diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index a68e056f2..7a63cdd95 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -8,6 +8,7 @@ class ApplicationController < ActionController::Base
   before_action :set_current_user
   before_action :normalize_search
   before_action :api_check
+  before_action :ip_ban_check
   before_action :set_variant
   before_action :enable_cors
   before_action :cause_error
@@ -154,10 +155,13 @@ class ApplicationController < ActionController::Base
     render_error_page(status, error)
   end
 
+  def ip_ban_check
+    raise User::PrivilegeError if !request.get? && IpBan.is_banned?(CurrentUser.ip_addr)
+  end
+
   def role_only!(role)
     raise User::PrivilegeError if !CurrentUser.send("is_#{role}?")
     raise User::PrivilegeError if !request.get? && CurrentUser.user.is_banned?
-    raise User::PrivilegeError if !request.get? && IpBan.is_banned?(CurrentUser.ip_addr)
   end
 
   User::Roles.each do |role|
diff --git a/test/functional/sessions_controller_test.rb b/test/functional/sessions_controller_test.rb
index a3c75a0b8..566950e39 100644
--- a/test/functional/sessions_controller_test.rb
+++ b/test/functional/sessions_controller_test.rb
@@ -16,10 +16,18 @@ class SessionsControllerTest < ActionDispatch::IntegrationTest
   context "create action" do
     should "create a new session" do
       post session_path, params: {:name => @user.name, :password => "password"}
+      assert_redirected_to posts_path
 
-      @user.reload
       assert_equal(@user.id, session[:user_id])
-      assert_not_nil(@user.last_ip_addr)
+      assert_not_nil(@user.reload.last_ip_addr)
+    end
+
+    should "not allow IP banned users to create a new session" do
+      create(:ip_ban, ip_addr: "1.2.3.4")
+      post session_path, params: { name: @user.name, password: "password" }, headers: { REMOTE_ADDR: "1.2.3.4" }
+
+      assert_response 403
+      assert_not_equal(@user.id, session[:user_id])
     end
   end
 
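Review bot: `ip_ban_check` is added as a plain instance method on ApplicationController with no visibility marker visible in the hunk; in Rails a public controller method is eligible as an action on every subclass, so if the surrounding section is public it should be placed under `private`/`protected` or declared with `private :ip_ban_check`, matching what a callback-only method needs. The method also deserves a one-line comment stating why only non-GET requests are rejected, e.g. `# Banned IPs may still read; reject every non-GET (state-changing) request before the action runs.`, since the GET exemption is now applied site-wide by the before_action rather than only inside role-guarded actions. Note that `request.get?` is false for HEAD, so a HEAD from a banned address gets a 403 while the equivalent GET succeeds — harmless, but worth a comment if intentional. The check presumably relies on `set_current_user` having populated `CurrentUser.ip_addr` earlier in the callback chain (it is registered after it in the first hunk), and a comment making that ordering dependency explicit would keep a future reorder from silently disabling the ban check.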
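Review bot: `assert_not_equal(@user.id, session[:user_id])` in the new IP-ban test is a weak assertion — it passes for any stray value in the session — and `assert_nil(session[:user_id])` states the actual expectation that no session was established. Since `ip_ban_check` runs as a before_action, the rejected login should leave no side effect either, so the test could also assert that the request was stopped before the action body, e.g. `assert_nil(@user.reload.last_ip_addr)` mirroring the positive test above (assuming `last_ip_addr` is only written on a successful login, which the hunk suggests but does not show). A second login from a non-banned address in the same test would additionally pin that the ban is keyed on the client address rather than rejecting every login once any ban row exists.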