1 class UserController < ApplicationController
2 layout 'site', :except => :api_details
4 before_filter :authorize, :only => [:api_details, :api_gpx_files]
5 before_filter :authorize_web, :except => [:api_details, :api_gpx_files]
6 before_filter :set_locale, :except => [:api_details, :api_gpx_files]
7 before_filter :require_user, :only => [:account, :go_public, :make_friend, :remove_friend]
8 before_filter :check_database_readable, :except => [:api_details, :api_gpx_files]
9 before_filter :check_database_writable, :only => [:login, :new, :account, :go_public, :make_friend, :remove_friend]
10 before_filter :check_api_readable, :only => [:api_details, :api_gpx_files]
11 before_filter :require_allow_read_prefs, :only => [:api_details]
12 before_filter :require_allow_read_gpx, :only => [:api_gpx_files]
13 before_filter :require_cookies, :only => [:login, :confirm]
14 before_filter :require_administrator, :only => [:set_status, :delete, :list]
15 before_filter :lookup_this_user, :only => [:set_status, :delete]
17 filter_parameter_logging :password, :pass_crypt, :pass_crypt_confirmation
19 cache_sweeper :user_sweeper, :only => [:account, :set_status, :delete], :unless => STATUS == :database_offline
22 @legale = params[:legale] || OSM.IPToCountry(request.remote_ip) || DEFAULT_LEGALE
23 @text = OSM.legal_text_for_country(@legale)
26 render :update do |page|
27 page.replace_html "contributorTerms", :partial => "terms", :locals => { :has_decline => params[:has_decline] }
30 # The redirect from the OpenID provider reenters here
31 # again and we need to pass the parameters through to
32 # the open_id_authentication function
33 @user = session.delete(:new_user)
35 openid_verify(nil, @user) do |user|
38 if @user.openid_url.nil? or @user.invalid?
39 render :action => 'new'
41 render :action => 'terms'
44 session[:referer] = params[:referer]
46 @title = t 'user.terms.title'
47 @user = User.new(params[:user]) if params[:user]
49 if params[:user] and params[:user][:openid_url] and @user.pass_crypt.empty?
50 # We are creating an account with OpenID and no password
51 # was specified so create a random one
52 @user.pass_crypt = ActiveSupport::SecureRandom.base64(16)
53 @user.pass_crypt_confirmation = @user.pass_crypt
58 # Something is wrong, so rerender the form
59 render :action => :new
60 elsif @user.terms_agreed?
61 # Already agreed to terms, so just show settings
62 redirect_to :action => :account, :display_name => @user.display_name
63 elsif params[:user] and params[:user][:openid_url]
64 # Verify OpenID before moving on
65 session[:new_user] = @user
66 openid_verify(params[:user][:openid_url], @user)
69 # Not logged in, so redirect to the login page
70 redirect_to :action => :login, :referer => request.request_uri
76 @title = t 'user.new.title'
78 if Acl.find_by_address(request.remote_ip, :conditions => {:k => "no_account_creation"})
79 render :action => 'new'
80 elsif params[:decline]
81 redirect_to t('user.terms.declined')
83 if !@user.terms_agreed?
84 @user.consider_pd = params[:user][:consider_pd]
85 @user.terms_agreed = Time.now.getutc
87 flash[:notice] = t 'user.new.terms accepted'
91 redirect_to :action => :account, :display_name => @user.display_name
93 @user = User.new(params[:user])
95 @user.status = "pending"
96 @user.data_public = true
97 @user.description = "" if @user.description.nil?
98 @user.creation_ip = request.remote_ip
99 @user.languages = request.user_preferred_languages
100 @user.terms_agreed = Time.now.getutc
103 flash[:notice] = t 'user.new.flash create success message', :email => @user.email
104 Notifier.deliver_signup_confirm(@user, @user.tokens.create(:referer => session.delete(:referer)))
105 redirect_to :action => 'login'
107 render :action => 'new'
113 @title = t 'user.account.title'
114 @tokens = @user.oauth_tokens.find :all, :conditions => 'oauth_tokens.invalidated_at is null and oauth_tokens.authorized_at is not null'
116 if params[:user] and params[:user][:display_name] and params[:user][:description]
117 @user.display_name = params[:user][:display_name]
118 @user.new_email = params[:user][:new_email]
120 if params[:user][:pass_crypt].length > 0 or params[:user][:pass_crypt_confirmation].length > 0
121 @user.pass_crypt = params[:user][:pass_crypt]
122 @user.pass_crypt_confirmation = params[:user][:pass_crypt_confirmation]
125 @user.description = params[:user][:description]
126 @user.languages = params[:user][:languages].split(",")
128 case params[:image_action]
129 when "new" then @user.image = params[:user][:image]
130 when "delete" then @user.image = nil
133 @user.home_lat = params[:user][:home_lat]
134 @user.home_lon = params[:user][:home_lon]
136 @user.openid_url = nil if params[:user][:openid_url].empty?
138 if params[:user][:openid_url].length > 0 and
139 params[:user][:openid_url] != @user.openid_url
140 # If the OpenID has changed, we want to check that it is a
141 # valid OpenID and one the user has control over before saving
142 # it as a password equivalent for the user.
143 session[:new_user] = @user
144 openid_verify(params[:user][:openid_url], @user)
149 # The redirect from the OpenID provider reenters here
150 # again and we need to pass the parameters through to
151 # the open_id_authentication function
152 @user = session.delete(:new_user)
153 openid_verify(nil, @user) do |user|
160 @user.data_public = true
162 flash[:notice] = t 'user.go_public.flash success'
163 redirect_to :controller => 'user', :action => 'account', :display_name => @user.display_name
167 @title = t 'user.lost_password.title'
169 if params[:user] and params[:user][:email]
170 user = User.find_by_email(params[:user][:email], :conditions => {:status => ["pending", "active", "confirmed"]})
173 token = user.tokens.create
174 Notifier.deliver_lost_password(user, token)
175 flash[:notice] = t 'user.lost_password.notice email on way'
176 redirect_to :action => 'login'
178 flash.now[:error] = t 'user.lost_password.notice email cannot find'
184 @title = t 'user.reset_password.title'
187 token = UserToken.find_by_token(params[:token])
193 @user.pass_crypt = params[:user][:pass_crypt]
194 @user.pass_crypt_confirmation = params[:user][:pass_crypt_confirmation]
195 @user.status = "active" if @user.status == "pending"
196 @user.email_valid = true
200 flash[:notice] = t 'user.reset_password.flash changed'
201 redirect_to :action => 'login'
205 flash[:error] = t 'user.reset_password.flash token bad'
206 redirect_to :action => 'lost_password'
212 @title = t 'user.new.title'
213 @referer = params[:referer] || session[:referer]
216 # The user is logged in already, so don't show them the signup
217 # page, instead send them to the home page
218 redirect_to :controller => 'site', :action => 'index'
219 elsif not params['openid'].nil?
220 flash.now[:notice] = t 'user.new.openid association'
225 if params[:username] or using_open_id?
226 session[:remember_me] ||= params[:remember_me]
227 session[:referer] ||= params[:referer]
230 openid_authentication(params[:openid_url])
232 password_authentication(params[:username], params[:password])
234 elsif flash[:notice].nil?
235 flash.now[:notice] = t 'user.login.notice'
240 @title = t 'user.logout.title'
242 if params[:session] == request.session_options[:id]
244 token = UserToken.find_by_token(session[:token])
248 session[:token] = nil
251 session_expires_automatically
253 redirect_to params[:referer]
255 redirect_to :controller => 'site', :action => 'index'
262 if token = UserToken.find_by_token(params[:confirm_string])
263 if token.user.active?
264 flash[:error] = t('user.confirm.already active')
265 redirect_to :action => 'login'
268 user.status = "active"
269 user.email_valid = true
271 referer = token.referer
273 session[:user] = user.id
276 flash[:notice] = t('user.confirm.success')
279 flash[:notice] = t('user.confirm.success') + "<br /><br />" + t('user.confirm.before you start')
280 redirect_to :action => 'account', :display_name => user.display_name
284 user = User.find_by_display_name(params[:display_name])
286 if user and user.active?
287 flash[:error] = t('user.confirm.already active')
289 flash[:error] = t('user.confirm.unknown token') + t('user.confirm.reconfirm', :reconfirm => url_for(:action => 'confirm_resend', :display_name => params[:display_name]))
291 flash[:error] = t('user.confirm.unknown token')
294 redirect_to :action => 'login'
300 if user = User.find_by_display_name(params[:display_name])
301 Notifier.deliver_signup_confirm(user, user.tokens.create)
302 flash[:notice] = t 'user.confirm_resend.success', :email => user.email
304 flash[:notice] = t 'user.confirm_resend.failure', :name => params[:display_name]
307 redirect_to :action => 'login'
312 token = UserToken.find_by_token(params[:confirm_string])
313 if token and token.user.new_email?
315 @user.email = @user.new_email
316 @user.new_email = nil
317 @user.email_valid = true
319 flash[:notice] = t 'user.confirm_email.success'
321 flash[:errors] = @user.errors
324 session[:user] = @user.id
325 redirect_to :action => 'account', :display_name => @user.display_name
327 flash[:error] = t 'user.confirm_email.failure'
328 redirect_to :action => 'account', :display_name => @user.display_name
334 doc = OSM::API.new.get_xml_doc
335 @user.traces.each do |trace|
336 doc.root << trace.to_xml_node() if trace.public? or trace.user == @user
338 render :text => doc.to_s, :content_type => "text/xml"
342 @this_user = User.find_by_display_name(params[:display_name])
345 (@this_user.visible? or (@user and @user.administrator?))
346 @title = @this_user.display_name
348 @title = t 'user.no_such_user.title'
349 @not_found_user = params[:display_name]
350 render :action => 'no_such_user', :status => :not_found
355 if params[:display_name]
356 name = params[:display_name]
357 new_friend = User.find_by_display_name(name, :conditions => {:status => ["active", "confirmed"]})
359 friend.user_id = @user.id
360 friend.friend_user_id = new_friend.id
361 unless @user.is_friends_with?(new_friend)
363 flash[:notice] = t 'user.make_friend.success', :name => name
364 Notifier.deliver_friend_notification(friend)
366 friend.add_error(t('user.make_friend.failed', :name => name))
369 flash[:warning] = t 'user.make_friend.already_a_friend', :name => name
373 redirect_to params[:referer]
375 redirect_to :controller => 'user', :action => 'view'
381 if params[:display_name]
382 name = params[:display_name]
383 friend = User.find_by_display_name(name, :conditions => {:status => ["active", "confirmed"]})
384 if @user.is_friends_with?(friend)
385 Friend.delete_all "user_id = #{@user.id} AND friend_user_id = #{friend.id}"
386 flash[:notice] = t 'user.remove_friend.success', :name => friend.display_name
388 flash[:error] = t 'user.remove_friend.not_a_friend', :name => friend.display_name
392 redirect_to params[:referer]
394 redirect_to :controller => 'user', :action => 'view'
400 # sets a user's status
402 @this_user.update_attributes(:status => params[:status])
403 redirect_to :controller => 'user', :action => 'view', :display_name => params[:display_name]
407 # delete a user, marking them as deleted and removing personal data
410 redirect_to :controller => 'user', :action => 'view', :display_name => params[:display_name]
414 # display a list of users matching specified criteria
417 ids = params[:user].keys.collect { |id| id.to_i }
419 User.update_all("status = 'confirmed'", :id => ids) if params[:confirm]
420 User.update_all("status = 'deleted'", :id => ids) if params[:hide]
422 redirect_to url_for(:status => params[:status], :ip => params[:ip], :page => params[:page])
424 conditions = Hash.new
425 conditions[:status] = params[:status] if params[:status]
426 conditions[:creation_ip] = params[:ip] if params[:ip]
428 @user_pages, @users = paginate(:users,
429 :conditions => conditions,
438 # handle password authentication
439 def password_authentication(username, password)
440 if user = User.authenticate(:username => username, :password => password)
441 successful_login(user)
442 elsif user = User.authenticate(:username => username, :password => password, :pending => true)
443 failed_login t('user.login.account not active', :reconfirm => url_for(:action => 'confirm_resend', :display_name => user.display_name))
444 elsif User.authenticate(:username => username, :password => password, :suspended => true)
445 webmaster = link_to t('user.login.webmaster'), "mailto:webmaster@openstreetmap.org"
446 failed_login t('user.login.account suspended', :webmaster => webmaster)
448 failed_login t('user.login.auth failure')
453 # handle OpenID authentication
454 def openid_authentication(openid_url)
455 # If we don't appear to have a user for this URL then ask the
456 # provider for some extra information to help with signup
457 if openid_url and User.find_by_openid_url(openid_url)
460 required = [:nickname, :email, "http://axschema.org/namePerson/friendly", "http://axschema.org/contact/email"]
463 # Start the authentication
464 authenticate_with_open_id(openid_expand_url(openid_url), :required => required) do |result, identity_url, sreg, ax|
465 if result.successful?
466 # We need to use the openid url passed back from the OpenID provider
467 # rather than the one supplied by the user, as these can be different.
469 # For example, you can simply enter yahoo.com in the login box rather
470 # than a user specific url. Only once it comes back from the provider
471 # provider do we know the unique address for the user.
472 if user = User.find_by_openid_url(identity_url)
475 failed_login t('user.login.account not active')
476 when "active", "confirmed" then
477 successful_login(user)
478 when "suspended" then
479 webmaster = link_to t('user.login.webmaster'), "mailto:webmaster@openstreetmap.org"
480 failed_login t('user.login.account suspended', :webmaster => webmaster)
482 failed_login t('user.login.auth failure')
485 # We don't have a user registered to this OpenID, so redirect
486 # to the create account page with username and email filled
487 # in if they have been given by the OpenID provider through
488 # the simple registration protocol.
489 nickname = sreg["nickname"] || ax["http://axschema.org/namePerson/friendly"]
490 email = sreg["email"] || ax["http://axschema.org/contact/email"]
491 redirect_to :controller => 'user', :action => 'new', :nickname => nickname, :email => email, :openid => identity_url
493 elsif result.missing?
494 failed_login t('user.login.openid missing provider')
495 elsif result.invalid?
496 failed_login t('user.login.openid invalid')
498 failed_login t('user.login.auth failure')
504 # verify an OpenID URL
505 def openid_verify(openid_url, user)
506 user.openid_url = openid_url
508 authenticate_with_open_id(openid_expand_url(openid_url)) do |result, identity_url|
509 if result.successful?
510 # We need to use the openid url passed back from the OpenID provider
511 # rather than the one supplied by the user, as these can be different.
513 # For example, you can simply enter yahoo.com in the login box rather
514 # than a user specific url. Only once it comes back from the provider
515 # provider do we know the unique address for the user.
516 user.openid_url = identity_url
518 elsif result.missing?
519 flash.now[:error] = t 'user.login.openid missing provider'
520 elsif result.invalid?
521 flash.now[:error] = t 'user.login.openid invalid'
523 flash.now[:error] = t 'user.login.auth failure'
529 # special case some common OpenID providers by applying heuristics to
530 # try and come up with the correct URL based on what the user entered
531 def openid_expand_url(openid_url)
534 elsif openid_url.match(/(.*)gmail.com(\/?)$/) or openid_url.match(/(.*)googlemail.com(\/?)$/)
535 # Special case gmail.com as it is potentially a popular OpenID
536 # provider and, unlike yahoo.com, where it works automatically, Google
537 # have hidden their OpenID endpoint somewhere obscure this making it
538 # somewhat less user friendly.
539 return 'https://www.google.com/accounts/o8/id'
546 # process a successful login
547 def successful_login(user)
548 session[:user] = user.id
550 session_expires_after 1.month if session[:remember_me]
552 if user.blocked_on_view
553 redirect_to user.blocked_on_view, :referer => params[:referer]
554 elsif session[:referer]
555 redirect_to session[:referer]
557 redirect_to :controller => 'site', :action => 'index'
560 session.delete(:remember_me)
561 session.delete(:referer)
565 # process a failed login
566 def failed_login(message)
567 flash[:error] = message
569 redirect_to :action => 'login', :referer => session[:referer]
571 session.delete(:remember_me)
572 session.delete(:referer)
576 # update a user's details
577 def update_user(user)
581 if user.new_email.nil? or user.new_email.empty?
582 flash.now[:notice] = t 'user.account.flash update success'
584 flash.now[:notice] = t 'user.account.flash update success confirm needed'
587 Notifier.deliver_email_confirm(user, user.tokens.create)
589 # Ignore errors sending email
596 # require that the user is a administrator, or fill out a helpful error message
597 # and return them to the user page.
598 def require_administrator
599 if @user and not @user.administrator?
600 flash[:error] = t('user.filter.not_an_administrator')
602 if params[:display_name]
603 redirect_to :controller => 'user', :action => 'view', :display_name => params[:display_name]
605 redirect_to :controller => 'user', :action => 'login', :referer => request.request_uri
608 redirect_to :controller => 'user', :action => 'login', :referer => request.request_uri
613 # ensure that there is a "this_user" instance variable
615 @this_user = User.find_by_display_name(params[:display_name])
616 rescue ActiveRecord::RecordNotFound
617 redirect_to :controller => 'user', :action => 'view', :display_name => params[:display_name] unless @this_user