discourse/app/controllers/users_controller.rb

452 lines
13 KiB
Ruby
Raw Normal View History

require_dependency 'discourse_hub'
require_dependency 'user_name_suggester'
require_dependency 'avatar_upload_service'
2013-02-06 03:16:51 +08:00
class UsersController < ApplicationController
skip_before_filter :authorize_mini_profiler, only: [:avatar]
skip_before_filter :check_xhr, only: [:show, :password_reset, :update, :activate_account, :authorize_email, :user_preferences_redirect, :avatar]
2013-02-06 03:16:51 +08:00
before_filter :ensure_logged_in, only: [:username, :update, :change_email, :user_preferences_redirect, :upload_user_image, :toggle_avatar, :clear_profile_background, :destroy]
before_filter :respond_to_suspicious_request, only: [:create]
2013-02-07 23:45:24 +08:00
# we need to allow account creation with bad CSRF tokens, if people are caching, the CSRF token on the
# page is going to be empty, this means that server will see an invalid CSRF and blow the session
# once that happens you can't log in with social
skip_before_filter :verify_authenticity_token, only: [:create]
skip_before_filter :redirect_to_login_if_required, only: [:check_username,
:create,
:get_honeypot_value,
:activate_account,
:send_activation_email,
:authorize_email,
:password_reset]
2013-02-07 23:45:24 +08:00
def show
2013-02-06 03:16:51 +08:00
@user = fetch_user_from_params
user_serializer = UserSerializer.new(@user, scope: guardian, root: 'user')
respond_to do |format|
format.html do
store_preloaded("user_#{@user.username}", MultiJson.dump(user_serializer))
end
format.json do
render_json_dump(user_serializer)
end
2013-02-06 03:16:51 +08:00
end
end
def user_preferences_redirect
redirect_to email_preferences_path(current_user.username_lower)
end
def update
user = fetch_user_from_params
2013-02-06 03:16:51 +08:00
guardian.ensure_can_edit!(user)
json_result(user, serializer: UserSerializer) do |u|
updater = UserUpdater.new(current_user, user)
updater.update(params)
2013-02-07 23:45:24 +08:00
end
2013-02-06 03:16:51 +08:00
end
def username
params.require(:new_username)
2013-02-06 03:16:51 +08:00
user = fetch_user_from_params
guardian.ensure_can_edit_username!(user)
2013-02-07 23:45:24 +08:00
2013-02-06 03:16:51 +08:00
result = user.change_username(params[:new_username])
raise Discourse::InvalidParameters.new(:new_username) unless result
2013-02-07 23:45:24 +08:00
render nothing: true
2013-02-06 03:16:51 +08:00
end
def preferences
render nothing: true
end
def invited
inviter = fetch_user_from_params
invites = if guardian.can_see_pending_invites_from?(inviter)
Invite.find_all_invites_from(inviter)
else
Invite.find_redeemed_invites_from(inviter)
end
invites = invites.filter_by(params[:filter])
render_serialized(invites.to_a, InviteSerializer)
2013-02-06 03:16:51 +08:00
end
def is_local_username
params.require(:username)
2013-02-06 03:16:51 +08:00
u = params[:username].downcase
r = User.exec_sql('select 1 from users where username_lower = ?', u).values
render json: {valid: r.length == 1}
end
def render_available_true
render(json: { available: true })
end
def changing_case_of_own_username(target_user, username)
target_user and username.downcase == target_user.username.downcase
end
# Used for checking availability of a username and will return suggestions
# if the username is not available.
2013-02-06 03:16:51 +08:00
def check_username
if !params[:username].present?
params.require(:username) if !params[:email].present?
return render(json: success_json) unless SiteSetting.call_discourse_hub?
end
username = params[:username]
2013-02-06 03:16:51 +08:00
target_user = user_from_params_or_current_user
# The special case where someone is changing the case of their own username
return render_available_true if changing_case_of_own_username(target_user, username)
checker = UsernameCheckerService.new
email = params[:email] || target_user.try(:email)
render json: checker.check_username(username, email)
rescue RestClient::Forbidden
render json: {errors: [I18n.t("discourse_hub.access_token_problem")]}
end
2013-02-06 03:16:51 +08:00
def user_from_params_or_current_user
params[:for_user_id] ? User.find(params[:for_user_id]) : current_user
end
2013-02-06 03:16:51 +08:00
def create
user = User.new(user_params)
authentication = UserAuthenticator.new(user, session)
authentication.start
2013-02-06 03:16:51 +08:00
activation = UserActivator.new(user, request, session, cookies)
activation.start
2013-02-06 03:16:51 +08:00
if user.save
authentication.finish
activation.finish
render json: {
success: true,
active: user.active?,
message: activation.message
}
else
render json: {
success: false,
message: I18n.t(
'login.errors',
errors: user.errors.full_messages.join("\n")
),
errors: user.errors.to_hash,
values: user.attributes.slice('name', 'username', 'email')
}
end
rescue ActiveRecord::StatementInvalid
render json: {
success: false,
message: I18n.t("login.something_already_taken")
}
rescue DiscourseHub::UsernameUnavailable => e
render json: e.response_message
2013-02-06 03:16:51 +08:00
rescue RestClient::Forbidden
render json: { errors: [I18n.t("discourse_hub.access_token_problem")] }
2013-02-06 03:16:51 +08:00
end
def get_honeypot_value
render json: {value: honeypot_value, challenge: challenge_value}
end
2013-02-06 03:16:51 +08:00
def password_reset
expires_now()
@user = EmailToken.confirm(params[:token])
if @user.blank?
flash[:error] = I18n.t('password_reset.no_token')
2013-11-11 19:28:26 +08:00
elsif request.put?
raise Discourse::InvalidParameters.new(:password) unless params[:password].present?
@user.password = params[:password]
@user.password_required!
if @user.save
Invite.invalidate_for_email(@user.email) # invite link can't be used to log in anymore
logon_after_password_reset
end
2013-02-06 03:16:51 +08:00
end
render layout: 'no_js'
2013-02-06 03:16:51 +08:00
end
2013-02-07 23:45:24 +08:00
def logon_after_password_reset
message = if Guardian.new(@user).can_access_forum?
# Log in the user
log_on_user(@user)
'password_reset.success'
else
@requires_approval = true
'password_reset.success_unapproved'
end
flash[:success] = I18n.t(message)
end
2013-02-06 03:16:51 +08:00
def change_email
params.require(:email)
2013-02-06 03:16:51 +08:00
user = fetch_user_from_params
guardian.ensure_can_edit_email!(user)
lower_email = Email.downcase(params[:email]).strip
2013-02-06 03:16:51 +08:00
# Raise an error if the email is already in use
if User.where("email = ?", lower_email).exists?
raise Discourse::InvalidParameters.new(:email)
end
2013-02-06 03:16:51 +08:00
email_token = user.email_tokens.create(email: lower_email)
Jobs.enqueue(
:user_email,
to_address: lower_email,
type: :authorize_email,
user_id: user.id,
email_token: email_token.token
)
2013-02-06 03:16:51 +08:00
2013-02-07 23:45:24 +08:00
render nothing: true
2013-02-06 03:16:51 +08:00
end
def authorize_email
expires_now()
if @user = EmailToken.confirm(params[:token])
log_on_user(@user)
else
flash[:error] = I18n.t('change_email.error')
end
render layout: 'no_js'
2013-02-06 03:16:51 +08:00
end
def activate_account
expires_now()
if @user = EmailToken.confirm(params[:token])
# Log in the user unless they need to be approved
if Guardian.new(@user).can_access_forum?
2013-02-06 03:16:51 +08:00
@user.enqueue_welcome_message('welcome_user') if @user.send_welcome_message
log_on_user(@user)
else
@needs_approval = true
2013-02-06 03:16:51 +08:00
end
else
flash[:error] = I18n.t('activation.already_done')
end
render layout: 'no_js'
2013-02-06 03:16:51 +08:00
end
def send_activation_email
@user = fetch_user_from_params
@email_token = @user.email_tokens.unconfirmed.active.first
enqueue_activation_email if @user
render nothing: true
end
def enqueue_activation_email
@email_token ||= @user.email_tokens.create(email: @user.email)
Jobs.enqueue(:user_email, type: :signup, user_id: @user.id, email_token: @email_token.token)
end
2013-02-06 03:16:51 +08:00
def search_users
2013-02-07 18:59:25 +08:00
term = params[:term].to_s.strip
2013-02-06 03:16:51 +08:00
topic_id = params[:topic_id]
topic_id = topic_id.to_i if topic_id
results = UserSearch.new(term, topic_id).search
2013-02-06 03:16:51 +08:00
user_fields = [:username, :use_uploaded_avatar, :upload_avatar_template, :uploaded_avatar_id]
user_fields << :name if SiteSetting.enable_names?
to_render = { users: results.as_json(only: user_fields, methods: :avatar_template) }
if params[:include_groups] == "true"
to_render[:groups] = Group.search_group(term, current_user).map {|m| {:name=>m.name, :usernames=> m.usernames.split(",")} }
end
render json: to_render
2013-02-06 03:16:51 +08:00
end
# [LEGACY] avatars in quotes/oneboxes might still be pointing to this route
# fixing it requires a rebake of all the posts
2013-08-14 04:08:29 +08:00
def avatar
2013-08-15 00:26:31 +08:00
user = User.where(username_lower: params[:username].downcase).first
if user.present?
size = determine_avatar_size(params[:size])
url = user.avatar_template.gsub("{size}", size.to_s)
expires_in 1.day
redirect_to url
else
raise ActiveRecord::RecordNotFound
end
end
def determine_avatar_size(size)
size = size.to_i
size = 64 if size == 0
size = 10 if size < 10
size = 128 if size > 128
size
end
def upload_avatar
params[:user_image_type] = "avatar"
upload_user_image
end
def upload_user_image
params.require(:user_image_type)
2013-08-14 04:08:29 +08:00
user = fetch_user_from_params
guardian.ensure_can_edit!(user)
file = params[:file] || params[:files].first
# Only allow url uploading for API users
# TODO: Does not protect from huge uploads
# https://github.com/discourse/discourse/pull/1512
2013-08-14 04:08:29 +08:00
# check the file size (note: this might also be done in the web server)
img = build_user_image_from(file)
upload_policy = AvatarUploadPolicy.new(img)
if upload_policy.too_big?
return render status: 413, text: I18n.t("upload.images.too_large",
max_size_kb: upload_policy.max_size_kb)
end
2013-08-14 04:08:29 +08:00
raise FastImage::UnknownImageType unless SiteSetting.authorized_image?(img.file)
upload_type = params[:user_image_type]
if upload_type == "avatar"
upload_avatar_for(user, img)
elsif upload_type == "profile_background"
upload_profile_background_for(user, img)
else
render status: 422, text: ""
end
2013-08-14 04:08:29 +08:00
rescue Discourse::InvalidParameters
render status: 422, text: I18n.t("upload.images.unknown_image_type")
2013-08-14 04:08:29 +08:00
rescue FastImage::ImageFetchFailure
render status: 422, text: I18n.t("upload.images.fetch_failure")
rescue FastImage::UnknownImageType
render status: 422, text: I18n.t("upload.images.unknown_image_type")
rescue FastImage::SizeNotFound
render status: 422, text: I18n.t("upload.images.size_not_found")
end
def toggle_avatar
params.require(:use_uploaded_avatar)
user = fetch_user_from_params
guardian.ensure_can_edit!(user)
user.use_uploaded_avatar = params[:use_uploaded_avatar]
user.save!
2013-08-17 06:29:54 +08:00
render nothing: true
2013-08-14 04:08:29 +08:00
end
def clear_profile_background
user = fetch_user_from_params
guardian.ensure_can_edit!(user)
user.profile_background = ""
user.save!
render nothing: true
end
def destroy
@user = fetch_user_from_params
guardian.ensure_can_delete_user!(@user)
UserDestroyer.new(current_user).destroy(@user, {delete_posts: true, context: params[:context]})
render json: success_json
end
2013-02-06 03:16:51 +08:00
private
def honeypot_value
Digest::SHA1::hexdigest("#{Discourse.current_hostname}:#{Discourse::Application.config.secret_token}")[0,15]
end
def challenge_value
challenge = $redis.get('SECRET_CHALLENGE')
unless challenge && challenge.length == 16*2
challenge = SecureRandom.hex(16)
$redis.set('SECRET_CHALLENGE',challenge)
end
challenge
end
def build_user_image_from(file)
source = if file.is_a?(String)
is_api? ? :url : (raise FastImage::UnknownImageType)
else
:image
end
AvatarUploadService.new(file, source)
end
def upload_avatar_for(user, avatar)
upload = Upload.create_for(user.id, avatar.file, avatar.filesize)
user.upload_avatar(upload)
Jobs.enqueue(:generate_avatars, user_id: user.id, upload_id: upload.id)
render json: { url: upload.url, width: upload.width, height: upload.height }
end
def upload_profile_background_for(user, background)
upload = Upload.create_for(user.id, background.file, background.filesize)
user.profile_background = upload.url
user.save!
# TODO: maybe add a resize job here
render json: { url: upload.url, width: upload.width, height: upload.height }
end
def respond_to_suspicious_request
if suspicious?(params)
render(
json: {
success: true,
active: false,
message: I18n.t("login.activate_email", email: params[:email])
}
)
end
end
def suspicious?(params)
honeypot_or_challenge_fails?(params) || SiteSetting.invite_only?
end
def honeypot_or_challenge_fails?(params)
params[:password_confirmation] != honeypot_value ||
params[:challenge] != challenge_value.try(:reverse)
end
def user_params
params.permit(
:name,
:email,
:password,
:username,
:active
).merge(ip_address: request.ip)
end
2013-02-06 03:16:51 +08:00
end