##// END OF EJS Templates
jro_apps » redmine
RSS
Use safe_attributes for auth sources....
Jean-Philippe Lang -
r15310:d7a6c09822bc
parent child
Show More
Side by Side Unified
Context file:
r15310:d7a6c09822bc Loading diff...:
Show file before | Show file after | Hide comments
@@ -1,97 +1,104
1 1 # Redmine - project management software
2 2 # Copyright (C) 2006-2016 Jean-Philippe Lang
3 3 #
4 4 # This program is free software; you can redistribute it and/or
5 5 # modify it under the terms of the GNU General Public License
6 6 # as published by the Free Software Foundation; either version 2
7 7 # of the License, or (at your option) any later version.
8 8 #
9 9 # This program is distributed in the hope that it will be useful,
10 10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 12 # GNU General Public License for more details.
13 13 #
14 14 # You should have received a copy of the GNU General Public License
15 15 # along with this program; if not, write to the Free Software
16 16 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
17 17
18 18 class AuthSourcesController < ApplicationController
19 19 layout 'admin'
20 20 menu_item :ldap_authentication
21 21
22 22 before_action :require_admin
23 before_action :build_new_auth_source, :only => [:new, :create]
23 24 before_action :find_auth_source, :only => [:edit, :update, :test_connection, :destroy]
24 25 require_sudo_mode :update, :destroy
25 26
26 27 def index
27 28 @auth_source_pages, @auth_sources = paginate AuthSource, :per_page => 25
28 29 end
29 30
30 31 def new
31 klass_name = params[:type] || 'AuthSourceLdap'
32 @auth_source = AuthSource.new_subclass_instance(klass_name, params[:auth_source])
33 render_404 unless @auth_source
34 32 end
35 33
36 34 def create
37 @auth_source = AuthSource.new_subclass_instance(params[:type], params[:auth_source])
38 35 if @auth_source.save
39 36 flash[:notice] = l(:notice_successful_create)
40 37 redirect_to auth_sources_path
41 38 else
42 39 render :action => 'new'
43 40 end
44 41 end
45 42
46 43 def edit
47 44 end
48 45
49 46 def update
50 if @auth_source.update_attributes(params[:auth_source])
47 @auth_source.safe_attributes = params[:auth_source]
48 if @auth_source.save
51 49 flash[:notice] = l(:notice_successful_update)
52 50 redirect_to auth_sources_path
53 51 else
54 52 render :action => 'edit'
55 53 end
56 54 end
57 55
58 56 def test_connection
59 57 begin
60 58 @auth_source.test_connection
61 59 flash[:notice] = l(:notice_successful_connection)
62 60 rescue Exception => e
63 61 flash[:error] = l(:error_unable_to_connect, e.message)
64 62 end
65 63 redirect_to auth_sources_path
66 64 end
67 65
68 66 def destroy
69 67 unless @auth_source.users.exists?
70 68 @auth_source.destroy
71 69 flash[:notice] = l(:notice_successful_delete)
72 70 end
73 71 redirect_to auth_sources_path
74 72 end
75 73
76 74 def autocomplete_for_new_user
77 75 results = AuthSource.search(params[:term])
78 76
79 77 render :json => results.map {|result| {
80 78 'value' => result[:login],
81 79 'label' => "#{result[:login]} (#{result[:firstname]} #{result[:lastname]})",
82 80 'login' => result[:login].to_s,
83 81 'firstname' => result[:firstname].to_s,
84 82 'lastname' => result[:lastname].to_s,
85 83 'mail' => result[:mail].to_s,
86 84 'auth_source_id' => result[:auth_source_id].to_s
87 85 }}
88 86 end
89 87
90 88 private
91 89
90 def build_new_auth_source
91 @auth_source = AuthSource.new_subclass_instance(params[:type] || 'AuthSourceLdap')
92 if @auth_source
93 @auth_source.safe_attributes = params[:auth_source]
94 else
95 render_404
96 end
97 end
98
92 99 def find_auth_source
93 100 @auth_source = AuthSource.find(params[:id])
94 101 rescue ActiveRecord::RecordNotFound
95 102 render_404
96 103 end
97 104 end
Show file before | Show file after | Hide comments
@@ -1,93 +1,109
1 1 # Redmine - project management software
2 2 # Copyright (C) 2006-2016 Jean-Philippe Lang
3 3 #
4 4 # This program is free software; you can redistribute it and/or
5 5 # modify it under the terms of the GNU General Public License
6 6 # as published by the Free Software Foundation; either version 2
7 7 # of the License, or (at your option) any later version.
8 8 #
9 9 # This program is distributed in the hope that it will be useful,
10 10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 12 # GNU General Public License for more details.
13 13 #
14 14 # You should have received a copy of the GNU General Public License
15 15 # along with this program; if not, write to the Free Software
16 16 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
17 17
18 18 # Generic exception for when the AuthSource can not be reached
19 19 # (eg. can not connect to the LDAP)
20 20 class AuthSourceException < Exception; end
21 21 class AuthSourceTimeoutException < AuthSourceException; end
22 22
23 23 class AuthSource < ActiveRecord::Base
24 include Redmine::SafeAttributes
24 25 include Redmine::SubclassFactory
25 26 include Redmine::Ciphering
26 27
27 28 has_many :users
28 29
29 30 validates_presence_of :name
30 31 validates_uniqueness_of :name
31 32 validates_length_of :name, :maximum => 60
32 33 attr_protected :id
33 34
35 safe_attributes 'name',
36 'host',
37 'port',
38 'account',
39 'account_password',
40 'base_dn',
41 'attr_login',
42 'attr_firstname',
43 'attr_lastname',
44 'attr_mail',
45 'onthefly_register',
46 'tls',
47 'filter',
48 'timeout'
49
34 50 def authenticate(login, password)
35 51 end
36 52
37 53 def test_connection
38 54 end
39 55
40 56 def auth_method_name
41 57 "Abstract"
42 58 end
43 59
44 60 def account_password
45 61 read_ciphered_attribute(:account_password)
46 62 end
47 63
48 64 def account_password=(arg)
49 65 write_ciphered_attribute(:account_password, arg)
50 66 end
51 67
52 68 def searchable?
53 69 false
54 70 end
55 71
56 72 def self.search(q)
57 73 results = []
58 74 AuthSource.all.each do |source|
59 75 begin
60 76 if source.searchable?
61 77 results += source.search(q)
62 78 end
63 79 rescue AuthSourceException => e
64 80 logger.error "Error while searching users in #{source.name}: #{e.message}"
65 81 end
66 82 end
67 83 results
68 84 end
69 85
70 86 def allow_password_changes?
71 87 self.class.allow_password_changes?
72 88 end
73 89
74 90 # Does this auth source backend allow password changes?
75 91 def self.allow_password_changes?
76 92 false
77 93 end
78 94
79 95 # Try to authenticate a user not yet registered against available sources
80 96 def self.authenticate(login, password)
81 97 AuthSource.where(:onthefly_register => true).each do |source|
82 98 begin
83 99 logger.debug "Authenticating '#{login}' against '#{source.name}'" if logger && logger.debug?
84 100 attrs = source.authenticate(login, password)
85 101 rescue => e
86 102 logger.error "Error during authentication: #{e.message}"
87 103 attrs = nil
88 104 end
89 105 return attrs if attrs
90 106 end
91 107 return nil
92 108 end
93 109 end
General Comments 0
You need to be logged in to leave comments. Login now