Enforce authentication

[oneiros]

OK, this one is embarrassing.

Up until now, hdm never actually restricted access to hiera data from anonymous users. If you were not logged in, you could still access "internal" pages if you knew the URL.

This was due to a combination of reasons:

1.) Authorization is performed with the help of the cancancan gem. The rules live in app/models/abilities.rb. If no user was signed in, the following line simply created one:

hdm/app/models/ability.rb

Line 37 in 52d8487

user ||= User.new # guest user (not logged in)

So anonymous users had the same rights a regular user.

This PR changes that line, so anonymous (i.e. non-existent) users have no rights.

2.) It is customary in rails applications to check for signed in users in a so called before_action as the very first step when a request hits the application. This is so there is no need to query the authorization layer or waste other resources in these cases at all.

Such a before_action was missing from hdm.

This PR adds a before_action checking the authentication in ApplicationController, so all controllers inherit it. In the few places where login is not required, exceptions to that rule have been added.

I am really sorry that I did not catch this earlier. I guess there were so many familiar patterns already in place that I just expected this to work ☹️

[oneiros]

I added some simple tests to make sure this does not happen again.