From adf75a4757465a5f08c1675919d7c88aff78adb9 Mon Sep 17 00:00:00 2001
From: murny <1930474+murny@users.noreply.github.com>
Date: Thu, 29 Aug 2024 16:00:25 -0600
Subject: [PATCH 1/2] Add ability to password protect certain pages

---
 .../initializers/comfortable_mexican_sofa.rb | 17 +++++----
 test/integration/cms_protected_pages_test.rb | 35 +++++++++++++++++++
 test/integration/cms_test.rb | 1 +
 3 files changed, 47 insertions(+), 6 deletions(-)
 create mode 100644 test/integration/cms_protected_pages_test.rb

diff --git a/config/initializers/comfortable_mexican_sofa.rb b/config/initializers/comfortable_mexican_sofa.rb
index 61965ba9..9fd74c26 100644
--- a/config/initializers/comfortable_mexican_sofa.rb
+++ b/config/initializers/comfortable_mexican_sofa.rb
@@ -19,7 +19,7 @@
 # Module responsible for public authentication. Similar to the above. You also
 # will have access to @cms_site, @cms_layout, @cms_page so you can use them in
 # your logic. Default module doesn't do anything.
- # config.public_auth = 'ComfyPublicAuthentication'
+ config.public_auth = "ComfyPublicAuthentication"

 # Module responsible for public authorization. It should have #authorize
 # method that returns true or false based on params and loaded instance
@@ -99,11 +99,16 @@
 # end

 # Uncomment this module and `config.public_auth` above to use custom public authentication
-# module ComfyPublicAuthentication
-# def authenticate
-# return true
-# end
-# end
+module ComfyPublicAuthentication
+ def authenticate
+ protected_paths = ["secret"]
+
+ return unless protected_paths.any? { |protected_path| params["cms_path"].include?(protected_path) }
+ authenticate_or_request_with_http_basic do |username, password|
+ username == Rails.application.secrets.cms_user && password == Rails.application.secrets.cms_password
+ end
+ end
+end

 # Uncomment this module and `config.public_authorization` above to use custom public authorization
 # module ComfyPublicAuthorization
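Review bot: In `authenticate`, the gate is a substring test on the raw request parameter (`params["cms_path"].include?(protected_path)`), which is a separate decision from how the CMS resolves the page, so the protection holds only while the two agree on case and path segments. The initializer comment in the first hunk says `@cms_page` is available to this module; if it is already loaded at this point, deciding from the resolved page (for example `@cms_page.full_path.start_with?("/secret")`) or at least comparing whole path segments would be more robust than matching the param text. The credential check also uses plain `==` with a short-circuiting `&&`; `ActiveSupport::SecurityUtils.secure_compare(username, Rails.application.secrets.cms_user) & ActiveSupport::SecurityUtils.secure_compare(password, Rails.application.secrets.cms_password)` compares in constant time, and an unset secret should be rejected explicitly rather than coerced to an empty string. A comment above `protected_paths` such as `# entries are matched against the requested CMS path; every page under a listed slug requires HTTP basic auth` would document the intent for whoever adds the next entry.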
diff --git a/test/integration/cms_protected_pages_test.rb b/test/integration/cms_protected_pages_test.rb
new file mode 100644
index 00000000..ad068a97
--- /dev/null
+++ b/test/integration/cms_protected_pages_test.rb
@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+require "test_helper"
+
+class CmsProtectedPagesTest < ActionDispatch::IntegrationTest
+ setup do
+ # create a nested protected CMS page under "secret" slug
+ @secret_parent = Comfy::Cms::Page.create!(
+ site: Comfy::Cms::Site.first,
+ layout: Comfy::Cms::Layout.first,
+ slug: "secret",
+ label: "Secret Parent"
+ )
+
+ @page = Comfy::Cms::Page.create!(
+ site: Comfy::Cms::Site.first,
+ layout: Comfy::Cms::Layout.first,
+ slug: "protected-page",
+ label: "Protected Page",
+ parent: @secret_parent
+ )
+ end
+
+ test "visting protected page returns unauthorized" do
+ get comfy_cms_render_page_path(cms_path: "secret/protected-page")
+
+ assert_response :unauthorized
+ end
+
+ test "visting protected page with correct credentials returns success" do
+ get comfy_cms_render_page_path(cms_path: "secret/protected-page"), headers: admin_authorization_headers
+
+ assert_response :success
+ end
+end
diff --git a/test/integration/cms_test.rb b/test/integration/cms_test.rb
index 957aef6c..6e5697be 100644
--- a/test/integration/cms_test.rb
+++ b/test/integration/cms_test.rb
@@ -9,6 +9,7 @@ class CmsTest < ActionDispatch::IntegrationTest
 assert_response :success
 assert_select "h2", "Search the Library"
 end
+
 test "ask us page" do
 get comfy_cms_render_page_path(cms_path: "ask-us")

From 61ded17434d6b9d5dced9eaa0ee9328ec7515a96 Mon Sep 17 00:00:00 2001
From: murny <1930474+murny@users.noreply.github.com>
Date: Thu, 29 Aug 2024 16:17:49 -0600
Subject: [PATCH 2/2] Protect against when cms_path is nil, e.g homepage

---
 config/initializers/comfortable_mexican_sofa.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

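Review bot: The new file test/integration/cms_protected_pages_test.rb covers only a request with no credentials and one with correct credentials, so nothing pins the rejection path of the comparison inside `authenticate_or_request_with_http_basic`. I would add a case that sends a wrong username/password pair in the `Authorization` header and asserts `assert_response :unauthorized`. A second case should confirm that the parent page itself (`cms_path: "secret"`) is also gated. The existing tests in cms_test.rb show that unprotected pages still render, but a request whose path differs from the protected slug only in letter case would be worth asserting explicitly, since the gate is a case-sensitive string match.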
diff --git a/config/initializers/comfortable_mexican_sofa.rb b/config/initializers/comfortable_mexican_sofa.rb
index 9fd74c26..63b134dd 100644
--- a/config/initializers/comfortable_mexican_sofa.rb
+++ b/config/initializers/comfortable_mexican_sofa.rb
@@ -103,7 +103,8 @@ module ComfyPublicAuthentication
 def authenticate
 protected_paths = ["secret"]

- return unless protected_paths.any? { |protected_path| params["cms_path"]&.include?(protected_path) }
+ return unless protected_paths.any? { |protected_path| params["cms_path"]&.include?(protected_path) }
+
 authenticate_or_request_with_http_basic do |username, password|
 username == Rails.application.secrets.cms_user && password == Rails.application.secrets.cms_password
 end
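Review bot: The nil guard on `params["cms_path"]&.include?(protected_path)` ships without a regression test (the diffstat shows only the initializer changed), so the homepage case that motivated it can break again unnoticed. An integration test that requests the site root without credentials and asserts `assert_response :success` would pin it. Reading the parameter once before the block, `cms_path = params["cms_path"].to_s`, would also make the "no path means not protected" decision explicit instead of leaving it implied by `&.` returning nil inside `any?`. The closing `end` of `authenticate` and of the module fall outside this hunk.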