Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Call controller's current_user method during audited model creation #344

Merged
merged 1 commit into from
Apr 26, 2017
Merged

Call controller's current_user method during audited model creation #344

merged 1 commit into from
Apr 26, 2017

Conversation

domcleal
Copy link
Collaborator

Restores behaviour prior to 87d402a where the sweeper would call the
controller's current_user method from the audited model callback.

Since 87d402a, the current_user method was called from an around action
callback registered on the base controller which was being called prior
to other callbacks that were authenticating the user. This caused
problems in apps where the user hadn't yet been set (so audit users were
nil), or CSRF issues because current_user was called prior to session
changes.

Fixes #336

@domcleal domcleal mentioned this pull request Apr 21, 2017
Closed
grosser
grosser reviewed Apr 21, 2017
View reviewed changes
spec/audited/sweeper_spec.rb Outdated
@@ -1,6 +1,12 @@
require "spec_helper"

class AuditsController < ActionController::Base
if Rails::VERSION::MAJOR == 4
before_filter :populate_user
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this will cause deprecations on 4.2 ... and I raise on deprecations ... so kaboom :D
... also add the raise on deprecations option to find this in tests easier.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The deprecation warning was added in 5.0 - in 4.2 the use of before_filter was just "discouraged" so this should be fine whether AS deprecations are raised or not.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

before_action already exists on rails 4.0
https://github.com/rails/rails/blob/f53132deea65ae673b29b811c606be103f1ae3ab/actionpack/lib/abstract_controller/callbacks.rb
I would suggest to remove this if here

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, you're right - thanks for the info. I've updated the PR to remove the conditional entirely.

grosser
grosser reviewed Apr 21, 2017
View reviewed changes
lib/audited/sweeper.rb
@@ -18,7 +18,7 @@ def around(controller)
end

def current_user
controller.send(Audited.current_user_method) if controller.respond_to?(Audited.current_user_method, true)
lambda { controller.send(Audited.current_user_method) if controller.respond_to?(Audited.current_user_method, true) }
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

just store the controller here and don't create a new lambda ?
... then move the remaining code to the sweeper

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, I was initially planning to store the controller but I didn't think it was a good idea to have the Audit model calling methods directly on the controller. I preferred to keep the controller-specific calls and logic in this class.

... then move the remaining code to the sweeper

Which code's that? Do you mean to the model?

grosser
grosser approved these changes Apr 21, 2017
View reviewed changes
Copy link
Contributor

@grosser grosser left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks like a safer approach

@grosser
Copy link
Contributor

grosser commented Apr 21, 2017 via email

@domcleal
Copy link
Collaborator Author

Thanks for the review @grosser, appreciated.

@domcleal
Call controller's current_user method during audited model creation
96aebbc 
Restores behaviour prior to 87d402a where the sweeper would call the
controller's current_user method from the audited model callback.

Since 87d402a, the current_user method was called from an around action
callback registered on the base controller which was being called prior
to other callbacks that were authenticating the user. This caused
problems in apps where the user hadn't yet been set (so audit users were
nil), or CSRF issues because current_user was called prior to session
changes.

Fixes collectiveidea#336
@domcleal domcleal merged commit 3aed1f5 into collectiveidea:master Apr 26, 2017
@morgoth
Copy link

morgoth commented May 2, 2017

Can we have a release with this fix?

@domcleal
Copy link
Collaborator Author

domcleal commented May 2, 2017

@danielmorrison I opened #345 with updates for 4.5.0 if you'd kindly push the gem.

@morgoth
Copy link

morgoth commented May 30, 2017

@domcleal @danielmorrison hey, any news on releasing the new version?

@domcleal
Copy link
Collaborator Author

audited 4.5.0's released.

@morgoth
Copy link

morgoth commented May 30, 2017

Great, thanks :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lucianosousa lucianosousa lucianosousa left review comments

@grosser grosser grosser approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@domcleal @grosser @morgoth @lucianosousa