Merge pull request #957 from chrishunt/chrishunt/lock-down-the-base

Add 'login required' site setting

app/controllers/application_controller.rb

@@ -22,6 +22,7 @@ class ApplicationController < ActionController::Base
   before_filter :preload_json
   before_filter :check_xhr
   before_filter :set_locale
+  before_filter :redirect_to_login_if_required
 
   rescue_from Exception do |exception|
     unless [ ActiveRecord::RecordNotFound, ActionController::RoutingError,
@@ -280,6 +281,10 @@ class ApplicationController < ActionController::Base
       raise Discourse::NotLoggedIn.new unless current_user.present?
     end
 
+    def redirect_to_login_if_required
+      redirect_to :login if SiteSetting.login_required? && !current_user
+    end
+
     def render_not_found_page(status=404)
       f = Topic.where(deleted_at: nil, archetype: "regular")
       @latest = f.order('views desc').take(10)

app/controllers/session_controller.rb

@@ -4,6 +4,7 @@ class SessionController < ApplicationController
   #  page is going to be empty, this means that server will see an invalid CSRF and blow the session
   #  once that happens you can't log in with social
   skip_before_filter :verify_authenticity_token, only: [:create]
+  skip_before_filter :redirect_to_login_if_required
 
   def create
     requires_parameter(:login, :password)

app/controllers/static_controller.rb

@@ -1,6 +1,6 @@
 class StaticController < ApplicationController
 
-  skip_before_filter :check_xhr
+  skip_before_filter :check_xhr, :redirect_to_login_if_required
 
   def show
 
@@ -30,8 +30,13 @@ class StaticController < ApplicationController
   def enter
     params.delete(:username)
     params.delete(:password)
-    redirect_to(params[:redirect] || '/')
+
+    redirect_to(
+      if params[:redirect].blank? || params[:redirect].match(login_path)
+        root_path
+      else
+        params[:redirect]
+      end
+    )
   end
-
-
 end