From e42d51a71c0aad0ed45aa2de2112236efac51f75 Mon Sep 17 00:00:00 2001 From: Hiroshi Miura Date: Wed, 22 Apr 2015 00:46:38 +0900 Subject: [PATCH] constrains to allow user authenticated or access with token Signed-off-by: Hiroshi Miura --- config/routes.rb | 31 +++++++++++++++++++++++-------- 1 file changed, 23 insertions(+), 8 deletions(-) diff --git a/config/routes.rb b/config/routes.rb index b3964f8d..e53110e0 100644 --- a/config/routes.rb +++ b/config/routes.rb @@ -1,3 +1,15 @@ +def authenticated_or_have_token (scope=nil, block=nil) + constraint = lambda do |request| + (request.env["warden"].authenticate?(:scope => scope) || + request.query_parameters['auth_token'].present?) && + (block.nil? || block.call(request.env["warden"].user(scope))) + end + + constraints(constraint) do + yield + end +end + Kandan::Application.routes.draw do devise_for :users, :controllers => { @@ -5,24 +17,27 @@ } devise_scope :user do - # these are allow to access with auth_token - get "/active_users" => "apis#active_users" - get "/me" => "apis#me" - resources :channels do resources :activities - resources :attachments + end + + authenticated_or_have_token :user do + get "/active_users" => "apis#active_users" + get "/me" => "apis#me" + + resources :users, :only => [:index, :show] end authenticated :user do root :to => "main#index" get '/search' => "main#search" - - resources :users, :only => [:index, :show] - get "/users/edit" =>"main#users_edit" + resource :channels do + resource :attachments + end + namespace :admin do root :to => "admin#index" post "/update", :to => "admin#update", :as => "update"
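Review bot: The token branch of the constraint lambda in `authenticated_or_have_token` only tests `request.query_parameters['auth_token'].present?`, so any non-blank `auth_token` value satisfies the route constraint without being compared to a stored token. Unless every controller reached through this block authenticates the token itself, these routes are open to unauthenticated requests; this matters more because the second hunk moves `resources :users, :only => [:index, :show]` out of `authenticated :user` and into this block. At minimum I would document the contract above the lambda, e.g. `# Routing gate only: auth_token is checked for presence, not validity; controllers must still authenticate it.` Also, on the token-only path `request.env["warden"].user(scope)` may be nil when it is handed to `block`, and a token carried in the query string tends to end up in access logs and Referer headers.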
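Review bot: The re-added attachments routes in the second hunk use the singular `resource :channels do` / `resource :attachments`, where the removed line was the plural `resources :attachments` nested under `resources :channels`. Singular resources generate routes without an id segment, so the path likely becomes `/channels/attachments` and no `channel_id` reaches the controller. It also defines a second, singular set of channel routes inside `authenticated :user`. If the intent is only to move attachments behind session authentication, I would write `resources :channels, :only => [] do`, `resources :attachments`, `end`. The `devise_scope` and `authenticated` blocks continue past the end of the hunk.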