FEATURE: restrict admin access based on IP address

2025-06-04 23:36:11 +08:00 · 2014-09-04 18:50:27 -04:00
parent 1040a88389
commit ca5f361d0a
12 changed files with 118 additions and 10 deletions
--- a/spec/controllers/session_controller_spec.rb
+++ b/spec/controllers/session_controller_spec.rb
@ -291,6 +291,36 @@ describe SessionController do
          end
        end
      end
+
+      context 'when admins are restricted by ip address' do
+        let(:permitted_ip_address) { '111.234.23.11' }
+
+        before do
+          Fabricate(:screened_ip_address, ip_address: permitted_ip_address, action_type: ScreenedIpAddress.actions[:allow_admin])
+        end
+
+        it 'is successful for admin at the ip address' do
+          User.any_instance.stubs(:admin?).returns(true)
+          ActionDispatch::Request.any_instance.stubs(:remote_ip).returns(permitted_ip_address)
+          xhr :post, :create, login: user.username, password: 'myawesomepassword'
+          session[:current_user_id].should == user.id
+        end
+
+        it 'returns an error for admin not at the ip address' do
+          User.any_instance.stubs(:admin?).returns(true)
+          ActionDispatch::Request.any_instance.stubs(:remote_ip).returns("111.234.23.12")
+          xhr :post, :create, login: user.username, password: 'myawesomepassword'
+          JSON.parse(response.body)['error'].should be_present
+          session[:current_user_id].should_not == user.id
+        end
+
+        it 'is successful for non-admin not at the ip address' do
+          User.any_instance.stubs(:admin?).returns(false)
+          ActionDispatch::Request.any_instance.stubs(:remote_ip).returns("111.234.23.12")
+          xhr :post, :create, login: user.username, password: 'myawesomepassword'
+          session[:current_user_id].should == user.id
+        end
+      end
    end

    context 'when email has not been confirmed' do