1 class ApiController < ApplicationController
2 skip_before_action :verify_authenticity_token
6 def authorize(realm = "Web Password", errormessage = "Couldn't authenticate you")
7 # make the current_user object from any auth sources we have
10 # handle authenticate pass/fail
12 # no auth, the user does not exist or the password was wrong
13 response.headers["WWW-Authenticate"] = "Basic realm=\"#{realm}\""
14 render :plain => errormessage, :status => :unauthorized
19 def deny_access(_exception)
22 report_error t("oauth.permissions.missing"), :forbidden
26 realm = "Web Password"
27 errormessage = "Couldn't authenticate you"
28 response.headers["WWW-Authenticate"] = "Basic realm=\"#{realm}\""
29 render :plain => errormessage, :status => :unauthorized
34 status = database_status
35 status = :offline if status == :online && Settings.status == "gpx_offline"
40 # sets up the current_user for use by other methods. this is mostly called
41 # from the authorize method, but can be called elsewhere if authorisation
44 # try and setup using OAuth
45 unless Authenticator.new(self, [:token]).allow?
46 username, passwd = get_auth_data # parse from headers
47 # authenticate per-scheme
48 self.current_user = if username.nil?
49 nil # no authentication provided - perhaps first connect (client should retry after 401)
50 elsif username == "token"
51 User.authenticate(:token => passwd) # preferred - random token for user from db, passed in basic auth
53 User.authenticate(:username => username, :password => passwd) # basic auth
57 # have we identified the user?
59 # check if the user has been banned
60 user_block = current_user.blocks.active.take
61 unless user_block.nil?
63 if user_block.zero_hour?
64 report_error t("application.setup_user_auth.blocked_zero_hour"), :forbidden
66 report_error t("application.setup_user_auth.blocked"), :forbidden
70 # if the user hasn't seen the contributor terms then don't
71 # allow editing - they have to go to the web site and see
72 # (but can decline) the CTs to continue.
73 if !current_user.terms_seen && flash[:skip_terms].nil?
75 report_error t("application.setup_user_auth.need_to_see_terms"), :forbidden