Merge remote-tracking branch 'upstream/pull/2125'
[rails.git] / app / controllers / oauth_controller.rb
1 require "oauth/controllers/provider_controller"
2
3 class OauthController < ApplicationController
4   include OAuth::Controllers::ProviderController
5
6   # The ProviderController will call login_required for any action that needs
7   # a login, but we want to check authorization on every action.
8   authorize_resource :class => false
9
10   layout "site"
11
12   def revoke
13     @token = current_user.oauth_tokens.find_by :token => params[:token]
14     if @token
15       @token.invalidate!
16       flash[:notice] = t(".flash", :application => @token.client_application.name)
17     end
18     redirect_to oauth_clients_url(:display_name => @token.user.display_name)
19   end
20
21   protected
22
23   def login_required
24     authorize_web
25     set_locale
26   end
27
28   def user_authorizes_token?
29     any_auth = false
30
31     @token.client_application.permissions.each do |pref|
32       if params[pref]
33         @token.write_attribute(pref, true)
34         any_auth ||= true
35       else
36         @token.write_attribute(pref, false)
37       end
38     end
39
40     any_auth
41   end
42
43   def oauth1_authorize
44     override_content_security_policy_directives(:form_action => []) if CSP_ENFORCE || defined?(CSP_REPORT_URL)
45
46     if @token.invalidated?
47       @message = t "oauth.authorize_failure.invalid"
48       render :action => "authorize_failure"
49     elsif request.post?
50       if user_authorizes_token?
51         @token.authorize!(current_user)
52         callback_url = if @token.oauth10?
53                          params[:oauth_callback] || @token.client_application.callback_url
54                        else
55                          @token.oob? ? @token.client_application.callback_url : @token.callback_url
56                        end
57         @redirect_url = URI.parse(callback_url) if callback_url.present?
58
59         if @redirect_url.to_s.blank?
60           render :action => "authorize_success"
61         else
62           @redirect_url.query = if @redirect_url.query.blank?
63                                   "oauth_token=#{@token.token}"
64                                 else
65                                   @redirect_url.query +
66                                     "&oauth_token=#{@token.token}"
67                                 end
68
69           @redirect_url.query += "&oauth_verifier=#{@token.verifier}" unless @token.oauth10?
70
71           redirect_to @redirect_url.to_s
72         end
73       else
74         @token.invalidate!
75         @message = t("oauth.authorize_failure.denied", :app_name => @token.client_application.name)
76         render :action => "authorize_failure"
77       end
78     end
79   end
80 end