app/controllers/application_controller.rb
class ApplicationController < ActionController::Base
# TODO: restore once ExceptionLogger is 3.1 compatible
# include ExceptionLogger::ExceptionLoggable
# rescue_from Exception, :with => :log_exception_handler
before_action :configure_permitted_parameters, if: :devise_controller?
# Prevent CSRF attacks by raising an exception.
# For APIs, you may want to use :null_session instead.
protect_from_forgery with: :exception
include Mixpanel
def info_for_paper_trail
{ ip: request.remote_ip }
end
rescue_from CanCan::AccessDenied do |exception|
Rails.logger.debug "Access denied on #{exception.action} #{exception.subject.inspect}"
redirect_to root_url, alert: exception.message
end
before_action :log_additional_data
before_action :security_headers
before_action :cleanup
# incompatible w/ rails 4.
#
# include Apotomo::Rails::ControllerMethods
# has_widgets do |root|
# root << widget(:cart, :user => current_user)
# root << widget(:cart_item, :user => current_user)
# end
force_ssl if: :ssl_configured?
def hidden_service?
request.env['HTTP_HOST'] =~ /\.onion\z/
end
helper_method :hidden_service?
def tor?
request.env['tor']
end
helper_method :tor?
def admin?
current_user && (current_user.id == 1)
end
helper_method :admin?
def deny_tor_users
redirect_to root_path, alert: 'Tor users may not use that functionality.' if tor?
end
private
def ssl_configured?
Rails.env.production? && !tor?
end
# Note: Strict-Transport-Security is already set to 1 year through config.force_ssl (i.e. Rack:SSL)
def security_headers
response.headers['X-Frame-Options'] = 'SAMEORIGIN'
response.headers['X-XSS-Protection'] = '1; mode=block'
end
def cleanup
flash[:timedout] = nil # added by Devise, redundant
end
protected
def log_additional_data
request.env['exception_notifier.exception_data'] = {
user: current_user
}
end
def configure_permitted_parameters
# Defaults (see https://github.com/plataformatec/devise/tree/rails4):
# sign_in (Devise::SessionsController#new) - Permits only the authentication keys (like email)
# sign_up (Devise::RegistrationsController#create) - Permits authentication keys plus password
# and password_confirmation
# account_update (Devise::RegistrationsController#update) - Permits authentication keys plus
# password, password_confirmation and current_password
# Formerly, in Rails 3
# attr_accessible :email, :password, :password_confirmation, :remember_me, :name, :login,
# :login_or_email
# Modify them:
# devise_parameter_sanitizer.for(:sign_in) { |u| u.permit(:login_or_email) }
devise_parameter_sanitizer.permit(:sign_up, keys: [:email, :name, :password, :password_confirmation]) # :login
end
end