class UsersController < ApplicationController
+ include SessionMethods
+
layout "site"
skip_before_action :verify_authenticity_token, :only => [:auth_success]
- before_action :disable_terms_redirect, :only => [:terms, :save, :logout]
+ before_action :disable_terms_redirect, :only => [:terms, :save]
before_action :authorize_web
before_action :set_locale
before_action :check_database_readable
before_action :require_self, :only => [:account]
before_action :check_database_writable, :only => [:new, :account, :confirm, :confirm_email, :lost_password, :reset_password, :go_public]
- before_action :require_cookies, :only => [:new, :login, :confirm]
+ before_action :require_cookies, :only => [:new, :confirm]
before_action :lookup_user_by_name, :only => [:set_status, :destroy]
before_action :allow_thirdparty_images, :only => [:show, :account]
:form_action => %w[accounts.google.com *.facebook.com login.live.com github.com meta.wikimedia.org]
)
- if params[:user] && params[:user][:display_name] && params[:user][:description]
+ if request.post?
if params[:user][:auth_provider].blank? ||
(params[:user][:auth_provider] == current_user.auth_provider &&
params[:user][:auth_uid] == current_user.auth_uid)
redirect_to user_account_url(current_user) if current_user.errors.count.zero?
else
session[:new_user_settings] = params
- redirect_to auth_url(params[:user][:auth_provider], params[:user][:auth_uid])
+ redirect_to auth_url(params[:user][:auth_provider], params[:user][:auth_uid]), :status => :temporary_redirect
end
elsif errors = session.delete(:user_errors)
errors.each do |attribute, error|
def lost_password
@title = t "users.lost_password.title"
- if params[:email]
+ if request.post?
user = User.visible.find_by(:email => params[:email])
if user.nil?
token = user.tokens.create
UserMailer.lost_password(user, token).deliver_later
flash[:notice] = t "users.lost_password.notice email on way"
- redirect_to :action => "login"
+ redirect_to login_path
else
flash.now[:error] = t "users.lost_password.notice email cannot find"
end
end
end
- def login
- append_content_security_policy_directives(
- :form_action => %w[accounts.google.com *.facebook.com login.live.com github.com meta.wikimedia.org]
- )
-
- session[:referer] = safe_referer(params[:referer]) if params[:referer]
-
- if params[:username].present? && params[:password].present?
- session[:remember_me] ||= params[:remember_me]
- password_authentication(params[:username], params[:password])
- end
- end
-
- def logout
- @title = t "users.logout.title"
-
- if request.post?
- if session[:token]
- token = UserToken.find_by(:token => session[:token])
- token&.destroy
- session.delete(:token)
- end
- session.delete(:user)
- session_expires_automatically
- if params[:referer]
- redirect_to safe_referer(params[:referer])
- else
- redirect_to :controller => "site", :action => "index"
- end
- end
- end
-
def confirm
if request.post?
token = UserToken.find_by(:token => params[:confirm_string])
if token&.user&.active?
flash[:error] = t("users.confirm.already active")
- redirect_to :action => "login"
+ redirect_to login_path
elsif !token || token.expired?
flash[:error] = t("users.confirm.unknown token")
redirect_to :action => "confirm"
+ elsif !token.user.visible?
+ render_unknown_user token.user.display_name
else
user = token.user
user.status = "active"
if token.nil? || token.user != user
flash[:notice] = t("users.confirm.success")
- redirect_to :action => :login, :referer => referer
+ redirect_to login_path(:referer => referer)
else
token.destroy
end
end
else
- user = User.find_by(:display_name => params[:display_name])
+ user = User.visible.find_by(:display_name => params[:display_name])
redirect_to root_path if user.nil? || user.active?
end
end
def confirm_resend
- user = User.find_by(:display_name => params[:display_name])
+ user = User.visible.find_by(:display_name => params[:display_name])
token = UserToken.find_by(:token => session[:token])
if user.nil? || token.nil? || token.user != user
flash[:notice] = t "users.confirm_resend.success_html", :email => user.email, :sender => Settings.support_email
end
- redirect_to :action => "login"
+ redirect_to login_path
end
def confirm_email
private
- ##
- # handle password authentication
- def password_authentication(username, password)
- if user = User.authenticate(:username => username, :password => password)
- successful_login(user)
- elsif user = User.authenticate(:username => username, :password => password, :pending => true)
- unconfirmed_login(user)
- elsif User.authenticate(:username => username, :password => password, :suspended => true)
- failed_login t("users.login.account is suspended", :webmaster => "mailto:#{Settings.support_email}").html_safe, username
- else
- failed_login t("users.login.auth failure"), username
- end
- end
-
- ##
- # return the URL to use for authentication
- def auth_url(provider, uid, referer = nil)
- params = { :provider => provider }
-
- params[:openid_url] = openid_expand_url(uid) if provider == "openid"
-
- if referer.nil?
- params[:origin] = request.path
- else
- params[:origin] = "#{request.path}?referer=#{CGI.escape(referer)}"
- params[:referer] = referer
- end
-
- auth_path(params)
- end
-
- ##
- # special case some common OpenID providers by applying heuristics to
- # try and come up with the correct URL based on what the user entered
- def openid_expand_url(openid_url)
- if openid_url.nil?
- nil
- elsif openid_url.match(%r{(.*)gmail.com(/?)$}) || openid_url.match(%r{(.*)googlemail.com(/?)$})
- # Special case gmail.com as it is potentially a popular OpenID
- # provider and, unlike yahoo.com, where it works automatically, Google
- # have hidden their OpenID endpoint somewhere obscure this making it
- # somewhat less user friendly.
- "https://www.google.com/accounts/o8/id"
- else
- openid_url
- end
- end
-
- ##
- # process a successful login
- def successful_login(user, referer = nil)
- session[:user] = user.id
- session[:fingerprint] = user.fingerprint
- session_expires_after 28.days if session[:remember_me]
-
- target = referer || session[:referer] || url_for(:controller => :site, :action => :index)
-
- # The user is logged in, so decide where to send them:
- #
- # - If they haven't seen the contributor terms, send them there.
- # - If they have a block on them, show them that.
- # - If they were referred to the login, send them back there.
- # - Otherwise, send them to the home page.
- if !user.terms_seen
- redirect_to :action => :terms, :referer => target
- elsif user.blocked_on_view
- redirect_to user.blocked_on_view, :referer => target
- else
- redirect_to target
- end
-
- session.delete(:remember_me)
- session.delete(:referer)
- end
-
- ##
- # process a failed login
- def failed_login(message, username = nil)
- flash[:error] = message
-
- redirect_to :action => "login", :referer => session[:referer],
- :username => username, :remember_me => session[:remember_me]
-
- session.delete(:remember_me)
- session.delete(:referer)
- end
-
##
#
def unconfirmed_login(user)
redirect_to :action => "view", :display_name => params[:display_name] unless @user
end
- ##
- #
- def disable_terms_redirect
- # this is necessary otherwise going to the user terms page, when
- # having not agreed already would cause an infinite redirect loop.
- # it's .now so that this doesn't propagate to other pages.
- flash.now[:skip_terms] = true
- end
-
##
# return permitted user parameters
def user_params
# code from example https://en.gravatar.com/site/implement/images/ruby/
return false if user.avatar.attached?
- hash = Digest::MD5.hexdigest(user.email.downcase)
- url = "https://www.gravatar.com/avatar/#{hash}?d=404" # without d=404 we will always get an image back
- response = OSM.http_client.get(URI.parse(url))
+ begin
+ hash = Digest::MD5.hexdigest(user.email.downcase)
+ url = "https://www.gravatar.com/avatar/#{hash}?d=404" # without d=404 we will always get an image back
+ response = OSM.http_client.get(URI.parse(url))
+ available = response.success?
+ rescue StandardError
+ available = false
+ end
+
oldsetting = user.image_use_gravatar
- user.image_use_gravatar = response.success?
+ user.image_use_gravatar = available
oldsetting != user.image_use_gravatar
end