discourse/lib/current_user.rb

# frozen_string_literal: true

module CurrentUser
  def self.has_auth_cookie?(env)
    Discourse.current_user_provider.new(env).has_auth_cookie?
  end

  def self.lookup_from_env(env)
    Discourse.current_user_provider.new(env).current_user
  end

  # can be used to pretend current user does no exist, for CSRF attacks
  def clear_current_user
    @current_user_provider = Discourse.current_user_provider.new({})
  end

  def log_on_user(user, opts = {})
    current_user_provider.log_on_user(user, session, cookies, opts)
    user.logged_in
  end

  def log_off_user
    current_user_provider.log_off_user(session, cookies)
  end

  def is_api?
    current_user_provider.is_api?
  end

  def is_user_api?
    current_user_provider.is_user_api?
  end

  def current_user
    current_user_provider.current_user
  end

  def refresh_session(user)
    current_user_provider.refresh_session(user, session, cookies)
  end

  private

  def current_user_provider
    @current_user_provider ||= Discourse.current_user_provider.new(request.env)
  end
end
DEV: enable frozen string literal on all files This reduces chances of errors where consumers of strings mutate inputs and reduces memory usage of the app. Test suite passes now, but there may be some stuff left, so we will run a few sites on a branch prior to merging 2019-05-03 06:17:27 +08:00			`# frozen_string_literal: true`

Initial release of Discourse 2013-02-06 03:16:51 +08:00			`module CurrentUser`
introduce rack:cache as a default, so users don't need to configure apache or nginx under rack cache we are able to serve 620reqs a second per thin (on my machine) before it 12 (on my machine) reorganised so mini profilers can be cleanly disabled from config file added caching for categories index move production.rb to production.sample.rb 2013-04-11 14:24:08 +08:00			`def self.has_auth_cookie?(env)`
add current_user_provider so people can override current_user bevior cleanly, see http://meta.discourse.org/t/amending-current-user-logic-in-discourse/10278 2013-10-09 12:10:37 +08:00			`Discourse.current_user_provider.new(env).has_auth_cookie?`
introduce rack:cache as a default, so users don't need to configure apache or nginx under rack cache we are able to serve 620reqs a second per thin (on my machine) before it 12 (on my machine) reorganised so mini profilers can be cleanly disabled from config file added caching for categories index move production.rb to production.sample.rb 2013-04-11 14:24:08 +08:00			`end`

started work on message bus diags 2013-02-15 16:23:40 +08:00			`def self.lookup_from_env(env)`
add current_user_provider so people can override current_user bevior cleanly, see http://meta.discourse.org/t/amending-current-user-logic-in-discourse/10278 2013-10-09 12:10:37 +08:00			`Discourse.current_user_provider.new(env).current_user`
refactor and organise current_user better 2013-02-24 18:42:04 +08:00			`end`

SECURITY: correct our CSRF implementation to be much more aggressive 2013-07-29 13:13:13 +08:00			`# can be used to pretend current user does no exist, for CSRF attacks`
			`def clear_current_user`
add current_user_provider so people can override current_user bevior cleanly, see http://meta.discourse.org/t/amending-current-user-logic-in-discourse/10278 2013-10-09 12:10:37 +08:00			`@current_user_provider = Discourse.current_user_provider.new({})`
SECURITY: correct our CSRF implementation to be much more aggressive 2013-07-29 13:13:13 +08:00			`end`

FIX: Do not check for suspicious login when impersonating. (#6534) * FIX: Do not check for suspicious login when impersonating. * DEV: Add 'impersonate' parameter to log_on_user. 2018-11-12 22:34:12 +08:00			`def log_on_user(user, opts = {})`
			`current_user_provider.log_on_user(user, session, cookies, opts)`
FEATURE: Add DiscourseEvent trigger when a user logs in. * Also adds a event trigger when user logs in for the first time. 2017-06-01 16:19:42 +08:00			`user.logged_in`
cookie recovery cause we have been messing with it. 2013-02-24 18:50:34 +08:00			`end`

add current_user_provider so people can override current_user bevior cleanly, see http://meta.discourse.org/t/amending-current-user-logic-in-discourse/10278 2013-10-09 12:10:37 +08:00			`def log_off_user`
			`current_user_provider.log_off_user(session, cookies)`
started work on message bus diags 2013-02-15 16:23:40 +08:00			`end`

SECURITY: correct our CSRF implementation to be much more aggressive 2013-07-29 13:13:13 +08:00			`def is_api?`
add current_user_provider so people can override current_user bevior cleanly, see http://meta.discourse.org/t/amending-current-user-logic-in-discourse/10278 2013-10-09 12:10:37 +08:00			`current_user_provider.is_api?`
SECURITY: correct our CSRF implementation to be much more aggressive 2013-07-29 13:13:13 +08:00			`end`

SECURITY: don't grant same privileges to user_api and api access User API is no longer gets bypasses that standard API gets. Only bypasses are CSRF and XHR requirements. 2016-12-16 09:05:20 +08:00			`def is_user_api?`
			`current_user_provider.is_user_api?`
			`end`

Initial release of Discourse 2013-02-06 03:16:51 +08:00			`def current_user`
FEATURE: logging out logs you out everywhere can be disabled by changing the setting "log_out_strict" to false 2015-01-28 09:56:25 +08:00			`current_user_provider.current_user`
add current_user_provider so people can override current_user bevior cleanly, see http://meta.discourse.org/t/amending-current-user-logic-in-discourse/10278 2013-10-09 12:10:37 +08:00			`end`
basic api support 2013-03-26 09:04:28 +08:00
FEATURE: refresh session cookie at most once an hour This feature ensures session cookie lifespan is extended when user is online. Also decreases session timeout from 90 to 60 days. Ensures all users (including logged on ones) get expiring sessions. 2016-07-25 10:07:31 +08:00			`def refresh_session(user)`
			`current_user_provider.refresh_session(user, session, cookies)`
			`end`

add current_user_provider so people can override current_user bevior cleanly, see http://meta.discourse.org/t/amending-current-user-logic-in-discourse/10278 2013-10-09 12:10:37 +08:00			`private`
basic api support 2013-03-26 09:04:28 +08:00
add current_user_provider so people can override current_user bevior cleanly, see http://meta.discourse.org/t/amending-current-user-logic-in-discourse/10278 2013-10-09 12:10:37 +08:00			`def current_user_provider`
			`@current_user_provider \|\|= Discourse.current_user_provider.new(request.env)`
Initial release of Discourse 2013-02-06 03:16:51 +08:00			`end`
			`end`