
Re-enable controller back-end access checking.

1 parent 42f1887 commit ba98e45c6363f5ee5aef381f0b708347f3076594 @robyurkowski robyurkowski committed May 4, 2012
@@ -51,10 +51,13 @@ def restrict_plugins
end
def restrict_controller
- # if ::Refinery::Plugins.active.reject { |plugin| params[:controller] !~ Regexp.new(plugin.menu_match)}.empty?
- # warn "'#{current_refinery_user.username}' tried to access '#{params[:controller]}' but was rejected."
- # error_404
- # end
+ # We need to remove the admin/ section since the path is silent for the
+ # namespace.
+ path = params[:controller].gsub('admin/', '')
+ unless ::Refinery::Plugins.active.any? {|plugin| path =~ Regexp.new(plugin.menu_match) }
+ logger.warn "'#{current_refinery_user.username}' tried to access '#{path}' but was rejected."
+ error_404
+ end
end
private
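Review bot: In `restrict_controller`, `params[:controller].gsub('admin/', '')` removes every occurrence of that substring rather than only the namespace segment, so a controller path with a segment that merely ends in `admin/` is rewritten before the permission match and can be compared against the wrong plugin. Because this match is the access decision, I would strip only a whole path segment, for example `path = params[:controller].sub(%r{(\A|/)admin/}, '\1')`. The `path =~ Regexp.new(plugin.menu_match)` test adds no anchors of its own, so the strictness of the check depends on every plugin's `menu_match` being anchored; the comment above the line should say so, e.g. `# menu_match must be anchored; an unanchored pattern grants access to any controller containing it`. The log line also assumes `current_refinery_user` is non-nil here; if this filter can run before authentication (not visible in the hunk), it would raise instead of returning the 404.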
@@ -0,0 +1,27 @@
+require "spec_helper"
+
+module Refinery
+ describe "plugin access" do
+ context "as refinery user" do
+ refinery_login_with :refinery_user
+
+ context "with permission" do
+ it "allows access" do
+ visit refinery.admin_pages_path
+ page.body.should_not include '404'
+ end
+ end
+
+ context "without permission" do
+ before do
+ logged_in_user.stub(:plugins).and_return []
+ end
+
+ it "denies access" do
+ visit refinery.admin_pages_path
+ page.body.should include '404'
+ end
+ end
+ end
+ end
+end
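Review bot: The assertions `page.body.should include '404'` and `page.body.should_not include '404'` match a bare substring, so the "allows access" example fails if the rendered admin page contains those digits anywhere, and the "denies access" example passes on any body that contains them. Asserting on the response status, e.g. `page.status_code.should == 404` (available with the rack-test driver), pins the access decision itself. The spec also covers only a user with no plugins at all; an example where the user holds a different plugin than the one visited would exercise the pattern match in `restrict_controller` rather than the empty-list path.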
