-rw-r--r--lib/authorization.rb6
-rw-r--r--lib/helper.rb30
2 files changed, 19 insertions, 17 deletions
diff --git a/lib/authorization.rb b/lib/authorization.rb
index dab228a..7e898cc 100644
--- a/lib/authorization.rb
+++ b/lib/authorization.rb
@@ -286,7 +286,11 @@ module OpenTox
end
true
end
-
+
+ class << self
+ alias :token_valid? :is_token_valid
+ end
+
end
end
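Review bot: `alias :token_valid? :is_token_valid` inside `class << self` is resolved when the file loads, so it only works if `is_token_valid` is already defined as a singleton method (via `def self.is_token_valid` or an earlier `class << self`) above this point; the method's definition is outside the hunk, so I cannot confirm that from here, and if it is defined later in the file the alias raises NameError at load. A one-line comment such as `# predicate-style name for is_token_valid; keep both until callers migrate` would record why two names exist for the same check.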
diff --git a/lib/helper.rb b/lib/helper.rb
index cc643f3..5fe1857 100644
--- a/lib/helper.rb
+++ b/lib/helper.rb
@@ -3,18 +3,21 @@ helpers do
# Authentification
def protected!(subjectid)
if env["session"]
- flash[:notice] = "You don't have access to this section: " and \
- redirect back and \
- return unless authorized?(subjectid)
+ unless authorized?(subjectid)
+ flash[:notice] = "You don't have access to this section: "
+ redirect back
+ end
elsif !env["session"] && subjectid
- throw(:halt, [401, "Not authorized.\n"]) and \
- redirect back and \
- return unless authorized?(subjectid)
+ unless authorized?(subjectid)
+ throw(:halt, [401, "Not authorized.\n"])
+ redirect back
+ end
+ else
+ throw(:halt, [401, "Not authorized.\n"]) unless authorized?(subjectid)
end
- throw(:halt, [401, "Not authorized.\n"]) and \
- return unless authorized?(subjectid)
end
+
#Check Authorization for URI with method and subjectid.
def authorized?(subjectid)
request_method = request.env['REQUEST_METHOD']
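Review bot: In the `elsif` branch the `redirect back` on the line after `throw(:halt, [401, "Not authorized.\n"])` is unreachable, because `throw` unwinds the stack before the next statement runs; the old `and \` chain had the same dead call, but this rewrite is the place to drop it, or, if a redirect was the intended response for a caller without a session, to put it first and let it halt. The session branch only terminates the request because Sinatra's `redirect` halts internally, which is not visible in the code; a comment such as `# redirect halts the request, so nothing below runs for unauthorized callers` would make that dependency explicit. `protected!` is complete within the hunk; `authorized?` begins on its last lines and continues outside it.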
@@ -40,12 +43,6 @@ helpers do
"#{out.scheme}:" + (out.port != 80 ? out.port : "") + "//#{out.host}#{out.path}"
end
- def check_subjectid(subjectid)
- return false if !subjectid
- return true if subjectid.size > 62
- false
- end
-
#unprotected uris for login/logout, webapplication ...
def unprotected_requests
case env['REQUEST_URI']
@@ -65,9 +62,10 @@ end
before do
unless unprotected_requests or CONFIG[:authorization][:free_request].include?(env['REQUEST_METHOD'])
begin
+ subjectid = nil
subjectid = session[:subjectid] if session[:subjectid]
- subjectid = params[:subjectid] if params[:subjectid] and !check_subjectid(subjectid)
- subjectid = request.env['HTTP_SUBJECTID'] if request.env['HTTP_SUBJECTID'] and !check_subjectid(subjectid)
+ subjectid = params[:subjectid] if params[:subjectid] and !subjectid
+ subjectid = request.env['HTTP_SUBJECTID'] if request.env['HTTP_SUBJECTID'] and !subjectid
# see http://rack.rubyforge.org/doc/SPEC.html
subjectid = CGI.unescape(subjectid) if subjectid.include?("%23")
@subjectid = subjectid
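Review bot: With `check_subjectid` removed, the guard on the two `+` lines is now `!subjectid`, so a session token always wins over a token supplied in `params` or `HTTP_SUBJECTID`, whereas before a session value that failed the length check was replaced by the next source. If a stale or malformed session value can occur, `authorized?(subjectid)` will be asked about it instead of the explicitly supplied token, so this precedence change is worth confirming against what `is_token_valid` rejects. The `subjectid = nil` line also makes it explicit that `subjectid.include?("%23")` three lines below raises NoMethodError when no source supplies a token (as in the old code); that may be caught by the enclosing `begin`, whose `rescue` is outside the hunk, but guarding it is cheaper: `subjectid = CGI.unescape(subjectid) if subjectid and subjectid.include?("%23")`.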