metamaps--metamaps/app/controllers/application_controller.rb
Devin Howard 6e1797183e brakeman (#556)
* update rails to 4.2.5.1

* fix brakeman gem warning

* make brakeman happier and add it to travis

* install brakeman gem for static security analysis

* fix brakeman call in travis
2016-06-16 15:44:08 +08:00

87 lines
2 KiB
Ruby

class ApplicationController < ActionController::Base
include ApplicationHelper
include Pundit
include PunditExtra
rescue_from Pundit::NotAuthorizedError, with: :handle_unauthorized
protect_from_forgery(with: :exception)
before_action :get_invite_link
after_action :allow_embedding
def default_serializer_options
{ root: false }
end
# this is for global login
include ContentHelper
helper_method :user
helper_method :authenticated?
helper_method :admin?
def after_sign_in_path_for(resource)
sign_in_url = url_for(:action => 'new', :controller => 'sessions', :only_path => false, :protocol => 'https')
if request.referer == sign_in_url
super
elsif params[:uv_login] == "1"
"http://support.metamaps.cc/login_success?sso=" + current_sso_token
else
stored_location_for(resource) || request.referer || root_path
end
end
def handle_unauthorized
if authenticated?
head :forbidden # TODO make this better
else
redirect_to new_user_session_path, notice: "Try signing in to do that."
end
end
private
def get_invite_link
@invite_link = "#{request.base_url}/join" + (current_user ? "?code=#{current_user.code}" : "")
end
def require_no_user
if authenticated?
redirect_to edit_user_path(user), notice: "You must be logged out."
return false
end
end
def require_user
unless authenticated?
redirect_to new_user_session_path, notice: "You must be logged in."
return false
end
end
def require_admin
unless authenticated? && admin?
redirect_to root_url, notice: "You need to be an admin for that."
return false
end
end
def user
current_user
end
def authenticated?
current_user
end
def admin?
authenticated? && current_user.admin
end
def allow_embedding
#allow all
response.headers.except! 'X-Frame-Options'
# or allow a whitelist
# response.headers['X-Frame-Options'] = 'ALLOW-FROM http://blog.metamaps.cc'
end
end