- # Utility methods to make the controller filter methods easier to read and write.
- def require_allow_read_prefs
- require_capability(:allow_read_prefs)
- end
-
- def require_allow_write_prefs
- require_capability(:allow_write_prefs)
- end
-
- def require_allow_write_diary
- require_capability(:allow_write_diary)
- end
-
- def require_allow_write_api
- require_capability(:allow_write_api)
-
- if REQUIRE_TERMS_AGREED && @user.terms_agreed.nil?
- report_error "You must accept the contributor terms before you can edit.", :forbidden
- return false
- end
- end
-
- def require_allow_read_gpx
- require_capability(:allow_read_gpx)
- end
-
- def require_allow_write_gpx
- require_capability(:allow_write_gpx)
- end
-
- def require_allow_write_notes
- require_capability(:allow_write_notes)
- end
-
- ##
- # require that the user is a moderator, or fill out a helpful error message
- # and return them to the index for the controller this is wrapped from.
- def require_moderator
- unless @user.moderator?
- if request.get?
- flash[:error] = t('application.require_moderator.not_a_moderator')
- redirect_to :action => 'index'
- else
- render :text => "", :status => :forbidden
- end
- end
- end
-
- ##
- # sets up the @user object for use by other methods. this is mostly called
- # from the authorize method, but can be called elsewhere if authorisation
- # is optional.
- def setup_user_auth
- # try and setup using OAuth
- unless Authenticator.new(self, [:token]).allow?
- username, passwd = get_auth_data # parse from headers
- # authenticate per-scheme
- if username.nil?
- @user = nil # no authentication provided - perhaps first connect (client should retry after 401)
- elsif username == 'token'
- @user = User.authenticate(:token => passwd) # preferred - random token for user from db, passed in basic auth
- else
- @user = User.authenticate(:username => username, :password => passwd) # basic auth
- end
- end
-
- # have we identified the user?
- if @user
- # check if the user has been banned
- if @user.blocks.active.exists?
- # NOTE: need slightly more helpful message than this.
- report_error t('application.setup_user_auth.blocked'), :forbidden
- end
-
- # if the user hasn't seen the contributor terms then don't
- # allow editing - they have to go to the web site and see
- # (but can decline) the CTs to continue.
- if REQUIRE_TERMS_SEEN && !@user.terms_seen && flash[:skip_terms].nil?
- set_locale
- report_error t('application.setup_user_auth.need_to_see_terms'), :forbidden
- end
- end
- end
-
- def authorize(realm = 'Web Password', errormessage = "Couldn't authenticate you")
- # make the @user object from any auth sources we have
- setup_user_auth
-
- # handle authenticate pass/fail
- unless @user
- # no auth, the user does not exist or the password was wrong
- response.headers["WWW-Authenticate"] = "Basic realm=\"#{realm}\""
- render :text => errormessage, :status => :unauthorized
- return false
- end
- end
-
- ##
- # to be used as a before_filter *after* authorize. this checks that
- # the user is a moderator and, if not, returns a forbidden error.
- #
- # NOTE: this isn't a very good way of doing it - it duplicates logic
- # from require_moderator - but what we really need to do is a fairly
- # drastic refactoring based on :format and respond_to? but not a
- # good idea to do that in this branch.
- def authorize_moderator(errormessage = "Access restricted to moderators")
- # check user is a moderator
- unless @user.moderator?
- render :text => errormessage, :status => :forbidden
- return false
- end
- end
-