Commit

Blocks all access if user has not validated his account. Fixes CartoDB/cartodb-central#678
juanignaciosl committed Jun 24, 2015
1 parent 8c3c5b6 commit c72e4c2
Showing 2 changed files with 8 additions and 0 deletions.
7 changes: 7 additions & 0 deletions app/controllers/application_controller.rb
@@ -12,6 +12,7 @@ class ApplicationController < ActionController::Base
before_filter :store_request_host
before_filter :ensure_user_organization_valid
before_filter :ensure_org_url_if_org_user
before_filter :ensure_account_has_been_activated
before_filter :browser_is_html5_compliant?
before_filter :allow_cross_domain_access
before_filter :set_asset_debugging
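Review bot: `before_filter :ensure_account_has_been_activated` is registered on ApplicationController, so it runs for every controller and every request format, including the JSON/API endpoints raised in the inline discussion; a 302 to an HTML error page is a poor answer to an API call, so consider responding with a 403 when `request.format` is not HTML (deferred to #4189 per the discussion). Its position after `ensure_org_url_if_org_user` also means an unactivated org user is first redirected to the org URL and only then blocked, which is fine but worth a short comment next to the filter.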
@@ -197,6 +198,12 @@ def ensure_org_url_if_org_user
end
end

def ensure_account_has_been_activated
return unless current_user

redirect_to CartoDB.url(self, 'account_token_authentication_error') unless current_user.enable_account_token.nil?

Kartones Jun 24, 2015

Contributor

Does this redirect also work with api/json endpoints?

juanignaciosl Jun 24, 2015

Author Contributor

This affects everything, just like ensure_org_url_if_org_user does, for example. I think the conditionals (return unless current_user and unless current_user.enable_account_token.nil?) should make it safe, since redirection can only happen if there's a current user who has a token. Only organization signups have those tokens at the moment.

Kartones Jun 24, 2015

Contributor

I was thinking more about whether it will return a 400/403 for an API endpoint, assuming it renders some error page for admin endpoints.

I think it is safe, indeed; it is just about the error "presentation".

juanignaciosl Jun 24, 2015

Author Contributor

You're right, opened #4189 for it since it's not critical for this PR.

end

def add_revision_header
response.headers['X-CartoDB-Rev'] = CartoDB::CARTODB_REV unless CartoDB::CARTODB_REV.nil?
end
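Review bot: the guard `unless current_user.enable_account_token.nil?` treats only a nil token as activated; if activation ever leaves an empty string in `enable_account_token`, the user stays locked out, and `if current_user.enable_account_token.present?` states the intent more robustly. `redirect_to` without an explicit return is acceptable here because a before_filter that writes the response halts the chain and nothing follows the call, but the commit adds no spec for the redirect case or for the two pass-through cases (`current_user` nil, token nil).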
1 change: 1 addition & 0 deletions app/controllers/sessions_controller.rb
@@ -11,6 +11,7 @@ class SessionsController < ApplicationController
before_filter :load_organization
# Don't force org urls
skip_before_filter :ensure_org_url_if_org_user
skip_before_filter :ensure_account_has_been_activated, :only => :account_token_authentication_error


def new
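Review bot: `skip_before_filter :ensure_account_has_been_activated, :only => :account_token_authentication_error` exempts only the redirect target, which is what prevents a redirect loop, but every other action in SessionsController still runs the filter; if the controller also has a logout/destroy action, a user with a pending token cannot sign out, because the redirect fires before the session is cleared. Consider adding that action to `:only`, or skipping the filter for the whole controller, since the sign-in flow does not require an activated account.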
0 comments on commit c72e4c2