##
# Handles the two token-driven confirmation flows: account activation
# (+confirm+ / +confirm_resend+) and e-mail address change (+confirm_email+).
# In both cases the secret arrives as +params[:confirm_string]+, is looked up
# as a +UserToken+, and is destroyed once it has been used.
class ConfirmationsController < ApplicationController
  include SessionMethods
  include UserMethods

  layout "site"

  before_action :authorize_web
  before_action :set_locale
  before_action :check_database_readable

  authorize_resource :class => false

  # Only the two token-consuming actions write to the database.
  before_action :check_database_writable, :only => [:confirm, :confirm_email]
  # +confirm+ reads the signup token from the session, so it needs cookies.
  before_action :require_cookies, :only => [:confirm]

  ##
  # Account activation.
  #
  # GET: looks up the visible user named by +params[:display_name]+ and
  # redirects to the root path when that user is unknown or already active.
  #
  # POST: looks up the +UserToken+ named by +params[:confirm_string]+ and
  # rejects it when its owner is already active, when the token is missing or
  # expired, or when its owner is not visible. Otherwise the owner is
  # activated and saved, the token is destroyed, and the browser is sent to
  # the login page — or, when the session still holds a signup token for the
  # same user, logged in directly and sent to the referer or welcome page.
  def confirm
    if request.post?
      token = UserToken.find_by(:token => params[:confirm_string])
      if token&.user&.active?
        flash[:error] = t(".already active")
        redirect_to login_path
      elsif !token || token.expired?
        flash[:error] = t(".unknown token")
        redirect_to :action => "confirm"
      elsif !token.user.visible?
        render_unknown_user token.user.display_name
      else
        user = token.user
        user.activate
        user.email_valid = true
        flash[:notice] = gravatar_status_message(user) if gravatar_enable(user)
        user.save!
        # The stored referer goes through safe_referer before it can become a
        # redirect target; it must be read before the token is destroyed.
        referer = safe_referer(token.referer) if token.referer
        token.destroy

        # Consume the signup token kept in the session (if any) so that it
        # cannot be presented again on a later request.
        if session[:token]
          token = UserToken.find_by(:token => session[:token])
          session.delete(:token)
        else
          token = nil
        end

        if token.nil? || token.user != user
          # NOTE(review): this overwrites any gravatar status message set above,
          # so that message is only ever shown on the auto-login path below.
          flash[:notice] = t(".success")
          redirect_to login_path(:referer => referer)
        else
          # The session token belongs to the user just activated: destroy it
          # and establish a session for them.
          token.destroy

          session[:user] = user.id
          session[:fingerprint] = user.fingerprint

          redirect_to referer || welcome_path
        end
      end
    else
      user = User.visible.find_by(:display_name => params[:display_name])

      redirect_to root_path if user.nil? || user.active?
    end
  end

  ##
  # Re-sends the signup confirmation e-mail for +params[:display_name]+.
  #
  # Only honoured when the session still carries a signup token that belongs
  # to that (visible) user; otherwise a generic failure flash is set. Always
  # redirects to the login page.
  def confirm_resend
    user = User.visible.find_by(:display_name => params[:display_name])
    token = UserToken.find_by(:token => session[:token])

    if user.nil? || token.nil? || token.user != user
      flash[:error] = t ".failure", :name => params[:display_name]
    else
      # A fresh token is created for the new mail; the session token is kept.
      UserMailer.signup_confirm(user, user.tokens.create).deliver_later
      flash[:notice] = { :partial => "confirmations/resend_success_flash", :locals => { :email => user.email, :sender => Settings.email_from } }
    end

    redirect_to login_path
  end

  ##
  # Confirms a pending e-mail address change.
  #
  # POST: the +UserToken+ named by +params[:confirm_string]+ must belong to a
  # user with a pending +new_email+. That address is promoted to +email+,
  # every token of the user is deleted, the user is signed in and the browser
  # is redirected to the account page. A token whose owner has no pending
  # change yields the ".failure" flash; an unknown token yields
  # ".unknown_token". Non-POST requests take no action here.
  def confirm_email
    if request.post?
      token = UserToken.find_by(:token => params[:confirm_string])
      if token&.user&.new_email?
        self.current_user = token.user
        current_user.email = current_user.new_email
        current_user.new_email = nil
        current_user.email_valid = true
        gravatar_enabled = gravatar_enable(current_user)
        if current_user.save
          flash[:notice] = if gravatar_enabled
                             "#{t('.success')} #{gravatar_status_message(current_user)}"
                           else
                             t(".success")
                           end
        else
          flash[:errors] = current_user.errors
        end
        # NOTE(review): all tokens are removed and the session is established
        # even when the save above failed — confirm this is intended.
        current_user.tokens.delete_all
        session[:user] = current_user.id
        session[:fingerprint] = current_user.fingerprint
      elsif token
        flash[:error] = t ".failure"
      else
        flash[:error] = t ".unknown_token"
      end

      redirect_to edit_account_path
    end
  end

  private

  ##
  # Check whether Gravatar has an image for the user's e-mail address and
  # store the answer in the user's +image_use_gravatar+ preference.
  #
  # Skipped (returns false) when the user has uploaded their own avatar. Any
  # error while contacting Gravatar is treated as "no image available", so a
  # network problem never blocks confirmation. Returns true only when the
  # stored preference actually changed.
  def gravatar_enable(user)
    # code from example https://en.gravatar.com/site/implement/images/ruby/
    return false if user.avatar.attached?

    begin
      # Gravatar addresses images by the MD5 of the lower-cased e-mail.
      hash = Digest::MD5.hexdigest(user.email.downcase)
      url = "https://www.gravatar.com/avatar/#{hash}?d=404" # without d=404 we will always get an image back
      response = OSM.http_client.get(URI.parse(url))
      available = response.success?
    rescue StandardError
      # Best effort: any failure (network, parsing, client) means "no gravatar".
      available = false
    end

    oldsetting = user.image_use_gravatar
    user.image_use_gravatar = available
    oldsetting != user.image_use_gravatar
  end

  ##
  # Translated message describing the current state of the user's gravatar
  # setting (enabled or disabled).
  def gravatar_status_message(user)
    if user.image_use_gravatar
      t "profiles.edit.gravatar.enabled"
    else
      t "profiles.edit.gravatar.disabled"
    end
  end
end