jaculabilis/danbooru
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

ip bans: forbid all non-GET actions for ip banned users.

Browse Source 
Previously only actions that were marked member_only or above were
subject to IP ban restrictions. This meant that certain actions that
weren't marked member_only, like creating new accounts, could still be
done by IP banned users.

Now IP banned users can't do any non-GET actions, which means they're
not allowed to even login to their accounts.
This commit is contained in:
evazion
2020-03-16 01:19:13 -05:00
parent ea96295940
commit 93a60eebed
2 changed files with 15 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
test/functional/sessions_controller_test.rb
View File

@@ -16,10 +16,18 @@ class SessionsControllerTest < ActionDispatch::IntegrationTest
context "create action" do
should "create a new session" do
post session_path, params: {:name => @user.name, :password => "password"}
assert_redirected_to posts_path
@user.reload
assert_equal(@user.id, session[:user_id])
assert_not_nil(@user.last_ip_addr)
assert_not_nil(@user.reload.last_ip_addr)
end
should "not allow IP banned users to create a new session" do
create(:ip_ban, ip_addr: "1.2.3.4")
post session_path, params: { name: @user.name, password: "password" }, headers: { REMOTE_ADDR: "1.2.3.4" }
assert_response 403
assert_not_equal(@user.id, session[:user_id])
end
end