Lock down pages

Add a `require_login` before_action to ApplicationController so we need
to specifically make pages public rather than the reverse.
Trevor Vallender 2023-08-20 12:39:22 +01:00
parent d5b5bbdbfd
commit b246c5ac70
6 changed files with 24 additions and 2 deletions


@ -1,2 +1,9 @@
# frozen_string_literal: true
class ApplicationController < ActionController::Base class ApplicationController < ActionController::Base
before_action :require_login
def require_login
redirect_to new_session_path unless helpers.logged_in?
end
end end
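Review bot: `require_login` is added as a public method on ApplicationController, and Rails exposes public controller methods as routable actions on every subclass, so it should sit below a `private` marker: `private` on the line before `def require_login`. Calling `helpers.logged_in?` pulls a view helper into the controller; defining `logged_in?` and `current_user` on the controller and publishing them with `helper_method :logged_in?, :current_user` is the conventional direction and removes the `helpers` proxy from the filter. The redirect also discards the requested path, so a user who then logs in is not returned to the page they asked for; if that is intentional, a short comment on the `redirect_to` line saying so would help the next reader.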


@ -1,6 +1,7 @@
# frozen_string_literal: true # frozen_string_literal: true
class EmailConfirmationsController < ApplicationController class EmailConfirmationsController < ApplicationController
skip_before_action :require_login, only: [:confirm]
def confirm def confirm
@user = User.find_by(email: params[:email]) @user = User.find_by(email: params[:email])
if params[:confirmation_string] == @user.email_confirmation_string if params[:confirmation_string] == @user.email_confirmation_string
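Review bot: Now that `confirm` is explicitly exempt from `require_login`, the unauthenticated path on the unchanged lines just below the new `skip_before_action` deserves a guard: `User.find_by(email: params[:email])` returns nil for an unknown address and the following line dereferences `@user` unconditionally, so a bad email yields a NoMethodError rather than a controlled response; a `return redirect_to new_session_path unless @user` (or whatever failure path the action uses further down) before the comparison closes that. The token check also uses `==`; `ActiveSupport::SecurityUtils.secure_compare(params[:confirmation_string].to_s, @user.email_confirmation_string.to_s)` is the constant-time form for comparing a secret. These lines are context, not part of this commit, and the `confirm` body continues outside the hunk.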


@ -1,6 +1,8 @@
# frozen_string_literal: true # frozen_string_literal: true
class SessionsController < ApplicationController class SessionsController < ApplicationController
skip_before_action :require_login, only: [:new, :create]
before_action :set_user, only: [:create] before_action :set_user, only: [:create]
before_action :ensure_email_confirmed, only: [:create] before_action :ensure_email_confirmed, only: [:create]


@ -1,6 +1,8 @@
# frozen_string_literal: true # frozen_string_literal: true
class UsersController < ApplicationController class UsersController < ApplicationController
skip_before_action :require_login, only: [:new, :create, :show]
before_action :set_user, only: [:edit, :update, :show] before_action :set_user, only: [:edit, :update, :show]
def new def new
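Review bot: `skip_before_action :require_login, only: [:new, :create, :show]` makes every user's `show` page reachable without a session; if that is the intended public surface, a comment above the line such as `# Profiles are public; editing requires a session` would stop a later reader from treating it as an oversight. `require_login` only establishes that some user is signed in, and `set_user` runs for `edit`/`update`/`show` alike — whether it restricts `edit` and `update` to the current user is not visible in this hunk, so that authorization check should be confirmed where `set_user` is defined. The class body continues beyond the hunk.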


@ -13,12 +13,12 @@
<body> <body>
<header> <header>
<%= link_to root_path do %> <%= link_to root_path do %>
<h1>Summon Player</h1> <h1><%= t("site_title") %></h1>
<% end %> <% end %>
<nav> <nav>
<ul> <ul>
<li><%= link_to t("home"), root_path %></li>
<% if logged_in? %> <% if logged_in? %>
<li><%= link_to t("home"), root_path %></li>
<li><%= link_to t("profile"), user_path(current_user) %></li> <li><%= link_to t("profile"), user_path(current_user) %></li>
<li><%= link_to t("log_out"), log_out_path, data: { turbo_method: :delete } %></li> <li><%= link_to t("log_out"), log_out_path, data: { turbo_method: :delete } %></li>
<% else %> <% else %>


@ -0,0 +1,10 @@
# frozen_string_literal: true
require "test_helper"
class UsersControllerTest < ActionDispatch::IntegrationTest
test "cannot edit a user when not logged in" do
get edit_user_path(users(:user))
assert_redirected_to new_session_path
end
end
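Review bot: The new test pins only the `edit` action; `update` is protected by the same filter and should get the same assertion (`patch user_path(users(:user))` followed by `assert_redirected_to new_session_path`), otherwise a later change to the `only:` list on `skip_before_action` can widen the public surface unnoticed. A positive case asserting that `new` and `show` still succeed without a session would document the intended exemptions alongside the lock-down. The test names and the existing one are fine as they are.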