discourse/lib/current_user.rb

module CurrentUser

  def self.has_auth_cookie?(env)
    request = Rack::Request.new(env)
    cookie = request.cookies["_t"]
    !cookie.nil? && cookie.length == 32
  end

  def self.lookup_from_env(env)
    request = Rack::Request.new(env)
    lookup_from_auth_token(request.cookies["_t"])
  end

  def self.lookup_from_auth_token(auth_token)
    if auth_token && auth_token.length == 32
      User.where(auth_token: auth_token).first
    end
  end

  def log_on_user(user)
    session[:current_user_id] = user.id
    unless user.auth_token && user.auth_token.length == 32
      user.auth_token = SecureRandom.hex(16)
      user.save!
    end
    set_permanent_cookie!(user)
  end

  def set_permanent_cookie!(user)
    cookies.permanent["_t"] = { value: user.auth_token, httponly: true }
  end

  def current_user
    return @current_user if @current_user || @not_logged_in

    if session[:current_user_id].blank?
      # maybe we have a cookie?
      @current_user = CurrentUser.lookup_from_auth_token(cookies["_t"])
      session[:current_user_id] = @current_user.id if @current_user
    else
      @current_user ||= User.where(id: session[:current_user_id]).first

      # I have flip flopped on this (sam), if our permanent cookie
      #  conflicts with our current session assume session is bust
      #  kill it
      if @current_user && cookies["_t"] != @current_user.auth_token
        @current_user = nil
      end

    end

    if @current_user && @current_user.is_banned?
      @current_user = nil
    end

    @not_logged_in = session[:current_user_id].blank?
    if @current_user
      @current_user.update_last_seen!
      @current_user.update_ip_address!(request.remote_ip)
    end

    # possible we have an api call, impersonate
    unless @current_user
      if api_key = request["api_key"]
        if api_username = request["api_username"]
          if SiteSetting.api_key_valid?(api_key)
            @current_user = User.where(username_lower: api_username.downcase).first
          end
        end
      end
    end

    @current_user
  end

end
Initial release of Discourse 2013-02-06 03:16:51 +08:00			`module CurrentUser`

introduce rack:cache as a default, so users don't need to configure apache or nginx under rack cache we are able to serve 620reqs a second per thin (on my machine) before it 12 (on my machine) reorganised so mini profilers can be cleanly disabled from config file added caching for categories index move production.rb to production.sample.rb 2013-04-11 14:24:08 +08:00			`def self.has_auth_cookie?(env)`
			`request = Rack::Request.new(env)`
			`cookie = request.cookies["_t"]`
			`!cookie.nil? && cookie.length == 32`
			`end`

started work on message bus diags 2013-02-15 16:23:40 +08:00			`def self.lookup_from_env(env)`
			`request = Rack::Request.new(env)`
refactor and organise current_user better 2013-02-24 18:42:04 +08:00			`lookup_from_auth_token(request.cookies["_t"])`
			`end`

			`def self.lookup_from_auth_token(auth_token)`
started work on message bus diags 2013-02-15 16:23:40 +08:00			`if auth_token && auth_token.length == 32`
remove trailing whitespaces :heart: 2013-02-26 00:42:20 +08:00			`User.where(auth_token: auth_token).first`
refactor and organise current_user better 2013-02-24 18:42:04 +08:00			`end`
			`end`

			`def log_on_user(user)`
			`session[:current_user_id] = user.id`
fix duplicate auth_token in development database images 2013-03-23 01:33:56 +08:00			`unless user.auth_token && user.auth_token.length == 32`
refactor and organise current_user better 2013-02-24 18:42:04 +08:00			`user.auth_token = SecureRandom.hex(16)`
			`user.save!`
started work on message bus diags 2013-02-15 16:23:40 +08:00			`end`
cookie recovery cause we have been messing with it. 2013-02-24 18:50:34 +08:00			`set_permanent_cookie!(user)`
			`end`

			`def set_permanent_cookie!(user)`
Convert a lot of :a => b to a: b and bring peace to the world 2013-03-23 23:02:59 +08:00			`cookies.permanent["_t"] = { value: user.auth_token, httponly: true }`
started work on message bus diags 2013-02-15 16:23:40 +08:00			`end`

Initial release of Discourse 2013-02-06 03:16:51 +08:00			`def current_user`
			`return @current_user if @current_user \|\| @not_logged_in`

			`if session[:current_user_id].blank?`
remove trailing whitespaces :heart: 2013-02-26 00:42:20 +08:00			`# maybe we have a cookie?`
refactor and organise current_user better 2013-02-24 18:42:04 +08:00			`@current_user = CurrentUser.lookup_from_auth_token(cookies["_t"])`
			`session[:current_user_id] = @current_user.id if @current_user`
Initial release of Discourse 2013-02-06 03:16:51 +08:00			`else`
			`@current_user \|\|= User.where(id: session[:current_user_id]).first`
remove trailing whitespaces :heart: 2013-02-26 00:42:20 +08:00
correct breakage don't set permanent cookie, kill session if it conflicts 2013-02-24 19:56:08 +08:00			`# I have flip flopped on this (sam), if our permanent cookie`
			`# conflicts with our current session assume session is bust`
			`# kill it`
cookie recovery cause we have been messing with it. 2013-02-24 18:50:34 +08:00			`if @current_user && cookies["_t"] != @current_user.auth_token`
correct breakage don't set permanent cookie, kill session if it conflicts 2013-02-24 19:56:08 +08:00			`@current_user = nil`
cookie recovery cause we have been messing with it. 2013-02-24 18:50:34 +08:00			`end`

Initial release of Discourse 2013-02-06 03:16:51 +08:00			`end`

remove trailing whitespaces :heart: 2013-02-26 00:42:20 +08:00			`if @current_user && @current_user.is_banned?`
Initial release of Discourse 2013-02-06 03:16:51 +08:00			`@current_user = nil`
			`end`

			`@not_logged_in = session[:current_user_id].blank?`
			`if @current_user`
remove trailing whitespaces :heart: 2013-02-26 00:42:20 +08:00			`@current_user.update_last_seen!`
refactor and organise current_user better 2013-02-24 18:42:04 +08:00			`@current_user.update_ip_address!(request.remote_ip)`
Initial release of Discourse 2013-02-06 03:16:51 +08:00			`end`
basic api support 2013-03-26 09:04:28 +08:00
automatically approve invited users on forum where moderators must approve (keep in mind only moderators can invite) speed up specs a touch allow invite controller to accept an email in absence of user (cleans up API) 2013-07-11 09:21:39 +08:00			`# possible we have an api call, impersonate`
basic api support 2013-03-26 09:04:28 +08:00			`unless @current_user`
automatically approve invited users on forum where moderators must approve (keep in mind only moderators can invite) speed up specs a touch allow invite controller to accept an email in absence of user (cleans up API) 2013-07-11 09:21:39 +08:00			`if api_key = request["api_key"]`
basic api support 2013-03-26 09:04:28 +08:00			`if api_username = request["api_username"]`
			`if SiteSetting.api_key_valid?(api_key)`
			`@current_user = User.where(username_lower: api_username.downcase).first`
			`end`
			`end`
			`end`
			`end`

Initial release of Discourse 2013-02-06 03:16:51 +08:00			`@current_user`
			`end`

			`end`