Merge pull request #81 from tvdeyen/fix-80

tvdeyen · web-flow · commit ab1781db136c · 2019-04-24T18:36:14.000+02:00
Run CSRF protection before all other controller filters
diff --git a/app/controllers/alchemy/user_sessions_controller.rb b/app/controllers/alchemy/user_sessions_controller.rb
@@ -2,6 +2,8 @@ module Alchemy
   class UserSessionsController < ::Devise::SessionsController
     include Alchemy::Admin::Locale
 
+    protect_from_forgery prepend: true
+
     before_action except: 'destroy' do
       enforce_ssl if ssl_required? && !request.ssl?
     end
diff --git a/spec/dummy/app/controllers/application_controller.rb b/spec/dummy/app/controllers/application_controller.rb
@@ -1,5 +1,4 @@
 class ApplicationController < ActionController::Base
-  # Prevent CSRF attacks by raising an exception.
-  # For APIs, you may want to use :null_session instead.
-  protect_from_forgery with: :exception
+  # @See https://github.com/AlchemyCMS/alchemy-devise/issues/80
+  before_action { current_user }
 end
diff --git a/spec/dummy/config/application.rb b/spec/dummy/config/application.rb
@@ -21,7 +21,7 @@
 module Dummy
   class Application < Rails::Application
     # Initialize configuration defaults for originally generated Rails version.
-    config.load_defaults 5.1
+    config.load_defaults 5.2
 
     # Settings in config/environments/* take precedence over those specified here.
     # Application configuration can go into files in config/initializers
diff --git a/spec/dummy/config/environments/test.rb b/spec/dummy/config/environments/test.rb
@@ -26,10 +26,7 @@
   config.action_dispatch.show_exceptions = false
 
   # Disable request forgery protection in test environment.
-  config.action_controller.allow_forgery_protection = false
-
-  # Store uploaded files on the local file system in a temporary directory
-  # config.active_storage.service = :test
+  config.action_controller.allow_forgery_protection = true
 
   config.action_mailer.perform_caching = false
 
diff --git a/spec/dummy/config/initializers/new_framework_defaults.rb b/spec/dummy/config/initializers/new_framework_defaults.rb
diff --git a/spec/dummy/config/initializers/new_framework_defaults_5_1.rb b/spec/dummy/config/initializers/new_framework_defaults_5_1.rb
diff --git a/spec/dummy/config/initializers/new_framework_defaults_5_2.rb b/spec/dummy/config/initializers/new_framework_defaults_5_2.rb
diff --git a/spec/dummy/db/migrate/20190424075603_add_fixed_to_alchemy_elements.alchemy.rb b/spec/dummy/db/migrate/20190424075603_add_fixed_to_alchemy_elements.alchemy.rb
@@ -0,0 +1,7 @@
+# This migration comes from alchemy (originally 20180519204655)
+class AddFixedToAlchemyElements < ActiveRecord::Migration[5.0]
+  def change
+    add_column :alchemy_elements, :fixed, :boolean, default: false, null: false
+    add_index :alchemy_elements, :fixed
+  end
+end
diff --git a/spec/dummy/db/schema.rb b/spec/dummy/db/schema.rb
@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema.define(version: 2018_03_01_103350) do
+ActiveRecord::Schema.define(version: 2019_04_24_075603) do
 
   create_table "alchemy_attachments", force: :cascade do |t|
     t.string "name"
@@ -60,7 +60,9 @@
     t.integer "updater_id"
     t.integer "cell_id"
     t.integer "parent_element_id"
+    t.boolean "fixed", default: false, null: false
     t.index ["cell_id"], name: "index_alchemy_elements_on_cell_id"
+    t.index ["fixed"], name: "index_alchemy_elements_on_fixed"
     t.index ["page_id", "parent_element_id"], name: "index_alchemy_elements_on_page_id_and_parent_element_id"
     t.index ["page_id", "position"], name: "index_elements_on_page_id_and_position"
   end
diff --git a/spec/features/login_feature_spec.rb b/spec/features/login_feature_spec.rb
@@ -1,7 +1,17 @@
 require 'spec_helper'
 
 describe "Login: " do
-  context "If users present" do
+  context "If user is present" do
+    let!(:user) do
+      Alchemy::User.create!(
+        login: 'admin',
+        email: 'admin@example.com',
+        password: 's3cr3t',
+        password_confirmation: 's3cr3t',
+        alchemy_roles: %w[admin]
+      )
+    end
+
     let!(:default_key) { Devise.authentication_keys }
 
     before do
@@ -13,6 +23,14 @@
         visit '/admin/login'
         expect(page).to have_field('user_login')
       end
+
+      it "works" do
+        visit '/admin/login'
+        fill_in 'user_login', with: user.login
+        fill_in 'user_password', with: user.password
+        click_button 'Login'
+        expect(page).to have_content('Welcome back admin')
+      end
     end
 
     context "with default Devise configuration" do
@@ -25,6 +43,14 @@
         expect(page).to have_field('user_email')
       end
 
+      it "works" do
+        visit '/admin/login'
+        fill_in 'user_email', with: user.email
+        fill_in 'user_password', with: user.password
+        click_button 'Login'
+        expect(page).to have_content('Welcome back admin')
+      end
+
       after do
         Devise.authentication_keys = default_key
       end
