 def current_user
21 21 return nil unless session[:user_id]
22 22 @current_user ||= User.find(session[:user_id])
23 23 end
24 24
25 25 def admin_authorization
26 - return false unless authenticate
26 + return false unless check_valid_login
27 27 user = User.includes(:roles).find(session[:user_id])
28 28 unless user.admin?
29 29 unauthorized_redirect
30 30 return false
31 31 end
32 32 return true
33 33 end
34 34
35 35 def authorization_by_roles(allowed_roles)
36 - return false unless authenticate
36 + return false unless check_valid_login
37 37 user = User.find(session[:user_id])
38 38 unless user.roles.detect { |role| allowed_roles.member?(role.name) }
39 39 unauthorized_redirect
40 40 return false
41 41 end
42 42 end
43 43
44 44 def testcase_authorization
45 45 #admin always has privileged
46 46 if @current_user.admin?
47 47 return true
48 48 end
49 49
50 50 unauthorized_redirect unless GraderConfiguration["right.view_testcase"]
51 51 end
52 52
53 53
54 54 protected
55 55
56 56 #redirect to root (and also force logout)
57 57 #if the user is not logged_in or the system is in "ADMIN ONLY" mode
58 - def authenticate
58 + def check_valid_login
59 + #check if logged in
59 60 unless session[:user_id]
60 - flash[:notice] = 'You need to login'
61 61 if GraderConfiguration[SINGLE_USER_MODE_CONF_KEY]
62 - flash[:notice] = 'You need to login but you cannot log in at this time'
62 + unauthorized_redirect('You need to login but you cannot log in at this time')
63 + else
64 + unauthorized_redirect('You need to login')
63 65 end
64 - redirect_to :controller => 'main', :action => 'login'
65 66 return false
66 67 end
67 68
68 69 # check if run in single user mode
69 70 if GraderConfiguration[SINGLE_USER_MODE_CONF_KEY]
70 71 if @current_user==nil || (not @current_user.admin?)
71 - flash[:notice] = 'You cannot log in at this time'
72 - redirect_to :controller => 'main', :action => 'login'
72 + unauthorized_redirect('You cannot log in at this time')
73 73 return false
74 74 end
75 75 end
76 76
77 77 # check if the user is enabled
78 78 unless @current_user.enabled? || @current_user.admin?
79 - flash[:notice] = 'Your account is disabled'
80 - redirect_to :controller => 'main', :action => 'login'
79 + unauthorized_redirect 'Your account is disabled'
81 80 return false
82 81 end
83 82
84 83 # check if user ip is allowed
85 84 unless @current_user.admin? || !GraderConfiguration[ALLOW_WHITELIST_IP_ONLY_CONF_KEY]
86 85 unless is_request_ip_allowed?
87 - flash[:notice] = 'Your IP is not allowed'
88 - redirect_to root_path
86 + unauthorized_redirect 'Your IP is not allowed'
87 + return false
89 88 end
90 89 end
91 90
92 91 if GraderConfiguration.multicontests?
93 92 return true if @current_user.admin?
94 93 begin
95 94 if @current_user.contest_stat(true).forced_logout
96 95 flash[:notice] = 'You have been automatically logged out.'
97 96 redirect_to :controller => 'main', :action => 'index'
98 97 end
99 98 rescue
100 99 end
@@ -115,25 +114,25
115 114 puts "CHEAT: user #{user.login} tried to login from '#{request.remote_ip}' while last ip is '#{user.last_ip}' at #{Time.zone.now}"
116 115 return false
117 116 end
118 117 unless user.last_ip
119 118 user.last_ip = request.remote_ip
120 119 user.save
121 120 end
122 121 end
123 122 return true
124 123 end
125 124
126 125 def authorization
127 - return false unless authenticate
126 + return false unless check_valid_login
128 127 user = User.find(session[:user_id])
129 128 unless user.roles.detect { |role|
130 129 role.rights.detect{ |right|
131 130 right.controller == self.class.controller_name and
132 131 (right.action == 'all' || right.action == action_name)
133 132 }
134 133 }
135 134 flash[:notice] = 'You are not authorized to view the page you requested'
136 135 #request.env['HTTP_REFERER'] ? (redirect_to :back) : (redirect_to :controller => 'login')
137 136 redirect_to :controller => 'main', :action => 'login'
138 137 return false
139 138 end
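Review bot: In check_valid_login the multicontests forced-logout branch (new lines 94-97) still calls `redirect_to` without a `return false`, whereas every other rejection path in this method now goes through `unauthorized_redirect` followed by `return false` (the commit even added that return to the IP check at new line 87). The method continues past this hunk and appears to end with `return true`, so a caller such as admin_authorization (new line 26) can treat a forced-out user as still logged in and issue a second redirect, which Rails rejects as a double render; adding `return false` after the `redirect_to` on new line 96 closes that gap. The bare `rescue` with an empty body on new lines 98-99 also makes the forced-logout check fail open: any error raised by `contest_stat` is swallowed and the user stays logged in, so it should rescue a named error class and log it rather than stay silent. In the second hunk, authorization (new lines 134-136) still hand-rolls the flash message and `redirect_to :controller => 'main', :action => 'login'` that unauthorized_redirect now encapsulates; replacing those three lines with `unauthorized_redirect` keeps the redirect target (`login_main_path`) consistent with the rest of this commit, and that method's end is outside the hunk.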
@@ -1,17 +1,15
1 1 class ConfigurationsController < ApplicationController
2 2
3 - before_action :authenticate
4 - before_action { |controller| controller.authorization_by_roles(['admin'])}
5 -
3 + before_action :admin_authorization
6 4
7 5 def index
8 6 @configurations = GraderConfiguration.order(:key)
9 7 @group = GraderConfiguration.pluck("grader_configurations.key").map{ |x| x[0...(x.index('.'))] }.uniq.sort
10 8 end
11 9
12 10 def reload
13 11 GraderConfiguration.reload
14 12 redirect_to :action => 'index'
15 13 end
16 14
17 15 def update
@@ -1,18 +1,18
1 1 class GroupsController < ApplicationController
2 2 before_action :set_group, only: [:show, :edit, :update, :destroy,
3 3 :add_user, :remove_user,:remove_all_user,
4 4 :add_problem, :remove_problem,:remove_all_problem,
5 5 ]
6 - before_action :authenticate, :admin_authorization
6 + before_action :admin_authorization
7 7
8 8 # GET /groups
9 9 def index
10 10 @groups = Group.all
11 11 end
12 12
13 13 # GET /groups/1
14 14 def show
15 15 end
16 16
17 17 # GET /groups/new
18 18 def new
@@ -1,36 +1,31
1 1 class MainController < ApplicationController
2 2
3 - before_action :authenticate, :except => [:index, :login]
3 + before_action :check_valid_login, :except => [:login]
4 4 before_action :check_viewability, :except => [:index, :login]
5 5
6 6 append_before_action :confirm_and_update_start_time,
7 7 :except => [:index,
8 8 :login,
9 9 :confirm_contest_start]
10 10
11 11 # to prevent log in box to be shown when user logged out of the
12 12 # system only in some tab
13 13 prepend_before_action :reject_announcement_refresh_when_logged_out,
14 14 :only => [:announcements]
15 15
16 16 before_action :authenticate_by_ip_address, :only => [:list]
17 17
18 - # NOTE: This method is not actually needed, 'config/routes.rb' has
19 - # assigned action login as a default action.
20 - def index
21 - redirect_to :action => 'login'
22 - end
23 -
24 18 #reset login, clear session
19 + #front page
25 20 def login
26 21 saved_notice = flash[:notice]
27 22 reset_session
28 23 flash.now[:notice] = saved_notice
29 24
30 25 # EXPERIMENT:
31 26 # Hide login if in single user mode and the url does not
32 27 # explicitly specify /login
33 28 #
34 29 # logger.info "PATH: #{request.path}"
35 30 # if GraderConfiguration['system.single_user_mode'] and
36 31 # request.path!='/main/login'
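Review bot: The `:except => [:index, :login]` lists on new lines 4 and 7 still name the `index` action that this hunk deletes (old lines 20-22), so they should be trimmed to `:except => [:login]` to match the new check_valid_login line above them; otherwise a reader looks for an action that no longer exists. The deleted comment said routes.rb used `login` as the default action, so it is worth confirming that no route still points at `main#index`, which would now fail instead of redirecting to login. The login method continues past the end of this hunk.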
@@ -1,16 +1,19
1 1 class ProblemsController < ApplicationController
2 2
3 - before_action :authenticate, :authorization
4 - before_action :testcase_authorization, only: [:show_testcase]
3 + before_action :admin_authorization
4 +
5 + #NOTE: ghost from the past?
6 + #before_action :testcase_authorization, only: [:show_testcase]
7 +
5 8
6 9 in_place_edit_for :problem, :name
7 10 in_place_edit_for :problem, :full_name
8 11 in_place_edit_for :problem, :full_score
9 12
10 13 def index
11 14 @problems = Problem.order(date_added: :desc)
12 15 end
13 16
14 17
15 18 def show
16 19 @problem = Problem.find(params[:id])
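Review bot: New lines 5-6 leave the testcase_authorization filter as commented-out code with an open question; either delete it or record the decision in a real comment, e.g. `# show_testcase is admin-only now that admin_authorization covers every action`. Replacing the old per-right `authorization` filter (old line 3) with `admin_authorization` is a behaviour change rather than only a cleanup: any non-admin role that previously held a right for this controller loses access to every problem action, and GraderConfiguration["right.view_testcase"] is no longer consulted here, so the commit description should say so if that is intended. The class continues past the end of this hunk.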
@@ -1,22 +1,22
1 1 require 'csv'
2 2
3 3 class ReportController < ApplicationController
4 4
5 - before_action :authenticate
5 + before_action :check_valid_login
6 6
7 7 before_action :admin_authorization, only: [:login_stat,:submission_stat, :stuck, :cheat_report, :cheat_scruntinize, :show_max_score, :current_score]
8 8
9 9 before_action(only: [:problem_hof]) { |c|
10 - return false unless authenticate
10 + return false unless check_valid_login
11 11
12 12 admin_authorization unless GraderConfiguration["right.user_view_submission"]
13 13 }
14 14
15 15 def max_score
16 16 end
17 17
18 18 def current_score
19 19 @problems = Problem.available_problems
20 20 @users = User.includes(:contests).includes(:contest_stat).where(enabled: true)
21 21 @scorearray = calculate_max_score(@problems, @users,0,0,true)
22 22
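Review bot: The `return false unless check_valid_login` on new line 10 sits inside a block passed to before_action at class-body level, so it is a `return` from a proc with no enclosing method; when the branch is taken Ruby should raise LocalJumpError rather than halt the filter chain. It is also redundant, because the unconditional `before_action :check_valid_login` on new line 5 already runs for problem_hof, and its redirect halts the chain before this block executes. Dropping new line 10 (or, if an explicit guard is wanted, `next unless check_valid_login`) leaves the block with just the admin check, and the unused block parameter `|c|` can go with it. The class continues past the end of this hunk.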
@@ -1,14 +1,14
1 1 class SubmissionsController < ApplicationController
2 - before_action :authenticate
2 + before_action :check_valid_login
3 3 before_action :submission_authorization, only: [:show, :download, :edit]
4 4 before_action :admin_authorization, only: [:rejudge]
5 5
6 6 # GET /submissions
7 7 # GET /submissions.json
8 8 # Show problem selection and user's submission of that problem
9 9 def index
10 10 @user = @current_user
11 11 @problems = @user.available_problems
12 12
13 13 if params[:problem_id]==nil
14 14 @problem = nil
@@ -1,13 +1,14
1 1 class TagsController < ApplicationController
2 + before_action :admin_authorization
2 3 before_action :set_tag, only: [:show, :edit, :update, :destroy]
3 4
4 5 # GET /tags
5 6 def index
6 7 @tags = Tag.all
7 8 end
8 9
9 10 # GET /tags/1
10 11 def show
11 12 end
12 13
13 14 # GET /tags/new
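Review bot: The new before_action on new line 2 makes every TagsController action admin-only, including the read-only `index` and `show`; if that is intended it is worth stating in the description, since "clean up authorization" does not announce a tightening, and otherwise it should be scoped with `only:`/`except:` the way SubmissionsController in this commit limits `admin_authorization` to `:rejudge`. Placing it ahead of `set_tag` is the right order, because the record lookup then runs only for authorized users. The class continues past the end of this hunk.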
@@ -1,15 +1,15
1 1 class TasksController < ApplicationController
2 2
3 - before_action :authenticate, :check_viewability
3 + before_action :check_valid_login, :check_viewability
4 4
5 5 def index
6 6 redirect_to :action => 'list'
7 7 end
8 8
9 9 def list
10 10 @problems = @user.available_problems
11 11 end
12 12
13 13 # this has contest-wide access control
14 14 def view
15 15 base_name = params[:file]
@@ -1,15 +1,15
1 1 class TestController < ApplicationController
2 2
3 - before_action :authenticate, :check_viewability
3 + before_action :check_valid_login, :check_viewability
4 4
5 5
6 6 def index
7 7 prepare_index_information
8 8 end
9 9
10 10 def submit
11 11 @user = User.find(session[:user_id])
12 12
13 13 @submitted_test_request = TestRequest.new_from_form_params(@user,params[:test_request])
14 14
15 15 if ! @submitted_test_request.errors.empty?
@@ -1,29 +1,29
1 1 require 'net/smtp'
2 2
3 3 class UsersController < ApplicationController
4 4
5 5 include MailHelperMethods
6 6
7 - before_action :authenticate, :except => [:new,
7 + before_action :check_valid_login, :except => [:new,
8 8 :register,
9 9 :confirm,
10 10 :forget,
11 11 :retrieve_password]
12 12
13 13 before_action :verify_online_registration, :only => [:new,
14 14 :register,
15 15 :forget,
16 16 :retrieve_password]
17 - before_action :authenticate, :profile_authorization, only: [:profile]
17 + before_action :check_valid_login, :profile_authorization, only: [:profile]
18 18
19 19 before_action :admin_authorization, only: [:stat, :toggle_activate, :toggle_enable]
20 20
21 21
22 22 #in_place_edit_for :user, :alias_for_editing
23 23 #in_place_edit_for :user, :email_for_editing
24 24
25 25 def index
26 26 if !GraderConfiguration['system.user_setting_enabled']
27 27 redirect_to :controller => 'main', :action => 'list'
28 28 else
29 29 @user = User.find(session[:user_id])
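Review bot: check_valid_login now runs twice for `profile`: once from the `except` list on new line 7, which does not exclude profile, and again from new line 17, which repeats it before profile_authorization. Since callbacks run in declaration order, `before_action :profile_authorization, only: [:profile]` on new line 17 is enough and avoids the duplicate User lookup. The class continues past the end of this hunk.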
@@ -75,28 +75,28
75 75 end
76 76 assert_text "Turn off all problems"
77 77 end
78 78
79 79 test "try using admin from normal user" do
80 80 login 'admin','admin'
81 81 visit bulk_manage_user_admin_index_path
82 82 assert_current_path bulk_manage_user_admin_index_path
83 83 visit logout_main_path
84 84
85 85 login 'jack','morning'
86 86 visit bulk_manage_user_admin_index_path
87 - assert_current_path root_path
88 87 assert_text 'You are not authorized'
88 + assert_current_path login_main_path
89 89
90 90 login 'james','morning'
91 91 visit new_list_user_admin_index_path
92 - assert_current_path root_path
93 92 assert_text 'You are not authorized'
93 + assert_current_path login_main_path
94 94 end
95 95
96 96 def login(username,password)
97 97 visit root_path
98 98 fill_in "Login", with: username
99 99 fill_in "Password", with: password
100 100 click_on "Login"
101 101 end
102 102 end
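Review bot: The assertion pairs on new lines 87-88 and 92-93 pin the redirect target for an authenticated non-admin, but nothing in this test exercises the unauthenticated path that check_valid_login now routes through unauthorized_redirect (`'You need to login'`), which is the other behaviour this commit changes. A third step that visits `bulk_manage_user_admin_index_path` right after `visit logout_main_path`, then asserts `assert_text 'You need to login'` and `assert_current_path login_main_path`, would cover it without a new fixture. The `login` helper on new lines 96-101 is complete in this hunk, so the extra step needs nothing else.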