mirrors
/
redmine
mirror of https://github.com/redmine/redmine.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 201 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
12960 Commits
33 Branches
Tree: 9206d077d4
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '9206d077d4'
${ noResults }
redmine/app/controllers/account_controller.rb

account_controller.rb 11KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362 
  1. # Redmine - project management software

  2. # Copyright (C) 2006-2016  Jean-Philippe Lang

  3. #

  4. # This program is free software; you can redistribute it and/or

  5. # modify it under the terms of the GNU General Public License

  6. # as published by the Free Software Foundation; either version 2

  7. # of the License, or (at your option) any later version.

  8. #

  9. # This program is distributed in the hope that it will be useful,

  10. # but WITHOUT ANY WARRANTY; without even the implied warranty of

  11. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

  12. # GNU General Public License for more details.

  13. #

  14. # You should have received a copy of the GNU General Public License

  15. # along with this program; if not, write to the Free Software

  16. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.

  17. 

  18. class AccountController < ApplicationController

  19.   helper :custom_fields

  20.   include CustomFieldsHelper

  21. 

  22.   self.main_menu = false

  23. 

  24.   # prevents login action to be filtered by check_if_login_required application scope filter

  25.   skip_before_action :check_if_login_required, :check_password_change

  26. 

  27.   # Overrides ApplicationController#verify_authenticity_token to disable

  28.   # token verification on openid callbacks

  29.   def verify_authenticity_token

  30.     unless using_open_id?

  31.       super

  32.     end

  33.   end

  34. 

  35.   # Login request and validation

  36.   def login

  37.     if request.get?

  38.       if User.current.logged?

  39.         redirect_back_or_default home_url, :referer => true

  40.       end

  41.     else

  42.       authenticate_user

  43.     end

  44.   rescue AuthSourceException => e

  45.     logger.error "An error occured when authenticating #{params[:username]}: #{e.message}"

  46.     render_error :message => e.message

  47.   end

  48. 

  49.   # Log out current user and redirect to welcome page

  50.   def logout

  51.     if User.current.anonymous?

  52.       redirect_to home_url

  53.     elsif request.post?

  54.       logout_user

  55.       redirect_to home_url

  56.     end

  57.     # display the logout form

  58.   end

  59. 

  60.   # Lets user choose a new password

  61.   def lost_password

  62.     (redirect_to(home_url); return) unless Setting.lost_password?

  63.     if params[:token]

  64.       @token = Token.find_token("recovery", params[:token].to_s)

  65.       if @token.nil? || @token.expired?

  66.         redirect_to home_url

  67.         return

  68.       end

  69.       @user = @token.user

  70.       unless @user && @user.active?

  71.         redirect_to home_url

  72.         return

  73.       end

  74.       if request.post?

  75.         @user.password, @user.password_confirmation = params[:new_password], params[:new_password_confirmation]

  76.         if @user.save

  77.           @token.destroy

  78.           Mailer.password_updated(@user)

  79.           flash[:notice] = l(:notice_account_password_updated)

  80.           redirect_to signin_path

  81.           return

  82.         end

  83.       end

  84.       render :template => "account/password_recovery"

  85.       return

  86.     else

  87.       if request.post?

  88.         email = params[:mail].to_s

  89.         user = User.find_by_mail(email)

  90.         # user not found

  91.         unless user

  92.           flash.now[:error] = l(:notice_account_unknown_email)

  93.           return

  94.         end

  95.         unless user.active?

  96.           handle_inactive_user(user, lost_password_path)

  97.           return

  98.         end

  99.         # user cannot change its password

  100.         unless user.change_password_allowed?

  101.           flash.now[:error] = l(:notice_can_t_change_password)

  102.           return

  103.         end

  104.         # create a new token for password recovery

  105.         token = Token.new(:user => user, :action => "recovery")

  106.         if token.save

  107.           # Don't use the param to send the email

  108.           recipent = user.mails.detect {|e| email.casecmp(e) == 0} || user.mail

  109.           Mailer.lost_password(token, recipent).deliver

  110.           flash[:notice] = l(:notice_account_lost_email_sent)

  111.           redirect_to signin_path

  112.           return

  113.         end

  114.       end

  115.     end

  116.   end

  117. 

  118.   # User self-registration

  119.   def register

  120.     (redirect_to(home_url); return) unless Setting.self_registration? || session[:auth_source_registration]

  121.     if request.get?

  122.       session[:auth_source_registration] = nil

  123.       @user = User.new(:language => current_language.to_s)

  124.     else

  125.       user_params = params[:user] || {}

  126.       @user = User.new

  127.       @user.safe_attributes = user_params

  128.       @user.pref.safe_attributes = params[:pref]

  129.       @user.admin = false

  130.       @user.register

  131.       if session[:auth_source_registration]

  132.         @user.activate

  133.         @user.login = session[:auth_source_registration][:login]

  134.         @user.auth_source_id = session[:auth_source_registration][:auth_source_id]

  135.         if @user.save

  136.           session[:auth_source_registration] = nil

  137.           self.logged_user = @user

  138.           flash[:notice] = l(:notice_account_activated)

  139.           redirect_to my_account_path

  140.         end

  141.       else

  142.         unless user_params[:identity_url].present? && user_params[:password].blank? && user_params[:password_confirmation].blank?

  143.           @user.password, @user.password_confirmation = user_params[:password], user_params[:password_confirmation]

  144.         end

  145. 

  146.         case Setting.self_registration

  147.         when '1'

  148.           register_by_email_activation(@user)

  149.         when '3'

  150.           register_automatically(@user)

  151.         else

  152.           register_manually_by_administrator(@user)

  153.         end

  154.       end

  155.     end

  156.   end

  157. 

  158.   # Token based account activation

  159.   def activate

  160.     (redirect_to(home_url); return) unless Setting.self_registration? && params[:token].present?

  161.     token = Token.find_token('register', params[:token].to_s)

  162.     (redirect_to(home_url); return) unless token and !token.expired?

  163.     user = token.user

  164.     (redirect_to(home_url); return) unless user.registered?

  165.     user.activate

  166.     if user.save

  167.       token.destroy

  168.       flash[:notice] = l(:notice_account_activated)

  169.     end

  170.     redirect_to signin_path

  171.   end

  172. 

  173.   # Sends a new account activation email

  174.   def activation_email

  175.     if session[:registered_user_id] && Setting.self_registration == '1'

  176.       user_id = session.delete(:registered_user_id).to_i

  177.       user = User.find_by_id(user_id)

  178.       if user && user.registered?

  179.         register_by_email_activation(user)

  180.         return

  181.       end

  182.     end

  183.     redirect_to(home_url)

  184.   end

  185. 

  186.   private

  187. 

  188.   def authenticate_user

  189.     if Setting.openid? && using_open_id?

  190.       open_id_authenticate(params[:openid_url])

  191.     else

  192.       password_authentication

  193.     end

  194.   end

  195. 

  196.   def password_authentication

  197.     user = User.try_to_login(params[:username], params[:password], false)

  198. 

  199.     if user.nil?

  200.       invalid_credentials

  201.     elsif user.new_record?

  202.       onthefly_creation_failed(user, {:login => user.login, :auth_source_id => user.auth_source_id })

  203.     else

  204.       # Valid user

  205.       if user.active?

  206.         successful_authentication(user)

  207.         update_sudo_timestamp! # activate Sudo Mode

  208.       else

  209.         handle_inactive_user(user)

  210.       end

  211.     end

  212.   end

  213. 

  214.   def open_id_authenticate(openid_url)

  215.     back_url = signin_url(:autologin => params[:autologin])

  216.     authenticate_with_open_id(

  217.           openid_url, :required => [:nickname, :fullname, :email],

  218.           :return_to => back_url, :method => :post

  219.     ) do |result, identity_url, registration|

  220.       if result.successful?

  221.         user = User.find_or_initialize_by_identity_url(identity_url)

  222.         if user.new_record?

  223.           # Self-registration off

  224.           (redirect_to(home_url); return) unless Setting.self_registration?

  225.           # Create on the fly

  226.           user.login = registration['nickname'] unless registration['nickname'].nil?

  227.           user.mail = registration['email'] unless registration['email'].nil?

  228.           user.firstname, user.lastname = registration['fullname'].split(' ') unless registration['fullname'].nil?

  229.           user.random_password

  230.           user.register

  231.           case Setting.self_registration

  232.           when '1'

  233.             register_by_email_activation(user) do

  234.               onthefly_creation_failed(user)

  235.             end

  236.           when '3'

  237.             register_automatically(user) do

  238.               onthefly_creation_failed(user)

  239.             end

  240.           else

  241.             register_manually_by_administrator(user) do

  242.               onthefly_creation_failed(user)

  243.             end

  244.           end

  245.         else

  246.           # Existing record

  247.           if user.active?

  248.             successful_authentication(user)

  249.           else

  250.             handle_inactive_user(user)

  251.           end

  252.         end

  253.       end

  254.     end

  255.   end

  256. 

  257.   def successful_authentication(user)

  258.     logger.info "Successful authentication for '#{user.login}' from #{request.remote_ip} at #{Time.now.utc}"

  259.     # Valid user

  260.     self.logged_user = user

  261.     # generate a key and set cookie if autologin

  262.     if params[:autologin] && Setting.autologin?

  263.       set_autologin_cookie(user)

  264.     end

  265.     call_hook(:controller_account_success_authentication_after, {:user => user })

  266.     redirect_back_or_default my_page_path

  267.   end

  268. 

  269.   def set_autologin_cookie(user)

  270.     token = Token.create(:user => user, :action => 'autologin')

  271.     secure = Redmine::Configuration['autologin_cookie_secure']

  272.     if secure.nil?

  273.       secure = request.ssl?

  274.     end

  275.     cookie_options = {

  276.       :value => token.value,

  277.       :expires => 1.year.from_now,

  278.       :path => (Redmine::Configuration['autologin_cookie_path'] || RedmineApp::Application.config.relative_url_root || '/'),

  279.       :secure => secure,

  280.       :httponly => true

  281.     }

  282.     cookies[autologin_cookie_name] = cookie_options

  283.   end

  284. 

  285.   # Onthefly creation failed, display the registration form to fill/fix attributes

  286.   def onthefly_creation_failed(user, auth_source_options = { })

  287.     @user = user

  288.     session[:auth_source_registration] = auth_source_options unless auth_source_options.empty?

  289.     render :action => 'register'

  290.   end

  291. 

  292.   def invalid_credentials

  293.     logger.warn "Failed login for '#{params[:username]}' from #{request.remote_ip} at #{Time.now.utc}"

  294.     flash.now[:error] = l(:notice_account_invalid_credentials)

  295.   end

  296. 

  297.   # Register a user for email activation.

  298.   #

  299.   # Pass a block for behavior when a user fails to save

  300.   def register_by_email_activation(user, &block)

  301.     token = Token.new(:user => user, :action => "register")

  302.     if user.save and token.save

  303.       Mailer.register(token).deliver

  304.       flash[:notice] = l(:notice_account_register_done, :email => ERB::Util.h(user.mail))

  305.       redirect_to signin_path

  306.     else

  307.       yield if block_given?

  308.     end

  309.   end

  310. 

  311.   # Automatically register a user

  312.   #

  313.   # Pass a block for behavior when a user fails to save

  314.   def register_automatically(user, &block)

  315.     # Automatic activation

  316.     user.activate

  317.     user.last_login_on = Time.now

  318.     if user.save

  319.       self.logged_user = user

  320.       flash[:notice] = l(:notice_account_activated)

  321.       redirect_to my_account_path

  322.     else

  323.       yield if block_given?

  324.     end

  325.   end

  326. 

  327.   # Manual activation by the administrator

  328.   #

  329.   # Pass a block for behavior when a user fails to save

  330.   def register_manually_by_administrator(user, &block)

  331.     if user.save

  332.       # Sends an email to the administrators

  333.       Mailer.account_activation_request(user).deliver

  334.       account_pending(user)

  335.     else

  336.       yield if block_given?

  337.     end

  338.   end

  339. 

  340.   def handle_inactive_user(user, redirect_path=signin_path)

  341.     if user.registered?

  342.       account_pending(user, redirect_path)

  343.     else

  344.       account_locked(user, redirect_path)

  345.     end

  346.   end

  347. 

  348.   def account_pending(user, redirect_path=signin_path)

  349.     if Setting.self_registration == '1'

  350.       flash[:error] = l(:notice_account_not_activated_yet, :url => activation_email_path)

  351.       session[:registered_user_id] = user.id

  352.     else

  353.       flash[:error] = l(:notice_account_pending)

  354.     end

  355.     redirect_to redirect_path

  356.   end

  357. 

  358.   def account_locked(user, redirect_path=signin_path)

  359.     flash[:error] = l(:notice_account_locked)

  360.     redirect_to redirect_path

  361.   end

  362. end