-
Notifications
You must be signed in to change notification settings - Fork 1
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Make sure routes/actions are locked down correctly #166
Comments
reefdog
changed the title
Make sure routes are locked down correctly
Make sure routes/actions are locked down correctly
Aug 24, 2022
Also: the Jobs Status page ( |
reefdog
added a commit
that referenced
this issue
Sep 21, 2022
Two separate problems going on here: 1. We were recreating `SessionsController#create` unnecessarily, as the code in our method was exactly the same as the normal Devise method. Removed that. 2. `SessionsController#new` incorrectly set the @title_tag right in the controller, when we can just add it in the template itself. This commit fixes both of those, and also restores the commented-out `destroy` method for future reference. Issue #166
reefdog
added a commit
that referenced
this issue
Sep 21, 2022
Users don’t need to get to the login page or submit the login form while already logged in. Issue #166
reefdog
added a commit
that referenced
this issue
Sep 21, 2022
Finally! This commit stops letting Devise generate the registration- related routes that we weren’t using anyway. They were around because of some testing requirements that I couldn’t pin down, but are now no more. Issue #166
reefdog
added a commit
that referenced
this issue
Sep 21, 2022
- Use string, not symbol, for naming `new_applicant` path for consistency with the other routes - Replace the unnecessary `resources :applicants` with the more explicit `post “/“`, since we’re only using a single resource route - Add tests for the applicant routes to make sure all of the above didn’t break; this should’ve been in place already but oops Issue #166
reefdog
added a commit
that referenced
this issue
Sep 21, 2022
Besides adding the `before_action`, this commit adds some controller tests and stubs out further ones that we should fill in. Issue #166
reefdog
added a commit
that referenced
this issue
Sep 21, 2022
reefdog
added a commit
that referenced
this issue
Sep 21, 2022
reefdog
added a commit
that referenced
this issue
Sep 21, 2022
Prior to this commit, the Jobs page was hidden in the nav from non-admin users, but if they knew the URL they could still get to it. This commit locks that down and adds tests to verify. It also renames the relevant test file to bring it in alignment with the actual controller being tested, and cleans up one of the tests a bit. Issue #166
reefdog
added a commit
that referenced
this issue
Sep 21, 2022
Previously, the controllers for our various media sources (Twitter, YouTube, etc.) weren’t authenticated, and thus could be accessed even while logged out. This commit: - Adds authentication to all of them - Fixes an inconsistency in the strict-typing declaration between them - Adds fixtures and tests for all sources Issue #166
reefdog
added a commit
that referenced
this issue
Sep 21, 2022
reefdog
added a commit
that referenced
this issue
Sep 21, 2022
AFAIK these are unused. Login is handled in `users/sessions_controller.rb` and settings in `accounts_controller.rb`. Issue #166
reefdog
added a commit
that referenced
this issue
Sep 22, 2022
Users don’t need to get to the login page while already logged in. This explicitly *doesn’t* block the other actions. `create` because blocking it causes some weird behavior (and who cares if people want to force a new authentication, really; we just want to stop them from accidentally stumbling in), and `destroy` because of course. Issue #166
reefdog
added a commit
that referenced
this issue
Sep 22, 2022
Finally! This commit stops letting Devise generate the registration- related routes that we weren’t using anyway. They were around because of some testing requirements that I couldn’t pin down, but are now no more. Issue #166
reefdog
added a commit
that referenced
this issue
Sep 22, 2022
- Use string, not symbol, for naming `new_applicant` path for consistency with the other routes - Replace the unnecessary `resources :applicants` with the more explicit `post “/“`, since we’re only using a single resource route - Add tests for the applicant routes to make sure all of the above didn’t break; this should’ve been in place already but oops Issue #166
reefdog
added a commit
that referenced
this issue
Sep 22, 2022
Besides adding the `before_action`, this commit adds some controller tests and stubs out further ones that we should fill in. Issue #166
reefdog
added a commit
that referenced
this issue
Sep 22, 2022
reefdog
added a commit
that referenced
this issue
Sep 22, 2022
reefdog
added a commit
that referenced
this issue
Sep 22, 2022
Prior to this commit, the Jobs page was hidden in the nav from non-admin users, but if they knew the URL they could still get to it. This commit locks that down and adds tests to verify. It also renames the relevant test file to bring it in alignment with the actual controller being tested, and cleans up one of the tests a bit. Issue #166
reefdog
added a commit
that referenced
this issue
Sep 22, 2022
Previously, the controllers for our various media sources (Twitter, YouTube, etc.) weren’t authenticated, and thus could be accessed even while logged out. This commit: - Adds authentication to all of them - Fixes an inconsistency in the strict-typing declaration between them - Adds fixtures and tests for all sources Issue #166
reefdog
added a commit
that referenced
this issue
Sep 22, 2022
reefdog
added a commit
that referenced
this issue
Sep 22, 2022
AFAIK these are unused. Login is handled in `users/sessions_controller.rb` and settings in `accounts_controller.rb`. Issue #166
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I noticed some funny behavior when clicking around the site while logged in and not logged in:
While logged in:
While not logged in:
/image_search
/twitter_users/*
So I think the things we need to do:
image_search
andtwitter_users
routes require authenticationThe text was updated successfully, but these errors were encountered: