diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index 340a091..242ef84 100644
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -13,7 +13,7 @@ def create
 render 'new'
 else
 sign_in user
- redirect_to user
+ redirect_back_or user
 end
 end
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 09e96dc..3b14eed 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -1,5 +1,6 @@
 class UsersController < ApplicationController
 before_filter :authenticate, :only => [:edit, :update]
+ before_filter :correct_user, :only => [:edit, :update]
 def show
 @user = User.find(params[:id])
@@ -42,4 +43,9 @@ def update
 def authenticate
 deny_access unless signed_in?
 end
+
+ def correct_user
+ @user = User.find(params[:id])
+ redirect_to(root_path) unless current_user?(@user)
+ end
 end
diff --git a/app/helpers/sessions_helper.rb b/app/helpers/sessions_helper.rb
index 05efae9..a47c55b 100644
--- a/app/helpers/sessions_helper.rb
+++ b/app/helpers/sessions_helper.rb
@@ -22,9 +22,27 @@ def sign_out
 self.current_user = nil
 end
+ def current_user?(user)
+ user == current_user
+ end
+
 def deny_access
+ store_location
 redirect_to signin_path, :notice => "Please sign in to access this page."
- end
+ end
+
+ def store_location
+ session[:return_to] = request.fullpath
+ end
+
+ def redirect_back_or(default)
+ redirect_to(session[:return_to] || default)
+ clear_return_to
+ end
+
+ def clear_return_to
+ session[:return_to] = nil
+ end
 private
diff --git a/spec/controllers/users_controller_spec.rb b/spec/controllers/users_controller_spec.rb
index 0b459cf..94b0b08 100644
--- a/spec/controllers/users_controller_spec.rb
+++ b/spec/controllers/users_controller_spec.rb
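Review bot: `correct_user` is appended directly after `authenticate`, and whether it is private depends on a `private` marker that lies outside this hunk; if it ends up public it is reachable as a controller action, so it is worth confirming the marker precedes both methods. The filter is declared after `:authenticate`, so it runs second; even if that order changed, `current_user?` would compare against a nil `current_user` and still redirect, only to `root_path` instead of `signin_path`. A comment would preserve that intent, e.g. `# Runs after :authenticate (declaration order); non-owners are sent to root_path.` Note also that `User.find` on an unknown id presumably raises before the ownership check, so that case yields a not-found error rather than a redirect.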
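Review bot: `store_location` records `request.fullpath` for every denied request, including non-GET ones, so a signed-out `PUT /users/:id` stores a path that `redirect_back_or` later replays as a GET, which presumably lands on `show` rather than the page the user was trying to reach. Guarding the store with the verb keeps only revisitable pages: `session[:return_to] = request.fullpath if request.get?`. The stored value is written by the server from the incoming path rather than taken from a request parameter, so `redirect_back_or` is not an open redirect as written; a one-line comment stating that invariant would stop a later change from loosening it. The `- end`/`+ end` pair in the middle of the hunk appears to be a whitespace-only change.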
@@ -188,15 +188,37 @@
 @user = Factory(:user)
 end
- it "should deny access to 'edit'" do
- get :edit, :id => @user
- response.should redirect_to(signin_path)
- flash[:notice].should =~ /sign in/i
- end
+ describe "for non-signed-in users" do
+
+ it "should deny access to 'edit'" do
+ get :edit, :id => @user
+ response.should redirect_to(signin_path)
+ flash[:notice].should =~ /sign in/i
+ end
- it "should deny access to 'update'" do
- put :update, :id => @user, :user => {}
- response.should redirect_to(signin_path)
+ it "should deny access to 'update'" do
+ put :update, :id => @user, :user => {}
+ response.should redirect_to(signin_path)
+ end
 end
+
+ describe "for signed-in users" do
+
+ before(:each) do
+ wrong_user = Factory(:user, :email => "user@example.net")
+ test_sign_in(wrong_user)
+ end
+
+ it "should require matching users for 'edit'" do
+ get :edit, :id => @user
+ response.should redirect_to(root_path)
+ end
+
+ it "should require matching users for 'update'" do
+ put :update, :id => @user, :user => {}
+ response.should redirect_to(root_path)
+ end
+ end
+ end
 end
 end
diff --git a/spec/requests/friendly_forwardings_spec.rb b/spec/requests/friendly_forwardings_spec.rb
new file mode 100644
index 0000000..48b753e
--- /dev/null
+++ b/spec/requests/friendly_forwardings_spec.rb
@@ -0,0 +1,19 @@
+require 'spec_helper'
+
+describe "FriendlyForwardings" do
+
+ it "should forward to the requested page after signin" do
+ user = Factory(:user)
+ visit edit_user_path(user)
+ fill_in :email, :with => user.email
+ fill_in :password, :with => user.password
+ click_button
+ response.should render_template('users/edit')
+ visit signout_path
+ visit signin_path
+ fill_in :email, :with => user.email
+ fill_in :password, :with => user.password
+ click_button
+ response.should render_template('users/show')
+ end
+end
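Review bot: The new `describe "for signed-in users"` block only exercises `wrong_user`, so nothing in this hunk checks that the owning user can still reach `edit` and `update`; a `correct_user` filter that redirected everyone to `root_path` would pass this suite unchanged. A positive example alongside the two denial cases closes that gap; it has to sit outside the `before(:each)` that signs in `wrong_user`, and it assumes `test_sign_in` (defined outside this hunk) behaves as the request spec uses it. The enclosing `describe` starts before the hunk.
```ruby
    describe "for the matching user" do

      it "should allow access to 'edit'" do
        test_sign_in(@user)
        get :edit, :id => @user
        response.should render_template('users/edit')
      end
    end
```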