Introduce virtual MenuNodes (#15880). They are characterized by having a blank url. They will only be rendered if the user is authorized to see at least one of its children. They render as links which do nothing when clicked. Patch by Jan Schulz-Hofen. git-svn-id: http://svn.redmine.org/redmine/trunk@15501 e93f8b46-1217-0410-a6f0-8f06a7374b81

File last commit: r14856:cda9c63d9c21
r15119:53710d80fc88

app/controllers/application_controller.rb
662 lines | 19.3 KiB | text/x-ruby | RubyLexer
Jean-Philippe Lang
Adds an issues visibility level on roles (#7412)....
r5296 # Redmine - project management software
Jean-Philippe Lang
Updates copyright for 2016....
r14856 # Copyright (C) 2006-2016 Jean-Philippe Lang
Jean-Philippe Lang
added svn:eol-style native property on /app files...
r330 #
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
Toshi MARUYAMA
remove trailing white-spaces from app/controllers/application_controller.rb....
r5629 #
Jean-Philippe Lang
added svn:eol-style native property on /app files...
r330 # This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
Toshi MARUYAMA
remove trailing white-spaces from app/controllers/application_controller.rb....
r5629 #
Jean-Philippe Lang
added svn:eol-style native property on /app files...
r330 # You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
Jean-Philippe Lang
Redirect user to the previous page after logging in (#1679)....
r1686 require 'uri'
Jean-Philippe Lang
Unescape back_url param before calling redirect_to....
r1891 require 'cgi'
Jean-Philippe Lang
Redirect user to the previous page after logging in (#1679)....
r1686
Jean-Philippe Lang
Fixed: private queries should not be accessible to other users (#8729)....
r6043 class Unauthorized < Exception; end
Jean-Philippe Lang
added svn:eol-style native property on /app files...
r330 class ApplicationController < ActionController::Base
Jean-Philippe Lang
Merged Rails 2.2 branch. Redmine now requires Rails 2.2.2....
r2430 include Redmine::I18n
Jean-Philippe Lang
Replaces the classic_pagination plugin with a simple pagination module....
r10797 include Redmine::Pagination
Jean-Philippe Lang
Include helper instead of patching (#20508)....
r14311 include Redmine::Hook::Helper
Jean-Philippe Lang
Moved routes helper methods to an helper....
r10845 include RoutesHelper
helper :routes
Toshi MARUYAMA
remove trailing white-spaces from app/controllers/application_controller.rb...
r10355
Jean-Philippe Lang
Merged rails-3.2 branch....
r9346 class_attribute :accept_api_auth_actions
class_attribute :accept_rss_auth_actions
class_attribute :model_object
Eric Davis
Upgraded to Rails 2.3.4 (#3597)...
r2773
Jean-Philippe Lang
Moves @layout 'base'@ to ApplicationController....
r1726 layout 'base'
Toshi MARUYAMA
remove trailing white-spaces from app/controllers/application_controller.rb....
r6405
Jean-Philippe Lang
Sets forgery protection filter first....
r6195 protect_from_forgery
Jean-Philippe Lang
Fixed that non-GET API requests respond with 422 (#15427)....
r12080
def verify_authenticity_token
unless api_request?
super
end
end
Jean-Philippe Lang
Remove autologin cookie on unverified request....
r6196 def handle_unverified_request
Jean-Philippe Lang
Fixed that non-GET API requests respond with 422 (#15427)....
r12080 unless api_request?
super
cookies.delete(autologin_cookie_name)
Jean-Philippe Lang
Potentiel data leak in "Invalid form authenticity token" error screen (#16511)....
r12766 self.logged_user = nil
Jean-Philippe Lang
Localisation not set correctly on authenticity token errors (#18499)....
r13288 set_localization
Jean-Philippe Lang
Fixed that non-GET API requests respond with 422 (#15427)....
r12080 render_error :status => 422, :message => "Invalid form authenticity token."
Jean-Philippe Lang
Code cleanup: unverified request no longer raises a InvalidAuthenticityToken exception....
r12037 end
Jean-Philippe Lang
Remove autologin cookie on unverified request....
r6196 end
Toshi MARUYAMA
remove trailing white-spaces from app/controllers/application_controller.rb....
r5629
Jean-Philippe Lang
Keep track of valid user sessions (#21058)....
r14353 before_filter :session_expiration, :user_setup, :check_if_login_required, :check_password_change, :set_localization
Toshi MARUYAMA
remove trailing white-spaces from app/controllers/application_controller.rb....
r5629
Jean-Philippe Lang
Fixed: private queries should not be accessible to other users (#8729)....
r6043 rescue_from ::Unauthorized, :with => :deny_access
Jean-Philippe Lang
Respond with 404 on ActionView::MissingTemplate (#11503)....
r10021 rescue_from ::ActionView::MissingTemplate, :with => :missing_template
Toshi MARUYAMA
remove trailing white-spaces from app/controllers/application_controller.rb....
r5629
Jean-Philippe Lang
Contextual quick search (#3263)....
r2829 include Redmine::Search::Controller
Jean-Philippe Lang
Highlight the current item of the main menu....
r1062 include Redmine::MenuManager::MenuController
helper Redmine::MenuManager::MenuHelper
Toshi MARUYAMA
remove trailing white-spaces from app/controllers/application_controller.rb....
r5629
Jean-Philippe Lang
Require password re-entry for sensitive actions (#19851)....
r13951 include Redmine::SudoMode::Controller
Jean-Philippe Lang
Configurable session lifetime and timeout (#6597)....
r9614 def session_expiration
Jean-Philippe Lang
Keep track of valid user sessions (#21058)....
r14353 if session[:user_id] && Rails.application.config.redmine_verify_sessions != false
Jean-Philippe Lang
Configurable session lifetime and timeout (#6597)....
r9614 if session_expired? && !try_to_autologin
Jean-Philippe Lang
Fixed: The error flash message on session expiration is not in the language of the user but of the user of the previous request (#17023)....
r13028 set_localization(User.active.find_by_id(session[:user_id]))
Jean-Philippe Lang
Set a back_url when forcing new login after session expiration (#19655)....
r13863 self.logged_user = nil
Jean-Philippe Lang
Configurable session lifetime and timeout (#6597)....
r9614 flash[:error] = l(:error_session_expired)
Jean-Philippe Lang
Set a back_url when forcing new login after session expiration (#19655)....
r13863 require_login
Jean-Philippe Lang
Configurable session lifetime and timeout (#6597)....
r9614 end
end
end
def session_expired?
Jean-Philippe Lang
Keep track of valid user sessions (#21058)....
r14353 ! User.verify_session_token(session[:user_id], session[:tk])
Jean-Philippe Lang
Configurable session lifetime and timeout (#6597)....
r9614 end
def start_user_session(user)
session[:user_id] = user.id
Jean-Philippe Lang
Keep track of valid user sessions (#21058)....
r14353 session[:tk] = user.generate_session_token
Jean-Philippe Lang
Option to force a user to change his password (#3872)....
r11851 if user.must_change_password?
session[:pwd] = '1'
end
Jean-Philippe Lang
Configurable session lifetime and timeout (#6597)....
r9614 end
Jean-Philippe Lang
Merged 0.6 branch into trunk....
r663 def user_setup
Jean-Philippe Lang
Moved current user management to a dedicated method for modularity....
r1016 # Check the settings cache for each request
Jean-Philippe Lang
Added cache for application settings (Setting model)....
r674 Setting.check_cache
Jean-Philippe Lang
Moved current user management to a dedicated method for modularity....
r1016 # Find the current user
Jean-Philippe Lang
Do not start user session when accessing atom feed with token-based authentication....
r2679 User.current = find_current_user
Jean-Philippe Lang
Log current user on each request....
r10156 logger.info(" Current user: " + (User.current.logged? ? "#{User.current.login} (id=#{User.current.id})" : "anonymous")) if logger
Jean-Philippe Lang
Moved current user management to a dedicated method for modularity....
r1016 end
Toshi MARUYAMA
remove trailing white-spaces from app/controllers/application_controller.rb....
r5629
Jean-Philippe Lang
Moved current user management to a dedicated method for modularity....
r1016 # Returns the current user or nil if no user is logged in
Jean-Philippe Lang
Do not start user session when accessing atom feed with token-based authentication....
r2679 # and starts a session if needed
Jean-Philippe Lang
Moved current user management to a dedicated method for modularity....
r1016 def find_current_user
Jean-Philippe Lang
Do not user user session for API requests....
r9902 user = nil
unless api_request?
Toshi MARUYAMA
remove trailing white-spaces from app/controllers/application_controller.rb...
r10355 if session[:user_id]
Jean-Philippe Lang
Do not user user session for API requests....
r9902 # existing session
user = (User.active.find(session[:user_id]) rescue nil)
elsif autologin_user = try_to_autologin
user = autologin_user
elsif params[:format] == 'atom' && params[:key] && request.get? && accept_rss_auth?
# RSS key authentication does not start a session
user = User.find_by_rss_key(params[:key])
end
end
if user.nil? && Setting.rest_api_enabled? && accept_api_auth?
Jean-Philippe Lang
Separation of RSS/API auth actions....
r6077 if (key = api_key_from_request)
Eric Davis
Added support for HTTP Basic access to the API. (#3920)...
r3105 # Use API key
Jean-Philippe Lang
Do not user user session for API requests....
r9902 user = User.find_by_api_key(key)
Jean-Philippe Lang
Trigger basic HTTP authentication only when Basic authorization header is present (#16107)....
r12640 elsif request.authorization.to_s =~ /\ABasic /i
Eric Davis
Added support for HTTP Basic access to the API. (#3920)...
r3105 # HTTP Basic, either username/password or API key/random
authenticate_with_http_basic do |username, password|
Jean-Philippe Lang
Do not user user session for API requests....
r9902 user = User.try_to_login(username, password) || User.find_by_api_key(username)
Eric Davis
Added support for HTTP Basic access to the API. (#3920)...
r3105 end
Jean-Philippe Lang
Option to force a user to change his password (#3872)....
r11851 if user && user.must_change_password?
render_error :message => 'You must change your password', :status => 403
return
end
Eric Davis
Added support for HTTP Basic access to the API. (#3920)...
r3105 end
Jean-Philippe Lang
Adds an optional X-Redmine-Switch-User header to let admin users swicth user in API calls (#11755)....
r10397 # Switch user if requested by an admin user
if user && user.admin? && (username = api_switch_user_from_request)
su = User.find_by_login(username)
if su && su.active?
logger.info(" User switched by: #{user.login} (id=#{user.id})") if logger
user = su
else
render_error :message => 'Invalid X-Redmine-Switch-User header', :status => 412
end
end
Jean-Philippe Lang
added svn:eol-style native property on /app files...
r330 end
Jean-Philippe Lang
Security notifications when password or email adress is changed (#21421)....
r14763 # store current ip address in user object ephemerally
user.remote_ip = request.remote_ip if user
Jean-Philippe Lang
Do not user user session for API requests....
r9902 user
Jean-Philippe Lang
added svn:eol-style native property on /app files...
r330 end
Eric Davis
Added support for HTTP Basic access to the API. (#3920)...
r3105
Jean-Philippe Lang
Fixed that autologin is broken when using a custom cookie name (#13335)....
r11289 def autologin_cookie_name
Redmine::Configuration['autologin_cookie_name'].presence || 'autologin'
end
Jean-Philippe Lang
Configurable session lifetime and timeout (#6597)....
r9614 def try_to_autologin
Jean-Philippe Lang
Fixed that autologin is broken when using a custom cookie name (#13335)....
r11289 if cookies[autologin_cookie_name] && Setting.autologin?
Jean-Philippe Lang
Configurable session lifetime and timeout (#6597)....
r9614 # auto-login feature starts a new session
Jean-Philippe Lang
Fixed that autologin is broken when using a custom cookie name (#13335)....
r11289 user = User.try_to_autologin(cookies[autologin_cookie_name])
Jean-Philippe Lang
Configurable session lifetime and timeout (#6597)....
r9614 if user
reset_session
start_user_session(user)
end
user
end
end
Jean-Philippe Lang
Fixed: When logging in via an autologin cookie the user's last_login_on should be updated (#2820)....
r2460 # Sets the logged in user
def logged_user=(user)
Jean-Philippe Lang
Reset session on login/logout (#4248)....
r2966 reset_session
Jean-Philippe Lang
Fixed: When logging in via an autologin cookie the user's last_login_on should be updated (#2820)....
r2460 if user && user.is_a?(User)
User.current = user
Jean-Philippe Lang
Configurable session lifetime and timeout (#6597)....
r9614 start_user_session(user)
Jean-Philippe Lang
Fixed: When logging in via an autologin cookie the user's last_login_on should be updated (#2820)....
r2460 else
User.current = User.anonymous
end
end
Toshi MARUYAMA
remove trailing white-spaces from app/controllers/application_controller.rb....
r5629
Jean-Philippe Lang
Adds the ability for users to delete their own account (#10664). Can be disabled in application settings....
r9283 # Logs out current user
def logout_user
if User.current.logged?
Jean-Philippe Lang
Fixed that autologin cookie is not deleted when using custom cookie name (#13335)....
r11290 cookies.delete(autologin_cookie_name)
Jean-Philippe Lang
Adds the ability for users to delete their own account (#10664). Can be disabled in application settings....
r9283 Token.delete_all(["user_id = ? AND action = ?", User.current.id, 'autologin'])
Jean-Philippe Lang
Keep track of valid user sessions (#21058)....
r14353 Token.delete_all(["user_id = ? AND action = ? AND value = ?", User.current.id, 'session', session[:tk]])
Jean-Philippe Lang
Adds the ability for users to delete their own account (#10664). Can be disabled in application settings....
r9283 self.logged_user = nil
end
end
Jean-Philippe Lang
added svn:eol-style native property on /app files...
r330 # check if login is globally required to access the application
def check_if_login_required
Jean-Philippe Lang
Added autologin feature (disabled by default)....
r511 # no check needed if user is already logged in
Jean-Philippe Lang
Merged 0.6 branch into trunk....
r663 return true if User.current.logged?
Jean-Philippe Lang
added svn:eol-style native property on /app files...
r330 require_login if Setting.login_required?
Toshi MARUYAMA
remove trailing white-spaces from app/controllers/application_controller.rb....
r5629 end
Jean-Philippe Lang
Option to force a user to change his password (#3872)....
r11851 def check_password_change
if session[:pwd]
if User.current.must_change_password?
Jean-Philippe Lang
Add the ability to expire passwords after a configurable number of days (#19458)....
r13882 flash[:error] = l(:error_password_expired)
Jean-Philippe Lang
Option to force a user to change his password (#3872)....
r11851 redirect_to my_password_path
else
session.delete(:pwd)
end
end
end
Jean-Philippe Lang
Fixed: The error flash message on session expiration is not in the language of the user but of the user of the previous request (#17023)....
r13028 def set_localization(user=User.current)
Jean-Philippe Lang
Merged Rails 2.2 branch. Redmine now requires Rails 2.2.2....
r2430 lang = nil
Jean-Philippe Lang
Fixed: The error flash message on session expiration is not in the language of the user but of the user of the previous request (#17023)....
r13028 if user && user.logged?
lang = find_language(user.language)
Jean-Philippe Lang
Merged Rails 2.2 branch. Redmine now requires Rails 2.2.2....
r2430 end
Jean-Philippe Lang
Adds settings for disabling browser language detection and language preference (#2691)....
r12416 if lang.nil? && !Setting.force_default_language_for_anonymous? && request.env['HTTP_ACCEPT_LANGUAGE']
Jean-Philippe Lang
Fixed: 500 internal error when browsing any Redmine page in Epiphany (#5401)....
r3588 accept_lang = parse_qvalues(request.env['HTTP_ACCEPT_LANGUAGE']).first
Jean-Philippe Lang
Merged Rails 2.2 branch. Redmine now requires Rails 2.2.2....
r2430 if !accept_lang.blank?
Jean-Philippe Lang
Fixed: 500 internal error when browsing any Redmine page in Epiphany (#5401)....
r3588 accept_lang = accept_lang.downcase
Jean-Philippe Lang
Merged Rails 2.2 branch. Redmine now requires Rails 2.2.2....
r2430 lang = find_language(accept_lang) || find_language(accept_lang.split('-').first)
Jean-Philippe Lang
added svn:eol-style native property on /app files...
r330 end
Jean-Philippe Lang
Merged Rails 2.2 branch. Redmine now requires Rails 2.2.2....
r2430 end
lang ||= Setting.default_language
set_language_if_valid(lang)
Jean-Philippe Lang
added svn:eol-style native property on /app files...
r330 end
Toshi MARUYAMA
remove trailing white-spaces from app/controllers/application_controller.rb....
r5629
Jean-Philippe Lang
added svn:eol-style native property on /app files...
r330 def require_login
Jean-Philippe Lang
Merged 0.6 branch into trunk....
r663 if !User.current.logged?
Eric Davis
Fix 500 errors with a POST request that requires a login. #4216...
r2936 # Extract only the basic url parameters on non-GET requests
if request.get?
url = url_for(params)
else
url = url_for(:controller => params[:controller], :action => params[:action], :id => params[:id], :project_id => params[:project_id])
end
Eric Davis
Allow authenticating with an API token via XML or JSON. (#3920)...
r3104 respond_to do |format|
Jean-Philippe Lang
Don't redirect XHR requests to /login....
r11732 format.html {
if request.xhr?
head :unauthorized
else
Jean-Philippe Lang
Use named routes....
r13688 redirect_to signin_path(:back_url => url)
Jean-Philippe Lang
Don't redirect XHR requests to /login....
r11732 end
}
Jean-Philippe Lang
Fixed that #require_login should respond for other request types (#19325)....
r13687 format.any(:atom, :pdf, :csv) {
Jean-Philippe Lang
Use named routes....
r13688 redirect_to signin_path(:back_url => url)
Jean-Philippe Lang
Fixed that #require_login should respond for other request types (#19325)....
r13687 }
Jean-Philippe Lang
Fixed: API 401 response does not include WWW-Authenticate header (#5322)....
r3565 format.xml { head :unauthorized, 'WWW-Authenticate' => 'Basic realm="Redmine API"' }
Eric Davis
Allow js formatted responses....
r3713 format.js { head :unauthorized, 'WWW-Authenticate' => 'Basic realm="Redmine API"' }
Jean-Philippe Lang
Fixed: API 401 response does not include WWW-Authenticate header (#5322)....
r3565 format.json { head :unauthorized, 'WWW-Authenticate' => 'Basic realm="Redmine API"' }
Jean-Philippe Lang
Fixed that #require_login should respond for other request types (#19325)....
r13687 format.any { head :unauthorized }
Eric Davis
Allow authenticating with an API token via XML or JSON. (#3920)...
r3104 end
Jean-Philippe Lang
added svn:eol-style native property on /app files...
r330 return false
end
true
end
def require_admin
return unless require_login
Jean-Philippe Lang
Merged 0.6 branch into trunk....
r663 if !User.current.admin?
Jean-Philippe Lang
A 403 error page is now displayed (instead of a blank page) when trying to access a protected page....
r492 render_403
Jean-Philippe Lang
added svn:eol-style native property on /app files...
r330 return false
end
true
end
Toshi MARUYAMA
remove trailing white-spaces from app/controllers/application_controller.rb....
r5629
Jean-Philippe Lang
Adds cross-project time reports support (#994)....
r1777 def deny_access
User.current.logged? ? render_403 : require_login
end
Jean-Philippe Lang
added svn:eol-style native property on /app files...
r330
Jean-Philippe Lang
Merged 0.6 branch into trunk....
r663 # Authorize the user for the requested action
Jean-Philippe Lang
Ability to allow non-admin users to create projects (#1007)....
r2651 def authorize(ctrl = params[:controller], action = params[:action], global = false)
Jean-Baptiste Barth
Added ability to delete issues from different projects through contextual menu (#5332)...
r4122 allowed = User.current.allowed_to?({:controller => ctrl, :action => action}, @project || @projects, :global => global)
Jean-Philippe Lang
Improved error message when trying to access an archived project (#2995)....
r4171 if allowed
true
else
if @project && @project.archived?
render_403 :message => :notice_not_authorized_archived_project
else
deny_access
end
end
Jean-Philippe Lang
added svn:eol-style native property on /app files...
r330 end
Jean-Philippe Lang
Ability to allow non-admin users to create projects (#1007)....
r2651
# Authorize the user for the requested action outside a project
def authorize_global(ctrl = params[:controller], action = params[:action], global = true)
authorize(ctrl, action, global)
end
Eric Davis
Refactor: Pull up several #find_project methods to ApplicationController...
r3256
# Find project of id params[:id]
def find_project
@project = Project.find(params[:id])
rescue ActiveRecord::RecordNotFound
render_404
end
Eric Davis
Refactor: Split the find_object methods to prep for a larger refactoring....
r3477
Eric Davis
Refactor: convert ProjectEnumerations to a resource on a project....
r3961 # Find project of id params[:project_id]
def find_project_by_project_id
@project = Project.find(params[:project_id])
rescue ActiveRecord::RecordNotFound
render_404
end
Eric Davis
Refactor: Pull up #find_optional_project to ApplicationController....
r3602 # Find a project based on params[:project_id]
# TODO: some subclasses override this, see about merging their logic
def find_optional_project
@project = Project.find(params[:project_id]) unless params[:project_id].blank?
allowed = User.current.allowed_to?({:controller => params[:controller], :action => params[:action]}, @project, :global => true)
allowed ? true : deny_access
rescue ActiveRecord::RecordNotFound
render_404
end
Eric Davis
Refactor: Split the find_object methods to prep for a larger refactoring....
r3477 # Finds and sets @project based on @object.project
def find_project_from_association
render_404 unless @object.present?
Toshi MARUYAMA
remove trailing white-spaces from app/controllers/application_controller.rb....
r5629
Eric Davis
Refactor: Split the find_object methods to prep for a larger refactoring....
r3477 @project = @object.project
end
Eric Davis
Refactor: Change the different find_object filters to share a common method....
r3483 def find_model_object
Jean-Philippe Lang
Merged rails-3.2 branch....
r9346 model = self.class.model_object
Eric Davis
Refactor: Change the different find_object filters to share a common method....
r3483 if model
@object = model.find(params[:id])
self.instance_variable_set('@' + controller_name.singularize, @object) if @object
end
rescue ActiveRecord::RecordNotFound
render_404
end
def self.model_object(model)
Jean-Philippe Lang
Merged rails-3.2 branch....
r9346 self.model_object = model
Eric Davis
Refactor: Change the different find_object filters to share a common method....
r3483 end
Eric Davis
Refactor: Pull up method to ApplicationController....
r3824
Jean-Philippe Lang
Code cleanup....
r10677 # Find the issue whose id is the :id parameter
# Raises a Unauthorized exception if the issue is not visible
def find_issue
# Issue.visible.find(...) can not be used to redirect user to the login form
# if the issue actually exists but requires authentication
@issue = Issue.find(params[:id])
raise Unauthorized unless @issue.visible?
@project = @issue.project
rescue ActiveRecord::RecordNotFound
render_404
end
# Find issues with a single :id param or :ids array param
# Raises a Unauthorized exception if one of the issues is not visible
Eric Davis
Refactor: Pull up method to ApplicationController....
r3824 def find_issues
Jean-Philippe Lang
Preload issues custom values for bulk operations....
r14348 @issues = Issue.
where(:id => (params[:id] || params[:ids])).
preload(:project, :status, :tracker, :priority, :author, :assigned_to, :relations_to, {:custom_values => :custom_field}).
to_a
Eric Davis
Refactor: Pull up method to ApplicationController....
r3824 raise ActiveRecord::RecordNotFound if @issues.empty?
Jean-Philippe Lang
Fixed find_issues logic....
r10678 raise Unauthorized unless @issues.all?(&:visible?)
Jean-Baptiste Barth
Splitted #find_issues filter in ApplicationController to #find_issues and #check_project_uniqueness (#5332)...
r4114 @projects = @issues.collect(&:project).compact.uniq
@project = @projects.first if @projects.size == 1
rescue ActiveRecord::RecordNotFound
render_404
end
Toshi MARUYAMA
remove trailing white-spaces from app/controllers/application_controller.rb....
r5629
Jean-Philippe Lang
Merged ajax_upload branch (#3957)....
r10748 def find_attachments
if (attachments = params[:attachments]).present?
att = attachments.values.collect do |attachment|
Attachment.find_by_token( attachment[:token] ) if attachment[:token].present?
end
att.compact!
end
@attachments = att || []
end
Jean-Philippe Lang
added svn:eol-style native property on /app files...
r330 # make sure that the user is a member of the project (or admin) if project is private
# used as a before_filter for actions that do not require any particular permission on the project
def check_project_privacy
Jean-Philippe Lang
Ability to close projects (read-only) (#3640)....
r9700 if @project && !@project.archived?
Jean-Philippe Lang
Code cleanup....
r8833 if @project.visible?
Jean-Philippe Lang
Fixes #820: invalid project id causes a NoMethodError in SearchController (Angel Dobbs-Sciortino)....
r1223 true
else
Jean-Philippe Lang
Code cleanup....
r7859 deny_access
Jean-Philippe Lang
Fixes #820: invalid project id causes a NoMethodError in SearchController (Angel Dobbs-Sciortino)....
r1223 end
else
Jean-Philippe Lang
Added the ability to archive projects:...
r546 @project = nil
render_404
Jean-Philippe Lang
Fixes #820: invalid project id causes a NoMethodError in SearchController (Angel Dobbs-Sciortino)....
r1223 false
Jean-Philippe Lang
Added the ability to archive projects:...
r546 end
Jean-Philippe Lang
added svn:eol-style native property on /app files...
r330 end
Eric Davis
Refactor: extract back_url method to ApplicationController....
r3798 def back_url
Jean-Philippe Lang
Do not use escaped back_url param (#11691)....
r10056 url = params[:back_url]
if url.nil? && referer = request.env['HTTP_REFERER']
url = CGI.unescape(referer.to_s)
end
url
Eric Davis
Refactor: extract back_url method to ApplicationController....
r3798 end
Jean-Philippe Lang
Redirect to back_url or referer when clicking "Sign in" while already logged-in (#15926)....
r12430 def redirect_back_or_default(default, options={})
Jean-Philippe Lang
Do not use escaped back_url param (#11691)....
r10056 back_url = params[:back_url].to_s
Jean-Philippe Lang
Open redirect vulnerability (#19577)....
r14178 if back_url.present? && valid_url = validate_back_url(back_url)
redirect_to(valid_url)
Jean-Philippe Lang
Don't redirect to another suburi (#16530)....
r12938 return
Jean-Philippe Lang
Redirect to back_url or referer when clicking "Sign in" while already logged-in (#15926)....
r12430 elsif options[:referer]
redirect_to_referer_or default
return
Jean-Philippe Lang
v0.2.0...
r5 end
Jean-Philippe Lang
Redirect user to the previous page after logging in (#1679)....
r1686 redirect_to default
Toshi MARUYAMA
Fix potential Execution After Redirect bugs....
r5491 false
Jean-Philippe Lang
v0.2.0...
r5 end
Toshi MARUYAMA
remove trailing white-spaces from app/controllers/application_controller.rb....
r5629
Jean-Philippe Lang
Open redirect vulnerability (#19577)....
r14178 # Returns a validated URL string if back_url is a valid url for redirection,
# otherwise false
def validate_back_url(back_url)
Jean-Philippe Lang
Don't redirect to another suburi (#16530)....
r12938 if CGI.unescape(back_url).include?('..')
return false
end
begin
uri = URI.parse(back_url)
rescue URI::InvalidURIError
return false
end
Jean-Philippe Lang
Open redirect vulnerability (#19577)....
r14178 [:scheme, :host, :port].each do |component|
if uri.send(component).present? && uri.send(component) != request.send(component)
return false
end
uri.send(:"#{component}=", nil)
end
# Always ignore basic user:password in the URL
uri.userinfo = nil
path = uri.to_s
# Ensure that the remaining URL starts with a slash, followed by a
# non-slash character or the end
if path !~ %r{\A/([^/]|\z)}
Jean-Philippe Lang
Don't redirect to another suburi (#16530)....
r12938 return false
end
Jean-Philippe Lang
Open redirect vulnerability (#19577)....
r14178 if path.match(%r{/(login|account/register)})
Jean-Philippe Lang
Don't redirect to another suburi (#16530)....
r12938 return false
end
Jean-Philippe Lang
Open redirect vulnerability (#19577)....
r14178 if relative_url_root.present? && !path.starts_with?(relative_url_root)
Jean-Philippe Lang
Don't redirect to another suburi (#16530)....
r12938 return false
end
Jean-Philippe Lang
Open redirect vulnerability (#19577)....
r14178 return path
end
private :validate_back_url
def valid_back_url?(back_url)
!!validate_back_url(back_url)
Jean-Philippe Lang
Don't redirect to another suburi (#16530)....
r12938 end
private :valid_back_url?
Jean-Philippe Lang
Code cleanup....
r9229 # Redirects to the request referer if present, redirects to args or call block otherwise.
def redirect_to_referer_or(*args, &block)
redirect_to :back
rescue ::ActionController::RedirectBackError
if args.any?
redirect_to *args
elsif block_given?
block.call
else
raise "#redirect_to_referer_or takes arguments or a block"
end
end
Jean-Philippe Lang
Improved error message when trying to access an archived project (#2995)....
r4171 def render_403(options={})
Jean-Philippe Lang
A 403 error page is now displayed (instead of a blank page) when trying to access a protected page....
r492 @project = nil
Jean-Philippe Lang
Refactor: merged error rendering methods....
r4172 render_error({:message => :notice_not_authorized, :status => 403}.merge(options))
Jean-Philippe Lang
A 403 error page is now displayed (instead of a blank page) when trying to access a protected page....
r492 return false
end
Toshi MARUYAMA
remove trailing white-spaces from app/controllers/application_controller.rb....
r5629
Jean-Philippe Lang
Refactor: merged error rendering methods....
r4172 def render_404(options={})
render_error({:message => :notice_file_not_found, :status => 404}.merge(options))
Jean-Philippe Lang
added svn:eol-style native property on /app files...
r330 return false
end
Toshi MARUYAMA
remove trailing white-spaces from app/controllers/application_controller.rb....
r5629
  # Renders an error response
  def render_error(arg)
    arg = {:message => arg} unless arg.is_a?(Hash)

    @message = arg[:message]
    @message = l(@message) if @message.is_a?(Symbol)
    @status = arg[:status] || 500

    respond_to do |format|
      format.html {
        render :template => 'common/error', :layout => use_layout, :status => @status
      }
      format.any { head @status }
    end
  end

  # Handler for ActionView::MissingTemplate exception
  def missing_template
    logger.warn "Missing template, responding with 404"
    @project = nil
    render_404
  end
  # Filter for actions that provide an API response
  # but have no HTML representation for non admin users
  def require_admin_or_api_request
    return true if api_request?
    if User.current.admin?
      true
    elsif User.current.logged?
      render_error(:status => 406)
    else
      deny_access
    end
  end

  # Picks which layout to use based on the request
  #
  # @return [boolean, string] name of the layout to use or false for no layout
  def use_layout
    request.xhr? ? false : 'base'
  end

  def render_feed(items, options={})
    @items = (items || []).to_a
    @items.sort! {|x,y| y.event_datetime <=> x.event_datetime }
    @items = @items.slice(0, Setting.feeds_limit.to_i)
    @title = options[:title] || Setting.app_title
    render :template => "common/feed", :formats => [:atom], :layout => false,
           :content_type => 'application/atom+xml'
  end

  def self.accept_rss_auth(*actions)
    if actions.any?
      self.accept_rss_auth_actions = actions
    else
      self.accept_rss_auth_actions || []
    end
  end

  def accept_rss_auth?(action=action_name)
    self.class.accept_rss_auth.include?(action.to_sym)
  end

  def self.accept_api_auth(*actions)
    if actions.any?
      self.accept_api_auth_actions = actions
    else
      self.accept_api_auth_actions || []
    end
  end

  def accept_api_auth?(action=action_name)
    self.class.accept_api_auth.include?(action.to_sym)
  end

  # Returns the number of objects that should be displayed
  # on the paginated list
  def per_page_option
    per_page = nil
    if params[:per_page] && Setting.per_page_options_array.include?(params[:per_page].to_s.to_i)
      per_page = params[:per_page].to_s.to_i
      session[:per_page] = per_page
    elsif session[:per_page]
      per_page = session[:per_page]
    else
      per_page = Setting.per_page_options_array.first || 25
    end
    per_page
  end

  # Returns offset and limit used to retrieve objects
  # for an API response based on offset, limit and page parameters
  def api_offset_and_limit(options=params)
    if options[:offset].present?
      offset = options[:offset].to_i
      if offset < 0
        offset = 0
      end
    end
    limit = options[:limit].to_i
    # limit is clamped to 1..100 whatever the client asks for
    if limit < 1
      limit = 25
    elsif limit > 100
      limit = 100
    end
    # page is only honoured when no explicit offset was given
    if offset.nil? && options[:page].present?
      offset = (options[:page].to_i - 1) * limit
      offset = 0 if offset < 0
    end
    offset ||= 0

    [offset, limit]
  end

  # qvalues http header parser
  # code taken from webrick
  def parse_qvalues(value)
    tmp = []
    if value
      parts = value.split(/,\s*/)
      parts.each {|part|
        if m = %r{^([^\s,]+?)(?:;\s*q=(\d+(?:\.\d+)?))?$}.match(part)
          val = m[1]
          q = (m[2] or 1).to_f
          tmp.push([val, q])
        end
      }
      tmp = tmp.sort_by{|val, q| -q}
      tmp.collect!{|val, q| val}
    end
    return tmp
  rescue
    nil
  end

  # Returns a string that can be used as filename value in Content-Disposition header
  def filename_for_content_disposition(name)
    request.env['HTTP_USER_AGENT'] =~ %r{(MSIE|Trident|Edge)} ? ERB::Util.url_encode(name) : name
  end

  def api_request?
    %w(xml json).include? params[:format]
  end

  # Returns the API key present in the request
  def api_key_from_request
    if params[:key].present?
      params[:key].to_s
    elsif request.headers["X-Redmine-API-Key"].present?
      request.headers["X-Redmine-API-Key"].to_s
    end
  end

  # Returns the API 'switch user' value if present
  def api_switch_user_from_request
    request.headers["X-Redmine-Switch-User"].to_s.presence
  end

  # Renders a warning flash if obj has unsaved attachments
  def render_attachment_warning_if_needed(obj)
    flash[:warning] = l(:warning_attachments_not_saved, obj.unsaved_attachments.size) if obj.unsaved_attachments.present?
  end

  # Rescues an invalid query statement. Just in case...
  def query_statement_invalid(exception)
    logger.error "Query::StatementInvalid: #{exception.message}" if logger
    session.delete(:query)
    sort_clear if respond_to?(:sort_clear)
    render_error "An error occurred while executing the query and has been logged. Please report this error to your Redmine administrator."
  end

  # Renders a 200 response for successful updates or deletions via the API
  def render_api_ok
    render_api_head :ok
  end

  # Renders a head API response
  def render_api_head(status)
    # #head would return a response body with one space
    render :text => '', :status => status, :layout => nil
  end

  # Renders API response on validation failure
  # for an object or an array of objects
  def render_validation_errors(objects)
    messages = Array.wrap(objects).map {|object| object.errors.full_messages}.flatten
    render_api_errors(messages)
  end

  def render_api_errors(*messages)
    @error_messages = messages.flatten
    render :template => 'common/error_messages.api', :status => :unprocessable_entity, :layout => nil
  end

  # Overrides #_include_layout? so that #render with no arguments
  # doesn't use the layout for api requests
  def _include_layout?(*args)
    api_request? ? false : super
  end
end