Lock down pages

Add a `require_login` before_action to ApplicationController so we need to specifically make pages public rather than the reverse.
2023-08-20 12:39:22 +01:00 · 2023-08-20 12:39:22 +01:00 · b246c5ac70
parent d5b5bbdbfd
commit b246c5ac70
6 changed files with 24 additions and 2 deletions
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@ -1,2 +1,9 @@
+# frozen_string_literal: true
+
 class ApplicationController < ActionController::Base
+  before_action :require_login
+
+  def require_login
+    redirect_to new_session_path unless helpers.logged_in?
+  end
 end
--- a/app/controllers/email_confirmations_controller.rb
+++ b/app/controllers/email_confirmations_controller.rb
@ -1,6 +1,7 @@
 # frozen_string_literal: true

 class EmailConfirmationsController < ApplicationController
+  skip_before_action :require_login, only: [:confirm]
  def confirm
    @user = User.find_by(email: params[:email])
    if params[:confirmation_string] == @user.email_confirmation_string
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@ -1,6 +1,8 @@
 # frozen_string_literal: true

 class SessionsController < ApplicationController
+  skip_before_action :require_login, only: [:new, :create]
+
  before_action :set_user, only: [:create]
  before_action :ensure_email_confirmed, only: [:create]

--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@ -1,6 +1,8 @@
 # frozen_string_literal: true

 class UsersController < ApplicationController
+  skip_before_action :require_login, only: [:new, :create, :show]
+
  before_action :set_user, only: [:edit, :update, :show]

  def new
--- a/app/views/layouts/application.html.erb
+++ b/app/views/layouts/application.html.erb
@ -13,12 +13,12 @@
  <body>
    <header>
      <%= link_to root_path do %>
-        <h1>Summon Player</h1>
+        <h1><%= t("site_title") %></h1>
      <% end %>
      <nav>
        <ul>
-          <li><%= link_to t("home"), root_path %></li>
          <% if logged_in? %>
+            <li><%= link_to t("home"), root_path %></li>
            <li><%= link_to t("profile"), user_path(current_user) %></li>
            <li><%= link_to t("log_out"), log_out_path, data: { turbo_method: :delete } %></li>
          <% else %>
--- a/test/controllers/users_controller_test.rb
+++ b/test/controllers/users_controller_test.rb
@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+require "test_helper"
+
+class UsersControllerTest < ActionDispatch::IntegrationTest
+  test "cannot edit a user when not logged in" do
+    get edit_user_path(users(:user))
+    assert_redirected_to new_session_path
+  end
+end