Lock down the controllers

2025-07-24 19:48:28 +02:00 · 2014-12-19 13:45:17 +02:00 · 2014-12-19 13:45:17 +02:00 · 3b1e632ab7
commit 3b1e632ab7
parent 3045c08b3e
36 changed files with 166 additions and 97 deletions
--- a/app/controllers/admin/contacts_controller.rb
+++ b/app/controllers/admin/contacts_controller.rb
@ -1,4 +1,5 @@
 class Admin::ContactsController < AdminController
+  load_and_authorize_resource
  before_action :set_contact, only: [:show]

  def index
--- a/app/controllers/admin/dashboards_controller.rb
+++ b/app/controllers/admin/dashboards_controller.rb
@ -0,0 +1,5 @@
+class Admin::DashboardsController < AdminController
+  authorize_resource class: false
+
+  def show; end
+end
--- a/app/controllers/admin/delayed_jobs_controller.rb
+++ b/app/controllers/admin/delayed_jobs_controller.rb
@ -1,4 +1,6 @@
 class Admin::DelayedJobsController < AdminController
+  authorize_resource class: false
+
  def index
    @jobs = Delayed::Job.all
  end
--- a/app/controllers/admin/domain_versions_controller.rb
+++ b/app/controllers/admin/domain_versions_controller.rb
@ -1,4 +1,6 @@
 class Admin::DomainVersionsController < AdminController
+  load_and_authorize_resource
+
  def index
    @q = DomainVersion.deleted.search(params[:q])
    @domains = @q.result.page(params[:page])
--- a/app/controllers/admin/domains_controller.rb
+++ b/app/controllers/admin/domains_controller.rb
@ -1,4 +1,5 @@
 class Admin::DomainsController < AdminController
+  load_and_authorize_resource
  before_action :set_domain, only: [:show, :edit, :update, :zonefile]

  def index
--- a/app/controllers/admin/epp_users_controller.rb
+++ b/app/controllers/admin/epp_users_controller.rb
@ -1,4 +1,5 @@
 class Admin::EppUsersController < AdminController
+  load_and_authorize_resource
  before_action :set_epp_user, only: [:show, :edit, :update, :destroy]

  def index
--- a/app/controllers/admin/registrars_controller.rb
+++ b/app/controllers/admin/registrars_controller.rb
@ -1,4 +1,5 @@
 class Admin::RegistrarsController < AdminController
+  load_and_authorize_resource
  before_action :set_registrar, only: [:show, :edit, :update, :destroy]
  def search
    render json: Registrar.search_by_query(params[:q])
--- a/app/controllers/admin/settings_controller.rb
+++ b/app/controllers/admin/settings_controller.rb
@ -1,4 +1,5 @@
 class Admin::SettingsController < AdminController
+  load_and_authorize_resource
  before_action :set_setting_group, only: [:show, :update]

  def index
--- a/app/controllers/admin/users_controller.rb
+++ b/app/controllers/admin/users_controller.rb
@ -1,4 +1,5 @@
 class Admin::UsersController < AdminController
+  load_and_authorize_resource
  before_action :set_user, only: [:show, :edit, :update, :destroy]

  def index
@ -54,6 +55,6 @@ class Admin::UsersController < AdminController

  def user_params
    params.require(:user).permit(:username, :password, :identity_code, :email,
-                                 :admin, :country_id)
+                                 :role_id, :country_id)
  end
 end
--- a/app/controllers/admin/zonefile_settings_controller.rb
+++ b/app/controllers/admin/zonefile_settings_controller.rb
@ -1,4 +1,5 @@
 class Admin::ZonefileSettingsController < ApplicationController
+  load_and_authorize_resource
  before_action :set_zonefile_setting, only: [:update, :edit]
  def index
    @zonefile_settings = ZonefileSetting.all
--- a/app/controllers/admin/zonefiles_controller.rb
+++ b/app/controllers/admin/zonefiles_controller.rb
@ -1,8 +1,7 @@
 class Admin::ZonefilesController < ApplicationController
+  authorize_resource class: false
  # TODO: Refactor this
  # rubocop:disable Metrics/MethodLength
-  def index
-  end

  def create
    if ZonefileSetting.pluck(:origin).include?(params[:origin])