authorHeiko Bernloehr <Heiko.Bernloehr@FreeIT.de>2014-07-24 18:16:08 +0200
committerHeiko Bernloehr <Heiko.Bernloehr@FreeIT.de>2016-01-27 01:50:43 +0100
commit2473c5588b1d89cc5cbf934d5a0b4df08c161dd5 (patch)
tree1081a5d6131a0f6062f92502f9c56c1661847ea0
parent4c37f923d90b85c88cb54140ac49975d5e37cb39 (diff)
downloadecs2-2473c5588b1d89cc5cbf934d5a0b4df08c161dd5.tar.gz
ecs2-2473c5588b1d89cc5cbf934d5a0b4df08c161dd5.zip
Additional tests authenticating as anounymous or subparticipant.
It is no longer possible to use arbitrary authentication values in the Cookie header. Now it is only possible to use anonymous cookie values in the anonymous Cookie header and subparticipant cookie values in the subparticipant Cookie header.
-rw-r--r--app/controllers/application_controller.rb8
1 files changed, 4 insertions, 4 deletions
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 4ea8cfb..6c3e6bd 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -103,8 +103,8 @@ protected
if !(@cookie = cookies[:ecs_anonymous]).blank?
if (identity = Identity.find_by_name(@cookie)).blank?
raise Ecs::AuthenticationException, "No valid identity found for cookie: #{@cookie}"
- elsif (participant = identity.participant).blank?
- raise Ecs::AuthenticationException, "Cookie: #{@cookie}\" is not assigned any participant"
+ elsif (participant = identity.participant).blank? or !participant.anonymous
+ raise Ecs::AuthenticationException, "Cookie: #{@cookie}\" is not assigned any anonymous participant"
else
return participant
end
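Review bot: The rewritten `raise` line still interpolates the raw `@cookie` value, which is the credential being checked. If Ecs::AuthenticationException messages are logged or rendered in the response (not visible in this hunk), the value ends up in log files or is reflected back to the caller. Consider dropping it, e.g. `raise Ecs::AuthenticationException, "Cookie is not assigned any anonymous participant"`; the subparticipant hunk below has the same line. While touching the line, the message carries an unbalanced `\"`, and the condition would read more conventionally with `||` than `or`. The enclosing method starts and ends outside the hunk.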
@@ -117,8 +117,8 @@ protected
if !(@cookie = cookies[:ecs_subparticipant]).blank?
if (identity = Identity.find_by_name(@cookie)).blank?
raise Ecs::AuthenticationException, "No valid identity found for subparticipant cookie: #{@cookie}"
- elsif (participant = identity.participant).blank?
- raise Ecs::AuthenticationException, "Subparticipant-Cookie: #{@cookie}\" is not assigned any participant"
+ elsif (participant = identity.participant).blank? or !participant.subparticipant
+ raise Ecs::AuthenticationException, "Subparticipant-Cookie: #{@cookie}\" is not assigned any subparticipant"
else
return participant
end
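Review bot: An identity that exists but belongs to the wrong participant type now raises a different message from the "No valid identity found" branch two lines above. A caller who sees the message can therefore tell whether a presented value matches an existing identity of another kind. Whether the message reaches the client is not visible here; if it does, raise one uniform message in both branches, e.g. `raise Ecs::AuthenticationException, "Authentication failed"`, and keep the distinguishing detail in a server-side log entry. The anonymous hunk above has the same shape, and the enclosing method continues outside this hunk.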