]> git.openstreetmap.org Git - rails.git/blob - app/controllers/users_controller.rb
Add validation for maximum ID passed to changesets#index
[rails.git] / app / controllers / users_controller.rb
1 class UsersController < ApplicationController
2   include EmailMethods
3   include SessionMethods
4   include UserMethods
5   include PaginationMethods
6
7   layout "site"
8
9   skip_before_action :verify_authenticity_token, :only => [:auth_success]
10   before_action :disable_terms_redirect, :only => [:terms, :save]
11   before_action :authorize_web
12   before_action :set_locale
13   before_action :check_database_readable
14
15   authorize_resource
16
17   before_action :check_database_writable, :only => [:new, :go_public]
18   before_action :require_cookies, :only => [:new]
19   before_action :lookup_user_by_name, :only => [:set_status, :destroy]
20   before_action :allow_thirdparty_images, :only => [:show]
21
22   ##
23   # display a list of users matching specified criteria
24   def index
25     if request.post?
26       ids = params[:user].keys.collect(&:to_i)
27
28       User.where(:id => ids).update_all(:status => "confirmed") if params[:confirm]
29       User.where(:id => ids).update_all(:status => "deleted") if params[:hide]
30
31       redirect_to url_for(:status => params[:status], :ip => params[:ip], :page => params[:page])
32     else
33       @params = params.permit(:status, :ip, :before, :after)
34
35       users = User.all
36       users = users.where(:status => @params[:status]) if @params[:status]
37       users = users.where(:creation_ip => @params[:ip]) if @params[:ip]
38
39       @users_count = users.count
40       @users, @newer_users_id, @older_users_id = get_page_items(users, :limit => 50)
41     end
42   end
43
44   def show
45     @user = User.find_by(:display_name => params[:display_name])
46
47     if @user &&
48        (@user.visible? || current_user&.administrator?)
49       @title = @user.display_name
50     else
51       render_unknown_user params[:display_name]
52     end
53   end
54
55   def new
56     @title = t ".title"
57     @referer = if params[:referer]
58                  safe_referer(params[:referer])
59                else
60                  session[:referer]
61                end
62
63     append_content_security_policy_directives(
64       :form_action => %w[accounts.google.com *.facebook.com login.live.com github.com meta.wikimedia.org]
65     )
66
67     if current_user
68       # The user is logged in already, so don't show them the signup
69       # page, instead send them to the home page
70       redirect_to @referer || { :controller => "site", :action => "index" }
71     elsif params.key?(:auth_provider) && params.key?(:auth_uid)
72       self.current_user = User.new(:email => params[:email],
73                                    :email_confirmation => params[:email],
74                                    :display_name => params[:nickname],
75                                    :auth_provider => params[:auth_provider],
76                                    :auth_uid => params[:auth_uid])
77
78       flash.now[:notice] = render_to_string :partial => "auth_association"
79     else
80       check_signup_allowed
81
82       self.current_user = User.new
83     end
84   end
85
86   def create
87     self.current_user = User.new(user_params)
88
89     if check_signup_allowed(current_user.email)
90       session[:referer] = safe_referer(params[:referer]) if params[:referer]
91
92       Rails.logger.info "create: #{session[:referer]}"
93
94       if current_user.auth_provider.present? && current_user.pass_crypt.empty?
95         # We are creating an account with external authentication and
96         # no password was specified so create a random one
97         current_user.pass_crypt = SecureRandom.base64(16)
98         current_user.pass_crypt_confirmation = current_user.pass_crypt
99       end
100
101       if current_user.invalid?
102         # Something is wrong with a new user, so rerender the form
103         render :action => "new"
104       elsif current_user.auth_provider.present?
105         # Verify external authenticator before moving on
106         session[:new_user] = current_user.slice("email", "display_name", "pass_crypt", "pass_crypt_confirmation")
107         redirect_to auth_url(current_user.auth_provider, current_user.auth_uid), :status => :temporary_redirect
108       else
109         # Save the user record
110         session[:new_user] = current_user.slice("email", "display_name", "pass_crypt", "pass_crypt_confirmation")
111         redirect_to :action => :terms
112       end
113     end
114   end
115
116   ##
117   # destroy a user, marking them as deleted and removing personal data
118   def destroy
119     @user.soft_destroy!
120     redirect_to user_path(:display_name => params[:display_name])
121   end
122
123   def terms
124     @legale = params[:legale] || OSM.ip_to_country(request.remote_ip) || Settings.default_legale
125     @text = OSM.legal_text_for_country(@legale)
126
127     if request.xhr?
128       render :partial => "terms"
129     else
130       @title = t ".title"
131
132       if current_user&.terms_agreed?
133         # Already agreed to terms, so just show settings
134         redirect_to edit_account_path
135       elsif current_user.nil? && session[:new_user].nil?
136         redirect_to login_path(:referer => request.fullpath)
137       end
138     end
139   end
140
141   def save
142     @title = t "users.new.title"
143
144     if params[:decline] || !(params[:read_tou] && params[:read_ct])
145       if current_user
146         current_user.terms_seen = true
147
148         flash[:notice] = { :partial => "users/terms_declined_flash" } if current_user.save
149
150         referer = safe_referer(params[:referer]) if params[:referer]
151
152         redirect_to referer || edit_account_path
153       elsif params[:decline]
154         redirect_to t("users.terms.declined"), :allow_other_host => true
155       else
156         redirect_to :action => :terms
157       end
158     elsif current_user
159       unless current_user.terms_agreed?
160         current_user.consider_pd = params[:user][:consider_pd]
161         current_user.tou_agreed = Time.now.utc
162         current_user.terms_agreed = Time.now.utc
163         current_user.terms_seen = true
164
165         flash[:notice] = t "users.new.terms accepted" if current_user.save
166       end
167
168       referer = safe_referer(params[:referer]) if params[:referer]
169
170       redirect_to referer || edit_account_path
171     else
172       new_user = session.delete(:new_user)
173       verified_email = new_user.delete("verified_email")
174
175       self.current_user = User.new(new_user)
176
177       if check_signup_allowed(current_user.email)
178         current_user.data_public = true
179         current_user.description = "" if current_user.description.nil?
180         current_user.creation_ip = request.remote_ip
181         current_user.languages = http_accept_language.user_preferred_languages
182         current_user.terms_agreed = Time.now.utc
183         current_user.tou_agreed = Time.now.utc
184         current_user.terms_seen = true
185
186         if current_user.auth_uid.blank?
187           current_user.auth_provider = nil
188           current_user.auth_uid = nil
189         elsif current_user.email == verified_email
190           current_user.activate
191         end
192
193         if current_user.save
194           SIGNUP_IP_LIMITER&.update(request.remote_ip)
195           SIGNUP_EMAIL_LIMITER&.update(canonical_email(current_user.email))
196
197           flash[:matomo_goal] = Settings.matomo["goals"]["signup"] if defined?(Settings.matomo)
198
199           referer = welcome_path(welcome_options)
200
201           if current_user.status == "active"
202             session[:referer] = referer
203             successful_login(current_user)
204           else
205             session[:pending_user] = current_user.id
206             UserMailer.signup_confirm(current_user, current_user.generate_token_for(:new_user), referer).deliver_later
207             redirect_to :controller => :confirmations, :action => :confirm, :display_name => current_user.display_name
208           end
209         else
210           render :action => "new", :referer => params[:referer]
211         end
212       end
213     end
214   end
215
216   def go_public
217     current_user.data_public = true
218     current_user.save
219     flash[:notice] = t ".flash success"
220     redirect_to edit_account_path
221   end
222
223   ##
224   # sets a user's status
225   def set_status
226     @user.activate! if params[:event] == "activate"
227     @user.confirm! if params[:event] == "confirm"
228     @user.unconfirm! if params[:event] == "unconfirm"
229     @user.hide! if params[:event] == "hide"
230     @user.unhide! if params[:event] == "unhide"
231     @user.unsuspend! if params[:event] == "unsuspend"
232     redirect_to user_path(:display_name => params[:display_name])
233   end
234
235   ##
236   # omniauth success callback
237   def auth_success
238     auth_info = request.env["omniauth.auth"]
239
240     provider = auth_info[:provider]
241     uid = auth_info[:uid]
242     name = auth_info[:info][:name]
243     email = auth_info[:info][:email]
244
245     email_verified = case provider
246                      when "openid"
247                        uid.match(%r{https://www.google.com/accounts/o8/id?(.*)}) ||
248                        uid.match(%r{https://me.yahoo.com/(.*)})
249                      when "google", "facebook", "microsoft", "github", "wikipedia"
250                        true
251                      else
252                        false
253                      end
254
255     if settings = session.delete(:new_user_settings)
256       current_user.auth_provider = provider
257       current_user.auth_uid = uid
258
259       update_user(current_user, settings)
260
261       flash.discard
262
263       session[:user_errors] = current_user.errors.as_json
264
265       redirect_to edit_account_path
266     elsif session[:new_user]
267       session[:new_user]["auth_provider"] = provider
268       session[:new_user]["auth_uid"] = uid
269       session[:new_user]["verified_email"] = email if email_verified
270
271       redirect_to :action => "terms"
272     else
273       user = User.find_by(:auth_provider => provider, :auth_uid => uid)
274
275       if user.nil? && provider == "google"
276         openid_url = auth_info[:extra][:id_info]["openid_id"]
277         user = User.find_by(:auth_provider => "openid", :auth_uid => openid_url) if openid_url
278         user&.update(:auth_provider => provider, :auth_uid => uid)
279       end
280
281       if user
282         case user.status
283         when "pending"
284           unconfirmed_login(user)
285         when "active", "confirmed"
286           successful_login(user, request.env["omniauth.params"]["referer"])
287         when "suspended"
288           failed_login({ :partial => "sessions/suspended_flash" })
289         else
290           failed_login t("sessions.new.auth failure")
291         end
292       else
293         redirect_to :action => "new", :nickname => name, :email => email,
294                     :auth_provider => provider, :auth_uid => uid
295       end
296     end
297   end
298
299   ##
300   # omniauth failure callback
301   def auth_failure
302     flash[:error] = t(params[:message], :scope => "users.auth_failure", :default => t(".unknown_error"))
303
304     origin = safe_referer(params[:origin]) if params[:origin]
305
306     redirect_to origin || login_url
307   end
308
309   private
310
311   def welcome_options
312     uri = URI(session[:referer]) if session[:referer].present?
313
314     return { "oauth_return_url" => uri&.to_s } if uri&.path == oauth_authorization_path
315
316     begin
317       %r{map=(.*)/(.*)/(.*)}.match(uri.fragment) do |m|
318         editor = Rack::Utils.parse_query(uri.query).slice("editor")
319         return { "zoom" => m[1], "lat" => m[2], "lon" => m[3] }.merge(editor)
320       end
321     rescue StandardError
322       # Use default
323     end
324   end
325
326   ##
327   # ensure that there is a "user" instance variable
328   def lookup_user_by_name
329     @user = User.find_by(:display_name => params[:display_name])
330   rescue ActiveRecord::RecordNotFound
331     redirect_to :action => "view", :display_name => params[:display_name] unless @user
332   end
333
334   ##
335   # return permitted user parameters
336   def user_params
337     params.require(:user).permit(:email, :email_confirmation, :display_name,
338                                  :auth_provider, :auth_uid,
339                                  :pass_crypt, :pass_crypt_confirmation)
340   end
341
342   ##
343   # check signup acls
344   def check_signup_allowed(email = nil)
345     domain = if email.nil?
346                nil
347              else
348                email.split("@").last
349              end
350
351     mx_servers = if domain.nil?
352                    nil
353                  else
354                    domain_mx_servers(domain)
355                  end
356
357     return true if Acl.allow_account_creation(request.remote_ip, :domain => domain, :mx => mx_servers)
358
359     blocked = Acl.no_account_creation(request.remote_ip, :domain => domain, :mx => mx_servers)
360
361     blocked ||= SIGNUP_IP_LIMITER && !SIGNUP_IP_LIMITER.allow?(request.remote_ip)
362
363     blocked ||= email && SIGNUP_EMAIL_LIMITER && !SIGNUP_EMAIL_LIMITER.allow?(canonical_email(email))
364
365     if blocked
366       logger.info "Blocked signup from #{request.remote_ip} for #{email}"
367
368       render :action => "blocked"
369     end
370
371     !blocked
372   end
373 end