app/controllers/users_controller.rb

   1 # frozen_string_literal: true
   2
   3 class UsersController < ApplicationController
   4   include EmailMethods
   5   include SessionMethods
   6   include UserMethods
   7
   8   layout :site_layout
   9
  10   skip_before_action :verify_authenticity_token, :only => [:auth_success]
  11   before_action :authorize_web
  12   before_action :set_locale
  13   before_action :check_database_readable
  14
  15   authorize_resource
  16
  17   before_action :check_database_writable, :only => [:new, :go_public]
  18   before_action :require_cookies, :only => [:new]
  19
  20   allow_thirdparty_images :only => :show
  21   allow_social_login :only => :new
  22
  23   def show
  24     @user = User.find_by(:display_name => params[:display_name])
  25
  26     if @user && (@user.visible? || current_user&.administrator?)
  27       @title = @user.display_name
  28       @heatmap_frame = true
  29     else
  30       render_unknown_user params[:display_name]
  31     end
  32   end
  33
  34   def new
  35     @title = t ".title"
  36     @referer = safe_referer(params[:referer])
  37
  38     parse_oauth_referer @referer
  39
  40     if current_user
  41       # The user is logged in already, so don't show them the signup
  42       # page, instead send them to the home page
  43       redirect_to @referer || { :controller => "site", :action => "index" }
  44     elsif params.key?(:auth_provider) && params.key?(:auth_uid)
  45       @email_hmac = params[:email_hmac]
  46
  47       self.current_user = User.new(:email => params[:email],
  48                                    :display_name => params[:nickname],
  49                                    :auth_provider => params[:auth_provider],
  50                                    :auth_uid => params[:auth_uid])
  51
  52       if current_user.valid? || current_user.errors[:email].empty?
  53         flash.now[:notice] = render_to_string :partial => "auth_association"
  54       else
  55         flash.now[:warning] = t ".duplicate_social_email"
  56       end
  57     elsif check_signup_allowed?
  58       self.current_user = User.new
  59     else
  60       render :action => "blocked"
  61     end
  62   end
  63
  64   def create
  65     self.current_user = User.new(user_params)
  66
  67     if check_signup_allowed?(current_user.email)
  68       if current_user.auth_uid.present?
  69         # We are creating an account with external authentication and
  70         # no password was specified so create a random one
  71         current_user.pass_crypt = SecureRandom.base64(16)
  72         current_user.pass_crypt_confirmation = current_user.pass_crypt
  73       end
  74
  75       if current_user.invalid?
  76         # Something is wrong with a new user, so rerender the form
  77         render :action => "new"
  78       else
  79         # Save the user record
  80         if save_new_user params[:email_hmac]
  81           SIGNUP_IP_LIMITER&.update(request.remote_ip)
  82           SIGNUP_EMAIL_LIMITER&.update(canonical_email(current_user.email))
  83
  84           flash[:matomo_goal] = Settings.matomo["goals"]["signup"] if defined?(Settings.matomo)
  85
  86           referer = welcome_path(welcome_options(params[:referer]))
  87
  88           if current_user.status == "active"
  89             successful_login(current_user, referer)
  90           else
  91             session[:pending_user] = current_user.id
  92             UserMailer.signup_confirm(current_user, current_user.generate_token_for(:new_user), referer).deliver_later
  93             redirect_to :controller => :confirmations, :action => :confirm, :display_name => current_user.display_name
  94           end
  95         else
  96           render :action => "new", :referer => params[:referer]
  97         end
  98       end
  99     else
 100       render :action => "blocked"
 101     end
 102   end
 103
 104   def go_public
 105     current_user.data_public = true
 106     current_user.save
 107     flash[:notice] = t ".flash success"
 108     redirect_to account_path
 109   end
 110
 111   ##
 112   # omniauth success callback
 113   def auth_success
 114     referer = request.env["omniauth.params"]["referer"]
 115     auth_info = request.env["omniauth.auth"]
 116
 117     provider = auth_info[:provider]
 118     uid = auth_info[:uid]
 119     name = auth_info[:info][:name]
 120     email = auth_info[:info][:email]
 121
 122     email_verified = case provider
 123                      when "google", "apple", "facebook", "microsoft", "github", "wikipedia"
 124                        true
 125                      else
 126                        false
 127                      end
 128
 129     if settings = session.delete(:new_user_settings)
 130       current_user.auth_provider = provider
 131       current_user.auth_uid = uid
 132
 133       update_user(current_user, settings)
 134
 135       flash.discard
 136
 137       session[:user_errors] = current_user.errors.as_json
 138
 139       redirect_to account_path
 140     else
 141       user = User.find_by(:auth_provider => provider, :auth_uid => uid)
 142
 143       if user.nil? && provider == "google"
 144         openid_url = auth_info[:extra][:id_info]["openid_id"]
 145         user = User.find_by(:auth_provider => "openid", :auth_uid => openid_url) if openid_url
 146         user&.update(:auth_provider => provider, :auth_uid => uid)
 147       end
 148
 149       if user
 150         case user.status
 151         when "pending"
 152           unconfirmed_login(user, referer)
 153         when "active", "confirmed"
 154           successful_login(user, referer)
 155         when "suspended"
 156           failed_login({ :partial => "sessions/suspended_flash" }, user.display_name, referer)
 157         else
 158           failed_login(t("sessions.new.auth failure"), user.display_name, referer)
 159         end
 160       else
 161         email_hmac = UsersController.message_hmac(email) if email_verified && email
 162         redirect_to :action => "new", :nickname => name, :email => email, :email_hmac => email_hmac,
 163                     :auth_provider => provider, :auth_uid => uid, :referer => referer
 164       end
 165     end
 166   end
 167
 168   ##
 169   # omniauth failure callback
 170   def auth_failure
 171     flash[:error] = t(params[:message], :scope => "users.auth_failure", :default => t(".unknown_error"))
 172
 173     origin = safe_referer(params[:origin]) if params[:origin]
 174
 175     redirect_to origin || login_url
 176   end
 177
 178   def self.message_hmac(text)
 179     sha256 = Digest::SHA256.new
 180     sha256 << Rails.application.key_generator.generate_key("openstreetmap/email_address")
 181     sha256 << text
 182     Base64.urlsafe_encode64(sha256.digest)
 183   end
 184
 185   private
 186
 187   def save_new_user(email_hmac)
 188     current_user.data_public = true
 189     current_user.description = "" if current_user.description.nil?
 190     current_user.creation_address = request.remote_ip
 191     current_user.languages = if request.cookies["_osm_locale"]
 192                                Locale.list(request.cookies["_osm_locale"])
 193                              else
 194                                http_accept_language.user_preferred_languages
 195                              end
 196     current_user.terms_agreed = Time.now.utc
 197     current_user.tou_agreed = Time.now.utc
 198     current_user.terms_seen = true
 199
 200     if current_user.auth_uid.blank?
 201       current_user.auth_provider = nil
 202       current_user.auth_uid = nil
 203     elsif email_hmac && ActiveSupport::SecurityUtils.secure_compare(email_hmac, UsersController.message_hmac(current_user.email))
 204       current_user.activate
 205     end
 206
 207     current_user.save
 208   end
 209
 210   def welcome_options(referer = nil)
 211     uri = URI(referer) if referer.present?
 212
 213     return { "oauth_return_url" => uri&.to_s } if uri&.path == oauth_authorization_path
 214
 215     begin
 216       %r{map=(.*)/(.*)/(.*)}.match(uri.fragment) do |m|
 217         editor = Rack::Utils.parse_query(uri.query).slice("editor")
 218         return { "zoom" => m[1], "lat" => m[2], "lon" => m[3] }.merge(editor)
 219       end
 220     rescue StandardError
 221       # Use default
 222     end
 223   end
 224
 225   ##
 226   # return permitted user parameters
 227   def user_params
 228     params.expect(:user => [:email, :display_name,
 229                             :auth_provider, :auth_uid,
 230                             :pass_crypt, :pass_crypt_confirmation])
 231   end
 232
 233   ##
 234   # check signup acls
 235   def check_signup_allowed?(email = nil)
 236     domain = if email.nil?
 237                nil
 238              else
 239                email.split("@").last
 240              end
 241
 242     mx_servers = if domain.nil?
 243                    nil
 244                  else
 245                    domain_mx_servers(domain)
 246                  end
 247
 248     return true if Acl.allow_account_creation?(request.remote_ip, :domain => domain, :mx => mx_servers)
 249
 250     blocked = Acl.no_account_creation?(request.remote_ip, :domain => domain, :mx => mx_servers)
 251
 252     blocked ||= SIGNUP_IP_LIMITER && !SIGNUP_IP_LIMITER.allow?(request.remote_ip)
 253
 254     blocked ||= email && SIGNUP_EMAIL_LIMITER && !SIGNUP_EMAIL_LIMITER.allow?(canonical_email(email))
 255
 256     logger.info "Blocked signup from #{request.remote_ip} for #{email}" if blocked
 257
 258     !blocked
 259   end
 260 end