1 class UserController < ApplicationController
2 layout 'site', :except => [:api_details]
4 skip_before_filter :verify_authenticity_token, :only => [:api_read, :api_details, :api_gpx_files]
5 before_filter :disable_terms_redirect, :only => [:terms, :save, :logout, :api_details]
6 before_filter :authorize, :only => [:api_details, :api_gpx_files]
7 before_filter :authorize_web, :except => [:api_read, :api_details, :api_gpx_files]
8 before_filter :set_locale, :except => [:api_read, :api_details, :api_gpx_files]
9 before_filter :require_user, :only => [:account, :go_public, :make_friend, :remove_friend]
10 before_filter :require_self, :only => [:account]
11 before_filter :check_database_readable, :except => [:login, :api_read, :api_details, :api_gpx_files]
12 before_filter :check_database_writable, :only => [:new, :account, :confirm, :confirm_email, :lost_password, :reset_password, :go_public, :make_friend, :remove_friend]
13 before_filter :check_api_readable, :only => [:api_read, :api_details, :api_gpx_files]
14 before_filter :require_allow_read_prefs, :only => [:api_details]
15 before_filter :require_allow_read_gpx, :only => [:api_gpx_files]
16 before_filter :require_cookies, :only => [:new, :login, :confirm]
17 before_filter :require_administrator, :only => [:set_status, :delete, :list]
18 around_filter :api_call_handle_error, :only => [:api_read, :api_details, :api_gpx_files]
19 before_filter :lookup_user_by_id, :only => [:api_read]
20 before_filter :lookup_user_by_name, :only => [:set_status, :delete]
23 @legale = params[:legale] || OSM.IPToCountry(request.remote_ip) || DEFAULT_LEGALE
24 @text = OSM.legal_text_for_country(@legale)
27 render :partial => "terms"
29 @title = t 'user.terms.title'
31 if @user and @user.terms_agreed?
32 # Already agreed to terms, so just show settings
33 redirect_to :action => :account, :display_name => @user.display_name
34 elsif @user.nil? and session[:new_user].nil?
35 redirect_to :action => :login, :referer => request.fullpath
41 @title = t 'user.new.title'
45 @user.terms_seen = true
48 flash[:notice] = t 'user.new.terms declined', :url => t('user.new.terms declined url')
52 redirect_to params[:referer]
54 redirect_to :action => :account, :display_name => @user.display_name
57 redirect_to t('user.terms.declined')
60 if !@user.terms_agreed?
61 @user.consider_pd = params[:user][:consider_pd]
62 @user.terms_agreed = Time.now.getutc
63 @user.terms_seen = true
65 flash[:notice] = t 'user.new.terms accepted'
70 redirect_to params[:referer]
72 redirect_to :action => :account, :display_name => @user.display_name
75 @user = session.delete(:new_user)
77 if check_signup_allowed(@user.email)
78 @user.data_public = true
79 @user.description = "" if @user.description.nil?
80 @user.creation_ip = request.remote_ip
81 @user.languages = http_accept_language.user_preferred_languages
82 @user.terms_agreed = Time.now.getutc
83 @user.terms_seen = true
84 @user.openid_url = nil if @user.openid_url and @user.openid_url.empty?
87 flash[:piwik_goal] = PIWIK["goals"]["signup"] if defined?(PIWIK)
89 referer = welcome_path
92 uri = URI(session[:referer])
93 /map=(.*)\/(.*)\/(.*)/.match(uri.fragment) do |m|
94 editor = Rack::Utils.parse_query(uri.query).slice('editor')
95 referer = welcome_path({'zoom' => m[1],
97 'lon' => m[3]}.merge(editor))
103 if @user.status == "active"
104 session[:referer] = referer
105 successful_login(@user)
107 session[:token] = @user.tokens.create.token
108 Notifier.signup_confirm(@user, @user.tokens.create(:referer => referer)).deliver_now
109 redirect_to :action => 'confirm', :display_name => @user.display_name
112 render :action => 'new', :referer => params[:referer]
119 @title = t 'user.account.title'
120 @tokens = @user.oauth_tokens.authorized
122 if params[:user] and params[:user][:display_name] and params[:user][:description]
123 if params[:user][:openid_url] and
124 params[:user][:openid_url].length > 0 and
125 params[:user][:openid_url] != @user.openid_url
126 # If the OpenID has changed, we want to check that it is a
127 # valid OpenID and one the user has control over before saving
128 # it as a password equivalent for the user.
129 session[:new_user_settings] = params
130 openid_verify(params[:user][:openid_url], @user)
132 update_user(@user, params)
135 # The redirect from the OpenID provider reenters here
136 # again and we need to pass the parameters through to
137 # the open_id_authentication function
138 settings = session.delete(:new_user_settings)
139 openid_verify(nil, @user) do |user|
140 update_user(user, settings)
146 @user.data_public = true
148 flash[:notice] = t 'user.go_public.flash success'
149 redirect_to :controller => 'user', :action => 'account', :display_name => @user.display_name
153 @title = t 'user.lost_password.title'
155 if params[:user] and params[:user][:email]
156 user = User.visible.find_by_email(params[:user][:email])
159 users = User.visible.where("LOWER(email) = LOWER(?)", params[:user][:email])
167 token = user.tokens.create
168 Notifier.lost_password(user, token).deliver_now
169 flash[:notice] = t 'user.lost_password.notice email on way'
170 redirect_to :action => 'login'
172 flash.now[:error] = t 'user.lost_password.notice email cannot find'
178 @title = t 'user.reset_password.title'
181 token = UserToken.find_by_token(params[:token])
187 @user.pass_crypt = params[:user][:pass_crypt]
188 @user.pass_crypt_confirmation = params[:user][:pass_crypt_confirmation]
189 @user.status = "active" if @user.status == "pending"
190 @user.email_valid = true
194 flash[:notice] = t 'user.reset_password.flash changed'
195 redirect_to :action => 'login'
199 flash[:error] = t 'user.reset_password.flash token bad'
200 redirect_to :action => 'lost_password'
203 render :text => "", :status => :bad_request
208 @title = t 'user.new.title'
209 @referer = params[:referer] || session[:referer]
212 # The redirect from the OpenID provider reenters here
213 # again and we need to pass the parameters through to
214 # the open_id_authentication function
215 @user = session.delete(:new_user)
217 openid_verify(nil, @user) do |user, verified_email|
218 user.status = "active" if user.email == verified_email
221 if @user.openid_url.nil? or @user.invalid?
222 render :action => 'new'
224 session[:new_user] = @user
225 redirect_to :action => 'terms'
228 # The user is logged in already, so don't show them the signup
229 # page, instead send them to the home page
233 redirect_to :controller => 'site', :action => 'index'
235 elsif params.key?(:openid)
236 @user = User.new(:email => params[:email],
237 :email_confirmation => params[:email],
238 :display_name => params[:nickname],
239 :openid_url => params[:openid])
241 flash.now[:notice] = t 'user.new.openid association'
248 @user = User.new(user_params)
250 if check_signup_allowed(@user.email)
251 session[:referer] = params[:referer]
253 @user.status = "pending"
255 if @user.openid_url.present? && @user.pass_crypt.empty?
256 # We are creating an account with OpenID and no password
257 # was specified so create a random one
258 @user.pass_crypt = SecureRandom.base64(16)
259 @user.pass_crypt_confirmation = @user.pass_crypt
263 # Something is wrong with a new user, so rerender the form
264 render :action => "new"
265 elsif @user.openid_url.present?
266 # Verify OpenID before moving on
267 session[:new_user] = @user
268 openid_verify(@user.openid_url, @user)
270 # Save the user record
271 session[:new_user] = @user
272 redirect_to :action => :terms
278 if params[:username] or using_open_id?
279 session[:referer] ||= params[:referer]
282 session[:remember_me] ||= params[:remember_me_openid]
283 openid_authentication(params[:openid_url])
285 session[:remember_me] ||= params[:remember_me]
286 password_authentication(params[:username], params[:password])
292 @title = t 'user.logout.title'
294 if params[:session] == request.session_options[:id]
296 token = UserToken.find_by_token(session[:token])
300 session.delete(:token)
302 session.delete(:user)
303 session_expires_automatically
305 redirect_to params[:referer]
307 redirect_to :controller => 'site', :action => 'index'
314 token = UserToken.find_by_token(params[:confirm_string])
315 if token && token.user.active?
316 flash[:error] = t('user.confirm.already active')
317 redirect_to :action => 'login'
318 elsif !token || token.expired?
319 flash[:error] = t('user.confirm.unknown token')
320 redirect_to :action => 'confirm'
323 user.status = "active"
324 user.email_valid = true
326 referer = token.referer
330 token = UserToken.find_by_token(session[:token])
331 session.delete(:token)
336 if token.nil? or token.user != user
337 flash[:notice] = t('user.confirm.success')
338 redirect_to :action => :login, :referer => referer
342 session[:user] = user.id
344 redirect_to referer || welcome_path
348 user = User.find_by_display_name(params[:display_name])
349 if !user || user.active?
350 redirect_to root_path
356 if user = User.find_by_display_name(params[:display_name])
357 Notifier.signup_confirm(user, user.tokens.create).deliver_now
358 flash[:notice] = t 'user.confirm_resend.success', :email => user.email
360 flash[:notice] = t 'user.confirm_resend.failure', :name => params[:display_name]
363 redirect_to :action => 'login'
368 token = UserToken.find_by_token(params[:confirm_string])
369 if token and token.user.new_email?
371 @user.email = @user.new_email
372 @user.new_email = nil
373 @user.email_valid = true
375 flash[:notice] = t 'user.confirm_email.success'
377 flash[:errors] = @user.errors
380 session[:user] = @user.id
381 redirect_to :action => 'account', :display_name => @user.display_name
383 flash[:error] = t 'user.confirm_email.failure'
384 redirect_to :action => 'account', :display_name => @user.display_name
390 render :text => "", :status => :gone unless @this_user.visible?
395 render :action => :api_read
399 doc = OSM::API.new.get_xml_doc
400 @user.traces.each do |trace|
401 doc.root << trace.to_xml_node() if trace.public? or trace.user == @user
403 render :text => doc.to_s, :content_type => "text/xml"
407 @this_user = User.find_by_display_name(params[:display_name])
410 (@this_user.visible? or (@user and @user.administrator?))
411 @title = @this_user.display_name
413 render_unknown_user params[:display_name]
418 @new_friend = User.find_by_display_name(params[:display_name])
423 friend.user_id = @user.id
424 friend.friend_user_id = @new_friend.id
425 unless @user.is_friends_with?(@new_friend)
427 flash[:notice] = t 'user.make_friend.success', :name => @new_friend.display_name
428 Notifier.friend_notification(friend).deliver_now
430 friend.add_error(t('user.make_friend.failed', :name => @new_friend.display_name))
433 flash[:warning] = t 'user.make_friend.already_a_friend', :name => @new_friend.display_name
437 redirect_to params[:referer]
439 redirect_to :controller => 'user', :action => 'view'
443 render_unknown_user params[:display_name]
448 @friend = User.find_by_display_name(params[:display_name])
452 if @user.is_friends_with?(@friend)
453 Friend.delete_all "user_id = #{@user.id} AND friend_user_id = #{@friend.id}"
454 flash[:notice] = t 'user.remove_friend.success', :name => @friend.display_name
456 flash[:error] = t 'user.remove_friend.not_a_friend', :name => @friend.display_name
460 redirect_to params[:referer]
462 redirect_to :controller => 'user', :action => 'view'
466 render_unknown_user params[:display_name]
471 # sets a user's status
473 @this_user.status = params[:status]
475 redirect_to :controller => 'user', :action => 'view', :display_name => params[:display_name]
479 # delete a user, marking them as deleted and removing personal data
482 redirect_to :controller => 'user', :action => 'view', :display_name => params[:display_name]
486 # display a list of users matching specified criteria
489 ids = params[:user].keys.collect { |id| id.to_i }
491 User.update_all("status = 'confirmed'", :id => ids) if params[:confirm]
492 User.update_all("status = 'deleted'", :id => ids) if params[:hide]
494 redirect_to url_for(:status => params[:status], :ip => params[:ip], :page => params[:page])
496 conditions = Hash.new
497 conditions[:status] = params[:status] if params[:status]
498 conditions[:creation_ip] = params[:ip] if params[:ip]
500 @user_pages, @users = paginate(:users,
501 :conditions => conditions,
510 # handle password authentication
511 def password_authentication(username, password)
512 if user = User.authenticate(:username => username, :password => password)
513 successful_login(user)
514 elsif user = User.authenticate(:username => username, :password => password, :pending => true)
515 unconfirmed_login(user)
516 elsif User.authenticate(:username => username, :password => password, :suspended => true)
517 failed_login t('user.login.account is suspended', :webmaster => "mailto:webmaster@openstreetmap.org")
519 failed_login t('user.login.auth failure')
524 # handle OpenID authentication
525 def openid_authentication(openid_url)
526 # If we don't appear to have a user for this URL then ask the
527 # provider for some extra information to help with signup
528 if openid_url and User.find_by_openid_url(openid_url)
531 required = [:nickname, :email, "http://axschema.org/namePerson/friendly", "http://axschema.org/contact/email"]
534 # Start the authentication
535 authenticate_with_open_id(openid_expand_url(openid_url), :method => :get, :required => required) do |result, identity_url, sreg, ax|
536 if result.successful?
537 # We need to use the openid url passed back from the OpenID provider
538 # rather than the one supplied by the user, as these can be different.
540 # For example, you can simply enter yahoo.com in the login box rather
541 # than a user specific url. Only once it comes back from the provider
542 # provider do we know the unique address for the user.
543 if user = User.find_by_openid_url(identity_url)
546 unconfirmed_login(user)
547 when "active", "confirmed" then
548 successful_login(user)
549 when "suspended" then
550 failed_login t('user.login.account is suspended', :webmaster => "mailto:webmaster@openstreetmap.org")
552 failed_login t('user.login.auth failure')
555 # Guard against not getting any extension data
556 sreg = Hash.new if sreg.nil?
557 ax = Hash.new if ax.nil?
559 # We don't have a user registered to this OpenID, so redirect
560 # to the create account page with username and email filled
561 # in if they have been given by the OpenID provider through
562 # the simple registration protocol.
563 nickname = sreg["nickname"] || ax["http://axschema.org/namePerson/friendly"].first
564 email = sreg["email"] || ax["http://axschema.org/contact/email"].first
566 redirect_to :controller => 'user', :action => 'new', :nickname => nickname, :email => email, :openid => identity_url
568 elsif result.missing?
569 failed_login t('user.login.openid missing provider')
570 elsif result.invalid?
571 failed_login t('user.login.openid invalid')
573 failed_login t('user.login.auth failure')
579 # verify an OpenID URL
580 def openid_verify(openid_url, user)
581 user.openid_url = openid_url
583 authenticate_with_open_id(openid_expand_url(openid_url), :method => :get, :required => [:email, "http://axschema.org/contact/email"]) do |result, identity_url, sreg, ax|
584 if result.successful?
585 # Do we trust the emails this provider returns?
586 if openid_email_verified(identity_url)
587 # Guard against not getting any extension data
588 sreg = Hash.new if sreg.nil?
589 ax = Hash.new if ax.nil?
591 # Get the verified email
592 verified_email = sreg["email"] || ax["http://axschema.org/contact/email"].first
595 # We need to use the openid url passed back from the OpenID provider
596 # rather than the one supplied by the user, as these can be different.
598 # For example, you can simply enter yahoo.com in the login box rather
599 # than a user specific url. Only once it comes back from the provider
600 # provider do we know the unique address for the user.
601 user.openid_url = identity_url
602 yield user, verified_email
603 elsif result.missing?
604 flash.now[:error] = t 'user.login.openid missing provider'
605 elsif result.invalid?
606 flash.now[:error] = t 'user.login.openid invalid'
608 flash.now[:error] = t 'user.login.auth failure'
614 # special case some common OpenID providers by applying heuristics to
615 # try and come up with the correct URL based on what the user entered
616 def openid_expand_url(openid_url)
619 elsif openid_url.match(/(.*)gmail.com(\/?)$/) or openid_url.match(/(.*)googlemail.com(\/?)$/)
620 # Special case gmail.com as it is potentially a popular OpenID
621 # provider and, unlike yahoo.com, where it works automatically, Google
622 # have hidden their OpenID endpoint somewhere obscure this making it
623 # somewhat less user friendly.
624 return 'https://www.google.com/accounts/o8/id'
631 # check if we trust an OpenID provider to return a verified
632 # email, so that we can skpi verifying it ourselves
633 def openid_email_verified(openid_url)
634 openid_url.match(/https:\/\/www.google.com\/accounts\/o8\/id?(.*)/) or
635 openid_url.match(/https:\/\/me.yahoo.com\/(.*)/)
639 # process a successful login
640 def successful_login(user)
641 session[:user] = user.id
642 session_expires_after 28.days if session[:remember_me]
644 target = session[:referer] || url_for(:controller => :site, :action => :index)
646 # The user is logged in, so decide where to send them:
648 # - If they haven't seen the contributor terms, send them there.
649 # - If they have a block on them, show them that.
650 # - If they were referred to the login, send them back there.
651 # - Otherwise, send them to the home page.
652 if REQUIRE_TERMS_SEEN and not user.terms_seen
653 redirect_to :controller => :user, :action => :terms, :referer => target
654 elsif user.blocked_on_view
655 redirect_to user.blocked_on_view, :referer => target
660 session.delete(:remember_me)
661 session.delete(:referer)
665 # process a failed login
666 def failed_login(message)
667 flash[:error] = message
669 redirect_to :action => 'login', :referer => session[:referer]
671 session.delete(:remember_me)
672 session.delete(:referer)
677 def unconfirmed_login(user)
678 redirect_to :action => 'confirm', :display_name => user.display_name
680 session.delete(:remember_me)
681 session.delete(:referer)
685 # update a user's details
686 def update_user(user, params)
687 user.display_name = params[:user][:display_name]
688 user.new_email = params[:user][:new_email]
690 if params[:user][:pass_crypt].length > 0 or params[:user][:pass_crypt_confirmation].length > 0
691 user.pass_crypt = params[:user][:pass_crypt]
692 user.pass_crypt_confirmation = params[:user][:pass_crypt_confirmation]
695 if params[:user][:description] != user.description
696 user.description = params[:user][:description]
697 user.description_format = "markdown"
700 user.languages = params[:user][:languages].split(",")
702 case params[:image_action]
704 user.image = params[:user][:image]
705 user.image_use_gravatar = false
708 user.image_use_gravatar = false
711 user.image_use_gravatar = true
714 user.home_lat = params[:user][:home_lat]
715 user.home_lon = params[:user][:home_lon]
717 if params[:user][:preferred_editor] == "default"
718 user.preferred_editor = nil
720 user.preferred_editor = params[:user][:preferred_editor]
723 user.openid_url = nil if params[:user][:openid_url].blank?
728 if user.new_email.blank? or user.new_email == user.email
729 flash.now[:notice] = t 'user.account.flash update success'
731 user.email = user.new_email
734 flash.now[:notice] = t 'user.account.flash update success confirm needed'
737 Notifier.email_confirm(user, user.tokens.create).deliver_now
739 # Ignore errors sending email
742 @user.errors.set(:new_email, @user.errors.get(:email))
743 @user.errors.set(:email, [])
752 # require that the user is a administrator, or fill out a helpful error message
753 # and return them to the user page.
754 def require_administrator
755 if @user and not @user.administrator?
756 flash[:error] = t('user.filter.not_an_administrator')
758 if params[:display_name]
759 redirect_to :controller => 'user', :action => 'view', :display_name => params[:display_name]
761 redirect_to :controller => 'user', :action => 'login', :referer => request.fullpath
764 redirect_to :controller => 'user', :action => 'login', :referer => request.fullpath
769 # require that the user in the URL is the logged in user
771 if params[:display_name] != @user.display_name
772 render :text => "", :status => :forbidden
777 # ensure that there is a "this_user" instance variable
778 def lookup_user_by_id
779 @this_user = User.find(params[:id])
783 # ensure that there is a "this_user" instance variable
784 def lookup_user_by_name
785 @this_user = User.find_by_display_name(params[:display_name])
786 rescue ActiveRecord::RecordNotFound
787 redirect_to :controller => 'user', :action => 'view', :display_name => params[:display_name] unless @this_user
792 def disable_terms_redirect
793 # this is necessary otherwise going to the user terms page, when
794 # having not agreed already would cause an infinite redirect loop.
795 # it's .now so that this doesn't propagate to other pages.
796 flash.now[:skip_terms] = true
800 # return permitted user parameters
802 params.require(:user).permit(:email, :email_confirmation, :display_name, :openid_url, :pass_crypt, :pass_crypt_confirmation)
807 def check_signup_allowed(email = nil)
811 domain = email.split("@").last
814 if blocked = Acl.no_account_creation(request.remote_ip, domain)
815 logger.info "Blocked signup from #{request.remote_ip} for #{email}"
817 render :action => 'blocked'