1 class UserController < ApplicationController
2 layout 'site', :except => [:api_details]
4 skip_before_filter :verify_authenticity_token, :only => [:api_read, :api_details, :api_gpx_files]
5 before_filter :disable_terms_redirect, :only => [:terms, :save, :logout, :api_details]
6 before_filter :authorize, :only => [:api_details, :api_gpx_files]
7 before_filter :authorize_web, :except => [:api_read, :api_details, :api_gpx_files]
8 before_filter :set_locale, :except => [:api_read, :api_details, :api_gpx_files]
9 before_filter :require_user, :only => [:account, :go_public, :make_friend, :remove_friend]
10 before_filter :require_self, :only => [:account]
11 before_filter :check_database_readable, :except => [:login, :api_read, :api_details, :api_gpx_files]
12 before_filter :check_database_writable, :only => [:new, :account, :confirm, :confirm_email, :lost_password, :reset_password, :go_public, :make_friend, :remove_friend]
13 before_filter :check_api_readable, :only => [:api_read, :api_details, :api_gpx_files]
14 before_filter :require_allow_read_prefs, :only => [:api_details]
15 before_filter :require_allow_read_gpx, :only => [:api_gpx_files]
16 before_filter :require_cookies, :only => [:new, :login, :confirm]
17 before_filter :require_administrator, :only => [:set_status, :delete, :list]
18 around_filter :api_call_handle_error, :only => [:api_read, :api_details, :api_gpx_files]
19 before_filter :lookup_user_by_id, :only => [:api_read]
20 before_filter :lookup_user_by_name, :only => [:set_status, :delete]
23 @legale = params[:legale] || OSM.IPToCountry(request.remote_ip) || DEFAULT_LEGALE
24 @text = OSM.legal_text_for_country(@legale)
27 render :partial => "terms"
29 @title = t 'user.terms.title'
31 if @user and @user.terms_agreed?
32 # Already agreed to terms, so just show settings
33 redirect_to :action => :account, :display_name => @user.display_name
34 elsif @user.nil? and session[:new_user].nil?
35 redirect_to :action => :login, :referer => request.fullpath
41 @title = t 'user.new.title'
45 @user.terms_seen = true
48 flash[:notice] = t 'user.new.terms declined', :url => t('user.new.terms declined url')
52 redirect_to params[:referer]
54 redirect_to :action => :account, :display_name => @user.display_name
57 redirect_to t('user.terms.declined')
60 if !@user.terms_agreed?
61 @user.consider_pd = params[:user][:consider_pd]
62 @user.terms_agreed = Time.now.getutc
63 @user.terms_seen = true
65 flash[:notice] = t 'user.new.terms accepted'
70 redirect_to params[:referer]
72 redirect_to :action => :account, :display_name => @user.display_name
75 @user = session.delete(:new_user)
77 if check_signup_allowed(@user.email)
78 @user.data_public = true
79 @user.description = "" if @user.description.nil?
80 @user.creation_ip = request.remote_ip
81 @user.languages = http_accept_language.user_preferred_languages
82 @user.terms_agreed = Time.now.getutc
83 @user.terms_seen = true
84 @user.openid_url = nil if @user.openid_url and @user.openid_url.empty?
87 flash[:piwik_goal] = PIWIK["goals"]["signup"] if defined?(PIWIK)
89 referer = welcome_path
92 uri = URI(session[:referer])
93 /map=(.*)\/(.*)\/(.*)/.match(uri.fragment) do |m|
94 editor = Rack::Utils.parse_query(uri.query).slice('editor')
95 referer = welcome_path({'zoom' => m[1],
97 'lon' => m[3]}.merge(editor))
103 if @user.status == "active"
104 session[:referer] = referer
105 successful_login(@user)
107 session[:token] = @user.tokens.create.token
108 Notifier.signup_confirm(@user, @user.tokens.create(:referer => referer)).deliver_now
109 redirect_to :action => 'confirm', :display_name => @user.display_name
112 render :action => 'new', :referer => params[:referer]
119 @title = t 'user.account.title'
120 @tokens = @user.oauth_tokens.authorized
122 if params[:user] and params[:user][:display_name] and params[:user][:description]
123 if params[:user][:openid_url] and
124 params[:user][:openid_url].length > 0 and
125 params[:user][:openid_url] != @user.openid_url
126 # If the OpenID has changed, we want to check that it is a
127 # valid OpenID and one the user has control over before saving
128 # it as a password equivalent for the user.
129 session[:new_user_settings] = params
130 openid_verify(params[:user][:openid_url], @user)
132 update_user(@user, params)
135 # The redirect from the OpenID provider reenters here
136 # again and we need to pass the parameters through to
137 # the open_id_authentication function
138 settings = session.delete(:new_user_settings)
139 openid_verify(nil, @user) do |user|
140 update_user(user, settings)
146 @user.data_public = true
148 flash[:notice] = t 'user.go_public.flash success'
149 redirect_to :controller => 'user', :action => 'account', :display_name => @user.display_name
153 @title = t 'user.lost_password.title'
155 if params[:user] and params[:user][:email]
156 user = User.visible.find_by_email(params[:user][:email])
159 users = User.visible.where("LOWER(email) = LOWER(?)", params[:user][:email])
167 token = user.tokens.create
168 Notifier.lost_password(user, token).deliver_now
169 flash[:notice] = t 'user.lost_password.notice email on way'
170 redirect_to :action => 'login'
172 flash.now[:error] = t 'user.lost_password.notice email cannot find'
178 @title = t 'user.reset_password.title'
181 token = UserToken.find_by_token(params[:token])
187 @user.pass_crypt = params[:user][:pass_crypt]
188 @user.pass_crypt_confirmation = params[:user][:pass_crypt_confirmation]
189 @user.status = "active" if @user.status == "pending"
190 @user.email_valid = true
194 flash[:notice] = t 'user.reset_password.flash changed'
195 redirect_to :action => 'login'
199 flash[:error] = t 'user.reset_password.flash token bad'
200 redirect_to :action => 'lost_password'
203 render :text => "", :status => :bad_request
208 @title = t 'user.new.title'
209 @referer = params[:referer] || session[:referer]
212 # The redirect from the OpenID provider reenters here
213 # again and we need to pass the parameters through to
214 # the open_id_authentication function
215 @user = session.delete(:new_user)
217 openid_verify(nil, @user) do |user, verified_email|
218 user.status = "active" if user.email == verified_email
221 if @user.openid_url.nil? or @user.invalid?
222 render :action => 'new'
224 session[:new_user] = @user
225 redirect_to :action => 'terms'
228 # The user is logged in already, so don't show them the signup
229 # page, instead send them to the home page
233 redirect_to :controller => 'site', :action => 'index'
235 elsif params.key?(:openid)
236 @user = User.new(:email => params[:email],
237 :email_confirmation => params[:email],
238 :display_name => params[:nickname],
239 :openid_url => params[:openid])
241 flash.now[:notice] = t 'user.new.openid association'
248 @user = User.new(user_params)
250 if check_signup_allowed(@user.email)
251 session[:referer] = params[:referer]
253 @user.status = "pending"
255 if @user.openid_url.present? && @user.pass_crypt.empty?
256 # We are creating an account with OpenID and no password
257 # was specified so create a random one
258 @user.pass_crypt = SecureRandom.base64(16)
259 @user.pass_crypt_confirmation = @user.pass_crypt
263 # Something is wrong with a new user, so rerender the form
264 render :action => "new"
265 elsif @user.openid_url.present?
266 # Verify OpenID before moving on
267 session[:new_user] = @user
268 openid_verify(@user.openid_url, @user)
270 # Save the user record
271 session[:new_user] = @user
272 redirect_to :action => :terms
278 if params[:username] or using_open_id?
279 session[:remember_me] ||= params[:remember_me]
280 session[:referer] ||= params[:referer]
283 openid_authentication(params[:openid_url])
285 password_authentication(params[:username], params[:password])
291 @title = t 'user.logout.title'
293 if params[:session] == request.session_options[:id]
295 token = UserToken.find_by_token(session[:token])
299 session.delete(:token)
301 session.delete(:user)
302 session_expires_automatically
304 redirect_to params[:referer]
306 redirect_to :controller => 'site', :action => 'index'
313 token = UserToken.find_by_token(params[:confirm_string])
314 if token && token.user.active?
315 flash[:error] = t('user.confirm.already active')
316 redirect_to :action => 'login'
317 elsif !token || token.expired?
318 flash[:error] = t('user.confirm.unknown token')
319 redirect_to :action => 'confirm'
322 user.status = "active"
323 user.email_valid = true
325 referer = token.referer
329 token = UserToken.find_by_token(session[:token])
330 session.delete(:token)
335 if token.nil? or token.user != user
336 flash[:notice] = t('user.confirm.success')
337 redirect_to :action => :login, :referer => referer
341 session[:user] = user.id
343 redirect_to referer || welcome_path
347 user = User.find_by_display_name(params[:display_name])
348 if !user || user.active?
349 redirect_to root_path
355 if user = User.find_by_display_name(params[:display_name])
356 Notifier.signup_confirm(user, user.tokens.create).deliver_now
357 flash[:notice] = t 'user.confirm_resend.success', :email => user.email
359 flash[:notice] = t 'user.confirm_resend.failure', :name => params[:display_name]
362 redirect_to :action => 'login'
367 token = UserToken.find_by_token(params[:confirm_string])
368 if token and token.user.new_email?
370 @user.email = @user.new_email
371 @user.new_email = nil
372 @user.email_valid = true
374 flash[:notice] = t 'user.confirm_email.success'
376 flash[:errors] = @user.errors
379 session[:user] = @user.id
380 redirect_to :action => 'account', :display_name => @user.display_name
382 flash[:error] = t 'user.confirm_email.failure'
383 redirect_to :action => 'account', :display_name => @user.display_name
389 render :text => "", :status => :gone unless @this_user.visible?
394 render :action => :api_read
398 doc = OSM::API.new.get_xml_doc
399 @user.traces.each do |trace|
400 doc.root << trace.to_xml_node() if trace.public? or trace.user == @user
402 render :text => doc.to_s, :content_type => "text/xml"
406 @this_user = User.find_by_display_name(params[:display_name])
409 (@this_user.visible? or (@user and @user.administrator?))
410 @title = @this_user.display_name
412 render_unknown_user params[:display_name]
417 @new_friend = User.find_by_display_name(params[:display_name])
422 friend.user_id = @user.id
423 friend.friend_user_id = @new_friend.id
424 unless @user.is_friends_with?(@new_friend)
426 flash[:notice] = t 'user.make_friend.success', :name => @new_friend.display_name
427 Notifier.friend_notification(friend).deliver_now
429 friend.add_error(t('user.make_friend.failed', :name => @new_friend.display_name))
432 flash[:warning] = t 'user.make_friend.already_a_friend', :name => @new_friend.display_name
436 redirect_to params[:referer]
438 redirect_to :controller => 'user', :action => 'view'
442 render_unknown_user params[:display_name]
447 @friend = User.find_by_display_name(params[:display_name])
451 if @user.is_friends_with?(@friend)
452 Friend.delete_all "user_id = #{@user.id} AND friend_user_id = #{@friend.id}"
453 flash[:notice] = t 'user.remove_friend.success', :name => @friend.display_name
455 flash[:error] = t 'user.remove_friend.not_a_friend', :name => @friend.display_name
459 redirect_to params[:referer]
461 redirect_to :controller => 'user', :action => 'view'
465 render_unknown_user params[:display_name]
470 # sets a user's status
472 @this_user.status = params[:status]
474 redirect_to :controller => 'user', :action => 'view', :display_name => params[:display_name]
478 # delete a user, marking them as deleted and removing personal data
481 redirect_to :controller => 'user', :action => 'view', :display_name => params[:display_name]
485 # display a list of users matching specified criteria
488 ids = params[:user].keys.collect { |id| id.to_i }
490 User.update_all("status = 'confirmed'", :id => ids) if params[:confirm]
491 User.update_all("status = 'deleted'", :id => ids) if params[:hide]
493 redirect_to url_for(:status => params[:status], :ip => params[:ip], :page => params[:page])
495 conditions = Hash.new
496 conditions[:status] = params[:status] if params[:status]
497 conditions[:creation_ip] = params[:ip] if params[:ip]
499 @user_pages, @users = paginate(:users,
500 :conditions => conditions,
509 # handle password authentication
510 def password_authentication(username, password)
511 if user = User.authenticate(:username => username, :password => password)
512 successful_login(user)
513 elsif user = User.authenticate(:username => username, :password => password, :pending => true)
514 unconfirmed_login(user)
515 elsif User.authenticate(:username => username, :password => password, :suspended => true)
516 failed_login t('user.login.account is suspended', :webmaster => "mailto:webmaster@openstreetmap.org")
518 failed_login t('user.login.auth failure')
523 # handle OpenID authentication
524 def openid_authentication(openid_url)
525 # If we don't appear to have a user for this URL then ask the
526 # provider for some extra information to help with signup
527 if openid_url and User.find_by_openid_url(openid_url)
530 required = [:nickname, :email, "http://axschema.org/namePerson/friendly", "http://axschema.org/contact/email"]
533 # Start the authentication
534 authenticate_with_open_id(openid_expand_url(openid_url), :method => :get, :required => required) do |result, identity_url, sreg, ax|
535 if result.successful?
536 # We need to use the openid url passed back from the OpenID provider
537 # rather than the one supplied by the user, as these can be different.
539 # For example, you can simply enter yahoo.com in the login box rather
540 # than a user specific url. Only once it comes back from the provider
541 # provider do we know the unique address for the user.
542 if user = User.find_by_openid_url(identity_url)
545 unconfirmed_login(user)
546 when "active", "confirmed" then
547 successful_login(user)
548 when "suspended" then
549 failed_login t('user.login.account is suspended', :webmaster => "mailto:webmaster@openstreetmap.org")
551 failed_login t('user.login.auth failure')
554 # Guard against not getting any extension data
555 sreg = Hash.new if sreg.nil?
556 ax = Hash.new if ax.nil?
558 # We don't have a user registered to this OpenID, so redirect
559 # to the create account page with username and email filled
560 # in if they have been given by the OpenID provider through
561 # the simple registration protocol.
562 nickname = sreg["nickname"] || ax["http://axschema.org/namePerson/friendly"].first
563 email = sreg["email"] || ax["http://axschema.org/contact/email"].first
565 redirect_to :controller => 'user', :action => 'new', :nickname => nickname, :email => email, :openid => identity_url
567 elsif result.missing?
568 failed_login t('user.login.openid missing provider')
569 elsif result.invalid?
570 failed_login t('user.login.openid invalid')
572 failed_login t('user.login.auth failure')
578 # verify an OpenID URL
579 def openid_verify(openid_url, user)
580 user.openid_url = openid_url
582 authenticate_with_open_id(openid_expand_url(openid_url), :method => :get, :required => [:email, "http://axschema.org/contact/email"]) do |result, identity_url, sreg, ax|
583 if result.successful?
584 # Do we trust the emails this provider returns?
585 if openid_email_verified(identity_url)
586 # Guard against not getting any extension data
587 sreg = Hash.new if sreg.nil?
588 ax = Hash.new if ax.nil?
590 # Get the verified email
591 verified_email = sreg["email"] || ax["http://axschema.org/contact/email"].first
594 # We need to use the openid url passed back from the OpenID provider
595 # rather than the one supplied by the user, as these can be different.
597 # For example, you can simply enter yahoo.com in the login box rather
598 # than a user specific url. Only once it comes back from the provider
599 # provider do we know the unique address for the user.
600 user.openid_url = identity_url
601 yield user, verified_email
602 elsif result.missing?
603 flash.now[:error] = t 'user.login.openid missing provider'
604 elsif result.invalid?
605 flash.now[:error] = t 'user.login.openid invalid'
607 flash.now[:error] = t 'user.login.auth failure'
613 # special case some common OpenID providers by applying heuristics to
614 # try and come up with the correct URL based on what the user entered
615 def openid_expand_url(openid_url)
618 elsif openid_url.match(/(.*)gmail.com(\/?)$/) or openid_url.match(/(.*)googlemail.com(\/?)$/)
619 # Special case gmail.com as it is potentially a popular OpenID
620 # provider and, unlike yahoo.com, where it works automatically, Google
621 # have hidden their OpenID endpoint somewhere obscure this making it
622 # somewhat less user friendly.
623 return 'https://www.google.com/accounts/o8/id'
630 # check if we trust an OpenID provider to return a verified
631 # email, so that we can skpi verifying it ourselves
632 def openid_email_verified(openid_url)
633 openid_url.match(/https:\/\/www.google.com\/accounts\/o8\/id?(.*)/) or
634 openid_url.match(/https:\/\/me.yahoo.com\/(.*)/)
638 # process a successful login
639 def successful_login(user)
640 session[:user] = user.id
641 session_expires_after 28.days if session[:remember_me]
643 target = session[:referer] || url_for(:controller => :site, :action => :index)
645 # The user is logged in, so decide where to send them:
647 # - If they haven't seen the contributor terms, send them there.
648 # - If they have a block on them, show them that.
649 # - If they were referred to the login, send them back there.
650 # - Otherwise, send them to the home page.
651 if REQUIRE_TERMS_SEEN and not user.terms_seen
652 redirect_to :controller => :user, :action => :terms, :referer => target
653 elsif user.blocked_on_view
654 redirect_to user.blocked_on_view, :referer => target
659 session.delete(:remember_me)
660 session.delete(:referer)
664 # process a failed login
665 def failed_login(message)
666 flash[:error] = message
668 redirect_to :action => 'login', :referer => session[:referer]
670 session.delete(:remember_me)
671 session.delete(:referer)
676 def unconfirmed_login(user)
677 redirect_to :action => 'confirm', :display_name => user.display_name
679 session.delete(:remember_me)
680 session.delete(:referer)
684 # update a user's details
685 def update_user(user, params)
686 user.display_name = params[:user][:display_name]
687 user.new_email = params[:user][:new_email]
689 if params[:user][:pass_crypt].length > 0 or params[:user][:pass_crypt_confirmation].length > 0
690 user.pass_crypt = params[:user][:pass_crypt]
691 user.pass_crypt_confirmation = params[:user][:pass_crypt_confirmation]
694 if params[:user][:description] != user.description
695 user.description = params[:user][:description]
696 user.description_format = "markdown"
699 user.languages = params[:user][:languages].split(",")
701 case params[:image_action]
703 user.image = params[:user][:image]
704 user.image_use_gravatar = false
707 user.image_use_gravatar = false
710 user.image_use_gravatar = true
713 user.home_lat = params[:user][:home_lat]
714 user.home_lon = params[:user][:home_lon]
716 if params[:user][:preferred_editor] == "default"
717 user.preferred_editor = nil
719 user.preferred_editor = params[:user][:preferred_editor]
722 user.openid_url = nil if params[:user][:openid_url].blank?
727 if user.new_email.blank? or user.new_email == user.email
728 flash.now[:notice] = t 'user.account.flash update success'
730 user.email = user.new_email
733 flash.now[:notice] = t 'user.account.flash update success confirm needed'
736 Notifier.email_confirm(user, user.tokens.create).deliver_now
738 # Ignore errors sending email
741 @user.errors.set(:new_email, @user.errors.get(:email))
742 @user.errors.set(:email, [])
751 # require that the user is a administrator, or fill out a helpful error message
752 # and return them to the user page.
753 def require_administrator
754 if @user and not @user.administrator?
755 flash[:error] = t('user.filter.not_an_administrator')
757 if params[:display_name]
758 redirect_to :controller => 'user', :action => 'view', :display_name => params[:display_name]
760 redirect_to :controller => 'user', :action => 'login', :referer => request.fullpath
763 redirect_to :controller => 'user', :action => 'login', :referer => request.fullpath
768 # require that the user in the URL is the logged in user
770 if params[:display_name] != @user.display_name
771 render :text => "", :status => :forbidden
776 # ensure that there is a "this_user" instance variable
777 def lookup_user_by_id
778 @this_user = User.find(params[:id])
782 # ensure that there is a "this_user" instance variable
783 def lookup_user_by_name
784 @this_user = User.find_by_display_name(params[:display_name])
785 rescue ActiveRecord::RecordNotFound
786 redirect_to :controller => 'user', :action => 'view', :display_name => params[:display_name] unless @this_user
791 def disable_terms_redirect
792 # this is necessary otherwise going to the user terms page, when
793 # having not agreed already would cause an infinite redirect loop.
794 # it's .now so that this doesn't propagate to other pages.
795 flash.now[:skip_terms] = true
799 # return permitted user parameters
801 params.require(:user).permit(:email, :email_confirmation, :display_name, :openid_url, :pass_crypt, :pass_crypt_confirmation)
806 def check_signup_allowed(email = nil)
810 domain = email.split("@").last
813 if blocked = Acl.no_account_creation(request.remote_ip, domain)
814 logger.info "Blocked signup from #{request.remote_ip} for #{email}"
816 render :action => 'blocked'