ref: refs/heads/master
commit 2a08502a47c5b7b1072fac1b4a4ffe665179e8d0
Author: Ladislav Slezak
Date: Sun Aug 9 23:44:52 2009 +0200
system controller - added permission checks
also added access rights tests
---
.../system/app/controllers/system_controller.rb | 25 ++++++++++++------
.../test/functional/system_controller_test.rb | 27 ++++++++++++++++++++
2 files changed, 44 insertions(+), 8 deletions(-)
diff --git a/plugins/system/app/controllers/system_controller.rb b/plugins/system/app/controllers/system_controller.rb
index a00959a..7fa7f73 100644
--- a/plugins/system/app/controllers/system_controller.rb
+++ b/plugins/system/app/controllers/system_controller.rb
@@ -26,7 +26,6 @@ class SystemController < ApplicationController
# do the action
root.each do |k, v|
-
if v.nil? or !v.has_key? 'active'
render ErrorResult.error(404, 2, "format error - missing requested status") and return
end
@@ -40,15 +39,25 @@ class SystemController < ApplicationController
render ErrorResult.error(404, 2, "format error - unknown action requested") and return
end
- if v['active'] == true and @system.actions[k.to_sym][:active] == false
- case k
- when 'reboot'
+ case k
+ when 'reboot'
+ unless permission_check( 'org.freedesktop.hal.power-management.reboot')
+ render ErrorResult.error(403, 1, "no permission") and return
+ end
+
+ if v['active'] == true and @system.actions[k.to_sym][:active] == false
do_reboot = true
- when 'shutdown'
+ end
+ when 'shutdown'
+ unless permission_check( 'org.freedesktop.hal.power-management.shutdown')
+ render ErrorResult.error(403, 1, "no permission") and return
+ end
+
+ if v['active'] == true and @system.actions[k.to_sym][:active] == false
do_shutdown = true
- else
- render ErrorResult.error(404, 2, "internal error - unknown action requested") and return
- end
+ end
+ else
+ render ErrorResult.error(404, 2, "internal error - unknown action requested") and return
end
end
diff --git a/plugins/system/test/functional/system_controller_test.rb b/plugins/system/test/functional/system_controller_test.rb
index bfde6f1..85b539d 100644
--- a/plugins/system/test/functional/system_controller_test.rb
+++ b/plugins/system/test/functional/system_controller_test.rb
@@ -66,6 +66,33 @@ class SystemControllerTest < ActionController::TestCase
end
+ # test access rights
+
+ test "return error when not logged in" do
+ # remember the current setting
+ session_backup = @request.session
+ @request.session = {} # the session is not defined
+
+ ret = get :show
+ # expect 401 Unauthorized error code
+ assert_response :unauthorized
+
+ # revert back the original session setting (for the following tests)
+ @request.session = session_backup
+ end
+
+ test "return error when not permitted" do
+ @controller.stubs(:permission_check).returns(false);
+
+ ret = put :update, :actions => {:reboot => {:active => true}}
+ # expect 403 Forbidden error code
+ assert_response :forbidden
+
+ # set permissions back for the other tests
+ @controller.stubs(:permission_check).returns(true);
+ end
+
+
# test invalid / malformed requests
test "invalid (empty) request" do
--
To unsubscribe, e-mail: yast-commit+unsubscribe@opensuse.org
For additional commands, e-mail: yast-commit+help@opensuse.org