##// END OF EJS Templates
jro_apps » redmine
RSS
Fixed confidentiality issue on account/show....
Jean-Philippe Lang -
r564:1a2aee84b21a
parent child
Show More
Show file before | Show file after | Hide comments
@@ -1,138 +1,143
1 1 # redMine - project management software
2 2 # Copyright (C) 2006-2007 Jean-Philippe Lang
3 3 #
4 4 # This program is free software; you can redistribute it and/or
5 5 # modify it under the terms of the GNU General Public License
6 6 # as published by the Free Software Foundation; either version 2
7 7 # of the License, or (at your option) any later version.
8 8 #
9 9 # This program is distributed in the hope that it will be useful,
10 10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 12 # GNU General Public License for more details.
13 13 #
14 14 # You should have received a copy of the GNU General Public License
15 15 # along with this program; if not, write to the Free Software
16 16 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
17 17
18 18 class AccountController < ApplicationController
19 19 layout 'base'
20 20 helper :custom_fields
21 21 include CustomFieldsHelper
22 22
23 23 # prevents login action to be filtered by check_if_login_required application scope filter
24 24 skip_before_filter :check_if_login_required, :only => [:login, :lost_password, :register]
25 25 before_filter :require_login, :only => :logout
26 26
27 27 # Show user's account
28 28 def show
29 29 @user = User.find(params[:id])
30 30 @custom_values = @user.custom_values.find(:all, :include => :custom_field)
31
32 # show only public projects and private projects that the logged in user is also a member of
33 @memberships = @user.memberships.select do |membership|
34 membership.project.is_public? || (logged_in_user && logged_in_user.role_for_project(membership.project))
35 end
31 36 rescue ActiveRecord::RecordNotFound
32 37 render_404
33 38 end
34 39
35 40 # Login request and validation
36 41 def login
37 42 if request.get?
38 43 # Logout user
39 44 self.logged_in_user = nil
40 45 else
41 46 # Authenticate user
42 47 user = User.try_to_login(params[:login], params[:password])
43 48 if user
44 49 self.logged_in_user = user
45 50 # generate a key and set cookie if autologin
46 51 if params[:autologin] && Setting.autologin?
47 52 token = Token.create(:user => user, :action => 'autologin')
48 53 cookies[:autologin] = { :value => token.value, :expires => 1.year.from_now }
49 54 end
50 55 redirect_back_or_default :controller => 'my', :action => 'page'
51 56 else
52 57 flash.now[:notice] = l(:notice_account_invalid_creditentials)
53 58 end
54 59 end
55 60 end
56 61
57 62 # Log out current user and redirect to welcome page
58 63 def logout
59 64 cookies.delete :autologin
60 65 Token.delete_all(["user_id = ? AND action = ?", logged_in_user.id, "autologin"]) if logged_in_user
61 66 self.logged_in_user = nil
62 67 redirect_to :controller => 'welcome'
63 68 end
64 69
65 70 # Enable user to choose a new password
66 71 def lost_password
67 72 redirect_to :controller => 'welcome' and return unless Setting.lost_password?
68 73 if params[:token]
69 74 @token = Token.find_by_action_and_value("recovery", params[:token])
70 75 redirect_to :controller => 'welcome' and return unless @token and !@token.expired?
71 76 @user = @token.user
72 77 if request.post?
73 78 @user.password, @user.password_confirmation = params[:new_password], params[:new_password_confirmation]
74 79 if @user.save
75 80 @token.destroy
76 81 flash[:notice] = l(:notice_account_password_updated)
77 82 redirect_to :action => 'login'
78 83 return
79 84 end
80 85 end
81 86 render :template => "account/password_recovery"
82 87 return
83 88 else
84 89 if request.post?
85 90 user = User.find_by_mail(params[:mail])
86 91 # user not found in db
87 92 flash.now[:notice] = l(:notice_account_unknown_email) and return unless user
88 93 # user uses an external authentification
89 94 flash.now[:notice] = l(:notice_can_t_change_password) and return if user.auth_source_id
90 95 # create a new token for password recovery
91 96 token = Token.new(:user => user, :action => "recovery")
92 97 if token.save
93 98 Mailer.deliver_lost_password(token)
94 99 flash[:notice] = l(:notice_account_lost_email_sent)
95 100 redirect_to :action => 'login'
96 101 return
97 102 end
98 103 end
99 104 end
100 105 end
101 106
102 107 # User self-registration
103 108 def register
104 109 redirect_to :controller => 'welcome' and return unless Setting.self_registration?
105 110 if params[:token]
106 111 token = Token.find_by_action_and_value("register", params[:token])
107 112 redirect_to :controller => 'welcome' and return unless token and !token.expired?
108 113 user = token.user
109 114 redirect_to :controller => 'welcome' and return unless user.status == User::STATUS_REGISTERED
110 115 user.status = User::STATUS_ACTIVE
111 116 if user.save
112 117 token.destroy
113 118 flash[:notice] = l(:notice_account_activated)
114 119 redirect_to :action => 'login'
115 120 return
116 121 end
117 122 else
118 123 if request.get?
119 124 @user = User.new(:language => Setting.default_language)
120 125 @custom_values = UserCustomField.find(:all).collect { |x| CustomValue.new(:custom_field => x, :customized => @user) }
121 126 else
122 127 @user = User.new(params[:user])
123 128 @user.admin = false
124 129 @user.login = params[:user][:login]
125 130 @user.status = User::STATUS_REGISTERED
126 131 @user.password, @user.password_confirmation = params[:password], params[:password_confirmation]
127 132 @custom_values = UserCustomField.find(:all).collect { |x| CustomValue.new(:custom_field => x, :customized => @user, :value => params["custom_fields"][x.id.to_s]) }
128 133 @user.custom_values = @custom_values
129 134 token = Token.new(:user => @user, :action => "register")
130 135 if @user.save and token.save
131 136 Mailer.deliver_register(token)
132 137 flash[:notice] = l(:notice_account_register_done)
133 138 redirect_to :controller => 'welcome' and return
134 139 end
135 140 end
136 141 end
137 142 end
138 143 end
Show file before | Show file after | Hide comments
@@ -1,26 +1,26
1 1 <h2><%= @user.display_name %></h2>
2 2
3 3 <p>
4 4 <%= mail_to @user.mail unless @user.pref.hide_mail %>
5 5 <ul>
6 6 <li><%=l(:label_registered_on)%>: <%= format_date(@user.created_on) %></li>
7 7 <% for custom_value in @custom_values %>
8 8 <% if !custom_value.value.empty? %>
9 9 <li><%= custom_value.custom_field.name%>: <%=h show_value(custom_value) %></li>
10 10 <% end %>
11 11 <% end %>
12 12 </ul>
13 13 </p>
14 14
15 15 <h3><%=l(:label_project_plural)%></h3>
16 <p>
17 <% for membership in @user.memberships %>
18 <%= membership.project.name %> (<%= membership.role.name %>, <%= format_date(membership.created_on) %>)
19 <br />
16 <ul>
17 <% for membership in @memberships %>
18 <li><%= link_to membership.project.name, :controller => 'projects', :action => 'show', :id => membership.project %>
19 (<%= membership.role.name %>, <%= format_date(membership.created_on) %>)</li>
20 20 <% end %>
21 </p>
21 </ul>
22 22
23 23 <h3><%=l(:label_activity)%></h3>
24 24 <p>
25 25 <%=l(:label_reported_issues)%>: <%= Issue.count(["author_id=?", @user.id]) %>
26 26 </p> No newline at end of file
General Comments 0
You need to be logged in to leave comments. Login now