class UsersController < ApplicationController
+ include SessionMethods
+
layout "site"
skip_before_action :verify_authenticity_token, :only => [:auth_success]
- before_action :disable_terms_redirect, :only => [:terms, :save, :logout]
+ before_action :disable_terms_redirect, :only => [:terms, :save]
before_action :authorize_web
before_action :set_locale
before_action :check_database_readable
authorize_resource
before_action :require_self, :only => [:account]
- before_action :check_database_writable, :only => [:new, :account, :confirm, :confirm_email, :lost_password, :reset_password, :go_public]
- before_action :require_cookies, :only => [:new, :login, :confirm]
+ before_action :check_database_writable, :only => [:new, :account, :go_public]
+ before_action :require_cookies, :only => [:new]
before_action :lookup_user_by_name, :only => [:set_status, :destroy]
before_action :allow_thirdparty_images, :only => [:show, :account]
else
session[:token] = current_user.tokens.create.token
UserMailer.signup_confirm(current_user, current_user.tokens.create(:referer => referer)).deliver_later
- redirect_to :action => "confirm", :display_name => current_user.display_name
+ redirect_to :controller => :confirmations, :action => :confirm, :display_name => current_user.display_name
end
else
render :action => "new", :referer => params[:referer]
redirect_to :action => "account", :display_name => current_user.display_name
end
- def lost_password
- @title = t "users.lost_password.title"
-
- if request.post?
- user = User.visible.find_by(:email => params[:email])
-
- if user.nil?
- users = User.visible.where("LOWER(email) = LOWER(?)", params[:email])
-
- user = users.first if users.count == 1
- end
-
- if user
- token = user.tokens.create
- UserMailer.lost_password(user, token).deliver_later
- flash[:notice] = t "users.lost_password.notice email on way"
- redirect_to login_path
- else
- flash.now[:error] = t "users.lost_password.notice email cannot find"
- end
- end
- end
-
- def reset_password
- @title = t "users.reset_password.title"
-
- if params[:token]
- token = UserToken.find_by(:token => params[:token])
-
- if token
- self.current_user = token.user
-
- if params[:user]
- current_user.pass_crypt = params[:user][:pass_crypt]
- current_user.pass_crypt_confirmation = params[:user][:pass_crypt_confirmation]
- current_user.status = "active" if current_user.status == "pending"
- current_user.email_valid = true
-
- if current_user.save
- token.destroy
- session[:fingerprint] = current_user.fingerprint
- flash[:notice] = t "users.reset_password.flash changed"
- successful_login(current_user)
- end
- end
- else
- flash[:error] = t "users.reset_password.flash token bad"
- redirect_to :action => "lost_password"
- end
- else
- head :bad_request
- end
- end
-
def new
@title = t "users.new.title"
@referer = if params[:referer]
end
end
- def login
- append_content_security_policy_directives(
- :form_action => %w[*]
- )
-
- session[:referer] = safe_referer(params[:referer]) if params[:referer]
-
- if request.post?
- session[:remember_me] ||= params[:remember_me]
- password_authentication(params[:username], params[:password])
- end
- end
-
- def logout
- @title = t "users.logout.title"
-
- if request.post?
- if session[:token]
- token = UserToken.find_by(:token => session[:token])
- token&.destroy
- session.delete(:token)
- end
- session.delete(:user)
- session_expires_automatically
- if params[:referer]
- redirect_to safe_referer(params[:referer])
- else
- redirect_to :controller => "site", :action => "index"
- end
- end
- end
-
- def confirm
- if request.post?
- token = UserToken.find_by(:token => params[:confirm_string])
- if token&.user&.active?
- flash[:error] = t("users.confirm.already active")
- redirect_to login_path
- elsif !token || token.expired?
- flash[:error] = t("users.confirm.unknown token")
- redirect_to :action => "confirm"
- else
- user = token.user
- user.status = "active"
- user.email_valid = true
- flash[:notice] = gravatar_status_message(user) if gravatar_enable(user)
- user.save!
- referer = safe_referer(token.referer) if token.referer
- token.destroy
-
- if session[:token]
- token = UserToken.find_by(:token => session[:token])
- session.delete(:token)
- else
- token = nil
- end
-
- if token.nil? || token.user != user
- flash[:notice] = t("users.confirm.success")
- redirect_to login_path(:referer => referer)
- else
- token.destroy
-
- session[:user] = user.id
- session[:fingerprint] = user.fingerprint
-
- redirect_to referer || welcome_path
- end
- end
- else
- user = User.find_by(:display_name => params[:display_name])
-
- redirect_to root_path if user.nil? || user.active?
- end
- end
-
- def confirm_resend
- user = User.find_by(:display_name => params[:display_name])
- token = UserToken.find_by(:token => session[:token])
-
- if user.nil? || token.nil? || token.user != user
- flash[:error] = t "users.confirm_resend.failure", :name => params[:display_name]
- else
- UserMailer.signup_confirm(user, user.tokens.create).deliver_later
- flash[:notice] = t "users.confirm_resend.success_html", :email => user.email, :sender => Settings.support_email
- end
-
- redirect_to login_path
- end
-
- def confirm_email
- if request.post?
- token = UserToken.find_by(:token => params[:confirm_string])
- if token&.user&.new_email?
- self.current_user = token.user
- current_user.email = current_user.new_email
- current_user.new_email = nil
- current_user.email_valid = true
- gravatar_enabled = gravatar_enable(current_user)
- if current_user.save
- flash[:notice] = if gravatar_enabled
- "#{t('users.confirm_email.success')} #{gravatar_status_message(current_user)}"
- else
- t("users.confirm_email.success")
- end
- else
- flash[:errors] = current_user.errors
- end
- current_user.tokens.delete_all
- session[:user] = current_user.id
- session[:fingerprint] = current_user.fingerprint
- redirect_to :action => "account", :display_name => current_user.display_name
- elsif token
- flash[:error] = t "users.confirm_email.failure"
- redirect_to :action => "account", :display_name => token.user.display_name
- else
- flash[:error] = t "users.confirm_email.unknown_token"
- end
- end
- end
-
def show
@user = User.find_by(:display_name => params[:display_name])
private
- ##
- # handle password authentication
- def password_authentication(username, password)
- if user = User.authenticate(:username => username, :password => password)
- successful_login(user)
- elsif user = User.authenticate(:username => username, :password => password, :pending => true)
- unconfirmed_login(user)
- elsif User.authenticate(:username => username, :password => password, :suspended => true)
- failed_login t("users.login.account is suspended", :webmaster => "mailto:#{Settings.support_email}").html_safe, username
- else
- failed_login t("users.login.auth failure"), username
- end
- end
-
- ##
- # return the URL to use for authentication
- def auth_url(provider, uid, referer = nil)
- params = { :provider => provider }
-
- params[:openid_url] = openid_expand_url(uid) if provider == "openid"
-
- if referer.nil?
- params[:origin] = request.path
- else
- params[:origin] = "#{request.path}?referer=#{CGI.escape(referer)}"
- params[:referer] = referer
- end
-
- auth_path(params)
- end
-
- ##
- # special case some common OpenID providers by applying heuristics to
- # try and come up with the correct URL based on what the user entered
- def openid_expand_url(openid_url)
- if openid_url.nil?
- nil
- elsif openid_url.match(%r{(.*)gmail.com(/?)$}) || openid_url.match(%r{(.*)googlemail.com(/?)$})
- # Special case gmail.com as it is potentially a popular OpenID
- # provider and, unlike yahoo.com, where it works automatically, Google
- # have hidden their OpenID endpoint somewhere obscure this making it
- # somewhat less user friendly.
- "https://www.google.com/accounts/o8/id"
- else
- openid_url
- end
- end
-
- ##
- # process a successful login
- def successful_login(user, referer = nil)
- session[:user] = user.id
- session[:fingerprint] = user.fingerprint
- session_expires_after 28.days if session[:remember_me]
-
- target = referer || session[:referer] || url_for(:controller => :site, :action => :index)
-
- # The user is logged in, so decide where to send them:
- #
- # - If they haven't seen the contributor terms, send them there.
- # - If they have a block on them, show them that.
- # - If they were referred to the login, send them back there.
- # - Otherwise, send them to the home page.
- if !user.terms_seen
- redirect_to :action => :terms, :referer => target
- elsif user.blocked_on_view
- redirect_to user.blocked_on_view, :referer => target
- else
- redirect_to target
- end
-
- session.delete(:remember_me)
- session.delete(:referer)
- end
-
- ##
- # process a failed login
- def failed_login(message, username = nil)
- flash[:error] = message
-
- redirect_to :action => "login", :referer => session[:referer],
- :username => username, :remember_me => session[:remember_me]
-
- session.delete(:remember_me)
- session.delete(:referer)
- end
-
##
#
def unconfirmed_login(user)
redirect_to :action => "view", :display_name => params[:display_name] unless @user
end
- ##
- #
- def disable_terms_redirect
- # this is necessary otherwise going to the user terms page, when
- # having not agreed already would cause an infinite redirect loop.
- # it's .now so that this doesn't propagate to other pages.
- flash.now[:skip_terms] = true
- end
-
##
# return permitted user parameters
def user_params
dns.getresources(domain, Resolv::DNS::Resource::IN::MX).collect(&:exchange).collect(&:to_s)
end
end
-
- ##
- # check if this user has a gravatar and set the user pref is true
- def gravatar_enable(user)
- # code from example https://en.gravatar.com/site/implement/images/ruby/
- return false if user.avatar.attached?
-
- hash = Digest::MD5.hexdigest(user.email.downcase)
- url = "https://www.gravatar.com/avatar/#{hash}?d=404" # without d=404 we will always get an image back
- response = OSM.http_client.get(URI.parse(url))
- oldsetting = user.image_use_gravatar
- user.image_use_gravatar = response.success?
- oldsetting != user.image_use_gravatar
- end
-
- ##
- # display a message about th current status of the gravatar setting
- def gravatar_status_message(user)
- if user.image_use_gravatar
- t "users.account.gravatar.enabled"
- else
- t "users.account.gravatar.disabled"
- end
- end
end