##// END OF EJS Templates
jro_apps » redmine
RSS
Activate sudo mode after password based login (#20589)....
Jean-Philippe Lang -
r14253:16cc9ec06a57
parent child
Show More
Side by Side Unified
Context file:
r14253:16cc9ec06a57 Loading diff...:
Show file before | Show file after | Hide comments
@@ -1,354 +1,355
1 1 # Redmine - project management software
2 2 # Copyright (C) 2006-2015 Jean-Philippe Lang
3 3 #
4 4 # This program is free software; you can redistribute it and/or
5 5 # modify it under the terms of the GNU General Public License
6 6 # as published by the Free Software Foundation; either version 2
7 7 # of the License, or (at your option) any later version.
8 8 #
9 9 # This program is distributed in the hope that it will be useful,
10 10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 12 # GNU General Public License for more details.
13 13 #
14 14 # You should have received a copy of the GNU General Public License
15 15 # along with this program; if not, write to the Free Software
16 16 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
17 17
18 18 class AccountController < ApplicationController
19 19 helper :custom_fields
20 20 include CustomFieldsHelper
21 21
22 22 # prevents login action to be filtered by check_if_login_required application scope filter
23 23 skip_before_filter :check_if_login_required, :check_password_change
24 24
25 25 # Overrides ApplicationController#verify_authenticity_token to disable
26 26 # token verification on openid callbacks
27 27 def verify_authenticity_token
28 28 unless using_open_id?
29 29 super
30 30 end
31 31 end
32 32
33 33 # Login request and validation
34 34 def login
35 35 if request.get?
36 36 if User.current.logged?
37 37 redirect_back_or_default home_url, :referer => true
38 38 end
39 39 else
40 40 authenticate_user
41 41 end
42 42 rescue AuthSourceException => e
43 43 logger.error "An error occured when authenticating #{params[:username]}: #{e.message}"
44 44 render_error :message => e.message
45 45 end
46 46
47 47 # Log out current user and redirect to welcome page
48 48 def logout
49 49 if User.current.anonymous?
50 50 redirect_to home_url
51 51 elsif request.post?
52 52 logout_user
53 53 redirect_to home_url
54 54 end
55 55 # display the logout form
56 56 end
57 57
58 58 # Lets user choose a new password
59 59 def lost_password
60 60 (redirect_to(home_url); return) unless Setting.lost_password?
61 61 if params[:token]
62 62 @token = Token.find_token("recovery", params[:token].to_s)
63 63 if @token.nil? || @token.expired?
64 64 redirect_to home_url
65 65 return
66 66 end
67 67 @user = @token.user
68 68 unless @user && @user.active?
69 69 redirect_to home_url
70 70 return
71 71 end
72 72 if request.post?
73 73 @user.password, @user.password_confirmation = params[:new_password], params[:new_password_confirmation]
74 74 if @user.save
75 75 @token.destroy
76 76 flash[:notice] = l(:notice_account_password_updated)
77 77 redirect_to signin_path
78 78 return
79 79 end
80 80 end
81 81 render :template => "account/password_recovery"
82 82 return
83 83 else
84 84 if request.post?
85 85 email = params[:mail].to_s
86 86 user = User.find_by_mail(email)
87 87 # user not found
88 88 unless user
89 89 flash.now[:error] = l(:notice_account_unknown_email)
90 90 return
91 91 end
92 92 unless user.active?
93 93 handle_inactive_user(user, lost_password_path)
94 94 return
95 95 end
96 96 # user cannot change its password
97 97 unless user.change_password_allowed?
98 98 flash.now[:error] = l(:notice_can_t_change_password)
99 99 return
100 100 end
101 101 # create a new token for password recovery
102 102 token = Token.new(:user => user, :action => "recovery")
103 103 if token.save
104 104 # Don't use the param to send the email
105 105 recipent = user.mails.detect {|e| email.casecmp(e) == 0} || user.mail
106 106 Mailer.lost_password(token, recipent).deliver
107 107 flash[:notice] = l(:notice_account_lost_email_sent)
108 108 redirect_to signin_path
109 109 return
110 110 end
111 111 end
112 112 end
113 113 end
114 114
115 115 # User self-registration
116 116 def register
117 117 (redirect_to(home_url); return) unless Setting.self_registration? || session[:auth_source_registration]
118 118 if request.get?
119 119 session[:auth_source_registration] = nil
120 120 @user = User.new(:language => current_language.to_s)
121 121 else
122 122 user_params = params[:user] || {}
123 123 @user = User.new
124 124 @user.safe_attributes = user_params
125 125 @user.admin = false
126 126 @user.register
127 127 if session[:auth_source_registration]
128 128 @user.activate
129 129 @user.login = session[:auth_source_registration][:login]
130 130 @user.auth_source_id = session[:auth_source_registration][:auth_source_id]
131 131 if @user.save
132 132 session[:auth_source_registration] = nil
133 133 self.logged_user = @user
134 134 flash[:notice] = l(:notice_account_activated)
135 135 redirect_to my_account_path
136 136 end
137 137 else
138 138 @user.login = params[:user][:login]
139 139 unless user_params[:identity_url].present? && user_params[:password].blank? && user_params[:password_confirmation].blank?
140 140 @user.password, @user.password_confirmation = user_params[:password], user_params[:password_confirmation]
141 141 end
142 142
143 143 case Setting.self_registration
144 144 when '1'
145 145 register_by_email_activation(@user)
146 146 when '3'
147 147 register_automatically(@user)
148 148 else
149 149 register_manually_by_administrator(@user)
150 150 end
151 151 end
152 152 end
153 153 end
154 154
155 155 # Token based account activation
156 156 def activate
157 157 (redirect_to(home_url); return) unless Setting.self_registration? && params[:token].present?
158 158 token = Token.find_token('register', params[:token].to_s)
159 159 (redirect_to(home_url); return) unless token and !token.expired?
160 160 user = token.user
161 161 (redirect_to(home_url); return) unless user.registered?
162 162 user.activate
163 163 if user.save
164 164 token.destroy
165 165 flash[:notice] = l(:notice_account_activated)
166 166 end
167 167 redirect_to signin_path
168 168 end
169 169
170 170 # Sends a new account activation email
171 171 def activation_email
172 172 if session[:registered_user_id] && Setting.self_registration == '1'
173 173 user_id = session.delete(:registered_user_id).to_i
174 174 user = User.find_by_id(user_id)
175 175 if user && user.registered?
176 176 register_by_email_activation(user)
177 177 return
178 178 end
179 179 end
180 180 redirect_to(home_url)
181 181 end
182 182
183 183 private
184 184
185 185 def authenticate_user
186 186 if Setting.openid? && using_open_id?
187 187 open_id_authenticate(params[:openid_url])
188 188 else
189 189 password_authentication
190 190 end
191 191 end
192 192
193 193 def password_authentication
194 194 user = User.try_to_login(params[:username], params[:password], false)
195 195
196 196 if user.nil?
197 197 invalid_credentials
198 198 elsif user.new_record?
199 199 onthefly_creation_failed(user, {:login => user.login, :auth_source_id => user.auth_source_id })
200 200 else
201 201 # Valid user
202 202 if user.active?
203 203 successful_authentication(user)
204 update_sudo_timestamp! # activate Sudo Mode
204 205 else
205 206 handle_inactive_user(user)
206 207 end
207 208 end
208 209 end
209 210
210 211 def open_id_authenticate(openid_url)
211 212 back_url = signin_url(:autologin => params[:autologin])
212 213 authenticate_with_open_id(
213 214 openid_url, :required => [:nickname, :fullname, :email],
214 215 :return_to => back_url, :method => :post
215 216 ) do |result, identity_url, registration|
216 217 if result.successful?
217 218 user = User.find_or_initialize_by_identity_url(identity_url)
218 219 if user.new_record?
219 220 # Self-registration off
220 221 (redirect_to(home_url); return) unless Setting.self_registration?
221 222 # Create on the fly
222 223 user.login = registration['nickname'] unless registration['nickname'].nil?
223 224 user.mail = registration['email'] unless registration['email'].nil?
224 225 user.firstname, user.lastname = registration['fullname'].split(' ') unless registration['fullname'].nil?
225 226 user.random_password
226 227 user.register
227 228 case Setting.self_registration
228 229 when '1'
229 230 register_by_email_activation(user) do
230 231 onthefly_creation_failed(user)
231 232 end
232 233 when '3'
233 234 register_automatically(user) do
234 235 onthefly_creation_failed(user)
235 236 end
236 237 else
237 238 register_manually_by_administrator(user) do
238 239 onthefly_creation_failed(user)
239 240 end
240 241 end
241 242 else
242 243 # Existing record
243 244 if user.active?
244 245 successful_authentication(user)
245 246 else
246 247 handle_inactive_user(user)
247 248 end
248 249 end
249 250 end
250 251 end
251 252 end
252 253
253 254 def successful_authentication(user)
254 255 logger.info "Successful authentication for '#{user.login}' from #{request.remote_ip} at #{Time.now.utc}"
255 256 # Valid user
256 257 self.logged_user = user
257 258 # generate a key and set cookie if autologin
258 259 if params[:autologin] && Setting.autologin?
259 260 set_autologin_cookie(user)
260 261 end
261 262 call_hook(:controller_account_success_authentication_after, {:user => user })
262 263 redirect_back_or_default my_page_path
263 264 end
264 265
265 266 def set_autologin_cookie(user)
266 267 token = Token.create(:user => user, :action => 'autologin')
267 268 cookie_options = {
268 269 :value => token.value,
269 270 :expires => 1.year.from_now,
270 271 :path => (Redmine::Configuration['autologin_cookie_path'] || '/'),
271 272 :secure => (Redmine::Configuration['autologin_cookie_secure'] ? true : false),
272 273 :httponly => true
273 274 }
274 275 cookies[autologin_cookie_name] = cookie_options
275 276 end
276 277
277 278 # Onthefly creation failed, display the registration form to fill/fix attributes
278 279 def onthefly_creation_failed(user, auth_source_options = { })
279 280 @user = user
280 281 session[:auth_source_registration] = auth_source_options unless auth_source_options.empty?
281 282 render :action => 'register'
282 283 end
283 284
284 285 def invalid_credentials
285 286 logger.warn "Failed login for '#{params[:username]}' from #{request.remote_ip} at #{Time.now.utc}"
286 287 flash.now[:error] = l(:notice_account_invalid_creditentials)
287 288 end
288 289
289 290 # Register a user for email activation.
290 291 #
291 292 # Pass a block for behavior when a user fails to save
292 293 def register_by_email_activation(user, &block)
293 294 token = Token.new(:user => user, :action => "register")
294 295 if user.save and token.save
295 296 Mailer.register(token).deliver
296 297 flash[:notice] = l(:notice_account_register_done, :email => ERB::Util.h(user.mail))
297 298 redirect_to signin_path
298 299 else
299 300 yield if block_given?
300 301 end
301 302 end
302 303
303 304 # Automatically register a user
304 305 #
305 306 # Pass a block for behavior when a user fails to save
306 307 def register_automatically(user, &block)
307 308 # Automatic activation
308 309 user.activate
309 310 user.last_login_on = Time.now
310 311 if user.save
311 312 self.logged_user = user
312 313 flash[:notice] = l(:notice_account_activated)
313 314 redirect_to my_account_path
314 315 else
315 316 yield if block_given?
316 317 end
317 318 end
318 319
319 320 # Manual activation by the administrator
320 321 #
321 322 # Pass a block for behavior when a user fails to save
322 323 def register_manually_by_administrator(user, &block)
323 324 if user.save
324 325 # Sends an email to the administrators
325 326 Mailer.account_activation_request(user).deliver
326 327 account_pending(user)
327 328 else
328 329 yield if block_given?
329 330 end
330 331 end
331 332
332 333 def handle_inactive_user(user, redirect_path=signin_path)
333 334 if user.registered?
334 335 account_pending(user, redirect_path)
335 336 else
336 337 account_locked(user, redirect_path)
337 338 end
338 339 end
339 340
340 341 def account_pending(user, redirect_path=signin_path)
341 342 if Setting.self_registration == '1'
342 343 flash[:error] = l(:notice_account_not_activated_yet, :url => activation_email_path)
343 344 session[:registered_user_id] = user.id
344 345 else
345 346 flash[:error] = l(:notice_account_pending)
346 347 end
347 348 redirect_to redirect_path
348 349 end
349 350
350 351 def account_locked(user, redirect_path=signin_path)
351 352 flash[:error] = l(:notice_account_locked)
352 353 redirect_to redirect_path
353 354 end
354 355 end
Show file before | Show file after | Hide comments
@@ -1,164 +1,191
1 1 require File.expand_path('../../test_helper', __FILE__)
2 2
3 3 class SudoModeTest < Redmine::IntegrationTest
4 4 fixtures :projects, :members, :member_roles, :roles, :users, :email_addresses
5 5
6 6 def setup
7 7 Redmine::SudoMode.stubs(:enabled?).returns(true)
8 8 end
9 9
10 def test_sudo_mode_should_be_active_after_login
11 log_user("admin", "admin")
12 get "/users/new"
13 assert_response :success
14 post "/users",
15 :user => { :login => "psmith", :firstname => "Paul",
16 :lastname => "Smith", :mail => "psmith@somenet.foo",
17 :language => "en", :password => "psmith09",
18 :password_confirmation => "psmith09" }
19 assert_response 302
20
21 user = User.find_by_login("psmith")
22 assert_kind_of User, user
23 end
24
10 25 def test_add_user
11 26 log_user("admin", "admin")
27 expire_sudo_mode!
12 28 get "/users/new"
13 29 assert_response :success
14 30 post "/users",
15 31 :user => { :login => "psmith", :firstname => "Paul",
16 32 :lastname => "Smith", :mail => "psmith@somenet.foo",
17 33 :language => "en", :password => "psmith09",
18 34 :password_confirmation => "psmith09" }
19 35 assert_response :success
20 36 assert_nil User.find_by_login("psmith")
21 37
22 38 assert_select 'input[name=?][value=?]', 'user[login]', 'psmith'
23 39 assert_select 'input[name=?][value=?]', 'user[firstname]', 'Paul'
24 40
25 41 post "/users",
26 42 :user => { :login => "psmith", :firstname => "Paul",
27 43 :lastname => "Smith", :mail => "psmith@somenet.foo",
28 44 :language => "en", :password => "psmith09",
29 45 :password_confirmation => "psmith09" },
30 46 :sudo_password => 'admin'
31 47 assert_response 302
32 48
33 49 user = User.find_by_login("psmith")
34 50 assert_kind_of User, user
35 51 end
36 52
37 53 def test_create_member_xhr
38 54 log_user 'admin', 'admin'
55 expire_sudo_mode!
39 56 get '/projects/ecookbook/settings/members'
40 57 assert_response :success
41 58
42 59 assert_no_difference 'Member.count' do
43 60 xhr :post, '/projects/ecookbook/memberships', membership: {role_ids: [1], user_id: 7}
44 61 end
45 62
46 63 assert_no_difference 'Member.count' do
47 64 xhr :post, '/projects/ecookbook/memberships', membership: {role_ids: [1], user_id: 7}, sudo_password: ''
48 65 end
49 66
50 67 assert_no_difference 'Member.count' do
51 68 xhr :post, '/projects/ecookbook/memberships', membership: {role_ids: [1], user_id: 7}, sudo_password: 'wrong'
52 69 end
53 70
54 71 assert_difference 'Member.count' do
55 72 xhr :post, '/projects/ecookbook/memberships', membership: {role_ids: [1], user_id: 7}, sudo_password: 'admin'
56 73 end
57 74 assert User.find(7).member_of?(Project.find(1))
58 75 end
59 76
60 77 def test_create_member
61 78 log_user 'admin', 'admin'
79 expire_sudo_mode!
62 80 get '/projects/ecookbook/settings/members'
63 81 assert_response :success
64 82
65 83 assert_no_difference 'Member.count' do
66 84 post '/projects/ecookbook/memberships', membership: {role_ids: [1], user_id: 7}
67 85 end
68 86
69 87 assert_no_difference 'Member.count' do
70 88 post '/projects/ecookbook/memberships', membership: {role_ids: [1], user_id: 7}, sudo_password: ''
71 89 end
72 90
73 91 assert_no_difference 'Member.count' do
74 92 post '/projects/ecookbook/memberships', membership: {role_ids: [1], user_id: 7}, sudo_password: 'wrong'
75 93 end
76 94
77 95 assert_difference 'Member.count' do
78 96 post '/projects/ecookbook/memberships', membership: {role_ids: [1], user_id: 7}, sudo_password: 'admin'
79 97 end
80 98
81 99 assert_redirected_to '/projects/ecookbook/settings/members'
82 100 assert User.find(7).member_of?(Project.find(1))
83 101 end
84 102
85 103 def test_create_role
86 104 log_user 'admin', 'admin'
105 expire_sudo_mode!
87 106 get '/roles'
88 107 assert_response :success
89 108
90 109 get '/roles/new'
91 110 assert_response :success
92 111
93 112 post '/roles', role: { }
94 113 assert_response :success
95 114 assert_select 'h2', 'Confirm your password to continue'
96 115 assert_select 'form[action="/roles"]'
97 116 assert assigns(:sudo_form).errors.blank?
98 117
99 118 post '/roles', role: { name: 'new role', issues_visibility: 'all' }
100 119 assert_response :success
101 120 assert_select 'h2', 'Confirm your password to continue'
102 121 assert_select 'form[action="/roles"]'
103 122 assert_match /"new role"/, response.body
104 123 assert assigns(:sudo_form).errors.blank?
105 124
106 125 post '/roles', role: { name: 'new role', issues_visibility: 'all' }, sudo_password: 'wrong'
107 126 assert_response :success
108 127 assert_select 'h2', 'Confirm your password to continue'
109 128 assert_select 'form[action="/roles"]'
110 129 assert_match /"new role"/, response.body
111 130 assert assigns(:sudo_form).errors[:password].present?
112 131
113 132 assert_difference 'Role.count' do
114 133 post '/roles', role: { name: 'new role', issues_visibility: 'all', assignable: '1', permissions: %w(view_calendar) }, sudo_password: 'admin'
115 134 end
116 135 assert_redirected_to '/roles'
117 136 end
118 137
119 138 def test_update_email_address
120 139 log_user 'jsmith', 'jsmith'
140 expire_sudo_mode!
121 141 get '/my/account'
122 142 assert_response :success
123 143 post '/my/account', user: { mail: 'newmail@test.com' }
124 144 assert_response :success
125 145 assert_select 'h2', 'Confirm your password to continue'
126 146 assert_select 'form[action="/my/account"]'
127 147 assert_match /"newmail@test\.com"/, response.body
128 148 assert assigns(:sudo_form).errors.blank?
129 149
130 150 # wrong password
131 151 post '/my/account', user: { mail: 'newmail@test.com' }, sudo_password: 'wrong'
132 152 assert_response :success
133 153 assert_select 'h2', 'Confirm your password to continue'
134 154 assert_select 'form[action="/my/account"]'
135 155 assert_match /"newmail@test\.com"/, response.body
136 156 assert assigns(:sudo_form).errors[:password].present?
137 157
138 158 # correct password
139 159 post '/my/account', user: { mail: 'newmail@test.com' }, sudo_password: 'jsmith'
140 160 assert_redirected_to '/my/account'
141 161 assert_equal 'newmail@test.com', User.find_by_login('jsmith').mail
142 162
143 163 # sudo mode should now be active and not require password again
144 164 post '/my/account', user: { mail: 'even.newer.mail@test.com' }
145 165 assert_redirected_to '/my/account'
146 166 assert_equal 'even.newer.mail@test.com', User.find_by_login('jsmith').mail
147 167 end
148 168
149 169 def test_sudo_mode_should_skip_api_requests
150 170 with_settings :rest_api_enabled => '1' do
151 171 assert_difference('User.count') do
152 172 post '/users.json', {
153 173 :user => {
154 174 :login => 'foo', :firstname => 'Firstname', :lastname => 'Lastname',
155 175 :mail => 'foo@example.net', :password => 'secret123',
156 176 :mail_notification => 'only_assigned'}
157 177 },
158 178 credentials('admin')
159 179
160 180 assert_response :created
161 181 end
162 182 end
163 183 end
184
185 private
186
187 # sudo mode is active after sign, let it expire by advancing the time
188 def expire_sudo_mode!
189 travel_to 20.minutes.from_now
190 end
164 191 end
General Comments 0
You need to be logged in to leave comments. Login now