##// END OF EJS Templates
jro_apps » redmine
RSS
Fixed: Openid registration form should not require user to enter password (#11331)....
Jean-Philippe Lang -
r9746:76a4b81cf3a9
parent child
Show More
Side by Side Unified
Context file:
r9746:76a4b81cf3a9 Loading diff...:
Show file before | Show file after | Hide comments
@@ -1,279 +1,282
1 1 # Redmine - project management software
2 2 # Copyright (C) 2006-2012 Jean-Philippe Lang
3 3 #
4 4 # This program is free software; you can redistribute it and/or
5 5 # modify it under the terms of the GNU General Public License
6 6 # as published by the Free Software Foundation; either version 2
7 7 # of the License, or (at your option) any later version.
8 8 #
9 9 # This program is distributed in the hope that it will be useful,
10 10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 12 # GNU General Public License for more details.
13 13 #
14 14 # You should have received a copy of the GNU General Public License
15 15 # along with this program; if not, write to the Free Software
16 16 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
17 17
18 18 class AccountController < ApplicationController
19 19 helper :custom_fields
20 20 include CustomFieldsHelper
21 21
22 22 # prevents login action to be filtered by check_if_login_required application scope filter
23 23 skip_before_filter :check_if_login_required
24 24
25 25 # Login request and validation
26 26 def login
27 27 if request.get?
28 28 logout_user
29 29 else
30 30 authenticate_user
31 31 end
32 32 rescue AuthSourceException => e
33 33 logger.error "An error occured when authenticating #{params[:username]}: #{e.message}"
34 34 render_error :message => e.message
35 35 end
36 36
37 37 # Log out current user and redirect to welcome page
38 38 def logout
39 39 logout_user
40 40 redirect_to home_url
41 41 end
42 42
43 43 # Enable user to choose a new password
44 44 def lost_password
45 45 redirect_to(home_url) && return unless Setting.lost_password?
46 46 if params[:token]
47 47 @token = Token.find_by_action_and_value("recovery", params[:token])
48 48 redirect_to(home_url) && return unless @token and !@token.expired?
49 49 @user = @token.user
50 50 if request.post?
51 51 @user.password, @user.password_confirmation = params[:new_password], params[:new_password_confirmation]
52 52 if @user.save
53 53 @token.destroy
54 54 flash[:notice] = l(:notice_account_password_updated)
55 55 redirect_to :action => 'login'
56 56 return
57 57 end
58 58 end
59 59 render :template => "account/password_recovery"
60 60 return
61 61 else
62 62 if request.post?
63 63 user = User.find_by_mail(params[:mail])
64 64 # user not found in db
65 65 (flash.now[:error] = l(:notice_account_unknown_email); return) unless user
66 66 # user uses an external authentification
67 67 (flash.now[:error] = l(:notice_can_t_change_password); return) if user.auth_source_id
68 68 # create a new token for password recovery
69 69 token = Token.new(:user => user, :action => "recovery")
70 70 if token.save
71 71 Mailer.lost_password(token).deliver
72 72 flash[:notice] = l(:notice_account_lost_email_sent)
73 73 redirect_to :action => 'login'
74 74 return
75 75 end
76 76 end
77 77 end
78 78 end
79 79
80 80 # User self-registration
81 81 def register
82 82 redirect_to(home_url) && return unless Setting.self_registration? || session[:auth_source_registration]
83 83 if request.get?
84 84 session[:auth_source_registration] = nil
85 85 @user = User.new(:language => Setting.default_language)
86 86 else
87 user_params = params[:user] || {}
87 88 @user = User.new
88 @user.safe_attributes = params[:user]
89 @user.safe_attributes = user_params
89 90 @user.admin = false
90 91 @user.register
91 92 if session[:auth_source_registration]
92 93 @user.activate
93 94 @user.login = session[:auth_source_registration][:login]
94 95 @user.auth_source_id = session[:auth_source_registration][:auth_source_id]
95 96 if @user.save
96 97 session[:auth_source_registration] = nil
97 98 self.logged_user = @user
98 99 flash[:notice] = l(:notice_account_activated)
99 100 redirect_to :controller => 'my', :action => 'account'
100 101 end
101 102 else
102 103 @user.login = params[:user][:login]
103 @user.password, @user.password_confirmation = params[:user][:password], params[:user][:password_confirmation]
104 unless user_params[:identity_url].present? && user_params[:password].blank? && user_params[:password_confirmation].blank?
105 @user.password, @user.password_confirmation = user_params[:password], user_params[:password_confirmation]
106 end
104 107
105 108 case Setting.self_registration
106 109 when '1'
107 110 register_by_email_activation(@user)
108 111 when '3'
109 112 register_automatically(@user)
110 113 else
111 114 register_manually_by_administrator(@user)
112 115 end
113 116 end
114 117 end
115 118 end
116 119
117 120 # Token based account activation
118 121 def activate
119 122 redirect_to(home_url) && return unless Setting.self_registration? && params[:token]
120 123 token = Token.find_by_action_and_value('register', params[:token])
121 124 redirect_to(home_url) && return unless token and !token.expired?
122 125 user = token.user
123 126 redirect_to(home_url) && return unless user.registered?
124 127 user.activate
125 128 if user.save
126 129 token.destroy
127 130 flash[:notice] = l(:notice_account_activated)
128 131 end
129 132 redirect_to :action => 'login'
130 133 end
131 134
132 135 private
133 136
134 137 def authenticate_user
135 138 if Setting.openid? && using_open_id?
136 139 open_id_authenticate(params[:openid_url])
137 140 else
138 141 password_authentication
139 142 end
140 143 end
141 144
142 145 def password_authentication
143 146 user = User.try_to_login(params[:username], params[:password])
144 147
145 148 if user.nil?
146 149 invalid_credentials
147 150 elsif user.new_record?
148 151 onthefly_creation_failed(user, {:login => user.login, :auth_source_id => user.auth_source_id })
149 152 else
150 153 # Valid user
151 154 successful_authentication(user)
152 155 end
153 156 end
154 157
155 158 def open_id_authenticate(openid_url)
156 159 authenticate_with_open_id(openid_url, :required => [:nickname, :fullname, :email], :return_to => signin_url, :method => :post) do |result, identity_url, registration|
157 160 if result.successful?
158 161 user = User.find_or_initialize_by_identity_url(identity_url)
159 162 if user.new_record?
160 163 # Self-registration off
161 164 redirect_to(home_url) && return unless Setting.self_registration?
162 165
163 166 # Create on the fly
164 167 user.login = registration['nickname'] unless registration['nickname'].nil?
165 168 user.mail = registration['email'] unless registration['email'].nil?
166 169 user.firstname, user.lastname = registration['fullname'].split(' ') unless registration['fullname'].nil?
167 170 user.random_password
168 171 user.register
169 172
170 173 case Setting.self_registration
171 174 when '1'
172 175 register_by_email_activation(user) do
173 176 onthefly_creation_failed(user)
174 177 end
175 178 when '3'
176 179 register_automatically(user) do
177 180 onthefly_creation_failed(user)
178 181 end
179 182 else
180 183 register_manually_by_administrator(user) do
181 184 onthefly_creation_failed(user)
182 185 end
183 186 end
184 187 else
185 188 # Existing record
186 189 if user.active?
187 190 successful_authentication(user)
188 191 else
189 192 account_pending
190 193 end
191 194 end
192 195 end
193 196 end
194 197 end
195 198
196 199 def successful_authentication(user)
197 200 # Valid user
198 201 self.logged_user = user
199 202 # generate a key and set cookie if autologin
200 203 if params[:autologin] && Setting.autologin?
201 204 set_autologin_cookie(user)
202 205 end
203 206 call_hook(:controller_account_success_authentication_after, {:user => user })
204 207 redirect_back_or_default :controller => 'my', :action => 'page'
205 208 end
206 209
207 210 def set_autologin_cookie(user)
208 211 token = Token.create(:user => user, :action => 'autologin')
209 212 cookie_name = Redmine::Configuration['autologin_cookie_name'] || 'autologin'
210 213 cookie_options = {
211 214 :value => token.value,
212 215 :expires => 1.year.from_now,
213 216 :path => (Redmine::Configuration['autologin_cookie_path'] || '/'),
214 217 :secure => (Redmine::Configuration['autologin_cookie_secure'] ? true : false),
215 218 :httponly => true
216 219 }
217 220 cookies[cookie_name] = cookie_options
218 221 end
219 222
220 223 # Onthefly creation failed, display the registration form to fill/fix attributes
221 224 def onthefly_creation_failed(user, auth_source_options = { })
222 225 @user = user
223 226 session[:auth_source_registration] = auth_source_options unless auth_source_options.empty?
224 227 render :action => 'register'
225 228 end
226 229
227 230 def invalid_credentials
228 231 logger.warn "Failed login for '#{params[:username]}' from #{request.remote_ip} at #{Time.now.utc}"
229 232 flash.now[:error] = l(:notice_account_invalid_creditentials)
230 233 end
231 234
232 235 # Register a user for email activation.
233 236 #
234 237 # Pass a block for behavior when a user fails to save
235 238 def register_by_email_activation(user, &block)
236 239 token = Token.new(:user => user, :action => "register")
237 240 if user.save and token.save
238 241 Mailer.register(token).deliver
239 242 flash[:notice] = l(:notice_account_register_done)
240 243 redirect_to :action => 'login'
241 244 else
242 245 yield if block_given?
243 246 end
244 247 end
245 248
246 249 # Automatically register a user
247 250 #
248 251 # Pass a block for behavior when a user fails to save
249 252 def register_automatically(user, &block)
250 253 # Automatic activation
251 254 user.activate
252 255 user.last_login_on = Time.now
253 256 if user.save
254 257 self.logged_user = user
255 258 flash[:notice] = l(:notice_account_activated)
256 259 redirect_to :controller => 'my', :action => 'account'
257 260 else
258 261 yield if block_given?
259 262 end
260 263 end
261 264
262 265 # Manual activation by the administrator
263 266 #
264 267 # Pass a block for behavior when a user fails to save
265 268 def register_manually_by_administrator(user, &block)
266 269 if user.save
267 270 # Sends an email to the administrators
268 271 Mailer.account_activation_request(user).deliver
269 272 account_pending
270 273 else
271 274 yield if block_given?
272 275 end
273 276 end
274 277
275 278 def account_pending
276 279 flash[:notice] = l(:notice_account_pending)
277 280 redirect_to :action => 'login'
278 281 end
279 282 end
Show file before | Show file after | Hide comments
@@ -1,129 +1,165
1 1 # Redmine - project management software
2 2 # Copyright (C) 2006-2012 Jean-Philippe Lang
3 3 #
4 4 # This program is free software; you can redistribute it and/or
5 5 # modify it under the terms of the GNU General Public License
6 6 # as published by the Free Software Foundation; either version 2
7 7 # of the License, or (at your option) any later version.
8 8 #
9 9 # This program is distributed in the hope that it will be useful,
10 10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 12 # GNU General Public License for more details.
13 13 #
14 14 # You should have received a copy of the GNU General Public License
15 15 # along with this program; if not, write to the Free Software
16 16 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
17 17
18 18 require File.expand_path('../../test_helper', __FILE__)
19 19
20 20 class AccountControllerTest < ActionController::TestCase
21 21 tests AccountController
22 22 fixtures :users, :roles
23 23
24 24 def setup
25 25 User.current = nil
26 26 Setting.openid = '1'
27 27 end
28 28
29 29 def teardown
30 30 Setting.openid = '0'
31 31 end
32 32
33 33 if Object.const_defined?(:OpenID)
34 34
35 35 def test_login_with_openid_for_existing_user
36 36 Setting.self_registration = '3'
37 37 existing_user = User.new(:firstname => 'Cool',
38 38 :lastname => 'User',
39 39 :mail => 'user@somedomain.com',
40 40 :identity_url => 'http://openid.example.com/good_user')
41 41 existing_user.login = 'cool_user'
42 42 assert existing_user.save!
43 43
44 44 post :login, :openid_url => existing_user.identity_url
45 45 assert_redirected_to '/my/page'
46 46 end
47 47
48 48 def test_login_with_invalid_openid_provider
49 49 Setting.self_registration = '0'
50 50 post :login, :openid_url => 'http;//openid.example.com/good_user'
51 51 assert_redirected_to home_url
52 52 end
53 53
54 54 def test_login_with_openid_for_existing_non_active_user
55 55 Setting.self_registration = '2'
56 56 existing_user = User.new(:firstname => 'Cool',
57 57 :lastname => 'User',
58 58 :mail => 'user@somedomain.com',
59 59 :identity_url => 'http://openid.example.com/good_user',
60 60 :status => User::STATUS_REGISTERED)
61 61 existing_user.login = 'cool_user'
62 62 assert existing_user.save!
63 63
64 64 post :login, :openid_url => existing_user.identity_url
65 65 assert_redirected_to '/login'
66 66 end
67 67
68 68 def test_login_with_openid_with_new_user_created
69 69 Setting.self_registration = '3'
70 70 post :login, :openid_url => 'http://openid.example.com/good_user'
71 71 assert_redirected_to '/my/account'
72 72 user = User.find_by_login('cool_user')
73 73 assert user
74 74 assert_equal 'Cool', user.firstname
75 75 assert_equal 'User', user.lastname
76 76 end
77 77
78 78 def test_login_with_openid_with_new_user_and_self_registration_off
79 79 Setting.self_registration = '0'
80 80 post :login, :openid_url => 'http://openid.example.com/good_user'
81 81 assert_redirected_to home_url
82 82 user = User.find_by_login('cool_user')
83 83 assert_nil user
84 84 end
85 85
86 86 def test_login_with_openid_with_new_user_created_with_email_activation_should_have_a_token
87 87 Setting.self_registration = '1'
88 88 post :login, :openid_url => 'http://openid.example.com/good_user'
89 89 assert_redirected_to '/login'
90 90 user = User.find_by_login('cool_user')
91 91 assert user
92 92
93 93 token = Token.find_by_user_id_and_action(user.id, 'register')
94 94 assert token
95 95 end
96 96
97 97 def test_login_with_openid_with_new_user_created_with_manual_activation
98 98 Setting.self_registration = '2'
99 99 post :login, :openid_url => 'http://openid.example.com/good_user'
100 100 assert_redirected_to '/login'
101 101 user = User.find_by_login('cool_user')
102 102 assert user
103 103 assert_equal User::STATUS_REGISTERED, user.status
104 104 end
105 105
106 106 def test_login_with_openid_with_new_user_with_conflict_should_register
107 107 Setting.self_registration = '3'
108 108 existing_user = User.new(:firstname => 'Cool', :lastname => 'User', :mail => 'user@somedomain.com')
109 109 existing_user.login = 'cool_user'
110 110 assert existing_user.save!
111 111
112 112 post :login, :openid_url => 'http://openid.example.com/good_user'
113 113 assert_response :success
114 114 assert_template 'register'
115 115 assert assigns(:user)
116 116 assert_equal 'http://openid.example.com/good_user', assigns(:user)[:identity_url]
117 117 end
118 118
119 def test_login_with_openid_with_new_user_with_missing_information_should_register
120 Setting.self_registration = '3'
121
122 post :login, :openid_url => 'http://openid.example.com/good_blank_user'
123 assert_response :success
124 assert_template 'register'
125 assert assigns(:user)
126 assert_equal 'http://openid.example.com/good_blank_user', assigns(:user)[:identity_url]
127
128 assert_select 'input[name=?]', 'user[login]'
129 assert_select 'input[name=?]', 'user[password]'
130 assert_select 'input[name=?]', 'user[password_confirmation]'
131 assert_select 'input[name=?][value=?]', 'user[identity_url]', 'http://openid.example.com/good_blank_user'
132 end
133
134 def test_register_after_login_failure_should_not_require_user_to_enter_a_password
135 Setting.self_registration = '3'
136
137 assert_difference 'User.count' do
138 post :register, :user => {
139 :login => 'good_blank_user',
140 :password => '',
141 :password_confirmation => '',
142 :firstname => 'Cool',
143 :lastname => 'User',
144 :mail => 'user@somedomain.com',
145 :identity_url => 'http://openid.example.com/good_blank_user'
146 }
147 assert_response 302
148 end
149
150 user = User.first(:order => 'id DESC')
151 assert_equal 'http://openid.example.com/good_blank_user', user.identity_url
152 assert user.hashed_password.blank?, "Hashed password was #{user.hashed_password}"
153 end
154
119 155 def test_setting_openid_should_return_true_when_set_to_true
120 156 assert_equal true, Setting.openid?
121 157 end
122 158
123 159 else
124 160 puts "Skipping openid tests."
125 161
126 162 def test_dummy
127 163 end
128 164 end
129 165 end
Show file before | Show file after | Hide comments
@@ -1,45 +1,46
1 1 # Mocks out OpenID
2 2 #
3 3 # http://www.northpub.com/articles/2007/04/02/testing-openid-support
4 4 module OpenIdAuthentication
5 5
6 6 EXTENSION_FIELDS = {'email' => 'user@somedomain.com',
7 7 'nickname' => 'cool_user',
8 8 'country' => 'US',
9 9 'postcode' => '12345',
10 10 'fullname' => 'Cool User',
11 11 'dob' => '1970-04-01',
12 12 'language' => 'en',
13 13 'timezone' => 'America/New_York'}
14 14
15 15 protected
16 16
17 17 def authenticate_with_open_id(identity_url = params[:openid_url], options = {}) #:doc:
18 18 if User.find_by_identity_url(identity_url) || identity_url.include?('good')
19 extension_response_fields = {}
20
19 21 # Don't process registration fields unless it is requested.
20 22 unless identity_url.include?('blank') || (options[:required].nil? && options[:optional].nil?)
21 extension_response_fields = {}
22 23
23 24 options[:required].each do |field|
24 25 extension_response_fields[field.to_s] = EXTENSION_FIELDS[field.to_s]
25 26 end unless options[:required].nil?
26 27
27 28 options[:optional].each do |field|
28 29 extension_response_fields[field.to_s] = EXTENSION_FIELDS[field.to_s]
29 30 end unless options[:optional].nil?
30 31 end
31 32
32 33 yield Result[:successful], identity_url , extension_response_fields
33 34 else
34 35 logger.info "OpenID authentication failed: #{identity_url}"
35 36 yield Result[:failed], identity_url, nil
36 37 end
37 38 end
38 39
39 40 private
40 41
41 42 def add_simple_registration_fields(open_id_response, fields)
42 43 open_id_response.add_extension_arg('sreg', 'required', [ fields[:required] ].flatten * ',') if fields[:required]
43 44 open_id_response.add_extension_arg('sreg', 'optional', [ fields[:optional] ].flatten * ',') if fields[:optional]
44 45 end
45 46 end
General Comments 0
You need to be logged in to leave comments. Login now