From 87e43e5cc397c29a2ab547568a6c2519dbeae631 Mon Sep 17 00:00:00 2001
From: Nicolae Claudius
Date: Wed, 2 Nov 2011 11:59:17 -0700
Subject: [PATCH] restrict simple API to A records only

---
 app/controllers/records_controller.rb       |  8 +++++++-
 spec/controllers/records_controller_spec.rb | 10 ++++++++++
 spec/support/shared_context/data.rb         |  2 ++
 3 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/app/controllers/records_controller.rb b/app/controllers/records_controller.rb
index ef3a4fb..bd08acf 100644
--- a/app/controllers/records_controller.rb
+++ b/app/controllers/records_controller.rb
@@ -31,14 +31,20 @@ class RecordsController < ApplicationController
   protect_from_forgery :except => 'modify'
   skip_authorize_resource :only => :modify
 
+  MODIFY_ERROR = 'ERROR: only A records can be modified with this API'
+  MODIFY_OK = 'OK'
+
   # TODO: externalize
   def modify
     @record = Record.where(:authentication_token => params[:authentication_token]).first!
+    if @record.type != 'A'
+      return render :text => MODIFY_ERROR
+    end
     @record.content = params[:ip] || client_remote_ip
     @record.save!
     respond_with(@record) do |format|
       format.html {
-        render :text => 'OK'
+        render :text => MODIFY_OK
       }
     end
   end
diff --git a/spec/controllers/records_controller_spec.rb b/spec/controllers/records_controller_spec.rb
index 4d37115..bf41b81 100644
--- a/spec/controllers/records_controller_spec.rb
+++ b/spec/controllers/records_controller_spec.rb
@@ -39,6 +39,7 @@ describe RecordsController do
     ip = '127.0.0.2'
     put :modify, :authentication_token => a_record.authentication_token, :ip => ip
     response.should be_success
+    response.body.should == RecordsController::MODIFY_OK
     assigns(:record).should == a_record
     assigns(:record).content.should == ip
   end
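Review bot: The guard added after the `first!` lookup renders `MODIFY_ERROR` with the default 200 status, so a token for a non-A record gets the same success status as a completed update and any client that checks the status instead of matching the body text will treat the refusal as a success; the new spec even asserts `be_success` for this case. Consider `return render :text => MODIFY_ERROR, :status => :forbidden` (or `:unprocessable_entity`) and adjust the spec's expectation to match. The `params[:ip]` value written on the following context line is still stored without being checked as an IPv4 literal before `save!`; now that the endpoint is limited to A records, validating it here would keep malformed content out of the zone, unless the Record model already enforces that, which this hunk does not show.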
@@ -48,9 +49,18 @@ describe RecordsController do
     request.env["HTTP_X_FORWARDED_FOR"] = ip
     put :modify, :authentication_token => a_record.authentication_token
     response.should be_success
+    response.body.should == RecordsController::MODIFY_OK
     assigns(:record).should == a_record
     assigns(:record).content.should == ip
   end
 
 
+
+  it "errors when not A type @record with" do
+    ip = '127.0.0.3'
+    request.env["HTTP_X_FORWARDED_FOR"] = ip
+    put :modify, :authentication_token => soa_record.authentication_token
+    response.should be_success
+    response.body.should == RecordsController::MODIFY_ERROR
+  end
 end
diff --git a/spec/support/shared_context/data.rb b/spec/support/shared_context/data.rb
index a4f13e1..3bf5760 100644
--- a/spec/support/shared_context/data.rb
+++ b/spec/support/shared_context/data.rb
@@ -12,4 +12,6 @@ shared_context "data" do
   let(:a_record){Factory(:a, :content => '127.0.0.1', :domain => domain)}
 
+  let(:soa_record){domain.soa_record}
+
 
 end
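Review bot: The new example `"errors when not A type @record with"` only inspects the response body and never asserts that the SOA record was left untouched, which is the property this commit exists to guarantee. Wrap the request so the persisted value is checked, e.g. `lambda { put :modify, :authentication_token => soa_record.authentication_token }.should_not change { soa_record.reload.content }`; the forwarded-for IP set on the preceding line is exactly what would have been written had the guard not fired, so this also proves the guard ran before the client IP was read. The description is garbled as written; something like `it "refuses to modify a record that is not of type A" do` states the intent. The enclosing describe block starts outside the hunk.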