class Rails::Auth::ErrorPage::DebugMiddleware
Renders a descriptive access-denied page with debugging information about why the given request was not authorized. Useful for debugging, but it leaks information about your ACL to a potential attacker, so make sure you are OK with that information being public.
Constants
- RESPONSE_HEADERS
  Configures a CSP that disables JavaScript but allows inline CSS. This is defence in depth in case someone pulls off a reflected XSS; all values on the page should already be properly escaped, so that should not happen.
Public Class Methods
new(app, acl: nil)

    # File lib/rails/auth/error_page/debug_middleware.rb, line 24
    def initialize(app, acl: nil)
      raise ArgumentError, "ACL must be a Rails::Auth::ACL" unless acl.is_a?(Rails::Auth::ACL)

      @app = app
      @acl = acl
      # The debug page template is read once at boot and reused for every denied request
      @erb = ERB.new(File.read(File.expand_path("debug_page.html.erb", __dir__))).freeze
    end
Public Instance Methods
call(env)

    # File lib/rails/auth/error_page/debug_middleware.rb, line 32
    # Pass the request down the stack; when authorization fails, answer 403 with the debug page
    def call(env)
      @app.call(env)
    rescue Rails::Auth::NotAuthorizedError
      [403, RESPONSE_HEADERS.dup, [error_page(env)]]
    end
error_page(env)

    # File lib/rails/auth/error_page/debug_middleware.rb, line 38
    # The locals `credentials` and `resources` are what the ERB template reads through `binding`
    def error_page(env)
      credentials = Rails::Auth.credentials(env)
      resources = @acl.matching_resources(env)

      @erb.result(binding)
    end
format_attributes(value)

    # File lib/rails/auth/error_page/debug_middleware.rb, line 49
    # Show a credential's attributes when it exposes them, otherwise its plain inspect output
    def format_attributes(value)
      value.respond_to?(:attributes) ? value.attributes.inspect : value.inspect
    end
format_path(path)

    # File lib/rails/auth/error_page/debug_middleware.rb, line 53
    # Strip the \A and \z anchors from the resource regexp so it reads like a path
    def format_path(path)
      path.source.sub(/\A\\A/, "").sub(/\\z\z/, "")
    end
h(text)

    # File lib/rails/auth/error_page/debug_middleware.rb, line 45
    # HTML-escape a value before it is interpolated into the page; nil becomes an empty string
    def h(text)
      CGI.escapeHTML(text || "")
    end
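A self-contained Ruby model of the pattern this page documents, added here as an example and not the rails-auth gem's own code: the middleware rescues the authorization error, answers 403 under a script-blocking CSP, escapes every interpolated value with h, and strips regexp anchors with format_path. NotAuthorizedError, ToyACL, the policy string, the inline template and the `toy.credentials` env key are constructed stand-ins for the gem's real classes and files.

```ruby
require "cgi"
require "erb"

# Constructed stand-ins (not the rails-auth gem's code) for what the middleware relies on:
# the error it rescues and an ACL whose resources pair a path regexp with a principal.
class NotAuthorizedError < StandardError; end
ToyACL = Struct.new(:resources) do
  def matching_resources(env)
    resources.select { |r| r[:path].match?(env["PATH_INFO"]) }
  end
end

# Like the page's RESPONSE_HEADERS: script forbidden, inline CSS allowed (constructed
# policy), so a value that somehow slipped past h() still could not execute.
RESPONSE_HEADERS = {
  "Content-Type" => "text/html",
  "Content-Security-Policy" => "default-src 'none'; style-src 'unsafe-inline'"
}.freeze
# Inline stand-in for debug_page.html.erb; every interpolated value passes through h().
TEMPLATE = ERB.new(<<~HTML).freeze
  <h1>Access denied</h1>
  <p>Credentials: <%= h(credentials.inspect) %></p>
  <ul><% resources.each do |r| %><li><%= h(format_path(r[:path])) %> allows <%= h(r[:allowed]) %></li><% end %></ul>
HTML

DebugErrorPage = Struct.new(:app, :acl, keyword_init: true) do
  # Pass the request down the stack; on denial answer 403 with the debug page.
  def call(env)
    app.call(env)
  rescue NotAuthorizedError
    [403, RESPONSE_HEADERS.dup, [error_page(env)]]
  end
  def error_page(env)
    credentials = env.fetch("toy.credentials", {}) # the gem reads these from env
    resources = acl.matching_resources(env)
    TEMPLATE.result(binding)                       # binding also exposes h and format_path
  end
  def h(text)
    CGI.escapeHTML(text.to_s)
  end
  # Strip the \A ... \z anchors so the ACL regexp reads like a path on the page.
  def format_path(path)
    path.source.sub(/\A\\A/, "").sub(/\\z\z/, "")
  end
end

# Constructed request: a denied client whose credential value carries a script tag.
def denied_response
  acl = ToyACL.new([{ path: %r{\A/admin/.*\z}, allowed: "x509 CN=admin" }])
  app = ->(_env) { raise NotAuthorizedError }
  env = { "PATH_INFO" => "/admin/users", "toy.credentials" => { "x509" => "<script>alert(1)</script>" } }
  DebugErrorPage.new(app: app, acl: acl).call(env)
end
```

The rendered body shows exactly what an attacker would learn from this page: which ACL resource matched the path and which principal it admits, which is why the gem's documentation warns that the page is for debugging only.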