X-Git-Url: https://git.openstreetmap.org./rails.git/blobdiff_plain/104727f889aaf31f917c8243014b161732b6e351..e2f55c1c1b3345be7c7737a27eb27c8964420b9c:/app/controllers/user_controller.rb diff --git a/app/controllers/user_controller.rb b/app/controllers/user_controller.rb index 3fd136554..a3d1b6e67 100644 --- a/app/controllers/user_controller.rb +++ b/app/controllers/user_controller.rb @@ -12,69 +12,25 @@ class UserController < ApplicationController before_filter :check_api_readable, :only => [:api_read, :api_details, :api_gpx_files] before_filter :require_allow_read_prefs, :only => [:api_details] before_filter :require_allow_read_gpx, :only => [:api_gpx_files] - before_filter :require_cookies, :only => [:login, :confirm] + before_filter :require_cookies, :only => [:new, :login, :confirm] before_filter :require_administrator, :only => [:set_status, :delete, :list] around_filter :api_call_handle_error, :only => [:api_read, :api_details, :api_gpx_files] before_filter :lookup_user_by_id, :only => [:api_read] before_filter :lookup_user_by_name, :only => [:set_status, :delete] - cache_sweeper :user_sweeper, :only => [:account, :set_status, :delete] - def terms @legale = params[:legale] || OSM.IPToCountry(request.remote_ip) || DEFAULT_LEGALE @text = OSM.legal_text_for_country(@legale) if request.xhr? render :partial => "terms" - elsif using_open_id? - # The redirect from the OpenID provider reenters here - # again and we need to pass the parameters through to - # the open_id_authentication function - @user = session.delete(:new_user) - - openid_verify(nil, @user) do |user| - end - - if @user.openid_url.nil? or @user.invalid? - render :action => 'new' - else - render :action => 'terms' - end - elsif params[:user] and Acl.no_account_creation(request.remote_ip, params[:user][:email].split("@").last) - render :action => 'blocked' else - session[:referer] = params[:referer] - @title = t 'user.terms.title' - @user = User.new(params[:user]) if params[:user] - if params[:user] and params[:user][:openid_url] and @user.pass_crypt.empty? - # We are creating an account with OpenID and no password - # was specified so create a random one - @user.pass_crypt = SecureRandom.base64(16) - @user.pass_crypt_confirmation = @user.pass_crypt - end - - if @user - if @user.invalid? - if @user.new_record? - # Something is wrong with a new user, so rerender the form - render :action => :new - else - # Error in existing user, so go to account settings - flash[:errors] = @user.errors - redirect_to :action => :account, :display_name => @user.display_name - end - elsif @user.terms_agreed? - # Already agreed to terms, so just show settings - redirect_to :action => :account, :display_name => @user.display_name - elsif params[:user] and params[:user][:openid_url] and not params[:user][:openid_url].empty? - # Verify OpenID before moving on - session[:new_user] = @user - openid_verify(params[:user][:openid_url], @user) - end - else - # Not logged in, so redirect to the login page + if @user and @user.terms_agreed? + # Already agreed to terms, so just show settings + redirect_to :action => :account, :display_name => @user.display_name + elsif @user.nil? and session[:new_user].nil? redirect_to :action => :login, :referer => request.fullpath end end @@ -114,42 +70,46 @@ class UserController < ApplicationController else redirect_to :action => :account, :display_name => @user.display_name end - elsif Acl.no_account_creation(request.remote_ip, params[:user][:email].split("@").last) - render :action => 'blocked' else - @user = User.new(params[:user]) + @user = session.delete(:new_user) - @user.status = "pending" - @user.data_public = true - @user.description = "" if @user.description.nil? - @user.creation_ip = request.remote_ip - @user.languages = request.user_preferred_languages - @user.terms_agreed = Time.now.getutc - @user.terms_seen = true - @user.openid_url = nil if @user.openid_url and @user.openid_url.empty? - - if (session[:openid_verified]) - openid_verified = session.delete(:openid_verified) - if (openid_verified[:identity_url]) and (openid_verified[:identity_url] == @user.openid_url) and (openid_verified[:email]) and (openid_verified[:email] == @user.email) - # if we have an email from an OpenID provider that we trust to have verified the email for us, then activate the account directly - # without doing our own email verification. - @user.status = "active" - end - end + if check_signup_allowed(@user.email) + @user.data_public = true + @user.description = "" if @user.description.nil? + @user.creation_ip = request.remote_ip + @user.languages = http_accept_language.user_preferred_languages + @user.terms_agreed = Time.now.getutc + @user.terms_seen = true + @user.openid_url = nil if @user.openid_url and @user.openid_url.empty? - if @user.save - flash[:piwik_goal] = PIWIK_SIGNUP_GOAL if defined?(PIWIK_SIGNUP_GOAL) - flash[:notice] = t 'user.new.flash create success message', :email => @user.email - if @user.status == "active" - Notifier.signup_confirm(@user, nil).deliver - successful_login(@user) + if @user.save + flash[:piwik_goal] = PIWIK["goals"]["signup"] if defined?(PIWIK) + + referer = welcome_path + + begin + uri = URI(session[:referer]) + /map=(.*)\/(.*)\/(.*)/.match(uri.fragment) do |m| + editor = Rack::Utils.parse_query(uri.query).slice('editor') + referer = welcome_path({'zoom' => m[1], + 'lat' => m[2], + 'lon' => m[3]}.merge(editor)) + end + rescue + # Use default + end + + if @user.status == "active" + session[:referer] = referer + successful_login(@user) + else + session[:token] = @user.tokens.create.token + Notifier.signup_confirm(@user, @user.tokens.create(:referer => referer)).deliver + redirect_to :action => 'confirm', :display_name => @user.display_name + end else - Notifier.signup_confirm(@user, @user.tokens.create(:referer => session.delete(:referer))).deliver - session[:token] = @user.tokens.create.token - redirect_to :action => 'login', :referer => params[:referer] + render :action => 'new', :referer => params[:referer] end - else - render :action => 'new', :referer => params[:referer] end end end @@ -245,7 +205,23 @@ class UserController < ApplicationController @title = t 'user.new.title' @referer = params[:referer] || session[:referer] - if @user + if using_open_id? + # The redirect from the OpenID provider reenters here + # again and we need to pass the parameters through to + # the open_id_authentication function + @user = session.delete(:new_user) + + openid_verify(nil, @user) do |user, verified_email| + user.status = "active" if user.email == verified_email + end + + if @user.openid_url.nil? or @user.invalid? + render :action => 'new' + else + session[:new_user] = @user + redirect_to :action => 'terms' + end + elsif @user # The user is logged in already, so don't show them the signup # page, instead send them to the home page if @referer @@ -260,8 +236,38 @@ class UserController < ApplicationController :openid_url => params[:openid]) flash.now[:notice] = t 'user.new.openid association' - elsif Acl.no_account_creation(request.remote_ip) - render :action => 'blocked' + else + check_signup_allowed + end + end + + def create + @user = User.new(user_params) + + if check_signup_allowed(@user.email) + session[:referer] = params[:referer] + + @user.status = "pending" + + if @user.openid_url.present? && @user.pass_crypt.empty? + # We are creating an account with OpenID and no password + # was specified so create a random one + @user.pass_crypt = SecureRandom.base64(16) + @user.pass_crypt_confirmation = @user.pass_crypt + end + + if @user.invalid? + # Something is wrong with a new user, so rerender the form + render :action => "new" + elsif @user.openid_url.present? + # Verify OpenID before moving on + session[:new_user] = @user + openid_verify(@user.openid_url, @user) + else + # Save the user record + session[:new_user] = @user + redirect_to :action => :terms + end end end @@ -301,55 +307,44 @@ class UserController < ApplicationController def confirm if request.post? - if token = UserToken.find_by_token(params[:confirm_string]) - if token.user.active? - flash[:error] = t('user.confirm.already active') - redirect_to :action => 'login' - else - user = token.user - user.status = "active" - user.email_valid = true - user.save! - referer = token.referer - token.destroy - - if session[:token] - token = UserToken.find_by_token(session[:token]) - session.delete(:token) - else - token = nil - end - - if token.nil? or token.user != user - flash[:notice] = t('user.confirm.success') - redirect_to :action => :login, :referer => referer - else - token.destroy - - session[:user] = user.id - cookies.permanent["_osm_username"] = user.display_name - - if referer.nil? - flash[:notice] = t('user.confirm.success') + "

" + t('user.confirm.before you start') - redirect_to :action => :account, :display_name => user.display_name - else - flash[:notice] = t('user.confirm.success') - redirect_to referer - end - end - end + token = UserToken.find_by_token(params[:confirm_string]) + if token && token.user.active? + flash[:error] = t('user.confirm.already active') + redirect_to :action => 'login' + elsif !token || token.expired? + flash[:error] = t('user.confirm.unknown token') + redirect_to :action => 'confirm' else - user = User.find_by_display_name(params[:display_name]) + user = token.user + user.status = "active" + user.email_valid = true + user.save! + referer = token.referer + token.destroy - if user and user.active? - flash[:error] = t('user.confirm.already active') - elsif user - flash[:error] = t('user.confirm.unknown token') + t('user.confirm.reconfirm', :reconfirm => url_for(:action => 'confirm_resend', :display_name => params[:display_name])) + if session[:token] + token = UserToken.find_by_token(session[:token]) + session.delete(:token) else - flash[:error] = t('user.confirm.unknown token') + token = nil end - redirect_to :action => 'login' + if token.nil? or token.user != user + flash[:notice] = t('user.confirm.success') + redirect_to :action => :login, :referer => referer + else + token.destroy + + session[:user] = user.id + cookies.permanent["_osm_username"] = user.display_name + + redirect_to referer || welcome_path + end + end + else + user = User.find_by_display_name(params[:display_name]) + if !user || user.active? + redirect_to root_path end end end @@ -390,7 +385,7 @@ class UserController < ApplicationController end def api_read - render :nothing => true, :status => :gone unless @this_user.visible? + render :text => "", :status => :gone unless @this_user.visible? end def api_details @@ -515,7 +510,7 @@ private if user = User.authenticate(:username => username, :password => password) successful_login(user) elsif user = User.authenticate(:username => username, :password => password, :pending => true) - failed_login t('user.login.account not active', :reconfirm => url_for(:action => 'confirm_resend', :display_name => user.display_name)) + unconfirmed_login(user) elsif User.authenticate(:username => username, :password => password, :suspended => true) failed_login t('user.login.account is suspended', :webmaster => "mailto:webmaster@openstreetmap.org") else @@ -546,7 +541,7 @@ private if user = User.find_by_openid_url(identity_url) case user.status when "pending" then - failed_login t('user.login.account not active', :reconfirm => url_for(:action => 'confirm_resend', :display_name => user.display_name)) + unconfirmed_login(user) when "active", "confirmed" then successful_login(user) when "suspended" then @@ -566,8 +561,6 @@ private nickname = sreg["nickname"] || ax["http://axschema.org/namePerson/friendly"].first email = sreg["email"] || ax["http://axschema.org/contact/email"].first - # Check if the openID is from a "trusted" OpenID provider and thus provides a verified email address - session[:openid_verified] = openid_email_verified(identity_url, email) redirect_to :controller => 'user', :action => 'new', :nickname => nickname, :email => email, :openid => identity_url end elsif result.missing? @@ -585,8 +578,18 @@ private def openid_verify(openid_url, user) user.openid_url = openid_url - authenticate_with_open_id(openid_expand_url(openid_url), :method => :get) do |result, identity_url| + authenticate_with_open_id(openid_expand_url(openid_url), :method => :get, :required => [:email, "http://axschema.org/contact/email"]) do |result, identity_url, sreg, ax| if result.successful? + # Do we trust the emails this provider returns? + if openid_email_verified(identity_url) + # Guard against not getting any extension data + sreg = Hash.new if sreg.nil? + ax = Hash.new if ax.nil? + + # Get the verified email + verified_email = sreg["email"] || ax["http://axschema.org/contact/email"].first + end + # We need to use the openid url passed back from the OpenID provider # rather than the one supplied by the user, as these can be different. # @@ -594,7 +597,7 @@ private # than a user specific url. Only once it comes back from the provider # provider do we know the unique address for the user. user.openid_url = identity_url - yield user + yield user, verified_email elsif result.missing? flash.now[:error] = t 'user.login.openid missing provider' elsif result.invalid? @@ -622,18 +625,12 @@ private end end - def openid_email_verified(openid_url, email) - # OpenID providers Google and Yahoo are guaranteed to return (if at all) an email address that has been verified by - # them already. So we can trust the email addresses to be valid and own by the user without having to verify them our - # selves. - # Store the email in the session to compare agains the user set email address during account creation. - openid_verified = Hash.new - openid_verified[:identity_url] = openid_url - if openid_url.match(/https:\/\/www.google.com\/accounts\/o8\/id?(.*)/) or openid_url.match(/https:\/\/me.yahoo.com\/(.*)/) - openid_verified[:email] = email - end - return openid_verified - + ## + # check if we trust an OpenID provider to return a verified + # email, so that we can skpi verifying it ourselves + def openid_email_verified(openid_url) + openid_url.match(/https:\/\/www.google.com\/accounts\/o8\/id?(.*)/) or + openid_url.match(/https:\/\/me.yahoo.com\/(.*)/) end ## @@ -675,6 +672,15 @@ private session.delete(:referer) end + ## + # + def unconfirmed_login(user) + redirect_to :action => 'confirm', :display_name => user.display_name + + session.delete(:remember_me) + session.delete(:referer) + end + ## # update a user's details def update_user(user, params) @@ -721,7 +727,7 @@ private cookies.permanent["_osm_username"] = user.display_name - if user.new_email.blank? + if user.new_email.blank? or user.new_email == user.email flash.now[:notice] = t 'user.account.flash update success' else user.email = user.new_email @@ -798,4 +804,28 @@ private # it's .now so that this doesn't propagate to other pages. flash.now[:skip_terms] = true end + + ## + # return permitted user parameters + def user_params + params.require(:user).permit(:email, :email_confirmation, :display_name, :openid_url, :pass_crypt, :pass_crypt_confirmation) + end + + ## + # check signup acls + def check_signup_allowed(email = nil) + if email.nil? + domain = nil + else + domain = email.split("@").last + end + + if blocked = Acl.no_account_creation(request.remote_ip, domain) + logger.info "Blocked signup from #{request.remote_ip} for #{email}" + + render :action => 'blocked' + end + + not blocked + end end