# Resolves the logged-on user for a request from (in order) the Rails session,
# the permanent `_t` auth-token cookie, or an `api_key`/`api_username` pair,
# and memoises the answer for the rest of the request.
#
# Mixed into controllers: the instance methods rely on the host providing
# `session`, `cookies` and `request`. The module-level methods (`self.*`) work
# on a bare Rack env so middleware can ask the same questions without a
# controller.
module CurrentUser
  # True when the Rack env carries a `_t` cookie of the expected token length
  # (32 chars, see `log_on_user`). This only checks the shape of the value —
  # no database lookup is performed, so it says nothing about validity.
  def self.has_auth_cookie?(env)
    token = Rack::Request.new(env).cookies["_t"]
    !!(token && token.length == 32)
  end

  # Looks up the user whose auth token is in the `_t` cookie of a Rack env.
  # Returns the User, or nil.
  def self.lookup_from_env(env)
    lookup_from_auth_token(Rack::Request.new(env).cookies["_t"])
  end

  # Looks up the user owning +auth_token+. Returns nil for a missing or
  # wrongly-sized token without touching the database.
  #
  # NOTE(review): the token is matched against the stored column as-is, so the
  # users table holds every live bearer token in the clear; anyone who can read
  # that table (backup, SQL injection, log leak) effectively holds every user's
  # cookie. Storing only a hash of the token would remove that exposure —
  # verify whether that trade-off is acceptable here.
  def self.lookup_from_auth_token(auth_token)
    return nil unless auth_token && auth_token.length == 32
    User.where(auth_token: auth_token).first
  end

  # Forgets the resolved user for the rest of this request and pins the
  # "not logged in" state, so later `current_user` calls answer nil without
  # re-reading the session or cookie. Intended for the CSRF-failure path: a
  # request that fails the token check is treated as anonymous.
  def clear_current_user
    @current_user = nil
    @not_logged_in = true
  end

  # Records +user+ as logged on: stores the id in the session, issues an auth
  # token if the user does not already hold a 32-char one, and sets the
  # permanent `_t` cookie.
  #
  # NOTE(review): the session is not reset before `current_user_id` is written,
  # and an existing token is reused rather than rotated, so a session id or
  # `_t` value known to an attacker before login stays valid afterwards
  # (session fixation). Calling `reset_session` first and rotating the token
  # on each login are the usual mitigations — confirm against the callers.
  def log_on_user(user)
    session[:current_user_id] = user.id

    token = user.auth_token
    if !token || token.length != 32
      # SecureRandom.hex(16) -> 32 hex characters, the length every check expects.
      user.auth_token = SecureRandom.hex(16)
      user.save!
    end

    set_permanent_cookie!(user)
  end

  # Writes the user's auth token into the long-lived `_t` cookie. `httponly`
  # keeps it out of reach of page scripts.
  #
  # NOTE(review): no `secure:` flag is set, so the token will also be sent on
  # plain-HTTP requests unless the app forces TLS elsewhere — confirm
  # `config.force_ssl` (or equivalent) before relying on this.
  def set_permanent_cookie!(user)
    token_cookie = { value: user.auth_token, httponly: true }
    cookies.permanent["_t"] = token_cookie
  end

  # Whether the current user was resolved via the API key parameters.
  # Forces `current_user` first, since that is where @is_api is set; returns
  # nil (not false) when the request was not an API call.
  def is_api?
    current_user
    @is_api
  end

  # The user for this request, or nil. Memoised: once resolved (or once
  # resolved as anonymous) the same answer is returned for the rest of the
  # request.
  #
  # Resolution order:
  # 1. No id in the session -> try the `_t` cookie; on a hit the id is
  #    written back into the session.
  # 2. Id in the session -> load it, but discard it if the `_t` cookie does
  #    not carry that user's token (a cookie/session mismatch is treated as a
  #    dead session).
  # 3. A banned user is dropped.
  # 4. Still nobody, and `api_key` + `api_username` are present and
  #    `SiteSetting.api_key_valid?` accepts the key -> act as that username.
  #
  # NOTE(review): step 4 runs after the ban check in step 3, so a user reached
  # through `api_username` is not subjected to it — verify that is intended.
  # The key appears to be read from request params, so it may arrive in the
  # query string and end up in access logs; header transport would avoid that.
  def current_user
    return @current_user if @current_user || @not_logged_in

    if session[:current_user_id].blank?
      load_current_user_from_cookie
    else
      load_current_user_from_session
    end

    @current_user = nil if @current_user && @current_user.is_banned?

    # Only "definitely anonymous" when nothing put an id in the session; a
    # banned user with a session id falls through and is re-resolved next call.
    @not_logged_in = session[:current_user_id].blank?

    if @current_user
      @current_user.update_last_seen!
      @current_user.update_ip_address!(request.remote_ip)
    end

    load_current_user_from_api unless @current_user

    @current_user
  end

  private

  # Step 1: resolve from the `_t` cookie and promote a hit into the session.
  def load_current_user_from_cookie
    @current_user = CurrentUser.lookup_from_auth_token(cookies["_t"])
    session[:current_user_id] = @current_user.id if @current_user
  end

  # Step 2: resolve from the session id, then require the `_t` cookie to agree.
  def load_current_user_from_session
    @current_user ||= User.where(id: session[:current_user_id]).first
    @current_user = nil if @current_user && cookies["_t"] != @current_user.auth_token
  end

  # Step 4: API key plus a username to act as. @is_api is set as soon as the
  # key validates, even if the username does not resolve to a user.
  def load_current_user_from_api
    api_key = request["api_key"]
    api_username = request["api_username"]
    return unless api_key && api_username && SiteSetting.api_key_valid?(api_key)

    @is_api = true
    @current_user = User.where(username_lower: api_username.downcase).first
  end
end