+ ##
+ # handle password authentication
+ def password_authentication(username, password)
+ if user = User.authenticate(:username => username, :password => password)
+ successful_login(user)
+ elsif user = User.authenticate(:username => username, :password => password, :pending => true)
+ failed_login t('user.login.account not active', :reconfirm => url_for(:action => 'confirm_resend', :display_name => user.display_name))
+ elsif User.authenticate(:username => username, :password => password, :suspended => true)
+ failed_login t('user.login.account is suspended', :webmaster => "mailto:webmaster@openstreetmap.org")
+ else
+ failed_login t('user.login.auth failure')
+ end
+ end
+
+ ##
+ # handle OpenID authentication
+ def openid_authentication(openid_url)
+ # If we don't appear to have a user for this URL then ask the
+ # provider for some extra information to help with signup
+ if openid_url and User.find_by_openid_url(openid_url)
+ required = nil
+ else
+ required = [:nickname, :email, "http://axschema.org/namePerson/friendly", "http://axschema.org/contact/email"]
+ end
+
+ # Start the authentication
+ authenticate_with_open_id(openid_expand_url(openid_url), :method => :get, :required => required) do |result, identity_url, sreg, ax|
+ if result.successful?
+ # We need to use the openid url passed back from the OpenID provider
+ # rather than the one supplied by the user, as these can be different.
+ #
+ # For example, you can simply enter yahoo.com in the login box rather
+ # than a user specific url. Only once it comes back from the provider
+ # provider do we know the unique address for the user.
+ if user = User.find_by_openid_url(identity_url)
+ case user.status
+ when "pending" then
+ failed_login t('user.login.account not active', :reconfirm => url_for(:action => 'confirm_resend', :display_name => user.display_name))
+ when "active", "confirmed" then
+ successful_login(user)
+ when "suspended" then
+ failed_login t('user.login.account is suspended', :webmaster => "mailto:webmaster@openstreetmap.org")
+ else
+ failed_login t('user.login.auth failure')
+ end
+ else
+ # Guard against not getting any extension data
+ sreg = Hash.new if sreg.nil?
+ ax = Hash.new if ax.nil?
+
+ # We don't have a user registered to this OpenID, so redirect
+ # to the create account page with username and email filled
+ # in if they have been given by the OpenID provider through
+ # the simple registration protocol.
+ nickname = sreg["nickname"] || ax["http://axschema.org/namePerson/friendly"].first
+ email = sreg["email"] || ax["http://axschema.org/contact/email"].first
+
+ redirect_to :controller => 'user', :action => 'new', :nickname => nickname, :email => email, :openid => identity_url
+ end
+ elsif result.missing?
+ failed_login t('user.login.openid missing provider')
+ elsif result.invalid?
+ failed_login t('user.login.openid invalid')
+ else
+ failed_login t('user.login.auth failure')
+ end
+ end
+ end
+
+ ##
+ # verify an OpenID URL
+ def openid_verify(openid_url, user)
+ user.openid_url = openid_url
+
+ authenticate_with_open_id(openid_expand_url(openid_url), :method => :get, :required => [:email, "http://axschema.org/contact/email"]) do |result, identity_url, sreg, ax|
+ if result.successful?
+ # Do we trust the emails this provider returns?
+ if openid_email_verified(identity_url)
+ # Guard against not getting any extension data
+ sreg = Hash.new if sreg.nil?
+ ax = Hash.new if ax.nil?
+
+ # Get the verified email
+ verified_email = sreg["email"] || ax["http://axschema.org/contact/email"].first
+ end
+
+ # We need to use the openid url passed back from the OpenID provider
+ # rather than the one supplied by the user, as these can be different.
+ #
+ # For example, you can simply enter yahoo.com in the login box rather
+ # than a user specific url. Only once it comes back from the provider
+ # provider do we know the unique address for the user.
+ user.openid_url = identity_url
+ yield user, verified_email
+ elsif result.missing?
+ flash.now[:error] = t 'user.login.openid missing provider'
+ elsif result.invalid?
+ flash.now[:error] = t 'user.login.openid invalid'
+ else
+ flash.now[:error] = t 'user.login.auth failure'
+ end
+ end
+ end
+
+ ##
+ # special case some common OpenID providers by applying heuristics to
+ # try and come up with the correct URL based on what the user entered
+ def openid_expand_url(openid_url)
+ if openid_url.nil?
+ return nil
+ elsif openid_url.match(/(.*)gmail.com(\/?)$/) or openid_url.match(/(.*)googlemail.com(\/?)$/)
+ # Special case gmail.com as it is potentially a popular OpenID
+ # provider and, unlike yahoo.com, where it works automatically, Google
+ # have hidden their OpenID endpoint somewhere obscure this making it
+ # somewhat less user friendly.
+ return 'https://www.google.com/accounts/o8/id'
+ else
+ return openid_url
+ end
+ end
+
+ ##
+ # check if we trust an OpenID provider to return a verified
+ # email, so that we can skpi verifying it ourselves
+ def openid_email_verified(openid_url)
+ openid_url.match(/https:\/\/www.google.com\/accounts\/o8\/id?(.*)/) or
+ openid_url.match(/https:\/\/me.yahoo.com\/(.*)/)
+ end
+
+ ##
+ # process a successful login
+ def successful_login(user)
+ cookies.permanent["_osm_username"] = user.display_name
+
+ session[:user] = user.id
+ session_expires_after 28.days if session[:remember_me]
+
+ target = session[:referer] || url_for(:controller => :site, :action => :index)
+
+ # The user is logged in, so decide where to send them:
+ #
+ # - If they haven't seen the contributor terms, send them there.
+ # - If they have a block on them, show them that.
+ # - If they were referred to the login, send them back there.
+ # - Otherwise, send them to the home page.
+ if REQUIRE_TERMS_SEEN and not user.terms_seen
+ redirect_to :controller => :user, :action => :terms, :referer => target
+ elsif user.blocked_on_view
+ redirect_to user.blocked_on_view, :referer => target
+ else
+ redirect_to target
+ end
+
+ session.delete(:remember_me)
+ session.delete(:referer)
+ end
+
+ ##
+ # process a failed login
+ def failed_login(message)
+ flash[:error] = message
+
+ redirect_to :action => 'login', :referer => session[:referer]
+
+ session.delete(:remember_me)
+ session.delete(:referer)
+ end
+
+ ##
+ # update a user's details
+ def update_user(user, params)
+ user.display_name = params[:user][:display_name]
+ user.new_email = params[:user][:new_email]
+
+ if params[:user][:pass_crypt].length > 0 or params[:user][:pass_crypt_confirmation].length > 0
+ user.pass_crypt = params[:user][:pass_crypt]
+ user.pass_crypt_confirmation = params[:user][:pass_crypt_confirmation]
+ end
+
+ if params[:user][:description] != user.description
+ user.description = params[:user][:description]
+ user.description_format = "markdown"
+ end
+
+ user.languages = params[:user][:languages].split(",")
+
+ case params[:image_action]
+ when "new" then
+ user.image = params[:user][:image]
+ user.image_use_gravatar = false
+ when "delete" then
+ user.image = nil
+ user.image_use_gravatar = false
+ when "gravatar" then
+ user.image = nil
+ user.image_use_gravatar = true
+ end
+
+ user.home_lat = params[:user][:home_lat]
+ user.home_lon = params[:user][:home_lon]
+
+ if params[:user][:preferred_editor] == "default"
+ user.preferred_editor = nil
+ else
+ user.preferred_editor = params[:user][:preferred_editor]
+ end
+
+ user.openid_url = nil if params[:user][:openid_url].blank?
+
+ if user.save
+ set_locale
+
+ cookies.permanent["_osm_username"] = user.display_name
+
+ if user.new_email.blank?
+ flash.now[:notice] = t 'user.account.flash update success'
+ else
+ user.email = user.new_email
+
+ if user.valid?
+ flash.now[:notice] = t 'user.account.flash update success confirm needed'
+
+ begin
+ Notifier.email_confirm(user, user.tokens.create).deliver
+ rescue
+ # Ignore errors sending email
+ end
+ else
+ @user.errors.set(:new_email, @user.errors.get(:email))
+ @user.errors.set(:email, [])
+ end
+
+ user.reset_email!
+ end
+ end
+ end
+