[yast-commit] <rest-service> master : system controller - added permission checks

13 Aug 2009

ref: refs/heads/master
commit 2a08502a47c5b7b1072fac1b4a4ffe665179e8d0
Author: Ladislav Slezak 
Date:   Sun Aug 9 23:44:52 2009 +0200

    system controller - added permission checks
    
    also added access rights tests
---
 .../system/app/controllers/system_controller.rb    |   25 ++++++++++++------
 .../test/functional/system_controller_test.rb      |   27 ++++++++++++++++++++
 2 files changed, 44 insertions(+), 8 deletions(-)

diff --git a/plugins/system/app/controllers/system_controller.rb b/plugins/system/app/controllers/system_controller.rb
index a00959a..7fa7f73 100644
--- a/plugins/system/app/controllers/system_controller.rb
+++ b/plugins/system/app/controllers/system_controller.rb
@@ -26,7 +26,6 @@ class SystemController < ApplicationController
 
 	# do the action
 	root.each do |k, v|
-
 	    if v.nil? or !v.has_key? 'active'
 		render ErrorResult.error(404, 2, "format error - missing requested status") and return
 	    end
@@ -40,15 +39,25 @@ class SystemController < ApplicationController
 		render ErrorResult.error(404, 2, "format error - unknown action requested") and return
 	    end
 
-	    if v['active'] == true and @system.actions[k.to_sym][:active] == false
-		case k
-		    when 'reboot'
+	    case k
+		when 'reboot'
+		    unless permission_check( 'org.freedesktop.hal.power-management.reboot')
+		      render ErrorResult.error(403, 1, "no permission") and return
+		    end
+
+		    if v['active'] == true and @system.actions[k.to_sym][:active] == false
 			do_reboot = true
-		    when 'shutdown'
+		    end
+		when 'shutdown'
+		    unless permission_check( 'org.freedesktop.hal.power-management.shutdown')
+		      render ErrorResult.error(403, 1, "no permission") and return
+		    end
+
+		    if v['active'] == true and @system.actions[k.to_sym][:active] == false
 			do_shutdown = true
-		    else
-			render ErrorResult.error(404, 2, "internal error - unknown action requested") and return
-		end
+		    end
+		else
+		    render ErrorResult.error(404, 2, "internal error - unknown action requested") and return
 	    end
 	end
 
diff --git a/plugins/system/test/functional/system_controller_test.rb b/plugins/system/test/functional/system_controller_test.rb
index bfde6f1..85b539d 100644
--- a/plugins/system/test/functional/system_controller_test.rb
+++ b/plugins/system/test/functional/system_controller_test.rb
@@ -66,6 +66,33 @@ class SystemControllerTest < ActionController::TestCase
   end
 
 
+  # test access rights
+
+  test "return error when not logged in" do
+    # remember the current setting
+    session_backup = @request.session
+    @request.session = {} # the session is not defined
+
+    ret = get :show
+    # expect 401 Unauthorized error code
+    assert_response :unauthorized
+
+    # revert back the original session setting (for the following tests)
+    @request.session = session_backup
+  end
+
+  test "return error when not permitted" do
+    @controller.stubs(:permission_check).returns(false);
+
+    ret = put :update, :actions => {:reboot => {:active => true}}
+    # expect 403 Forbidden error code
+    assert_response :forbidden
+
+    # set permissions back for the other tests
+    @controller.stubs(:permission_check).returns(true);
+  end
+
+
   # test invalid / malformed requests
 
   test "invalid (empty) request" do
-- 
To unsubscribe, e-mail: yast-commit+unsubscribe@opensuse.org
For additional commands, e-mail: yast-commit+help@opensuse.org

    