jaculabilis/danbooru
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

ip bans: forbid all non-GET actions for ip banned users.

Browse Source 
Previously only actions that were marked member_only or above were
subject to IP ban restrictions. This meant that certain actions that
weren't marked member_only, like creating new accounts, could still be
done by IP banned users.

Now IP banned users can't do any non-GET actions, which means they're
not allowed to even login to their accounts.
This commit is contained in:
evazion
2020-03-16 01:19:13 -05:00
parent ea96295940
commit 93a60eebed
2 changed files with 15 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
app/controllers/application_controller.rb
View File

@@ -8,6 +8,7 @@ class ApplicationController < ActionController::Base
before_action :set_current_user
before_action :normalize_search
before_action :api_check
before_action :ip_ban_check
before_action :set_variant
before_action :enable_cors
before_action :cause_error
@@ -154,10 +155,13 @@ class ApplicationController < ActionController::Base
render_error_page(status, error)
end
def ip_ban_check
raise User::PrivilegeError if !request.get? && IpBan.is_banned?(CurrentUser.ip_addr)
end
def role_only!(role)
raise User::PrivilegeError if !CurrentUser.send("is_#{role}?")
raise User::PrivilegeError if !request.get? && CurrentUser.user.is_banned?
raise User::PrivilegeError if !request.get? && IpBan.is_banned?(CurrentUser.ip_addr)
end
User::Roles.each do |role|

12
test/functional/sessions_controller_test.rb
View File

@@ -16,10 +16,18 @@ class SessionsControllerTest < ActionDispatch::IntegrationTest
context "create action" do
should "create a new session" do
post session_path, params: {:name => @user.name, :password => "password"}
assert_redirected_to posts_path
@user.reload
assert_equal(@user.id, session[:user_id])
assert_not_nil(@user.last_ip_addr)
assert_not_nil(@user.reload.last_ip_addr)
end
should "not allow IP banned users to create a new session" do
create(:ip_ban, ip_addr: "1.2.3.4")
post session_path, params: { name: @user.name, password: "password" }, headers: { REMOTE_ADDR: "1.2.3.4" }
assert_response 403
assert_not_equal(@user.id, session[:user_id])
end
end