A stopgap solution for restricting barkeep by a whitelist of user emails

See #361 for the full proposal.
commit aab9c575a1d6a0d57a68ca475fba1b658e70fedf 1 parent 410d33b
@philc philc authored
Showing with 16 additions and 2 deletions.
  1. +12 −2 barkeep_server.rb
  2. +4 −0 environment.rb
14 barkeep_server.rb
@@ -39,7 +39,12 @@
NODE_MODULES_BIN_PATH = "./node_modules/.bin"
OPENID_AX_EMAIL_SCHEMA = "http://axschema.org/contact/email"
-LOGIN_WHITELIST_ROUTES = ["/signin", "/signout", "/commits/", "/stats", "/inspire", "/statusz", "/api/"]
+UNAUTHENTICATED_ROUTES = ["/signin", "/signout", "/inspire", "/statusz", "/api/"]
+# NOTE(philc): Currently we let you see previews of individual commits and the code review stats without
+# being logged in, as a friendly UX. When we flesh out our auth model, we should intentionally make this
+# configurable.
+UNAUTHENTICATED_PREVIEW_ROUTES = ["/commits/", "/stats"]
+
# OPENID_PROVIDERS is a string env variable. It's a comma-separated list of OpenID providers.
OPENID_PROVIDERS_ARRAY = OPENID_PROVIDERS.split(",")
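Review bot: "/api/" stays in UNAUTHENTICATED_ROUTES, which the login check skips regardless of PERMITTED_USERS, so a configured whitelist does not cover the API routes. If the API handlers authenticate requests on their own (not visible in this diff), a comment on this constant should say so; otherwise "/api/" belongs with the routes that are only open when PERMITTED_USERS is empty. The NOTE above UNAUTHENTICATED_PREVIEW_ROUTES could also state that the previews are closed as soon as a whitelist is set, since that is the behavior the filter now implements.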
@@ -176,7 +181,9 @@ def ensure_required_params(*required_params)
else
SavedSearch.raise_on_save_failure = true
end
- next if LOGIN_WHITELIST_ROUTES.any? { |route| request.path =~ /^#{route}/ }
+ next if UNAUTHENTICATED_ROUTES.any? { |route| request.path =~ /^#{route}/ }
+ next if PERMITTED_USERS.empty? &&
+ UNAUTHENTICATED_PREVIEW_ROUTES.any? { |route| request.path =~ /^#{route}/ }
unless current_user
# TODO(philc): Revisit this UX. Dumping the user into Google with no explanation is not what we want.
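Review bot: both `next if` lines match with `request.path =~ /^#{route}/`, which interpolates the route unescaped and anchors with `^`; in Ruby `^` matches at the start of any line, not only at the start of the string, and an entry without a trailing slash such as "/stats" also matches any longer path that begins with those characters. Since these lists decide which requests skip authentication, a stricter match is worth it: `request.path.start_with?(route)` or `/\A#{Regexp.escape(route)}/`, ideally in one small helper used by both lists so the two checks cannot drift apart.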
@@ -225,6 +232,9 @@ def ensure_required_params(*required_params)
when OpenID::Consumer::SUCCESS
ax_resp = OpenID::AX::FetchResponse.from_success_response(openid_response)
email = ax_resp["http://axschema.org/contact/email"][0]
+ unless PERMITTED_USERS.split(",").map(&:strip).include?(email)
+ halt 401, "Your email #{email} is not authorized to login to Barkeep."
+ end
session[:email] = email
unless User.find(:email => email)
# If there are no admin users yet, make the first user to log in the first admin.
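Review bot: the `unless PERMITTED_USERS.split(",").map(&:strip).include?(email)` check has no guard for the empty default. With `PERMITTED_USERS = ""` from environment.rb, `split(",")` returns an empty array, `include?` is false for every email, and every login halts with 401, which contradicts the comment that any user can log in when the list is not set. Suggest `unless PERMITTED_USERS.empty? || ...include?(email)`, matching the `PERMITTED_USERS.empty?` test already used in the route filter. The comparison is also case-sensitive, so consider downcasing both sides, and the list could be parsed once into a constant instead of on every login.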
4 environment.rb
@@ -33,3 +33,7 @@
# The number of resque workers to spawn
RESQUE_WORKERS = 2
+
+# A comma-separated list of permitted users, to restrict access to barkeep. If unset, any user can log in
+# via their Gmail account. This feature is a work in progress and not ready for general use; see #361.
+PERMITTED_USERS = ""
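Review bot: the comment says "If unset", but the constant is always defined and the code tests it with `PERMITTED_USERS.empty?`, so "If empty" is the accurate wording. The comment should also mention the second effect of setting this value: the unauthenticated previews under "/commits/" and "/stats" are disabled once the list is non-empty. A one-line example of the expected format (comma-separated email addresses, whitespace around entries ignored) would save readers from looking at the login handler.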