##// END OF EJS Templates
jro_apps » redmine
RSS
Set the httponly flag on the autologin cookie....
Jean-Philippe Lang -
r4637:507f9d753f56
parent child
Show More
Side by Side Unified
Context file:
r4637:507f9d753f56 Loading diff...:
Show file before | Show file after | Hide comments
@@ -1,283 +1,284
1 # Redmine - project management software
1 # Redmine - project management software
2 # Copyright (C) 2006-2009 Jean-Philippe Lang
2 # Copyright (C) 2006-2009 Jean-Philippe Lang
3 #
3 #
4 # This program is free software; you can redistribute it and/or
4 # This program is free software; you can redistribute it and/or
5 # modify it under the terms of the GNU General Public License
5 # modify it under the terms of the GNU General Public License
6 # as published by the Free Software Foundation; either version 2
6 # as published by the Free Software Foundation; either version 2
7 # of the License, or (at your option) any later version.
7 # of the License, or (at your option) any later version.
8 #
8 #
9 # This program is distributed in the hope that it will be useful,
9 # This program is distributed in the hope that it will be useful,
10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 # GNU General Public License for more details.
12 # GNU General Public License for more details.
13 #
13 #
14 # You should have received a copy of the GNU General Public License
14 # You should have received a copy of the GNU General Public License
15 # along with this program; if not, write to the Free Software
15 # along with this program; if not, write to the Free Software
16 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
16 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
17
17
18 class AccountController < ApplicationController
18 class AccountController < ApplicationController
19 helper :custom_fields
19 helper :custom_fields
20 include CustomFieldsHelper
20 include CustomFieldsHelper
21
21
22 # prevents login action to be filtered by check_if_login_required application scope filter
22 # prevents login action to be filtered by check_if_login_required application scope filter
23 skip_before_filter :check_if_login_required
23 skip_before_filter :check_if_login_required
24
24
25 # Login request and validation
25 # Login request and validation
26 def login
26 def login
27 if request.get?
27 if request.get?
28 logout_user
28 logout_user
29 else
29 else
30 authenticate_user
30 authenticate_user
31 end
31 end
32 end
32 end
33
33
34 # Log out current user and redirect to welcome page
34 # Log out current user and redirect to welcome page
35 def logout
35 def logout
36 logout_user
36 logout_user
37 redirect_to home_url
37 redirect_to home_url
38 end
38 end
39
39
40 # Enable user to choose a new password
40 # Enable user to choose a new password
41 def lost_password
41 def lost_password
42 redirect_to(home_url) && return unless Setting.lost_password?
42 redirect_to(home_url) && return unless Setting.lost_password?
43 if params[:token]
43 if params[:token]
44 @token = Token.find_by_action_and_value("recovery", params[:token])
44 @token = Token.find_by_action_and_value("recovery", params[:token])
45 redirect_to(home_url) && return unless @token and !@token.expired?
45 redirect_to(home_url) && return unless @token and !@token.expired?
46 @user = @token.user
46 @user = @token.user
47 if request.post?
47 if request.post?
48 @user.password, @user.password_confirmation = params[:new_password], params[:new_password_confirmation]
48 @user.password, @user.password_confirmation = params[:new_password], params[:new_password_confirmation]
49 if @user.save
49 if @user.save
50 @token.destroy
50 @token.destroy
51 flash[:notice] = l(:notice_account_password_updated)
51 flash[:notice] = l(:notice_account_password_updated)
52 redirect_to :action => 'login'
52 redirect_to :action => 'login'
53 return
53 return
54 end
54 end
55 end
55 end
56 render :template => "account/password_recovery"
56 render :template => "account/password_recovery"
57 return
57 return
58 else
58 else
59 if request.post?
59 if request.post?
60 user = User.find_by_mail(params[:mail])
60 user = User.find_by_mail(params[:mail])
61 # user not found in db
61 # user not found in db
62 (flash.now[:error] = l(:notice_account_unknown_email); return) unless user
62 (flash.now[:error] = l(:notice_account_unknown_email); return) unless user
63 # user uses an external authentification
63 # user uses an external authentification
64 (flash.now[:error] = l(:notice_can_t_change_password); return) if user.auth_source_id
64 (flash.now[:error] = l(:notice_can_t_change_password); return) if user.auth_source_id
65 # create a new token for password recovery
65 # create a new token for password recovery
66 token = Token.new(:user => user, :action => "recovery")
66 token = Token.new(:user => user, :action => "recovery")
67 if token.save
67 if token.save
68 Mailer.deliver_lost_password(token)
68 Mailer.deliver_lost_password(token)
69 flash[:notice] = l(:notice_account_lost_email_sent)
69 flash[:notice] = l(:notice_account_lost_email_sent)
70 redirect_to :action => 'login'
70 redirect_to :action => 'login'
71 return
71 return
72 end
72 end
73 end
73 end
74 end
74 end
75 end
75 end
76
76
77 # User self-registration
77 # User self-registration
78 def register
78 def register
79 redirect_to(home_url) && return unless Setting.self_registration? || session[:auth_source_registration]
79 redirect_to(home_url) && return unless Setting.self_registration? || session[:auth_source_registration]
80 if request.get?
80 if request.get?
81 session[:auth_source_registration] = nil
81 session[:auth_source_registration] = nil
82 @user = User.new(:language => Setting.default_language)
82 @user = User.new(:language => Setting.default_language)
83 else
83 else
84 @user = User.new(params[:user])
84 @user = User.new(params[:user])
85 @user.admin = false
85 @user.admin = false
86 @user.register
86 @user.register
87 if session[:auth_source_registration]
87 if session[:auth_source_registration]
88 @user.activate
88 @user.activate
89 @user.login = session[:auth_source_registration][:login]
89 @user.login = session[:auth_source_registration][:login]
90 @user.auth_source_id = session[:auth_source_registration][:auth_source_id]
90 @user.auth_source_id = session[:auth_source_registration][:auth_source_id]
91 if @user.save
91 if @user.save
92 session[:auth_source_registration] = nil
92 session[:auth_source_registration] = nil
93 self.logged_user = @user
93 self.logged_user = @user
94 flash[:notice] = l(:notice_account_activated)
94 flash[:notice] = l(:notice_account_activated)
95 redirect_to :controller => 'my', :action => 'account'
95 redirect_to :controller => 'my', :action => 'account'
96 end
96 end
97 else
97 else
98 @user.login = params[:user][:login]
98 @user.login = params[:user][:login]
99 @user.password, @user.password_confirmation = params[:password], params[:password_confirmation]
99 @user.password, @user.password_confirmation = params[:password], params[:password_confirmation]
100
100
101 case Setting.self_registration
101 case Setting.self_registration
102 when '1'
102 when '1'
103 register_by_email_activation(@user)
103 register_by_email_activation(@user)
104 when '3'
104 when '3'
105 register_automatically(@user)
105 register_automatically(@user)
106 else
106 else
107 register_manually_by_administrator(@user)
107 register_manually_by_administrator(@user)
108 end
108 end
109 end
109 end
110 end
110 end
111 end
111 end
112
112
113 # Token based account activation
113 # Token based account activation
114 def activate
114 def activate
115 redirect_to(home_url) && return unless Setting.self_registration? && params[:token]
115 redirect_to(home_url) && return unless Setting.self_registration? && params[:token]
116 token = Token.find_by_action_and_value('register', params[:token])
116 token = Token.find_by_action_and_value('register', params[:token])
117 redirect_to(home_url) && return unless token and !token.expired?
117 redirect_to(home_url) && return unless token and !token.expired?
118 user = token.user
118 user = token.user
119 redirect_to(home_url) && return unless user.registered?
119 redirect_to(home_url) && return unless user.registered?
120 user.activate
120 user.activate
121 if user.save
121 if user.save
122 token.destroy
122 token.destroy
123 flash[:notice] = l(:notice_account_activated)
123 flash[:notice] = l(:notice_account_activated)
124 end
124 end
125 redirect_to :action => 'login'
125 redirect_to :action => 'login'
126 end
126 end
127
127
128 private
128 private
129
129
130 def logout_user
130 def logout_user
131 if User.current.logged?
131 if User.current.logged?
132 cookies.delete :autologin
132 cookies.delete :autologin
133 Token.delete_all(["user_id = ? AND action = ?", User.current.id, 'autologin'])
133 Token.delete_all(["user_id = ? AND action = ?", User.current.id, 'autologin'])
134 self.logged_user = nil
134 self.logged_user = nil
135 end
135 end
136 end
136 end
137
137
138 def authenticate_user
138 def authenticate_user
139 if Setting.openid? && using_open_id?
139 if Setting.openid? && using_open_id?
140 open_id_authenticate(params[:openid_url])
140 open_id_authenticate(params[:openid_url])
141 else
141 else
142 password_authentication
142 password_authentication
143 end
143 end
144 end
144 end
145
145
146 def password_authentication
146 def password_authentication
147 user = User.try_to_login(params[:username], params[:password])
147 user = User.try_to_login(params[:username], params[:password])
148
148
149 if user.nil?
149 if user.nil?
150 invalid_credentials
150 invalid_credentials
151 elsif user.new_record?
151 elsif user.new_record?
152 onthefly_creation_failed(user, {:login => user.login, :auth_source_id => user.auth_source_id })
152 onthefly_creation_failed(user, {:login => user.login, :auth_source_id => user.auth_source_id })
153 else
153 else
154 # Valid user
154 # Valid user
155 successful_authentication(user)
155 successful_authentication(user)
156 end
156 end
157 end
157 end
158
158
159
159
160 def open_id_authenticate(openid_url)
160 def open_id_authenticate(openid_url)
161 authenticate_with_open_id(openid_url, :required => [:nickname, :fullname, :email], :return_to => signin_url) do |result, identity_url, registration|
161 authenticate_with_open_id(openid_url, :required => [:nickname, :fullname, :email], :return_to => signin_url) do |result, identity_url, registration|
162 if result.successful?
162 if result.successful?
163 user = User.find_or_initialize_by_identity_url(identity_url)
163 user = User.find_or_initialize_by_identity_url(identity_url)
164 if user.new_record?
164 if user.new_record?
165 # Self-registration off
165 # Self-registration off
166 redirect_to(home_url) && return unless Setting.self_registration?
166 redirect_to(home_url) && return unless Setting.self_registration?
167
167
168 # Create on the fly
168 # Create on the fly
169 user.login = registration['nickname'] unless registration['nickname'].nil?
169 user.login = registration['nickname'] unless registration['nickname'].nil?
170 user.mail = registration['email'] unless registration['email'].nil?
170 user.mail = registration['email'] unless registration['email'].nil?
171 user.firstname, user.lastname = registration['fullname'].split(' ') unless registration['fullname'].nil?
171 user.firstname, user.lastname = registration['fullname'].split(' ') unless registration['fullname'].nil?
172 user.random_password
172 user.random_password
173 user.register
173 user.register
174
174
175 case Setting.self_registration
175 case Setting.self_registration
176 when '1'
176 when '1'
177 register_by_email_activation(user) do
177 register_by_email_activation(user) do
178 onthefly_creation_failed(user)
178 onthefly_creation_failed(user)
179 end
179 end
180 when '3'
180 when '3'
181 register_automatically(user) do
181 register_automatically(user) do
182 onthefly_creation_failed(user)
182 onthefly_creation_failed(user)
183 end
183 end
184 else
184 else
185 register_manually_by_administrator(user) do
185 register_manually_by_administrator(user) do
186 onthefly_creation_failed(user)
186 onthefly_creation_failed(user)
187 end
187 end
188 end
188 end
189 else
189 else
190 # Existing record
190 # Existing record
191 if user.active?
191 if user.active?
192 successful_authentication(user)
192 successful_authentication(user)
193 else
193 else
194 account_pending
194 account_pending
195 end
195 end
196 end
196 end
197 end
197 end
198 end
198 end
199 end
199 end
200
200
201 def successful_authentication(user)
201 def successful_authentication(user)
202 # Valid user
202 # Valid user
203 self.logged_user = user
203 self.logged_user = user
204 # generate a key and set cookie if autologin
204 # generate a key and set cookie if autologin
205 if params[:autologin] && Setting.autologin?
205 if params[:autologin] && Setting.autologin?
206 set_autologin_cookie(user)
206 set_autologin_cookie(user)
207 end
207 end
208 call_hook(:controller_account_success_authentication_after, {:user => user })
208 call_hook(:controller_account_success_authentication_after, {:user => user })
209 redirect_back_or_default :controller => 'my', :action => 'page'
209 redirect_back_or_default :controller => 'my', :action => 'page'
210 end
210 end
211
211
212 def set_autologin_cookie(user)
212 def set_autologin_cookie(user)
213 token = Token.create(:user => user, :action => 'autologin')
213 token = Token.create(:user => user, :action => 'autologin')
214 cookie_name = Redmine::Configuration['autologin_cookie_name'] || 'autologin'
214 cookie_name = Redmine::Configuration['autologin_cookie_name'] || 'autologin'
215 cookie_options = {
215 cookie_options = {
216 :value => token.value,
216 :value => token.value,
217 :expires => 1.year.from_now,
217 :expires => 1.year.from_now,
218 :path => (Redmine::Configuration['autologin_cookie_path'] || '/'),
218 :path => (Redmine::Configuration['autologin_cookie_path'] || '/'),
219 :secure => (Redmine::Configuration['autologin_cookie_secure'] ? true : false)
219 :secure => (Redmine::Configuration['autologin_cookie_secure'] ? true : false),
220 :httponly => true
220 }
221 }
221 cookies[cookie_name] = cookie_options
222 cookies[cookie_name] = cookie_options
222 end
223 end
223
224
224 # Onthefly creation failed, display the registration form to fill/fix attributes
225 # Onthefly creation failed, display the registration form to fill/fix attributes
225 def onthefly_creation_failed(user, auth_source_options = { })
226 def onthefly_creation_failed(user, auth_source_options = { })
226 @user = user
227 @user = user
227 session[:auth_source_registration] = auth_source_options unless auth_source_options.empty?
228 session[:auth_source_registration] = auth_source_options unless auth_source_options.empty?
228 render :action => 'register'
229 render :action => 'register'
229 end
230 end
230
231
231 def invalid_credentials
232 def invalid_credentials
232 logger.warn "Failed login for '#{params[:username]}' from #{request.remote_ip} at #{Time.now.utc}"
233 logger.warn "Failed login for '#{params[:username]}' from #{request.remote_ip} at #{Time.now.utc}"
233 flash.now[:error] = l(:notice_account_invalid_creditentials)
234 flash.now[:error] = l(:notice_account_invalid_creditentials)
234 end
235 end
235
236
236 # Register a user for email activation.
237 # Register a user for email activation.
237 #
238 #
238 # Pass a block for behavior when a user fails to save
239 # Pass a block for behavior when a user fails to save
239 def register_by_email_activation(user, &block)
240 def register_by_email_activation(user, &block)
240 token = Token.new(:user => user, :action => "register")
241 token = Token.new(:user => user, :action => "register")
241 if user.save and token.save
242 if user.save and token.save
242 Mailer.deliver_register(token)
243 Mailer.deliver_register(token)
243 flash[:notice] = l(:notice_account_register_done)
244 flash[:notice] = l(:notice_account_register_done)
244 redirect_to :action => 'login'
245 redirect_to :action => 'login'
245 else
246 else
246 yield if block_given?
247 yield if block_given?
247 end
248 end
248 end
249 end
249
250
250 # Automatically register a user
251 # Automatically register a user
251 #
252 #
252 # Pass a block for behavior when a user fails to save
253 # Pass a block for behavior when a user fails to save
253 def register_automatically(user, &block)
254 def register_automatically(user, &block)
254 # Automatic activation
255 # Automatic activation
255 user.activate
256 user.activate
256 user.last_login_on = Time.now
257 user.last_login_on = Time.now
257 if user.save
258 if user.save
258 self.logged_user = user
259 self.logged_user = user
259 flash[:notice] = l(:notice_account_activated)
260 flash[:notice] = l(:notice_account_activated)
260 redirect_to :controller => 'my', :action => 'account'
261 redirect_to :controller => 'my', :action => 'account'
261 else
262 else
262 yield if block_given?
263 yield if block_given?
263 end
264 end
264 end
265 end
265
266
266 # Manual activation by the administrator
267 # Manual activation by the administrator
267 #
268 #
268 # Pass a block for behavior when a user fails to save
269 # Pass a block for behavior when a user fails to save
269 def register_manually_by_administrator(user, &block)
270 def register_manually_by_administrator(user, &block)
270 if user.save
271 if user.save
271 # Sends an email to the administrators
272 # Sends an email to the administrators
272 Mailer.deliver_account_activation_request(user)
273 Mailer.deliver_account_activation_request(user)
273 account_pending
274 account_pending
274 else
275 else
275 yield if block_given?
276 yield if block_given?
276 end
277 end
277 end
278 end
278
279
279 def account_pending
280 def account_pending
280 flash[:notice] = l(:notice_account_pending)
281 flash[:notice] = l(:notice_account_pending)
281 redirect_to :action => 'login'
282 redirect_to :action => 'login'
282 end
283 end
283 end
284 end
General Comments 0
You need to be logged in to leave comments. Login now