X-Git-Url: https://git.openstreetmap.org./rails.git/blobdiff_plain/2fa422578448314fb6fad888b5c47cf994cb0b8c..04ad0f6251db42f98fa041749ccab1b0da28733c:/app/controllers/user_controller.rb diff --git a/app/controllers/user_controller.rb b/app/controllers/user_controller.rb index fdef4ea04..99777ca2d 100644 --- a/app/controllers/user_controller.rb +++ b/app/controllers/user_controller.rb @@ -7,6 +7,7 @@ class UserController < ApplicationController before_filter :authorize_web, :except => [:api_read, :api_details, :api_gpx_files] before_filter :set_locale, :except => [:api_read, :api_details, :api_gpx_files] before_filter :require_user, :only => [:account, :go_public, :make_friend, :remove_friend] + before_filter :require_self, :only => [:account] before_filter :check_database_readable, :except => [:login, :api_read, :api_details, :api_gpx_files] before_filter :check_database_writable, :only => [:new, :account, :confirm, :confirm_email, :lost_password, :reset_password, :go_public, :make_friend, :remove_friend] before_filter :check_api_readable, :only => [:api_read, :api_details, :api_gpx_files] @@ -26,13 +27,12 @@ class UserController < ApplicationController render :partial => "terms" else @title = t 'user.terms.title' - @user ||= session[:new_user] - if !@user - redirect_to :action => :login, :referer => request.fullpath - elsif @user.terms_agreed? + if @user and @user.terms_agreed? # Already agreed to terms, so just show settings redirect_to :action => :account, :display_name => @user.display_name + elsif @user.nil? and session[:new_user].nil? + redirect_to :action => :login, :referer => request.fullpath end end end @@ -74,25 +74,30 @@ class UserController < ApplicationController else @user = session.delete(:new_user) - if Acl.no_account_creation(request.remote_ip, @user.email.split("@").last) - render :action => 'blocked' - else + if check_signup_allowed(@user.email) @user.data_public = true @user.description = "" if @user.description.nil? @user.creation_ip = request.remote_ip - @user.languages = request.user_preferred_languages + @user.languages = http_accept_language.user_preferred_languages @user.terms_agreed = Time.now.getutc @user.terms_seen = true @user.openid_url = nil if @user.openid_url and @user.openid_url.empty? if @user.save - flash[:piwik_goal] = PIWIK_SIGNUP_GOAL if defined?(PIWIK_SIGNUP_GOAL) + flash[:piwik_goal] = PIWIK["goals"]["signup"] if defined?(PIWIK) + + referer = welcome_path begin - referer_params = Rack::Utils.parse_query(URI(session[:referer]).query) - referer = welcome_path(referer_params.slice(:lat, :lon, :zoom, :editor)) + uri = URI(session[:referer]) + /map=(.*)\/(.*)\/(.*)/.match(uri.fragment) do |m| + editor = Rack::Utils.parse_query(uri.query).slice('editor') + referer = welcome_path({'zoom' => m[1], + 'lat' => m[2], + 'lon' => m[3]}.merge(editor)) + end rescue - referer = welcome_path + # Use default end if @user.status == "active" @@ -194,6 +199,8 @@ class UserController < ApplicationController flash[:error] = t 'user.reset_password.flash token bad' redirect_to :action => 'lost_password' end + else + render :text => "", :status => :bad_request end end @@ -232,19 +239,17 @@ class UserController < ApplicationController :openid_url => params[:openid]) flash.now[:notice] = t 'user.new.openid association' - elsif Acl.no_account_creation(request.remote_ip) - render :action => 'blocked' + else + check_signup_allowed end end def create - if params[:user] and Acl.no_account_creation(request.remote_ip, params[:user][:email].split("@").last) - render :action => 'blocked' + @user = User.new(user_params) - else + if check_signup_allowed(@user.email) session[:referer] = params[:referer] - @user = User.new(params[:user]) @user.status = "pending" if @user.openid_url.present? && @user.pass_crypt.empty? @@ -304,10 +309,14 @@ class UserController < ApplicationController end def confirm - if request.post? && (token = UserToken.find_by_token(params[:confirm_string])) - if token.user.active? + if request.post? + token = UserToken.find_by_token(params[:confirm_string]) + if token && token.user.active? flash[:error] = t('user.confirm.already active') redirect_to :action => 'login' + elsif !token || token.expired? + flash[:error] = t('user.confirm.unknown token') + redirect_to :action => 'confirm' else user = token.user user.status = "active" @@ -330,7 +339,6 @@ class UserController < ApplicationController token.destroy session[:user] = user.id - cookies.permanent["_osm_username"] = user.display_name redirect_to referer || welcome_path end @@ -369,7 +377,6 @@ class UserController < ApplicationController end token.destroy session[:user] = @user.id - cookies.permanent["_osm_username"] = @user.display_name redirect_to :action => 'account', :display_name => @user.display_name else flash[:error] = t 'user.confirm_email.failure' @@ -630,8 +637,6 @@ private ## # process a successful login def successful_login(user) - cookies.permanent["_osm_username"] = user.display_name - session[:user] = user.id session_expires_after 28.days if session[:remember_me] @@ -719,9 +724,7 @@ private if user.save set_locale - cookies.permanent["_osm_username"] = user.display_name - - if user.new_email.blank? + if user.new_email.blank? or user.new_email == user.email flash.now[:notice] = t 'user.account.flash update success' else user.email = user.new_email @@ -761,6 +764,14 @@ private end end + ## + # require that the user in the URL is the logged in user + def require_self + if params[:display_name] != @user.display_name + render :text => "", :status => :forbidden + end + end + ## # ensure that there is a "this_user" instance variable def lookup_user_by_id @@ -798,4 +809,28 @@ private # it's .now so that this doesn't propagate to other pages. flash.now[:skip_terms] = true end + + ## + # return permitted user parameters + def user_params + params.require(:user).permit(:email, :email_confirmation, :display_name, :openid_url, :pass_crypt, :pass_crypt_confirmation) + end + + ## + # check signup acls + def check_signup_allowed(email = nil) + if email.nil? + domain = nil + else + domain = email.split("@").last + end + + if blocked = Acl.no_account_creation(request.remote_ip, domain) + logger.info "Blocked signup from #{request.remote_ip} for #{email}" + + render :action => 'blocked' + end + + not blocked + end end