Fix sidekiq route security

2019-10-05 02:20:23 -07:00 · 2019-10-05 02:20:23 -07:00 · a2f97acfdc
commit a2f97acfdc
parent 709eae7abd
2 changed files with 9 additions and 1 deletions
--- a/app/logical/admin_route_constraint.rb
+++ b/app/logical/admin_route_constraint.rb
@ -0,0 +1,7 @@
+class AdminRouteConstraint
+  def matches?(request)
+    return false unless request.session[:user_id]
+    user = User.find(request.session[:user_id])
+    user && user.is_admin?
+  end
+end
--- a/config/routes.rb
+++ b/config/routes.rb
@ -2,8 +2,9 @@ Rails.application.routes.draw do

  require 'sidekiq/web'
  require 'sidekiq_unique_jobs/web'
+
  Sidekiq::Web.set :session_secret, Rails.application.credentials[:secret_key_base]
-  mount Sidekiq::Web => '/sidekiq'
+  mount Sidekiq::Web => '/sidekiq', constraints: AdminRouteConstraint.new

  namespace :admin do
    resources :users, :only => [:edit, :update, :edit_blacklist, :update_blacklist] do