class Rails::Auth::ErrorPage::DebugMiddleware

Renders a descriptive "access denied" page with debugging information about why the given request was not authorized. Useful for debugging, but it leaks information about your ACL to a potential attacker; make sure you are comfortable with that information being public.

Constants

RESPONSE_HEADERS

Configures CSP to disable JavaScript but allow inline CSS. This is a precaution in case someone pulls off reflected XSS; all values should be properly escaped on the page so that will not happen.

Public Class Methods

new(app, acl: nil)
# File lib/rails/auth/error_page/debug_middleware.rb, line 24
def initialize(app, acl: nil)
  # The ACL is mandatory despite the nil default: the page needs it to report matching resources
  raise ArgumentError, "ACL must be a Rails::Auth::ACL" unless acl.is_a?(Rails::Auth::ACL)

  @app = app
  @acl = acl
  # Load the debug page template once, when the middleware is constructed
  @erb = ERB.new(File.read(File.expand_path("debug_page.html.erb", __dir__))).freeze
end

Public Instance Methods

call(env)
# File lib/rails/auth/error_page/debug_middleware.rb, line 32
def call(env)
  @app.call(env)
rescue Rails::Auth::NotAuthorizedError
  # An ACL denial surfaces as this exception; answer with a 403 and the debug page
  [403, RESPONSE_HEADERS.dup, [error_page(env)]]
end

error_page(env)
# File lib/rails/auth/error_page/debug_middleware.rb, line 38
def error_page(env)
  # Both locals are read by the template through the binding passed below
  credentials = Rails::Auth.credentials(env)
  resources   = @acl.matching_resources(env)

  @erb.result(binding)
end

format_attributes(value)
# File lib/rails/auth/error_page/debug_middleware.rb, line 49
def format_attributes(value)
  # Prefer an object's attributes hash when it has one; otherwise fall back to inspect
  value.respond_to?(:attributes) ? value.attributes.inspect : value.inspect
end

format_path(path)
# File lib/rails/auth/error_page/debug_middleware.rb, line 53
def format_path(path)
  # Strip the leading \A and trailing \z anchors from the resource regexp so it displays as a path
  path.source.sub(/\A\\A/, "").sub(/\\z\z/, "")
end

h(text)
# File lib/rails/auth/error_page/debug_middleware.rb, line 45
def h(text)
  # HTML-escape before interpolating into the page; nil becomes an empty string
  CGI.escapeHTML(text || "")
end
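As an added, self-contained illustration (not the gem's own code) of the two properties this page describes: the middleware turns a NotAuthorizedError into a 403 whose body lists the ACL resources matching the request, and every interpolated value passes through h(), so an attacker-controlled credential string cannot inject markup into the page. NotAuthorizedError, DemoACL, DemoDebugMiddleware, the CSP header value, the inline template and the "demo.credentials" env key are constructed stand-ins for this example, not rails-auth's own.

```ruby
require "cgi"
require "erb"
# Constructed stand-ins for the gem's NotAuthorizedError and ACL classes; they
# are not rails-auth code, only enough to exercise the middleware pattern.
class NotAuthorizedError < StandardError; end
DemoACL = Struct.new(:resources) do
  def matching_resources(env) # resources are anchored regexes, as in rails-auth
    resources.select { |re| re.match?(env["PATH_INFO"]) }
  end
end

class DemoDebugMiddleware
  # Assumed CSP value with the documented intent: no script, inline CSS allowed
  RESPONSE_HEADERS = { "Content-Security-Policy" => "default-src 'none'; style-src 'unsafe-inline'" }.freeze
  # Every interpolated value goes through h(), the escaping helper
  TEMPLATE = ERB.new(<<~HTML)
    <h1>Access Denied</h1>
    <p>Credentials: <%= h(credentials.inspect) %></p>
    <ul><% resources.each do |r| %><li><%= h(r.source) %></li><% end %></ul>
  HTML

  def initialize(app, acl:)
    @app, @acl = app, acl
  end

  def call(env)
    @app.call(env)
  rescue NotAuthorizedError
    [403, RESPONSE_HEADERS.dup, [error_page(env)]]
  end

  def error_page(env)
    credentials = env.fetch("demo.credentials", {})
    resources   = @acl.matching_resources(env)
    TEMPLATE.result(binding)
  end

  def h(text)
    CGI.escapeHTML(text || "")
  end
end

ACL = DemoACL.new([%r{\A/admin/.*\z}, %r{\A/health\z}])

# Simulate a denied request carrying an attacker-controlled credential string
def denied_response(path, credential)
  env = { "PATH_INFO" => path, "demo.credentials" => { "x509" => credential } }
  DemoDebugMiddleware.new(->(_env) { raise NotAuthorizedError }, acl: ACL).call(env)
end
```

The body deliberately shows the matching ACL resource, which is exactly the information the page warns is exposed to anyone who can trigger a denial.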