| @@ -1,259 +1,270 | |||||
| 1 | # redMine - project management software |
|
1 | # redMine - project management software | |
| 2 | # Copyright (C) 2006-2007 Jean-Philippe Lang |
|
2 | # Copyright (C) 2006-2007 Jean-Philippe Lang | |
| 3 | # |
|
3 | # | |
| 4 | # This program is free software; you can redistribute it and/or |
|
4 | # This program is free software; you can redistribute it and/or | |
| 5 | # modify it under the terms of the GNU General Public License |
|
5 | # modify it under the terms of the GNU General Public License | |
| 6 | # as published by the Free Software Foundation; either version 2 |
|
6 | # as published by the Free Software Foundation; either version 2 | |
| 7 | # of the License, or (at your option) any later version. |
|
7 | # of the License, or (at your option) any later version. | |
| 8 | # |
|
8 | # | |
| 9 | # This program is distributed in the hope that it will be useful, |
|
9 | # This program is distributed in the hope that it will be useful, | |
| 10 | # but WITHOUT ANY WARRANTY; without even the implied warranty of |
|
10 | # but WITHOUT ANY WARRANTY; without even the implied warranty of | |
| 11 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
|
11 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
| 12 | # GNU General Public License for more details. |
|
12 | # GNU General Public License for more details. | |
| 13 | # |
|
13 | # | |
| 14 | # You should have received a copy of the GNU General Public License |
|
14 | # You should have received a copy of the GNU General Public License | |
| 15 | # along with this program; if not, write to the Free Software |
|
15 | # along with this program; if not, write to the Free Software | |
| 16 | # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. |
|
16 | # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. | |
| 17 |
|
17 | |||
| 18 | require 'uri' |
|
18 | require 'uri' | |
| 19 | require 'cgi' |
|
19 | require 'cgi' | |
| 20 |
|
20 | |||
| 21 | class ApplicationController < ActionController::Base |
|
21 | class ApplicationController < ActionController::Base | |
| 22 | include Redmine::I18n |
|
22 | include Redmine::I18n | |
| 23 |
|
23 | |||
| 24 | layout 'base' |
|
24 | layout 'base' | |
| 25 |
|
25 | |||
|
|
26 | # Remove broken cookie after upgrade from 0.8.x (#4292) | |||
|
|
27 | # See https://rails.lighthouseapp.com/projects/8994/tickets/3360 | |||
|
|
28 | # TODO: remove it when Rails is fixed | |||
|
|
29 | before_filter :delete_broken_cookies | |||
|
|
30 | def delete_broken_cookies | |||
|
|
31 | if cookies['_redmine_session'] && cookies['_redmine_session'] !~ /--/ | |||
|
|
32 | cookies.delete '_redmine_session' | |||
|
|
33 | redirect_to home_path and return false | |||
|
|
34 | end | |||
|
|
35 | end | |||
|
|
36 | ||||
| 26 | before_filter :user_setup, :check_if_login_required, :set_localization |
|
37 | before_filter :user_setup, :check_if_login_required, :set_localization | |
| 27 | filter_parameter_logging :password |
|
38 | filter_parameter_logging :password | |
| 28 | protect_from_forgery |
|
39 | protect_from_forgery | |
| 29 |
|
40 | |||
| 30 | include Redmine::Search::Controller |
|
41 | include Redmine::Search::Controller | |
| 31 | include Redmine::MenuManager::MenuController |
|
42 | include Redmine::MenuManager::MenuController | |
| 32 | helper Redmine::MenuManager::MenuHelper |
|
43 | helper Redmine::MenuManager::MenuHelper | |
| 33 |
|
44 | |||
| 34 | REDMINE_SUPPORTED_SCM.each do |scm| |
|
45 | REDMINE_SUPPORTED_SCM.each do |scm| | |
| 35 | require_dependency "repository/#{scm.underscore}" |
|
46 | require_dependency "repository/#{scm.underscore}" | |
| 36 | end |
|
47 | end | |
| 37 |
|
48 | |||
| 38 | def user_setup |
|
49 | def user_setup | |
| 39 | # Check the settings cache for each request |
|
50 | # Check the settings cache for each request | |
| 40 | Setting.check_cache |
|
51 | Setting.check_cache | |
| 41 | # Find the current user |
|
52 | # Find the current user | |
| 42 | User.current = find_current_user |
|
53 | User.current = find_current_user | |
| 43 | end |
|
54 | end | |
| 44 |
|
55 | |||
| 45 | # Returns the current user or nil if no user is logged in |
|
56 | # Returns the current user or nil if no user is logged in | |
| 46 | # and starts a session if needed |
|
57 | # and starts a session if needed | |
| 47 | def find_current_user |
|
58 | def find_current_user | |
| 48 | if session[:user_id] |
|
59 | if session[:user_id] | |
| 49 | # existing session |
|
60 | # existing session | |
| 50 | (User.active.find(session[:user_id]) rescue nil) |
|
61 | (User.active.find(session[:user_id]) rescue nil) | |
| 51 | elsif cookies[:autologin] && Setting.autologin? |
|
62 | elsif cookies[:autologin] && Setting.autologin? | |
| 52 | # auto-login feature starts a new session |
|
63 | # auto-login feature starts a new session | |
| 53 | user = User.try_to_autologin(cookies[:autologin]) |
|
64 | user = User.try_to_autologin(cookies[:autologin]) | |
| 54 | session[:user_id] = user.id if user |
|
65 | session[:user_id] = user.id if user | |
| 55 | user |
|
66 | user | |
| 56 | elsif params[:format] == 'atom' && params[:key] && accept_key_auth_actions.include?(params[:action]) |
|
67 | elsif params[:format] == 'atom' && params[:key] && accept_key_auth_actions.include?(params[:action]) | |
| 57 | # RSS key authentication does not start a session |
|
68 | # RSS key authentication does not start a session | |
| 58 | User.find_by_rss_key(params[:key]) |
|
69 | User.find_by_rss_key(params[:key]) | |
| 59 | end |
|
70 | end | |
| 60 | end |
|
71 | end | |
| 61 |
|
72 | |||
| 62 | # Sets the logged in user |
|
73 | # Sets the logged in user | |
| 63 | def logged_user=(user) |
|
74 | def logged_user=(user) | |
| 64 | reset_session |
|
75 | reset_session | |
| 65 | if user && user.is_a?(User) |
|
76 | if user && user.is_a?(User) | |
| 66 | User.current = user |
|
77 | User.current = user | |
| 67 | session[:user_id] = user.id |
|
78 | session[:user_id] = user.id | |
| 68 | else |
|
79 | else | |
| 69 | User.current = User.anonymous |
|
80 | User.current = User.anonymous | |
| 70 | end |
|
81 | end | |
| 71 | end |
|
82 | end | |
| 72 |
|
83 | |||
| 73 | # check if login is globally required to access the application |
|
84 | # check if login is globally required to access the application | |
| 74 | def check_if_login_required |
|
85 | def check_if_login_required | |
| 75 | # no check needed if user is already logged in |
|
86 | # no check needed if user is already logged in | |
| 76 | return true if User.current.logged? |
|
87 | return true if User.current.logged? | |
| 77 | require_login if Setting.login_required? |
|
88 | require_login if Setting.login_required? | |
| 78 | end |
|
89 | end | |
| 79 |
|
90 | |||
| 80 | def set_localization |
|
91 | def set_localization | |
| 81 | lang = nil |
|
92 | lang = nil | |
| 82 | if User.current.logged? |
|
93 | if User.current.logged? | |
| 83 | lang = find_language(User.current.language) |
|
94 | lang = find_language(User.current.language) | |
| 84 | end |
|
95 | end | |
| 85 | if lang.nil? && request.env['HTTP_ACCEPT_LANGUAGE'] |
|
96 | if lang.nil? && request.env['HTTP_ACCEPT_LANGUAGE'] | |
| 86 | accept_lang = parse_qvalues(request.env['HTTP_ACCEPT_LANGUAGE']).first.downcase |
|
97 | accept_lang = parse_qvalues(request.env['HTTP_ACCEPT_LANGUAGE']).first.downcase | |
| 87 | if !accept_lang.blank? |
|
98 | if !accept_lang.blank? | |
| 88 | lang = find_language(accept_lang) || find_language(accept_lang.split('-').first) |
|
99 | lang = find_language(accept_lang) || find_language(accept_lang.split('-').first) | |
| 89 | end |
|
100 | end | |
| 90 | end |
|
101 | end | |
| 91 | lang ||= Setting.default_language |
|
102 | lang ||= Setting.default_language | |
| 92 | set_language_if_valid(lang) |
|
103 | set_language_if_valid(lang) | |
| 93 | end |
|
104 | end | |
| 94 |
|
105 | |||
| 95 | def require_login |
|
106 | def require_login | |
| 96 | if !User.current.logged? |
|
107 | if !User.current.logged? | |
| 97 | # Extract only the basic url parameters on non-GET requests |
|
108 | # Extract only the basic url parameters on non-GET requests | |
| 98 | if request.get? |
|
109 | if request.get? | |
| 99 | url = url_for(params) |
|
110 | url = url_for(params) | |
| 100 | else |
|
111 | else | |
| 101 | url = url_for(:controller => params[:controller], :action => params[:action], :id => params[:id], :project_id => params[:project_id]) |
|
112 | url = url_for(:controller => params[:controller], :action => params[:action], :id => params[:id], :project_id => params[:project_id]) | |
| 102 | end |
|
113 | end | |
| 103 | redirect_to :controller => "account", :action => "login", :back_url => url |
|
114 | redirect_to :controller => "account", :action => "login", :back_url => url | |
| 104 | return false |
|
115 | return false | |
| 105 | end |
|
116 | end | |
| 106 | true |
|
117 | true | |
| 107 | end |
|
118 | end | |
| 108 |
|
119 | |||
| 109 | def require_admin |
|
120 | def require_admin | |
| 110 | return unless require_login |
|
121 | return unless require_login | |
| 111 | if !User.current.admin? |
|
122 | if !User.current.admin? | |
| 112 | render_403 |
|
123 | render_403 | |
| 113 | return false |
|
124 | return false | |
| 114 | end |
|
125 | end | |
| 115 | true |
|
126 | true | |
| 116 | end |
|
127 | end | |
| 117 |
|
128 | |||
| 118 | def deny_access |
|
129 | def deny_access | |
| 119 | User.current.logged? ? render_403 : require_login |
|
130 | User.current.logged? ? render_403 : require_login | |
| 120 | end |
|
131 | end | |
| 121 |
|
132 | |||
| 122 | # Authorize the user for the requested action |
|
133 | # Authorize the user for the requested action | |
| 123 | def authorize(ctrl = params[:controller], action = params[:action], global = false) |
|
134 | def authorize(ctrl = params[:controller], action = params[:action], global = false) | |
| 124 | allowed = User.current.allowed_to?({:controller => ctrl, :action => action}, @project, :global => global) |
|
135 | allowed = User.current.allowed_to?({:controller => ctrl, :action => action}, @project, :global => global) | |
| 125 | allowed ? true : deny_access |
|
136 | allowed ? true : deny_access | |
| 126 | end |
|
137 | end | |
| 127 |
|
138 | |||
| 128 | # Authorize the user for the requested action outside a project |
|
139 | # Authorize the user for the requested action outside a project | |
| 129 | def authorize_global(ctrl = params[:controller], action = params[:action], global = true) |
|
140 | def authorize_global(ctrl = params[:controller], action = params[:action], global = true) | |
| 130 | authorize(ctrl, action, global) |
|
141 | authorize(ctrl, action, global) | |
| 131 | end |
|
142 | end | |
| 132 |
|
143 | |||
| 133 | # make sure that the user is a member of the project (or admin) if project is private |
|
144 | # make sure that the user is a member of the project (or admin) if project is private | |
| 134 | # used as a before_filter for actions that do not require any particular permission on the project |
|
145 | # used as a before_filter for actions that do not require any particular permission on the project | |
| 135 | def check_project_privacy |
|
146 | def check_project_privacy | |
| 136 | if @project && @project.active? |
|
147 | if @project && @project.active? | |
| 137 | if @project.is_public? || User.current.member_of?(@project) || User.current.admin? |
|
148 | if @project.is_public? || User.current.member_of?(@project) || User.current.admin? | |
| 138 | true |
|
149 | true | |
| 139 | else |
|
150 | else | |
| 140 | User.current.logged? ? render_403 : require_login |
|
151 | User.current.logged? ? render_403 : require_login | |
| 141 | end |
|
152 | end | |
| 142 | else |
|
153 | else | |
| 143 | @project = nil |
|
154 | @project = nil | |
| 144 | render_404 |
|
155 | render_404 | |
| 145 | false |
|
156 | false | |
| 146 | end |
|
157 | end | |
| 147 | end |
|
158 | end | |
| 148 |
|
159 | |||
| 149 | def redirect_back_or_default(default) |
|
160 | def redirect_back_or_default(default) | |
| 150 | back_url = CGI.unescape(params[:back_url].to_s) |
|
161 | back_url = CGI.unescape(params[:back_url].to_s) | |
| 151 | if !back_url.blank? |
|
162 | if !back_url.blank? | |
| 152 | begin |
|
163 | begin | |
| 153 | uri = URI.parse(back_url) |
|
164 | uri = URI.parse(back_url) | |
| 154 | # do not redirect user to another host or to the login or register page |
|
165 | # do not redirect user to another host or to the login or register page | |
| 155 | if (uri.relative? || (uri.host == request.host)) && !uri.path.match(%r{/(login|account/register)}) |
|
166 | if (uri.relative? || (uri.host == request.host)) && !uri.path.match(%r{/(login|account/register)}) | |
| 156 | redirect_to(back_url) and return |
|
167 | redirect_to(back_url) and return | |
| 157 | end |
|
168 | end | |
| 158 | rescue URI::InvalidURIError |
|
169 | rescue URI::InvalidURIError | |
| 159 | # redirect to default |
|
170 | # redirect to default | |
| 160 | end |
|
171 | end | |
| 161 | end |
|
172 | end | |
| 162 | redirect_to default |
|
173 | redirect_to default | |
| 163 | end |
|
174 | end | |
| 164 |
|
175 | |||
| 165 | def render_403 |
|
176 | def render_403 | |
| 166 | @project = nil |
|
177 | @project = nil | |
| 167 | render :template => "common/403", :layout => !request.xhr?, :status => 403 |
|
178 | render :template => "common/403", :layout => !request.xhr?, :status => 403 | |
| 168 | return false |
|
179 | return false | |
| 169 | end |
|
180 | end | |
| 170 |
|
181 | |||
| 171 | def render_404 |
|
182 | def render_404 | |
| 172 | render :template => "common/404", :layout => !request.xhr?, :status => 404 |
|
183 | render :template => "common/404", :layout => !request.xhr?, :status => 404 | |
| 173 | return false |
|
184 | return false | |
| 174 | end |
|
185 | end | |
| 175 |
|
186 | |||
| 176 | def render_error(msg) |
|
187 | def render_error(msg) | |
| 177 | flash.now[:error] = msg |
|
188 | flash.now[:error] = msg | |
| 178 | render :text => '', :layout => !request.xhr?, :status => 500 |
|
189 | render :text => '', :layout => !request.xhr?, :status => 500 | |
| 179 | end |
|
190 | end | |
| 180 |
|
191 | |||
| 181 | def render_feed(items, options={}) |
|
192 | def render_feed(items, options={}) | |
| 182 | @items = items || [] |
|
193 | @items = items || [] | |
| 183 | @items.sort! {|x,y| y.event_datetime <=> x.event_datetime } |
|
194 | @items.sort! {|x,y| y.event_datetime <=> x.event_datetime } | |
| 184 | @items = @items.slice(0, Setting.feeds_limit.to_i) |
|
195 | @items = @items.slice(0, Setting.feeds_limit.to_i) | |
| 185 | @title = options[:title] || Setting.app_title |
|
196 | @title = options[:title] || Setting.app_title | |
| 186 | render :template => "common/feed.atom.rxml", :layout => false, :content_type => 'application/atom+xml' |
|
197 | render :template => "common/feed.atom.rxml", :layout => false, :content_type => 'application/atom+xml' | |
| 187 | end |
|
198 | end | |
| 188 |
|
199 | |||
| 189 | def self.accept_key_auth(*actions) |
|
200 | def self.accept_key_auth(*actions) | |
| 190 | actions = actions.flatten.map(&:to_s) |
|
201 | actions = actions.flatten.map(&:to_s) | |
| 191 | write_inheritable_attribute('accept_key_auth_actions', actions) |
|
202 | write_inheritable_attribute('accept_key_auth_actions', actions) | |
| 192 | end |
|
203 | end | |
| 193 |
|
204 | |||
| 194 | def accept_key_auth_actions |
|
205 | def accept_key_auth_actions | |
| 195 | self.class.read_inheritable_attribute('accept_key_auth_actions') || [] |
|
206 | self.class.read_inheritable_attribute('accept_key_auth_actions') || [] | |
| 196 | end |
|
207 | end | |
| 197 |
|
208 | |||
| 198 | # TODO: move to model |
|
209 | # TODO: move to model | |
| 199 | def attach_files(obj, attachments) |
|
210 | def attach_files(obj, attachments) | |
| 200 | attached = [] |
|
211 | attached = [] | |
| 201 | unsaved = [] |
|
212 | unsaved = [] | |
| 202 | if attachments && attachments.is_a?(Hash) |
|
213 | if attachments && attachments.is_a?(Hash) | |
| 203 | attachments.each_value do |attachment| |
|
214 | attachments.each_value do |attachment| | |
| 204 | file = attachment['file'] |
|
215 | file = attachment['file'] | |
| 205 | next unless file && file.size > 0 |
|
216 | next unless file && file.size > 0 | |
| 206 | a = Attachment.create(:container => obj, |
|
217 | a = Attachment.create(:container => obj, | |
| 207 | :file => file, |
|
218 | :file => file, | |
| 208 | :description => attachment['description'].to_s.strip, |
|
219 | :description => attachment['description'].to_s.strip, | |
| 209 | :author => User.current) |
|
220 | :author => User.current) | |
| 210 | a.new_record? ? (unsaved << a) : (attached << a) |
|
221 | a.new_record? ? (unsaved << a) : (attached << a) | |
| 211 | end |
|
222 | end | |
| 212 | if unsaved.any? |
|
223 | if unsaved.any? | |
| 213 | flash[:warning] = l(:warning_attachments_not_saved, unsaved.size) |
|
224 | flash[:warning] = l(:warning_attachments_not_saved, unsaved.size) | |
| 214 | end |
|
225 | end | |
| 215 | end |
|
226 | end | |
| 216 | attached |
|
227 | attached | |
| 217 | end |
|
228 | end | |
| 218 |
|
229 | |||
| 219 | # Returns the number of objects that should be displayed |
|
230 | # Returns the number of objects that should be displayed | |
| 220 | # on the paginated list |
|
231 | # on the paginated list | |
| 221 | def per_page_option |
|
232 | def per_page_option | |
| 222 | per_page = nil |
|
233 | per_page = nil | |
| 223 | if params[:per_page] && Setting.per_page_options_array.include?(params[:per_page].to_s.to_i) |
|
234 | if params[:per_page] && Setting.per_page_options_array.include?(params[:per_page].to_s.to_i) | |
| 224 | per_page = params[:per_page].to_s.to_i |
|
235 | per_page = params[:per_page].to_s.to_i | |
| 225 | session[:per_page] = per_page |
|
236 | session[:per_page] = per_page | |
| 226 | elsif session[:per_page] |
|
237 | elsif session[:per_page] | |
| 227 | per_page = session[:per_page] |
|
238 | per_page = session[:per_page] | |
| 228 | else |
|
239 | else | |
| 229 | per_page = Setting.per_page_options_array.first || 25 |
|
240 | per_page = Setting.per_page_options_array.first || 25 | |
| 230 | end |
|
241 | end | |
| 231 | per_page |
|
242 | per_page | |
| 232 | end |
|
243 | end | |
| 233 |
|
244 | |||
| 234 | # qvalues http header parser |
|
245 | # qvalues http header parser | |
| 235 | # code taken from webrick |
|
246 | # code taken from webrick | |
| 236 | def parse_qvalues(value) |
|
247 | def parse_qvalues(value) | |
| 237 | tmp = [] |
|
248 | tmp = [] | |
| 238 | if value |
|
249 | if value | |
| 239 | parts = value.split(/,\s*/) |
|
250 | parts = value.split(/,\s*/) | |
| 240 | parts.each {|part| |
|
251 | parts.each {|part| | |
| 241 | if m = %r{^([^\s,]+?)(?:;\s*q=(\d+(?:\.\d+)?))?$}.match(part) |
|
252 | if m = %r{^([^\s,]+?)(?:;\s*q=(\d+(?:\.\d+)?))?$}.match(part) | |
| 242 | val = m[1] |
|
253 | val = m[1] | |
| 243 | q = (m[2] or 1).to_f |
|
254 | q = (m[2] or 1).to_f | |
| 244 | tmp.push([val, q]) |
|
255 | tmp.push([val, q]) | |
| 245 | end |
|
256 | end | |
| 246 | } |
|
257 | } | |
| 247 | tmp = tmp.sort_by{|val, q| -q} |
|
258 | tmp = tmp.sort_by{|val, q| -q} | |
| 248 | tmp.collect!{|val, q| val} |
|
259 | tmp.collect!{|val, q| val} | |
| 249 | end |
|
260 | end | |
| 250 | return tmp |
|
261 | return tmp | |
| 251 | rescue |
|
262 | rescue | |
| 252 | nil |
|
263 | nil | |
| 253 | end |
|
264 | end | |
| 254 |
|
265 | |||
| 255 | # Returns a string that can be used as filename value in Content-Disposition header |
|
266 | # Returns a string that can be used as filename value in Content-Disposition header | |
| 256 | def filename_for_content_disposition(name) |
|
267 | def filename_for_content_disposition(name) | |
| 257 | request.env['HTTP_USER_AGENT'] =~ %r{MSIE} ? ERB::Util.url_encode(name) : name |
|
268 | request.env['HTTP_USER_AGENT'] =~ %r{MSIE} ? ERB::Util.url_encode(name) : name | |
| 258 | end |
|
269 | end | |
| 259 | end |
|
270 | end | |
General Comments 0
You need to be logged in to leave comments.
Login now