##
# Handles the two token-driven confirmation flows: activating a freshly
# registered account (+confirm+ / +confirm_resend+) and applying a pending
# change of email address (+confirm_email+).
#
# In both flows the credential is the UserToken named by the submitted
# `confirm_string`; beyond whatever authorize_web / authorize_resource
# enforce, no existing login is required. A token is single-use: +confirm+
# destroys it and +confirm_email+ deletes every token of the user once the
# change has been applied.
class ConfirmationsController < ApplicationController
  include SessionMethods

  layout "site"

  before_action :authorize_web
  before_action :set_locale
  before_action :check_database_readable

  authorize_resource :class => false

  # NOTE(review): confirm_resend also writes (user.tokens.create below) but
  # is not listed here — confirm whether that omission is intentional.
  before_action :check_database_writable, :only => [:confirm, :confirm_email]
  # confirm reads session[:token] to decide whether to log the user in
  # directly, so it presumably needs a working session cookie.
  before_action :require_cookies, :only => [:confirm]

  ##
  # Activate a newly registered account.
  #
  # POST: looks up params[:confirm_string]. An active user gets sent to the
  # login page; an unknown or expired token is bounced back to this action;
  # a hidden (non-visible) user gets the unknown-user page. Otherwise the
  # user is marked active with a validated email, the token is destroyed,
  # and the user is either logged in straight away (when session[:token]
  # holds a token of the same user, i.e. this is the browser session that
  # signed up) or redirected to the login page.
  #
  # GET: renders the confirmation page for params[:display_name], or
  # redirects to the root path when no such visible user exists or the
  # account is already active.
  def confirm
    if request.post?
      token = UserToken.find_by(:token => params[:confirm_string])
      if token&.user&.active?
        flash[:error] = t("confirmations.confirm.already active")
        redirect_to login_path
      elsif !token || token.expired?
        # Unknown and expired tokens share one message and redirect.
        flash[:error] = t("confirmations.confirm.unknown token")
        redirect_to :action => "confirm"
      elsif !token.user.visible?
        render_unknown_user token.user.display_name
      else
        user = token.user
        user.status = "active"
        user.email_valid = true
        # gravatar_enable only changes the preference in memory; it is
        # persisted by the save! below. The notice is shown only if it changed.
        flash[:notice] = gravatar_status_message(user) if gravatar_enable(user)
        user.save!
        # The stored referer is filtered through safe_referer (defined
        # elsewhere) before it is used as a redirect target.
        referer = safe_referer(token.referer) if token.referer
        # Single use: the confirmation token is gone once the account is active.
        token.destroy

        # `token` is reused for the signup-session token, if any; it is
        # removed from the session regardless of whether it matches.
        if session[:token]
          token = UserToken.find_by(:token => session[:token])
          session.delete(:token)
        else
          token = nil
        end

        if token.nil? || token.user != user
          # No (or a different user's) signup session: require an explicit login.
          flash[:notice] = t("confirmations.confirm.success")
          redirect_to login_path(:referer => referer)
        else
          # Same session that signed up: consume that token too and log in.
          token.destroy

          session[:user] = user.id
          session[:fingerprint] = user.fingerprint

          redirect_to referer || welcome_path
        end
      end
    else
      user = User.visible.find_by(:display_name => params[:display_name])

      redirect_to root_path if user.nil? || user.active?
    end
  end

  ##
  # Re-send the signup confirmation mail for params[:display_name].
  #
  # Only the browser session that did the signup may ask for this: the
  # token in session[:token] has to belong to that same user. On success a
  # fresh token is created and mailed asynchronously; otherwise a generic
  # failure message is set. Either way the user is sent to the login page.
  def confirm_resend
    user = User.visible.find_by(:display_name => params[:display_name])
    token = UserToken.find_by(:token => session[:token])

    if user.nil? || token.nil? || token.user != user
      flash[:error] = t "confirmations.confirm_resend.failure", :name => params[:display_name]
    else
      UserMailer.signup_confirm(user, user.tokens.create).deliver_later
      flash[:notice] = t "confirmations.confirm_resend.success_html", :email => user.email, :sender => Settings.email_from
    end

    redirect_to login_path
  end

  ##
  # Apply a pending change of email address.
  #
  # POST: looks up params[:confirm_string]. When the token's user has a
  # pending new_email, that address becomes the email (marked valid), all
  # of the user's tokens are deleted, the user is logged in via
  # session[:user] / session[:fingerprint] and redirected to their account
  # page. A token whose user has no pending change redirects to the account
  # page with a failure message. An unknown token sets an error and falls
  # through to render the confirm_email template, as a GET does.
  #
  # NOTE(review): unlike +confirm+ there is no token.expired? check here —
  # confirm whether email-change tokens are meant to be usable indefinitely
  # (UserToken may enforce expiry elsewhere).
  # NOTE(review): the login session is established and the tokens cleared
  # even when current_user.save fails; only the errors are recorded.
  def confirm_email
    if request.post?
      token = UserToken.find_by(:token => params[:confirm_string])
      if token&.user&.new_email?
        # The token holder becomes the current user, replacing any existing login.
        self.current_user = token.user
        current_user.email = current_user.new_email
        current_user.new_email = nil
        current_user.email_valid = true
        # Evaluated before save so the new address is the one checked.
        gravatar_enabled = gravatar_enable(current_user)
        if current_user.save
          flash[:notice] = if gravatar_enabled
                             "#{t('confirmations.confirm_email.success')} #{gravatar_status_message(current_user)}"
                           else
                             t("confirmations.confirm_email.success")
                           end
        else
          # NOTE(review): this puts an ActiveModel::Errors object into the
          # flash; whether that survives the configured flash/session
          # serializer cannot be told from here.
          flash[:errors] = current_user.errors
        end
        # Every outstanding token for this user is invalidated, not just this one.
        current_user.tokens.delete_all
        session[:user] = current_user.id
        session[:fingerprint] = current_user.fingerprint
        redirect_to :controller => :users, :action => :account, :display_name => current_user.display_name
      elsif token
        flash[:error] = t "confirmations.confirm_email.failure"
        redirect_to :controller => :users, :action => :account, :display_name => token.user.display_name
      else
        flash[:error] = t "confirmations.confirm_email.unknown_token"
      end
    end
  end

  private

  ##
  # Check whether a Gravatar exists for the user's email address and set
  # the user's image_use_gravatar preference to match. Returns true when
  # the preference actually changed, false otherwise (including when the
  # user has uploaded their own avatar, which is left alone). The change is
  # not persisted here; callers save the user.
  def gravatar_enable(user)
    # code from example https://en.gravatar.com/site/implement/images/ruby/
    return false if user.avatar.attached?

    begin
      # Gravatar keys images by the MD5 of the lowercased address. MD5 is
      # only a lookup key here, but note the hashed address is sent to a
      # third party.
      hash = Digest::MD5.hexdigest(user.email.downcase)
      url = "https://www.gravatar.com/avatar/#{hash}?d=404" # without d=404 we will always get an image back
      response = OSM.http_client.get(URI.parse(url))
      available = response.success?
    rescue StandardError
      # Best effort: any lookup failure is treated as "no gravatar".
      available = false
    end

    oldsetting = user.image_use_gravatar
    user.image_use_gravatar = available
    oldsetting != user.image_use_gravatar
  end

  ##
  # Translated message describing the current state of the user's
  # gravatar setting (enabled or disabled).
  def gravatar_status_message(user)
    if user.image_use_gravatar
      t "users.account.gravatar.enabled"
    else
      t "users.account.gravatar.disabled"
    end
  end
end