restrict format access in ResourceController

fixes #3539 ActiveAdmin raises Access Denied Error if format was disabled with download_links
activeadmin · Mar 18, 2017 · 9f83674 · agustinf · Mar 21, 2017 · varyonic
1 parent 33bdc23
commit 9f83674
Show file tree

Hide file tree

Showing 5 changed files with 43 additions and 1 deletion.
diff --git a/features/index/formats.feature b/features/index/formats.feature
@@ -51,6 +51,15 @@ Feature: Index Formats
     And I should not see a link to download "XML"
     And I should not see a link to download "JSON"
 
+    When I go to the csv index page for posts
+    Then access denied
+
+    When I go to the xml index page for posts
+    Then access denied
+
+    When I go to the json index page for posts
+    Then access denied
+
   Scenario: View index with download_links block which returns [:csv]
     Given an index configuration of:
     """
@@ -64,3 +73,16 @@ Feature: Index Formats
     And I should not see a link to download "XML"
     And I should not see a link to download "JSON"
     And I should not see a link to download "PDF"
+
+  Scenario: View index with restricted formats
+    Given an index configuration of:
+    """
+      ActiveAdmin.register Post do
+        index download_links: -> { [:json] }
+      end
+    """
+    When I go to the csv index page for posts
+    Then access denied
+
+    When I go to the xml index page for posts
+    Then access denied
diff --git a/features/step_definitions/format_steps.rb b/features/step_definitions/format_steps.rb
@@ -50,3 +50,7 @@
 Then /^the encoding of the CSV file should be "([^"]*)"$/ do |text|
   expect(page.driver.response.body.encoding).to be Encoding.find(Encoding.aliases[text] || text)
 end
+
+Then /^access denied$/ do
+  expect(page).to have_content(I18n.t("active_admin.access_denied.message"))
+end
diff --git a/features/support/paths.rb b/features/support/paths.rb
@@ -41,6 +41,9 @@ def path_to(page_name)
     when /^the index page for (.*)$/
       send "admin_#{$1}_path"
 
+    when /^the (.*) index page for (.*)$/
+      send "admin_#{$2}_path", format: $1
+
     when /^the last author's posts$/
       admin_user_posts_path(User.last)
 

diff --git a/lib/active_admin/error.rb b/lib/active_admin/error.rb
@@ -5,7 +5,7 @@ module ActiveAdmin
   class AccessDenied < StandardError
     attr_reader :user, :action, :subject
 
-    def initialize(user, action, subject)
+    def initialize(user, action, subject = nil)
       @user, @action, @subject = user, action, subject
 
       super()

diff --git a/lib/active_admin/resource_controller.rb b/lib/active_admin/resource_controller.rb
@@ -21,6 +21,7 @@ class ResourceController < BaseController
     include Scoping
     include Streaming
     include Sidebars
+    include ViewHelpers::DownloadFormatLinksHelper
     extend  ResourceClassMethods
 
     def self.active_admin_config=(config)
@@ -45,7 +46,19 @@ def self.inherited(base)
     def renderer_for(action)
       active_admin_namespace.view_factory["#{action}_page"]
     end
+
     helper_method :renderer_for
 
+    def restrict_format_access!
+      unless request.format.html?
+        presenter = active_admin_config.get_page_presenter(:index)
+        download_formats  = (presenter || {}).fetch(:download_links, active_admin_config.namespace.download_links)
+        unless build_download_formats(download_formats).include?(request.format.symbol)
+          raise ActiveAdmin::AccessDenied.new(current_active_admin_user, :index)
+        end
+      end
+    end
+
+    before_filter :restrict_format_access!, only: [:index, :show]
   end
 end