Merge pull request #66 from sul-dlss/sul-embed-591-iiif-token-creation
don't grant IIIF bearer tokens to anonymous users
tingulfsen authored Jul 14, 2016
2 parents 76e9f78 + cf3bd57 commit a72035e
Showing 5 changed files with 16 additions and 5 deletions.
3 changes: 2 additions & 1 deletion app/controllers/application_controller.rb
Expand Up @@ -62,7 +62,8 @@ def webauth_user
end

def anonymous_locatable_user
User.new(ip_address: request.remote_ip)
User.new(ip_address: request.remote_ip,
anonymous_locatable_user: true)
end

def rescue_can_can(exception)
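Review bot: The purpose of the new `anonymous_locatable_user: true` flag is not stated where it is set, and the distinction it carries (the one User that must not be issued an IIIF bearer token) depends on every other User constructor leaving the flag unset. A comment above the method would make that contract visible: `# Fallback user for requests carrying no credentials; flagged so that endpoints needing a real identity (e.g. IIIF token minting) can refuse it.` The sibling constructors such as `webauth_user` are outside this hunk, so whether any of them could also produce an unflagged User on a credential-less path cannot be checked here.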
2 changes: 1 addition & 1 deletion app/controllers/iiif_token_controller.rb
@@ -1,7 +1,7 @@
# API to create IIIF Authentication access tokens
class IiifTokenController < ApplicationController
def create
token = mint_bearer_token if current_user
token = mint_bearer_token unless current_user.anonymous_locatable_user?

write_bearer_token_cookie(token) if token

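Review bot: The rewritten condition `token = mint_bearer_token unless current_user.anonymous_locatable_user?` is fail-open: a User whose flag is unset for any reason is granted a token, and a nil `current_user` now raises NoMethodError where the old `if current_user` simply minted nothing. If nil is still reachable on some path (the controller spec previously stubbed `current_user` to nil and after this commit no longer covers that case), keep the guard: `token = mint_bearer_token if current_user && !current_user.anonymous_locatable_user?`. A positive check naming the authenticated user kinds would be more robust than a negated flag, but those predicates are outside this hunk, as is the remainder of `create`.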
6 changes: 5 additions & 1 deletion app/models/user.rb
Expand Up @@ -3,12 +3,16 @@
class User
include ActiveModel::Model

attr_accessor :id, :webauth_user, :app_user, :token_user, :ldap_groups, :ip_address
attr_accessor :id, :webauth_user, :anonymous_locatable_user, :app_user, :token_user, :ldap_groups, :ip_address

def webauth_user?
webauth_user
end

def anonymous_locatable_user?
anonymous_locatable_user
end

def stanford?
ldap_groups.present? && (ldap_groups & Settings.user.stanford_groups).any?
end
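Review bot: The new `anonymous_locatable_user` attribute and predicate carry a security-relevant meaning that nothing in the model documents: the token controller relies on it to withhold bearer tokens. A comment above the `attr_accessor` line such as `# anonymous_locatable_user: set only for the credential-less fallback user; it must never be issued a bearer token` would record that contract next to the field. Like `webauth_user?`, the predicate returns nil rather than false when the flag is unset, so callers should rely on truthiness only and never compare against false. The class body continues outside the hunk.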
6 changes: 6 additions & 0 deletions spec/controllers/application_controller_spec.rb
Expand Up @@ -42,5 +42,11 @@
expect(subject).to be_a_webauth_user
end
end

context 'with no other credentials' do
it 'is an anonymous locatable user' do
expect(subject).to be_an_anonymous_locatable_user
end
end
end
end
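Review bot: The new example asserts only the fallback case; nothing in this spec checks that a webauth (or app/token) user is not an anonymous locatable user, which is the property the token grant now depends on. Adding `expect(subject).not_to be_an_anonymous_locatable_user` to the existing webauth context, whose `be_a_webauth_user` expectation is visible at the top of the hunk, would pin that. The enclosing describe block starts outside the hunk.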
4 changes: 2 additions & 2 deletions spec/controllers/iiif_token_controller_spec.rb
Expand Up @@ -6,7 +6,7 @@
get :create, format: :js
end

let(:user) { nil }
let(:user) { User.new(anonymous_locatable_user: true) }

before do
allow(controller).to receive(:current_user).and_return(user)
Expand Down Expand Up @@ -35,7 +35,7 @@
end
end

context 'without a user' do
context 'with an anonymous user' do
it 'returns the error response' do
expect(subject.status).to eq 401
