Anmeldung via User-UUID nur für den deinen Controller

bfpi · Oct 19, 2023 · acbd70b · acbd70b
1 parent 029bb24
commit acbd70b
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 0 deletions.
diff --git a/app/controllers/concerns/authorization.rb b/app/controllers/concerns/authorization.rb
@@ -53,6 +53,7 @@ def authenticate_with_auth_code
   end
 
   def authenticate_with_user_uuid
+    return unless controller_path.eql?('issues_rss')
     Current.user = User.find_by(uuid: params[:user_uuid])
   end
 

diff --git a/test/controllers/issues_rss_controller_test.rb b/test/controllers/issues_rss_controller_test.rb
@@ -8,4 +8,14 @@ class IssuesRssControllerTest < ActionDispatch::IntegrationTest
     get "/issues_rss/#{user(:one).uuid}.xml"
     assert_response :success
   end
+
+  %w[dashboards delegations districts editorial_notifications feedbacks field_services groups issues mail_blacklists
+     places responsibilities
+     users].each do |controller|
+    test "not authorized for user with uuid at #{controller} controller" do
+      assert_not user(:one)[:uuid].blank?
+      get "/issues/#{user(:one).uuid}.xml"
+      assert_response :redirect
+    end
+  end
 end
-Original file line number
+Diff line change
@@ Expand Up / @@ -53,6 +53,7 @@ def authenticate_with_auth_code @@
       end
       def authenticate_with_user_uuid
+        return unless controller_path.eql?('issues_rss')
         Current.user = User.find_by(uuid: params[:user_uuid])
       end
@@ Expand Down @@