FIX: don't return 200s when login is required to paths

When running `ensure_login_required` it should always happen prior to `check_xhr` cause check xhr will trigger a 200 response
2018-02-01 12:26:45 +11:00 · 2018-02-01 12:26:45 +11:00 · f2e7b74d88
parent 7d2283167a
commit f2e7b74d88
28 changed files with 81 additions and 59 deletions
--- a/app/controllers/about_controller.rb
+++ b/app/controllers/about_controller.rb
@ -1,8 +1,8 @@
 require_dependency 'rate_limiter'

 class AboutController < ApplicationController
+  prepend_before_action :check_xhr, :ensure_logged_in, only: [:live_post_counts]
  skip_before_action :check_xhr, only: [:index]
-  before_action :ensure_logged_in, only: [:live_post_counts]

  def index
    return redirect_to path('/login') if SiteSetting.login_required? && current_user.nil?
--- a/app/controllers/admin/admin_controller.rb
+++ b/app/controllers/admin/admin_controller.rb
@ -1,7 +1,7 @@
 class Admin::AdminController < ApplicationController

-  before_action :ensure_logged_in
-  before_action :ensure_staff
+  prepend_before_action :check_xhr, :ensure_logged_in
+  prepend_before_action :check_xhr, :ensure_staff

  def index
    render body: nil
--- a/app/controllers/admin/embeddable_hosts_controller.rb
+++ b/app/controllers/admin/embeddable_hosts_controller.rb
@ -1,7 +1,5 @@
 class Admin::EmbeddableHostsController < Admin::AdminController

-  before_action :ensure_logged_in, :ensure_staff
-
  def create
    save_host(EmbeddableHost.new)
  end
--- a/app/controllers/admin/embedding_controller.rb
+++ b/app/controllers/admin/embedding_controller.rb
@ -2,7 +2,7 @@ require_dependency 'embedding'

 class Admin::EmbeddingController < Admin::AdminController

-  before_action :ensure_logged_in, :ensure_staff, :fetch_embedding
+  before_action :fetch_embedding

  def show
    render_serialized(@embedding, EmbeddingSerializer, root: 'embedding', rest_serializer: true)
--- a/app/controllers/categories_controller.rb
+++ b/app/controllers/categories_controller.rb
@ -2,7 +2,7 @@ require_dependency 'category_serializer'

 class CategoriesController < ApplicationController

-  before_action :ensure_logged_in, except: [:index, :categories_and_latest, :show, :redirect, :find_by_slug]
+  prepend_before_action :check_xhr, :ensure_logged_in, except: [:index, :categories_and_latest, :show, :redirect, :find_by_slug]
  before_action :fetch_category, only: [:show, :update, :destroy]
  before_action :initialize_staff_action_logger, only: [:create, :update, :destroy]
  skip_before_action :check_xhr, only: [:index, :categories_and_latest, :redirect]
--- a/app/controllers/category_hashtags_controller.rb
+++ b/app/controllers/category_hashtags_controller.rb
@ -1,5 +1,5 @@
 class CategoryHashtagsController < ApplicationController
-  before_action :ensure_logged_in
+  prepend_before_action :check_xhr, :ensure_logged_in

  def check
    category_slugs = params[:category_slugs]
--- a/app/controllers/composer_controller.rb
+++ b/app/controllers/composer_controller.rb
@ -2,7 +2,7 @@ require_dependency 'html_to_markdown'

 class ComposerController < ApplicationController

-  before_action :ensure_logged_in
+  prepend_before_action :check_xhr, :ensure_logged_in

  def parse_html
    markdown_text = HtmlToMarkdown.new(params[:html]).to_markdown
--- a/app/controllers/composer_messages_controller.rb
+++ b/app/controllers/composer_messages_controller.rb
@ -2,7 +2,7 @@ require_dependency 'composer_messages_finder'

 class ComposerMessagesController < ApplicationController

-  before_action :ensure_logged_in
+  prepend_before_action :check_xhr, :ensure_logged_in

  def index
    finder = ComposerMessagesFinder.new(current_user, params.slice(:composer_action, :topic_id, :post_id))
--- a/app/controllers/draft_controller.rb
+++ b/app/controllers/draft_controller.rb
@ -1,6 +1,5 @@
 class DraftController < ApplicationController
-  before_action :ensure_logged_in
-  # TODO really do we need to skip this?
+  prepend_before_action :ensure_logged_in
  skip_before_action :check_xhr, :preload_json

  def show
--- a/app/controllers/email_controller.rb
+++ b/app/controllers/email_controller.rb
@ -1,7 +1,7 @@
 class EmailController < ApplicationController
-  skip_before_action :check_xhr, :preload_json, :redirect_to_login_if_required
  layout 'no_ember'

+  skip_before_action :check_xhr, :preload_json, :redirect_to_login_if_required
  before_action :ensure_logged_in, only: :preferences_redirect

  def preferences_redirect
--- a/app/controllers/groups_controller.rb
+++ b/app/controllers/groups_controller.rb
@ -1,6 +1,6 @@
 class GroupsController < ApplicationController

-  before_action :ensure_logged_in, only: [
+  prepend_before_action :check_xhr, :ensure_logged_in, only: [
    :set_notifications,
    :mentionable,
    :messageable,
--- a/app/controllers/inline_onebox_controller.rb
+++ b/app/controllers/inline_onebox_controller.rb
@ -1,7 +1,7 @@
 require_dependency 'inline_oneboxer'

 class InlineOneboxController < ApplicationController
-  before_action :ensure_logged_in
+  prepend_before_action :check_xhr, :ensure_logged_in

  def show
    oneboxes = InlineOneboxer.new(params[:urls] || []).process
--- a/app/controllers/invites_controller.rb
+++ b/app/controllers/invites_controller.rb
@ -2,11 +2,15 @@ require_dependency 'rate_limiter'

 class InvitesController < ApplicationController

+  prepend_before_action :check_xhr, :ensure_logged_in, only: [
+    :destroy, :create, :create_invite_link, :rescind_all_invites,
+    :resend_invite, :resend_all_invites, :upload_csv
+  ]
+
  skip_before_action :check_xhr, except: [:perform_accept_invitation]
  skip_before_action :preload_json, except: [:show]
  skip_before_action :redirect_to_login_if_required

-  before_action :ensure_logged_in, only: [:destroy, :create, :create_invite_link, :rescind_all_invites, :resend_invite, :resend_all_invites, :upload_csv]
  before_action :ensure_new_registrations_allowed, only: [:show, :perform_accept_invitation]
  before_action :ensure_not_logged_in, only: [:show, :perform_accept_invitation]

--- a/app/controllers/notifications_controller.rb
+++ b/app/controllers/notifications_controller.rb
@ -2,7 +2,7 @@ require_dependency 'notification_serializer'

 class NotificationsController < ApplicationController

-  before_action :ensure_logged_in
+  prepend_before_action :check_xhr, :ensure_logged_in

  def index
    user =
--- a/app/controllers/onebox_controller.rb
+++ b/app/controllers/onebox_controller.rb
@ -1,7 +1,7 @@
 require_dependency 'oneboxer'

 class OneboxController < ApplicationController
-  before_action :ensure_logged_in
+  prepend_before_action :check_xhr, :ensure_logged_in

  def show
    unless params[:refresh] == 'true'
--- a/app/controllers/post_actions_controller.rb
+++ b/app/controllers/post_actions_controller.rb
@ -1,7 +1,7 @@
 require_dependency 'discourse'

 class PostActionsController < ApplicationController
-  before_action :ensure_logged_in
+  prepend_before_action :check_xhr, :ensure_logged_in
  before_action :fetch_post_from_params
  before_action :fetch_post_action_type_id_from_params

--- a/app/controllers/posts_controller.rb
+++ b/app/controllers/posts_controller.rb
@ -8,7 +8,7 @@ require_dependency 'post_locker'

 class PostsController < ApplicationController

-  before_action :ensure_logged_in, except: [
+  prepend_before_action :check_xhr, :ensure_logged_in, except: [
    :show,
    :replies,
    :by_number,
--- a/app/controllers/steps_controller.rb
+++ b/app/controllers/steps_controller.rb
@ -5,7 +5,7 @@ require_dependency 'wizard/step_updater'
 class StepsController < ApplicationController

  before_action :ensure_wizard_enabled
-  before_action :ensure_logged_in
+  prepend_before_action :check_xhr, :ensure_logged_in
  before_action :ensure_admin

  def update
--- a/app/controllers/tag_groups_controller.rb
+++ b/app/controllers/tag_groups_controller.rb
@ -1,6 +1,6 @@
 class TagGroupsController < ApplicationController
+  prepend_before_action :check_xhr, :ensure_logged_in, except: [:index, :show]
  skip_before_action :check_xhr, only: [:index, :show]
-  before_action :ensure_logged_in, except: [:index, :show]
  before_action :fetch_tag_group, only: [:show, :update, :destroy]

  def index
--- a/app/controllers/tags_controller.rb
+++ b/app/controllers/tags_controller.rb
@ -7,8 +7,7 @@ class TagsController < ::ApplicationController

  before_action :ensure_tags_enabled

-  skip_before_action :check_xhr, only: [:tag_feed, :show, :index]
-  before_action :ensure_logged_in, except: [
+  prepend_before_action :check_xhr, :ensure_logged_in, except: [
    :index,
    :show,
    :tag_feed,
@ -16,7 +15,11 @@ class TagsController < ::ApplicationController
    :check_hashtag,
    Discourse.anonymous_filters.map { |f| :"show_#{f}" }
  ].flatten
-  before_action :set_category_from_params, except: [:index, :update, :destroy, :tag_feed, :search, :notifications, :update_notifications]
+
+  skip_before_action :check_xhr, only: [:tag_feed, :show, :index]
+
+  before_action :set_category_from_params, except: [:index, :update, :destroy,
+    :tag_feed, :search, :notifications, :update_notifications]

  def index
    @description_meta = I18n.t("tags.title")
--- a/app/controllers/topics_controller.rb
+++ b/app/controllers/topics_controller.rb
@ -6,31 +6,32 @@ require_dependency 'discourse_event'
 require_dependency 'rate_limiter'

 class TopicsController < ApplicationController
-  before_action :ensure_logged_in, only: [:timings,
-                                          :destroy_timings,
-                                          :update,
-                                          :star,
-                                          :destroy,
-                                          :recover,
-                                          :status,
-                                          :invite,
-                                          :mute,
-                                          :unmute,
-                                          :set_notifications,
-                                          :move_posts,
-                                          :merge_topic,
-                                          :clear_pin,
-                                          :re_pin,
-                                          :status_update,
-                                          :timer,
-                                          :bulk,
-                                          :reset_new,
-                                          :change_post_owners,
-                                          :change_timestamps,
-                                          :archive_message,
-                                          :move_to_inbox,
-                                          :convert_topic,
-                                          :bookmark]
+  prepend_before_action :check_xhr, :ensure_logged_in, only: [
+    :timings,
+    :destroy_timings,
+    :update,
+    :destroy,
+    :recover,
+    :status,
+    :invite,
+    :mute,
+    :unmute,
+    :set_notifications,
+    :move_posts,
+    :merge_topic,
+    :clear_pin,
+    :re_pin,
+    :status_update,
+    :timer,
+    :bulk,
+    :reset_new,
+    :change_post_owners,
+    :change_timestamps,
+    :archive_message,
+    :move_to_inbox,
+    :convert_topic,
+    :bookmark
+  ]

  before_action :consider_user_for_promotion, only: :show

--- a/app/controllers/uploads_controller.rb
+++ b/app/controllers/uploads_controller.rb
@ -2,7 +2,7 @@ require "mini_mime"
 require_dependency 'upload_creator'

 class UploadsController < ApplicationController
-  before_action :ensure_logged_in, except: [:show]
+  prepend_before_action :check_xhr, :ensure_logged_in, except: [:show]
  skip_before_action :preload_json, :check_xhr, :redirect_to_login_if_required, only: [:show]

  def create
--- a/app/controllers/user_api_keys_controller.rb
+++ b/app/controllers/user_api_keys_controller.rb
@ -2,9 +2,9 @@ class UserApiKeysController < ApplicationController

  layout 'no_ember'

+  prepend_before_action :check_xhr, :ensure_logged_in, only: [:create, :revoke, :undo_revoke]
  skip_before_action :redirect_to_login_if_required, only: [:new]
  skip_before_action :check_xhr, :preload_json
-  before_action :ensure_logged_in, only: [:create, :revoke, :undo_revoke]

  AUTH_API_VERSION ||= 2

--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@ -8,10 +8,18 @@ require_dependency 'admin_confirmation'
 class UsersController < ApplicationController

  skip_before_action :authorize_mini_profiler, only: [:avatar]
-  skip_before_action :check_xhr, only: [:show, :badges, :password_reset, :update, :account_created, :activate_account, :perform_account_activation, :user_preferences_redirect, :avatar, :my_redirect, :toggle_anon, :admin_login, :confirm_admin]

-  before_action :ensure_logged_in, only: [:username, :update, :user_preferences_redirect, :upload_user_image,
-                                          :pick_avatar, :destroy_user_image, :destroy, :check_emails, :topic_tracking_state]
+  prepend_before_action :check_xhr, :ensure_logged_in, only: [
+    :username, :update, :user_preferences_redirect, :upload_user_image,
+    :pick_avatar, :destroy_user_image, :destroy, :check_emails, :topic_tracking_state,
+    :preferences
+  ]
+
+  skip_before_action :check_xhr, only: [
+    :show, :badges, :password_reset, :update, :account_created,
+    :activate_account, :perform_account_activation, :user_preferences_redirect, :avatar,
+    :my_redirect, :toggle_anon, :admin_login, :confirm_admin
+  ]

  before_action :respond_to_suspicious_request, only: [:create]

--- a/app/controllers/users_email_controller.rb
+++ b/app/controllers/users_email_controller.rb
@ -4,7 +4,7 @@ require_dependency 'email_updater'

 class UsersEmailController < ApplicationController

-  before_action :ensure_logged_in, only: [:index, :update]
+  prepend_before_action :check_xhr, :ensure_logged_in, only: [:index, :update]

  skip_before_action :check_xhr, only: [:confirm]
  skip_before_action :redirect_to_login_if_required, only: [:confirm]
--- a/app/controllers/wizard_controller.rb
+++ b/app/controllers/wizard_controller.rb
@ -2,10 +2,9 @@ require_dependency 'wizard'
 require_dependency 'wizard/builder'

 class WizardController < ApplicationController
+  prepend_before_action :check_xhr, :ensure_admin, except: [:qunit]
+  prepend_before_action :check_xhr, :ensure_logged_in, except: [:qunit]
  before_action :ensure_wizard_enabled, only: [:index]
-  before_action :ensure_logged_in, except: [:qunit]
-  before_action :ensure_admin, except: [:qunit]
-
  skip_before_action :check_xhr, :preload_json

  layout false
--- a/spec/controllers/wizard_controller_spec.rb
+++ b/spec/controllers/wizard_controller_spec.rb
@ -14,6 +14,13 @@ describe WizardController do
      expect(response.status).to eq(403)
    end

+    it 'needs you to be logged in' do
+      get :index
+      # for whatever reason, no access is 404
+      # we may want to revisit this at some point and make it 403
+      expect(response.status).to eq(404)
+    end
+
    it "raises an error if you aren't an admin" do
      log_in(:moderator)
      get :index, format: :json
--- a/spec/requests/admin/admin_controller_spec.rb
+++ b/spec/requests/admin/admin_controller_spec.rb
@ -4,5 +4,8 @@ RSpec.describe Admin::AdminController do
  it "should return the right response if user isn't a staff" do
    get "/admin", params: { api_key: 'asdiasiduga' }
    expect(response.status).to eq(404)
+
+    get "/admin"
+    expect(response.status).to eq(404)
  end
 end