@@ -9,6 +9,7 @@ class Admin::ArticlesController < Admin::BaseController before_filter :check_for_new_draft, :only => [:create, :update, :upload] before_filter :find_site_article, :only => [:edit, :update, :comments, :approve, :unapprove, :destroy, :attach, :detach] + before_filter :protect_action, :only => [:approve, :unapprove, :attach, :detach] before_filter :login_required, :except => :upload before_filter :load_sections, :only => [:new, :edit] app/controllers/admin/articles_controller.rb @@ -2,11 +2,24 @@ class Admin::BaseController < ApplicationController class_inheritable_reader :member_actions write_inheritable_attribute :member_actions, [] include AuthenticatedSystem + before_filter :protect_action, :only => [:create, :update, :destroy] before_filter { |c| UserMailer.default_url_options[:host] = c.request.host_with_port } before_filter :login_from_cookie before_filter :login_required, :except => :feed protected + def protect_action + if request.get? + if params[:id] + redirect_to :action => 'show', :id => params[:id] + else + redirect_to :action => 'index' + end + else + true + end + end + # standard authorization method. allow logged in users that are admins, or members in certain actions def authorized? logged_in? && (admin? || member_actions.include?(action_name) || allow_member?) app/controllers/admin/base_controller.rb @@ -1,5 +1,6 @@ class Admin::CachedPagesController < Admin::BaseController before_filter { |c| raise ActionController::UnknownController unless c.class.perform_caching } + before_filter :protect_action, :only => :clear def index CachedPage.with_current_scope do app/controllers/admin/cached_pages_controller.rb @@ -1,6 +1,7 @@ class Admin::CommentsController < Admin::BaseController member_actions.push(*%w(index unapproved create edit update approve unapprove destroy close )) + before_filter :protect_action, :only => [:approve, :unapprove] private app/controllers/admin/comments_controller.rb @@ -3,6 +3,7 @@ class Admin::OverviewController < Admin::BaseController session :off, :only => :feed before_filter :basic_auth_required, :only => :feed caches_page :feed + before_filter :protect_action, :only => :delete helper Admin::ArticlesHelper app/controllers/admin/overview_controller.rb @@ -8,7 +8,7 @@ class Admin::ResourcesController < Admin::DesignController verify :method => :post, :params => :resource, :only => :upload, :add_flash => { :error => 'Resource required' }, :redirect_to => { :controller => 'design', :action => 'index' } - + def index redirect_to :controller => 'design' end @@ -26,6 +26,10 @@ class Admin::ResourcesController < Admin::DesignController end def upload + if request.get? + redirect_to :controller => 'design', :action => 'index' + return + end if params[:resource] && Asset.image?(params[:resource].content_type.strip) && (1..1.megabyte).include?(params[:resource].size) @resource = @theme.resources.write File.basename(params[:resource].original_filename), params[:resource].read flash[:notice] = "'#{@resource.basename}' was uploaded successfully." @@ -36,6 +40,10 @@ class Admin::ResourcesController < Admin::DesignController end def remove + if request.get? + redirect_to :action => 'edit' + return + end @resource = @theme.resources[params[:filename]] render :update do |page| @resource.unlink if @resource.file? app/controllers/admin/resources_controller.rb @@ -1,5 +1,6 @@ class Admin::SectionsController < Admin::BaseController cache_sweeper :article_sweeper, :except => :index + before_filter :protect_action, :only => :order before_filter :find_and_sort_templates, :only => [:index, :edit] before_filter :find_and_reorder_sections, :only => [:index, :edit] before_filter :find_section, :only => [:destroy, :update] app/controllers/admin/sections_controller.rb @@ -23,6 +23,10 @@ class Admin::TemplatesController < Admin::DesignController end def remove + if request.get? + redirect_to :action => 'edit' + return + end @tmpl = @theme.templates[params[:filename]] render :update do |page| if !@tmpl.file? app/controllers/admin/templates_controller.rb @@ -2,7 +2,7 @@ class Admin::ThemesController < Admin::BaseController @@theme_export_path = RAILS_PATH + 'tmp/export' @@theme_content_types = %w(application/zip multipart/x-zip application/x-zip-compressed) cattr_accessor :theme_export_path, :theme_content_types - + before_filter :protect_action, :only => [:export, :change_to, :rollback, :import] before_filter :find_theme, :only => [:preview_for, :export, :change_to, :show, :destroy] def preview_for app/controllers/admin/themes_controller.rb e668bea7af08a86c26f0b856b8f52555a37f2154 rick technoweenie@gmail.com http://github.com/technoweenie/mephisto/commit/45ffeb7a56d59b8abe0bd78b53cec861423c9654 45ffeb7a56d59b8abe0bd78b53cec861423c9654 2008-06-30T20:28:05-07:00 2008-06-30T20:27:44-07:00 security protection for admin actions 4637da92cd946221cfe706d64067d957a09a30aa rick technoweenie@gmail.com