2019-05-02 17:17:27 -05:00
|
|
|
# frozen_string_literal: true
|
|
|
|
|
2013-02-05 13:16:51 -06:00
|
|
|
class UsersController < ApplicationController
|
2017-08-30 23:06:56 -05:00
|
|
|
skip_before_action :authorize_mini_profiler, only: [:avatar]
|
2013-02-05 13:16:51 -06:00
|
|
|
|
2018-01-31 22:17:59 -06:00
|
|
|
requires_login only: [
|
2018-01-31 19:26:45 -06:00
|
|
|
:username, :update, :user_preferences_redirect, :upload_user_image,
|
2018-07-18 05:57:43 -05:00
|
|
|
:pick_avatar, :destroy_user_image, :destroy, :check_emails,
|
2019-06-26 18:58:06 -05:00
|
|
|
:topic_tracking_state, :preferences, :create_second_factor_totp,
|
|
|
|
:enable_second_factor_totp, :disable_second_factor, :list_second_factors,
|
2018-08-31 03:18:06 -05:00
|
|
|
:update_second_factor, :create_second_factor_backup, :select_avatar,
|
2019-10-01 21:08:41 -05:00
|
|
|
:notification_level, :revoke_auth_token, :register_second_factor_security_key,
|
2019-12-09 13:15:47 -06:00
|
|
|
:create_second_factor_security_key, :feature_topic, :clear_featured_topic
|
2018-01-31 19:26:45 -06:00
|
|
|
]
|
|
|
|
|
|
|
|
skip_before_action :check_xhr, only: [
|
2020-01-15 04:27:12 -06:00
|
|
|
:show, :badges, :password_reset_show, :password_reset_update, :update, :account_created,
|
2018-01-31 19:26:45 -06:00
|
|
|
:activate_account, :perform_account_activation, :user_preferences_redirect, :avatar,
|
2019-12-09 13:15:47 -06:00
|
|
|
:my_redirect, :toggle_anon, :admin_login, :confirm_admin, :email_login, :summary,
|
|
|
|
:feature_topic, :clear_featured_topic
|
2018-01-31 19:26:45 -06:00
|
|
|
]
|
2016-08-12 01:35:10 -05:00
|
|
|
|
2019-06-26 18:58:06 -05:00
|
|
|
before_action :second_factor_check_confirmed_password, only: [
|
|
|
|
:create_second_factor_totp, :enable_second_factor_totp,
|
2019-10-01 21:08:41 -05:00
|
|
|
:disable_second_factor, :update_second_factor, :create_second_factor_backup,
|
|
|
|
:register_second_factor_security_key, :create_second_factor_security_key
|
|
|
|
]
|
2019-06-26 18:58:06 -05:00
|
|
|
|
2017-08-30 23:06:56 -05:00
|
|
|
before_action :respond_to_suspicious_request, only: [:create]
|
2013-02-07 09:45:24 -06:00
|
|
|
|
2013-05-22 10:20:16 -05:00
|
|
|
# we need to allow account creation with bad CSRF tokens, if people are caching, the CSRF token on the
|
2013-05-03 01:43:11 -05:00
|
|
|
# page is going to be empty, this means that server will see an invalid CSRF and blow the session
|
|
|
|
# once that happens you can't log in with social
|
2017-08-30 23:06:56 -05:00
|
|
|
skip_before_action :verify_authenticity_token, only: [:create]
|
|
|
|
skip_before_action :redirect_to_login_if_required, only: [:check_username,
|
2013-07-15 11:12:54 -05:00
|
|
|
:create,
|
|
|
|
:get_honeypot_value,
|
2014-09-23 08:50:57 -05:00
|
|
|
:account_created,
|
2013-07-15 11:12:54 -05:00
|
|
|
:activate_account,
|
2014-07-15 12:47:47 -05:00
|
|
|
:perform_account_activation,
|
2013-07-15 11:12:54 -05:00
|
|
|
:send_activation_email,
|
2017-04-05 15:14:22 -05:00
|
|
|
:update_activation_email,
|
2020-01-15 04:27:12 -06:00
|
|
|
:password_reset_show,
|
|
|
|
:password_reset_update,
|
2016-01-04 10:48:54 -06:00
|
|
|
:confirm_email_token,
|
2017-04-20 10:17:24 -05:00
|
|
|
:email_login,
|
2017-04-04 12:59:22 -05:00
|
|
|
:admin_login,
|
|
|
|
:confirm_admin]
|
2013-05-03 01:43:11 -05:00
|
|
|
|
2020-01-23 22:00:27 -06:00
|
|
|
after_action :add_noindex_header, only: [:show]
|
|
|
|
|
2015-03-19 10:48:16 -05:00
|
|
|
def index
|
|
|
|
end
|
|
|
|
|
2020-01-28 05:55:46 -06:00
|
|
|
def show(for_card: false)
|
2017-04-20 02:30:45 -05:00
|
|
|
return redirect_to path('/login') if SiteSetting.hide_user_profiles_from_public && !current_user
|
2015-10-28 13:56:08 -05:00
|
|
|
|
2016-09-22 23:44:08 -05:00
|
|
|
@user = fetch_user_from_params(
|
2018-04-24 08:46:57 -05:00
|
|
|
include_inactive: current_user.try(:staff?) || (current_user && SiteSetting.show_inactive_accounts)
|
2016-09-22 23:44:08 -05:00
|
|
|
)
|
|
|
|
|
2018-10-10 12:00:08 -05:00
|
|
|
user_serializer = nil
|
|
|
|
if guardian.can_see_profile?(@user)
|
2020-01-28 05:55:46 -06:00
|
|
|
serializer_class = for_card ? UserCardSerializer : UserSerializer
|
|
|
|
user_serializer = serializer_class.new(@user, scope: guardian, root: 'user')
|
2018-10-10 12:00:08 -05:00
|
|
|
|
|
|
|
topic_id = params[:include_post_count_for].to_i
|
|
|
|
if topic_id != 0
|
|
|
|
user_serializer.topic_post_count = { topic_id => Post.secured(guardian).where(topic_id: topic_id, user_id: @user.id).count }
|
|
|
|
end
|
|
|
|
else
|
|
|
|
user_serializer = HiddenProfileSerializer.new(@user, scope: guardian, root: 'user')
|
2015-03-24 11:33:17 -05:00
|
|
|
end
|
|
|
|
|
2015-09-14 02:51:17 -05:00
|
|
|
if !params[:skip_track_visit] && (@user != current_user)
|
|
|
|
track_visit_to_user_profile
|
|
|
|
end
|
|
|
|
|
2015-02-02 11:55:32 -06:00
|
|
|
# This is a hack to get around a Rails issue where values with periods aren't handled correctly
|
|
|
|
# when used as part of a route.
|
2017-07-27 20:20:09 -05:00
|
|
|
if params[:external_id] && params[:external_id].ends_with?('.json')
|
2015-02-02 11:55:32 -06:00
|
|
|
return render_json_dump(user_serializer)
|
|
|
|
end
|
|
|
|
|
2013-03-08 14:04:37 -06:00
|
|
|
respond_to do |format|
|
|
|
|
format.html do
|
2014-11-27 12:51:13 -06:00
|
|
|
@restrict_fields = guardian.restrict_user_fields?(@user)
|
2013-03-08 14:04:37 -06:00
|
|
|
store_preloaded("user_#{@user.username}", MultiJson.dump(user_serializer))
|
2017-11-21 11:22:24 -06:00
|
|
|
render :show
|
2013-03-08 14:04:37 -06:00
|
|
|
end
|
|
|
|
|
|
|
|
format.json do
|
|
|
|
render_json_dump(user_serializer)
|
|
|
|
end
|
2013-02-05 13:16:51 -06:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2020-01-28 05:55:46 -06:00
|
|
|
def show_card
|
|
|
|
show(for_card: true)
|
|
|
|
end
|
|
|
|
|
2017-11-21 11:22:24 -06:00
|
|
|
def badges
|
|
|
|
raise Discourse::NotFound unless SiteSetting.enable_badges?
|
|
|
|
show
|
|
|
|
end
|
|
|
|
|
2013-02-05 13:16:51 -06:00
|
|
|
def user_preferences_redirect
|
|
|
|
redirect_to email_preferences_path(current_user.username_lower)
|
|
|
|
end
|
|
|
|
|
|
|
|
def update
|
2013-10-07 05:19:45 -05:00
|
|
|
user = fetch_user_from_params
|
2013-02-05 13:16:51 -06:00
|
|
|
guardian.ensure_can_edit!(user)
|
2018-08-30 06:59:36 -05:00
|
|
|
attributes = user_params
|
2014-09-26 13:48:34 -05:00
|
|
|
|
2018-01-26 15:53:10 -06:00
|
|
|
# We can't update the username via this route. Use the username route
|
|
|
|
attributes.delete(:username)
|
|
|
|
|
2014-09-26 13:48:34 -05:00
|
|
|
if params[:user_fields].present?
|
2018-09-04 05:45:36 -05:00
|
|
|
attributes[:custom_fields] ||= {}
|
2015-03-20 14:18:43 -05:00
|
|
|
|
|
|
|
fields = UserField.all
|
|
|
|
fields = fields.where(editable: true) unless current_user.staff?
|
|
|
|
fields.each do |f|
|
2017-12-15 20:16:22 -06:00
|
|
|
field_id = f.id.to_s
|
|
|
|
next unless params[:user_fields].has_key?(field_id)
|
|
|
|
|
|
|
|
val = params[:user_fields][field_id]
|
2014-10-02 14:56:28 -05:00
|
|
|
val = nil if val === "false"
|
2015-02-23 12:02:30 -06:00
|
|
|
val = val[0...UserField.max_length] if val
|
2014-10-08 13:38:18 -05:00
|
|
|
|
|
|
|
return render_json_error(I18n.t("login.missing_user_field")) if val.blank? && f.required?
|
2018-09-06 17:02:47 -05:00
|
|
|
attributes[:custom_fields]["#{User::USER_FIELD_PREFIX}#{f.id}"] = val
|
2014-09-26 13:48:34 -05:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2019-11-24 18:49:27 -06:00
|
|
|
json_result(user, serializer: UserSerializer, additional_errors: [:user_profile, :user_option]) do |u|
|
2013-12-10 11:46:35 -06:00
|
|
|
updater = UserUpdater.new(current_user, user)
|
2017-08-30 23:06:56 -05:00
|
|
|
updater.update(attributes.permit!)
|
2013-02-07 09:45:24 -06:00
|
|
|
end
|
2013-02-05 13:16:51 -06:00
|
|
|
end
|
|
|
|
|
|
|
|
def username
|
2013-06-06 02:14:32 -05:00
|
|
|
params.require(:new_username)
|
2013-02-05 13:16:51 -06:00
|
|
|
|
2019-09-13 13:11:27 -05:00
|
|
|
if clashing_with_existing_route?(params[:new_username]) || User.reserved_username?(params[:new_username])
|
|
|
|
return render_json_error(I18n.t("login.reserved_username"))
|
|
|
|
end
|
|
|
|
|
2013-02-05 13:16:51 -06:00
|
|
|
user = fetch_user_from_params
|
2013-08-12 13:54:52 -05:00
|
|
|
guardian.ensure_can_edit_username!(user)
|
2013-02-07 09:45:24 -06:00
|
|
|
|
2015-03-06 15:44:54 -06:00
|
|
|
result = UsernameChanger.change(user, params[:new_username], current_user)
|
2013-02-05 13:16:51 -06:00
|
|
|
|
2017-06-06 20:45:27 -05:00
|
|
|
if result
|
|
|
|
render json: { id: user.id, username: user.username }
|
|
|
|
else
|
|
|
|
render_json_error(user.errors.full_messages.join(','))
|
|
|
|
end
|
2019-07-31 23:49:53 -05:00
|
|
|
rescue Discourse::InvalidAccess
|
|
|
|
if current_user&.staff?
|
|
|
|
render_json_error(I18n.t('errors.messages.sso_overrides_username'))
|
|
|
|
else
|
|
|
|
render json: failed_json, status: 403
|
|
|
|
end
|
2013-02-05 13:16:51 -06:00
|
|
|
end
|
|
|
|
|
2014-09-29 15:31:05 -05:00
|
|
|
def check_emails
|
2014-10-28 19:06:59 -05:00
|
|
|
user = fetch_user_from_params(include_inactive: true)
|
2014-09-29 15:31:05 -05:00
|
|
|
|
2019-02-05 12:01:19 -06:00
|
|
|
unless user == current_user
|
|
|
|
guardian.ensure_can_check_emails!(user)
|
|
|
|
StaffActionLogger.new(current_user).log_check_email(user, context: params[:context])
|
|
|
|
end
|
2014-09-29 15:31:05 -05:00
|
|
|
|
2018-07-03 06:51:22 -05:00
|
|
|
email, *secondary_emails = user.emails
|
|
|
|
|
2014-09-29 15:31:05 -05:00
|
|
|
render json: {
|
2018-07-03 06:51:22 -05:00
|
|
|
email: email,
|
|
|
|
secondary_emails: secondary_emails,
|
2014-09-29 15:31:05 -05:00
|
|
|
associated_accounts: user.associated_accounts
|
|
|
|
}
|
2014-10-07 18:26:18 -05:00
|
|
|
rescue Discourse::InvalidAccess
|
2014-09-29 15:31:05 -05:00
|
|
|
render json: failed_json, status: 403
|
|
|
|
end
|
|
|
|
|
2016-08-12 01:35:10 -05:00
|
|
|
def topic_tracking_state
|
|
|
|
user = fetch_user_from_params
|
|
|
|
guardian.ensure_can_edit!(user)
|
|
|
|
|
2016-12-02 00:03:31 -06:00
|
|
|
report = TopicTrackingState.report(user)
|
2016-08-12 01:35:10 -05:00
|
|
|
serializer = ActiveModel::ArraySerializer.new(report, each_serializer: TopicTrackingStateSerializer)
|
|
|
|
|
|
|
|
render json: MultiJson.dump(serializer)
|
|
|
|
end
|
|
|
|
|
2014-04-17 22:10:53 -05:00
|
|
|
def badge_title
|
|
|
|
params.require(:user_badge_id)
|
|
|
|
|
|
|
|
user = fetch_user_from_params
|
|
|
|
guardian.ensure_can_edit!(user)
|
|
|
|
|
2014-07-14 03:06:50 -05:00
|
|
|
user_badge = UserBadge.find_by(id: params[:user_badge_id])
|
2019-11-07 23:34:24 -06:00
|
|
|
previous_title = user.title
|
2014-07-14 03:06:50 -05:00
|
|
|
if user_badge && user_badge.user == user && user_badge.badge.allow_title?
|
2018-01-05 09:58:15 -06:00
|
|
|
user.title = user_badge.badge.display_name
|
2014-04-17 22:10:53 -05:00
|
|
|
user.save!
|
2019-11-07 23:34:24 -06:00
|
|
|
|
|
|
|
log_params = {
|
|
|
|
details: "title matching badge id #{user_badge.badge.id}",
|
|
|
|
previous_value: previous_title,
|
|
|
|
new_value: user.title
|
|
|
|
}
|
|
|
|
|
|
|
|
if current_user.staff? && current_user != user
|
|
|
|
StaffActionLogger.new(current_user).log_title_change(user, log_params)
|
|
|
|
else
|
|
|
|
UserHistory.create!(log_params.merge(target_user_id: user.id, action: UserHistory.actions[:change_title]))
|
|
|
|
end
|
2014-07-14 03:06:50 -05:00
|
|
|
else
|
|
|
|
user.title = ''
|
|
|
|
user.save!
|
2019-11-07 23:34:24 -06:00
|
|
|
|
|
|
|
log_params = {
|
|
|
|
previous_value: previous_title
|
|
|
|
}
|
|
|
|
|
|
|
|
if current_user.staff? && current_user != user
|
2019-12-23 15:03:51 -06:00
|
|
|
StaffActionLogger
|
|
|
|
.new(current_user)
|
|
|
|
.log_title_revoke(user, log_params.merge(revoke_reason: 'user title was same as revoked badge name or custom badge name'))
|
2019-11-07 23:34:24 -06:00
|
|
|
else
|
|
|
|
UserHistory.create!(log_params.merge(target_user_id: user.id, action: UserHistory.actions[:revoke_title]))
|
|
|
|
end
|
2014-04-17 22:10:53 -05:00
|
|
|
end
|
|
|
|
|
2017-08-30 23:06:56 -05:00
|
|
|
render body: nil
|
2014-04-17 22:10:53 -05:00
|
|
|
end
|
|
|
|
|
2013-02-05 13:16:51 -06:00
|
|
|
def preferences
|
2017-08-30 23:06:56 -05:00
|
|
|
render body: nil
|
2013-02-05 13:16:51 -06:00
|
|
|
end
|
|
|
|
|
2014-04-21 10:52:11 -05:00
|
|
|
def my_redirect
|
2016-03-19 07:03:10 -05:00
|
|
|
raise Discourse::NotFound if params[:path] !~ /^[a-z_\-\/]+$/
|
2015-10-14 11:40:13 -05:00
|
|
|
|
|
|
|
if current_user.blank?
|
2019-12-05 15:34:42 -06:00
|
|
|
cookies[:destination_url] = path("/my/#{params[:path]}")
|
|
|
|
redirect_to path("/login-preferences")
|
2015-10-14 11:40:13 -05:00
|
|
|
else
|
2017-03-28 13:27:54 -05:00
|
|
|
redirect_to(path("/u/#{current_user.username}/#{params[:path]}"))
|
2014-04-21 10:52:11 -05:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2018-10-10 12:00:08 -05:00
|
|
|
def profile_hidden
|
|
|
|
render nothing: true
|
|
|
|
end
|
|
|
|
|
2016-01-19 22:11:52 -06:00
|
|
|
def summary
|
2019-01-14 08:15:25 -06:00
|
|
|
@user = fetch_user_from_params(include_inactive: current_user.try(:staff?) || (current_user && SiteSetting.show_inactive_accounts))
|
|
|
|
raise Discourse::NotFound unless guardian.can_see_profile?(@user)
|
2018-10-10 12:00:08 -05:00
|
|
|
|
2019-01-14 08:15:25 -06:00
|
|
|
summary = UserSummary.new(@user, guardian)
|
2016-01-19 22:11:52 -06:00
|
|
|
serializer = UserSummarySerializer.new(summary, scope: guardian)
|
2019-01-14 08:15:25 -06:00
|
|
|
respond_to do |format|
|
|
|
|
format.html do
|
|
|
|
@restrict_fields = guardian.restrict_user_fields?(@user)
|
|
|
|
render :show
|
|
|
|
end
|
|
|
|
format.json do
|
|
|
|
render_json_dump(serializer)
|
|
|
|
end
|
|
|
|
end
|
2016-01-19 22:11:52 -06:00
|
|
|
end
|
|
|
|
|
2013-02-05 13:16:51 -06:00
|
|
|
def invited
|
2020-03-04 10:10:23 -06:00
|
|
|
guardian.ensure_can_invite_to_forum!
|
|
|
|
|
2017-12-07 00:23:27 -06:00
|
|
|
inviter = fetch_user_from_params(include_inactive: current_user.try(:staff?) || (current_user && SiteSetting.show_inactive_accounts))
|
2014-08-01 06:06:31 -05:00
|
|
|
offset = params[:offset].to_i || 0
|
2015-07-11 07:09:12 -05:00
|
|
|
filter_by = params[:filter]
|
2013-11-05 16:52:50 -06:00
|
|
|
|
2015-07-11 07:09:12 -05:00
|
|
|
invites = if guardian.can_see_invite_details?(inviter) && filter_by == "pending"
|
|
|
|
Invite.find_pending_invites_from(inviter, offset)
|
2013-11-08 13:11:41 -06:00
|
|
|
else
|
2014-08-01 06:06:31 -05:00
|
|
|
Invite.find_redeemed_invites_from(inviter, offset)
|
2013-11-05 16:52:50 -06:00
|
|
|
end
|
|
|
|
|
2020-03-04 10:47:09 -06:00
|
|
|
show_emails = guardian.can_see_invite_emails?(inviter)
|
|
|
|
if params[:search].present?
|
|
|
|
filter_sql = '(LOWER(users.username) LIKE :filter)'
|
|
|
|
filter_sql = '(LOWER(invites.email) LIKE :filter) or (LOWER(users.username) LIKE :filter)' if show_emails
|
|
|
|
invites = invites.where(filter_sql, filter: "%#{params[:search].downcase}%")
|
|
|
|
end
|
|
|
|
render_json_dump invites: serialize_data(invites.to_a, InviteSerializer, show_emails: show_emails),
|
2014-03-21 13:13:04 -05:00
|
|
|
can_see_invite_details: guardian.can_see_invite_details?(inviter)
|
2013-02-05 13:16:51 -06:00
|
|
|
end
|
|
|
|
|
2015-08-24 14:03:25 -05:00
|
|
|
def invited_count
|
2020-03-04 10:10:23 -06:00
|
|
|
guardian.ensure_can_invite_to_forum!
|
|
|
|
|
2017-12-07 00:23:27 -06:00
|
|
|
inviter = fetch_user_from_params(include_inactive: current_user.try(:staff?) || (current_user && SiteSetting.show_inactive_accounts))
|
2015-08-24 14:03:25 -05:00
|
|
|
|
|
|
|
pending_count = Invite.find_pending_invites_count(inviter)
|
|
|
|
redeemed_count = Invite.find_redeemed_invites_count(inviter)
|
|
|
|
|
2017-07-27 20:20:09 -05:00
|
|
|
render json: { counts: { pending: pending_count, redeemed: redeemed_count,
|
|
|
|
total: (pending_count.to_i + redeemed_count.to_i) } }
|
2015-08-24 14:03:25 -05:00
|
|
|
end
|
|
|
|
|
2013-02-05 13:16:51 -06:00
|
|
|
def is_local_username
|
2020-02-03 04:34:36 -06:00
|
|
|
usernames = params[:usernames] if params[:usernames].present?
|
|
|
|
usernames = [params[:username]] if params[:username].present?
|
|
|
|
|
|
|
|
raise Discourse::InvalidParameters.new(:usernames) if !usernames.kind_of?(Array)
|
2015-06-11 09:31:43 -05:00
|
|
|
|
2015-11-30 00:12:51 -06:00
|
|
|
groups = Group.where(name: usernames).pluck(:name)
|
2015-12-03 20:40:38 -06:00
|
|
|
mentionable_groups =
|
|
|
|
if current_user
|
2020-02-14 11:27:46 -06:00
|
|
|
Group.mentionable(current_user, include_public: false)
|
2015-12-03 20:40:38 -06:00
|
|
|
.where(name: usernames)
|
|
|
|
.pluck(:name, :user_count)
|
2017-12-20 23:13:57 -06:00
|
|
|
.map do |name, user_count|
|
|
|
|
{
|
|
|
|
name: name,
|
|
|
|
user_count: user_count
|
|
|
|
}
|
|
|
|
end
|
2015-12-03 20:40:38 -06:00
|
|
|
end
|
|
|
|
|
2015-11-30 00:12:51 -06:00
|
|
|
usernames -= groups
|
2016-05-22 08:01:46 -05:00
|
|
|
usernames.each(&:downcase!)
|
2015-11-30 00:12:51 -06:00
|
|
|
|
2016-11-14 21:03:16 -06:00
|
|
|
cannot_see = []
|
|
|
|
topic_id = params[:topic_id]
|
|
|
|
unless topic_id.blank?
|
|
|
|
topic = Topic.find_by(id: topic_id)
|
2017-07-27 20:20:09 -05:00
|
|
|
usernames.each { |username| cannot_see.push(username) unless Guardian.new(User.find_by_username(username)).can_see?(topic) }
|
2016-11-14 21:03:16 -06:00
|
|
|
end
|
|
|
|
|
2015-11-30 00:12:51 -06:00
|
|
|
result = User.where(staged: false)
|
2017-07-27 20:20:09 -05:00
|
|
|
.where(username_lower: usernames)
|
|
|
|
.pluck(:username_lower)
|
2015-11-27 11:16:50 -06:00
|
|
|
|
2017-12-20 23:13:57 -06:00
|
|
|
render json: {
|
|
|
|
valid: result,
|
|
|
|
valid_groups: groups,
|
|
|
|
mentionable_groups: mentionable_groups,
|
|
|
|
cannot_see: cannot_see,
|
|
|
|
max_users_notified_per_group_mention: SiteSetting.max_users_notified_per_group_mention
|
|
|
|
}
|
2013-02-05 13:16:51 -06:00
|
|
|
end
|
|
|
|
|
2013-08-25 03:57:12 -05:00
|
|
|
def render_available_true
|
|
|
|
render(json: { available: true })
|
|
|
|
end
|
|
|
|
|
|
|
|
def changing_case_of_own_username(target_user, username)
|
2017-07-27 20:20:09 -05:00
|
|
|
target_user && username.downcase == (target_user.username.downcase)
|
2013-08-25 03:57:12 -05:00
|
|
|
end
|
|
|
|
|
|
|
|
# Used for checking availability of a username and will return suggestions
|
|
|
|
# if the username is not available.
|
2013-02-05 13:16:51 -06:00
|
|
|
def check_username
|
2013-11-19 13:15:05 -06:00
|
|
|
if !params[:username].present?
|
|
|
|
params.require(:username) if !params[:email].present?
|
2014-07-16 11:25:24 -05:00
|
|
|
return render(json: success_json)
|
2013-11-19 13:15:05 -06:00
|
|
|
end
|
2019-04-23 05:22:47 -05:00
|
|
|
username = params[:username]&.unicode_normalize
|
2013-02-05 13:16:51 -06:00
|
|
|
|
2013-08-25 03:57:12 -05:00
|
|
|
target_user = user_from_params_or_current_user
|
2013-07-30 13:13:56 -05:00
|
|
|
|
2013-06-28 15:21:46 -05:00
|
|
|
# The special case where someone is changing the case of their own username
|
2013-08-25 03:57:12 -05:00
|
|
|
return render_available_true if changing_case_of_own_username(target_user, username)
|
2013-06-28 15:21:46 -05:00
|
|
|
|
2013-09-06 04:35:29 -05:00
|
|
|
checker = UsernameCheckerService.new
|
|
|
|
email = params[:email] || target_user.try(:email)
|
2013-11-19 13:15:05 -06:00
|
|
|
render json: checker.check_username(username, email)
|
2013-08-25 03:57:12 -05:00
|
|
|
end
|
2013-02-05 13:16:51 -06:00
|
|
|
|
2013-08-25 03:57:12 -05:00
|
|
|
def user_from_params_or_current_user
|
|
|
|
params[:for_user_id] ? User.find(params[:for_user_id]) : current_user
|
|
|
|
end
|
|
|
|
|
2013-02-05 13:16:51 -06:00
|
|
|
def create
|
2017-06-12 03:48:32 -05:00
|
|
|
params.require(:email)
|
2019-05-03 11:17:06 -05:00
|
|
|
params.require(:username)
|
2014-09-26 13:48:34 -05:00
|
|
|
params.permit(:user_fields)
|
|
|
|
|
2014-07-14 14:42:14 -05:00
|
|
|
unless SiteSetting.allow_new_registrations
|
2014-09-26 13:48:34 -05:00
|
|
|
return fail_with("login.new_registrations_disabled")
|
2014-07-14 14:42:14 -05:00
|
|
|
end
|
|
|
|
|
2014-09-11 14:22:11 -05:00
|
|
|
if params[:password] && params[:password].length > User.max_password_length
|
2014-09-26 13:48:34 -05:00
|
|
|
return fail_with("login.password_too_long")
|
2014-09-11 14:22:11 -05:00
|
|
|
end
|
|
|
|
|
2017-06-12 03:48:32 -05:00
|
|
|
if params[:email].length > 254 + 1 + 253
|
2015-07-13 15:40:52 -05:00
|
|
|
return fail_with("login.email_too_long")
|
|
|
|
end
|
|
|
|
|
2019-09-13 13:11:27 -05:00
|
|
|
if clashing_with_existing_route?(params[:username]) || User.reserved_username?(params[:username])
|
2015-07-01 15:44:53 -05:00
|
|
|
return fail_with("login.reserved_username")
|
|
|
|
end
|
|
|
|
|
2019-06-07 10:51:58 -05:00
|
|
|
params[:locale] ||= I18n.locale unless current_user
|
|
|
|
|
2019-11-24 18:49:27 -06:00
|
|
|
new_user_params = user_params.except(:timezone)
|
2018-01-19 08:29:15 -06:00
|
|
|
user = User.unstage(new_user_params)
|
|
|
|
user = User.new(new_user_params) if user.nil?
|
2013-02-06 18:25:21 -06:00
|
|
|
|
2017-08-28 14:36:46 -05:00
|
|
|
# Handle API approval
|
2019-01-03 11:03:01 -06:00
|
|
|
ReviewableUser.set_approved_fields!(user, current_user) if user.approved?
|
2017-08-28 14:36:46 -05:00
|
|
|
|
2014-09-26 13:48:34 -05:00
|
|
|
# Handle custom fields
|
2014-10-08 13:38:18 -05:00
|
|
|
user_fields = UserField.all
|
|
|
|
if user_fields.present?
|
2015-01-27 03:48:27 -06:00
|
|
|
field_params = params[:user_fields] || {}
|
|
|
|
fields = user.custom_fields
|
|
|
|
|
|
|
|
user_fields.each do |f|
|
|
|
|
field_val = field_params[f.id.to_s]
|
|
|
|
if field_val.blank?
|
|
|
|
return fail_with("login.missing_user_field") if f.required?
|
|
|
|
else
|
2018-09-06 17:02:47 -05:00
|
|
|
fields["#{User::USER_FIELD_PREFIX}#{f.id}"] = field_val[0...UserField.max_length]
|
2014-09-26 13:48:34 -05:00
|
|
|
end
|
|
|
|
end
|
2015-01-27 03:48:27 -06:00
|
|
|
|
|
|
|
user.custom_fields = fields
|
2014-09-26 13:48:34 -05:00
|
|
|
end
|
|
|
|
|
2013-11-12 16:37:38 -06:00
|
|
|
authentication = UserAuthenticator.new(user, session)
|
2014-03-25 23:39:44 -05:00
|
|
|
|
|
|
|
if !authentication.has_authenticator? && !SiteSetting.enable_local_logins
|
2018-05-25 21:18:19 -05:00
|
|
|
return render body: nil, status: :forbidden
|
2014-03-25 23:39:44 -05:00
|
|
|
end
|
|
|
|
|
2013-11-12 16:37:38 -06:00
|
|
|
authentication.start
|
2013-02-05 13:16:51 -06:00
|
|
|
|
2017-10-16 12:51:35 -05:00
|
|
|
if authentication.email_valid? && !authentication.authenticated?
|
|
|
|
# posted email is different that the already validated one?
|
|
|
|
return fail_with('login.incorrect_username_email_or_password')
|
|
|
|
end
|
|
|
|
|
2013-11-12 16:37:38 -06:00
|
|
|
activation = UserActivator.new(user, request, session, cookies)
|
|
|
|
activation.start
|
2013-02-05 13:16:51 -06:00
|
|
|
|
2014-03-19 22:49:25 -05:00
|
|
|
# just assign a password if we have an authenticator and no password
|
|
|
|
# this is the case for Twitter
|
|
|
|
user.password = SecureRandom.hex if user.password.blank? && authentication.has_authenticator?
|
|
|
|
|
2013-11-12 16:37:38 -06:00
|
|
|
if user.save
|
|
|
|
authentication.finish
|
|
|
|
activation.finish
|
2019-11-24 18:49:27 -06:00
|
|
|
user.update_timezone_if_missing(params[:timezone])
|
2013-11-12 16:37:38 -06:00
|
|
|
|
2019-10-16 00:53:31 -05:00
|
|
|
secure_session[HONEYPOT_KEY] = nil
|
|
|
|
secure_session[CHALLENGE_KEY] = nil
|
|
|
|
|
2014-10-01 12:33:49 -05:00
|
|
|
# save user email in session, to show on account-created page
|
2014-11-04 14:47:32 -06:00
|
|
|
session["user_created_message"] = activation.message
|
2017-05-02 14:57:55 -05:00
|
|
|
session[SessionController::ACTIVATE_USER_KEY] = user.id
|
2014-09-26 13:48:34 -05:00
|
|
|
|
2019-04-12 14:25:02 -05:00
|
|
|
# If the user was created as active, they might need to be approved
|
|
|
|
user.create_reviewable if user.active?
|
|
|
|
|
2013-11-12 16:37:38 -06:00
|
|
|
render json: {
|
|
|
|
success: true,
|
|
|
|
active: user.active?,
|
2014-09-22 18:06:19 -05:00
|
|
|
message: activation.message,
|
|
|
|
user_id: user.id
|
2017-10-03 13:08:37 -05:00
|
|
|
}
|
2017-10-03 14:28:15 -05:00
|
|
|
elsif SiteSetting.hide_email_address_taken && user.errors[:primary_email]&.include?(I18n.t('errors.messages.taken'))
|
2017-10-03 13:08:37 -05:00
|
|
|
session["user_created_message"] = activation.success_message
|
|
|
|
|
|
|
|
if existing_user = User.find_by_email(user.primary_email&.email)
|
|
|
|
Jobs.enqueue(:critical_user_email, type: :account_exists, user_id: existing_user.id)
|
|
|
|
end
|
|
|
|
|
|
|
|
render json: {
|
|
|
|
success: true,
|
|
|
|
active: user.active?,
|
|
|
|
message: activation.success_message,
|
|
|
|
user_id: user.id
|
2013-11-12 16:37:38 -06:00
|
|
|
}
|
|
|
|
else
|
2017-09-11 12:22:04 -05:00
|
|
|
errors = user.errors.to_hash
|
|
|
|
errors[:email] = errors.delete(:primary_email) if errors[:primary_email]
|
|
|
|
|
2013-11-12 16:37:38 -06:00
|
|
|
render json: {
|
|
|
|
success: false,
|
|
|
|
message: I18n.t(
|
|
|
|
'login.errors',
|
|
|
|
errors: user.errors.full_messages.join("\n")
|
|
|
|
),
|
2017-09-11 12:22:04 -05:00
|
|
|
errors: errors,
|
|
|
|
values: {
|
|
|
|
name: user.name,
|
|
|
|
username: user.username,
|
|
|
|
email: user.primary_email&.email
|
|
|
|
},
|
2016-08-05 10:57:13 -05:00
|
|
|
is_developer: UsernameCheckerService.is_developer?(user.email)
|
2013-11-12 16:37:38 -06:00
|
|
|
}
|
|
|
|
end
|
2013-03-07 13:56:28 -06:00
|
|
|
rescue ActiveRecord::StatementInvalid
|
2013-11-12 16:37:38 -06:00
|
|
|
render json: {
|
|
|
|
success: false,
|
|
|
|
message: I18n.t("login.something_already_taken")
|
|
|
|
}
|
2013-02-05 13:16:51 -06:00
|
|
|
end
|
|
|
|
|
2013-02-06 18:25:21 -06:00
|
|
|
def get_honeypot_value
|
2019-10-16 00:53:31 -05:00
|
|
|
secure_session.set(HONEYPOT_KEY, honeypot_value, expires: 1.hour)
|
|
|
|
secure_session.set(CHALLENGE_KEY, challenge_value, expires: 1.hour)
|
|
|
|
|
|
|
|
render json: {
|
|
|
|
value: honeypot_value,
|
|
|
|
challenge: challenge_value,
|
|
|
|
expires_in: SecureSession.expiry
|
|
|
|
}
|
2013-02-06 18:25:21 -06:00
|
|
|
end
|
|
|
|
|
2020-01-15 04:27:12 -06:00
|
|
|
def password_reset_show
|
2015-02-19 17:28:38 -06:00
|
|
|
expires_now
|
2016-12-19 01:00:22 -06:00
|
|
|
token = params[:token]
|
2020-01-15 04:27:12 -06:00
|
|
|
password_reset_find_user(token, committing_change: false)
|
|
|
|
|
|
|
|
if !@error
|
|
|
|
security_params = {
|
|
|
|
is_developer: UsernameCheckerService.is_developer?(@user.email),
|
|
|
|
admin: @user.admin?,
|
|
|
|
second_factor_required: @user.totp_enabled?,
|
|
|
|
security_key_required: @user.security_keys_enabled?,
|
|
|
|
backup_enabled: @user.backup_codes_enabled?,
|
|
|
|
multiple_second_factor_methods: @user.has_multiple_second_factor_methods?
|
|
|
|
}
|
|
|
|
end
|
2016-12-19 01:00:22 -06:00
|
|
|
|
2020-01-15 04:27:12 -06:00
|
|
|
respond_to do |format|
|
|
|
|
format.html do
|
|
|
|
return render 'password_reset', layout: 'no_ember' if @error
|
|
|
|
|
|
|
|
Webauthn.stage_challenge(@user, secure_session)
|
|
|
|
store_preloaded(
|
|
|
|
"password_reset",
|
|
|
|
MultiJson.dump(security_params.merge(Webauthn.allowed_credentials(@user, secure_session)))
|
|
|
|
)
|
|
|
|
|
|
|
|
render 'password_reset'
|
2018-10-22 12:00:30 -05:00
|
|
|
end
|
2014-08-25 14:30:52 -05:00
|
|
|
|
2020-01-15 04:27:12 -06:00
|
|
|
format.json do
|
|
|
|
return render json: { message: @error } if @error
|
|
|
|
|
|
|
|
Webauthn.stage_challenge(@user, secure_session)
|
|
|
|
render json: security_params.merge(Webauthn.allowed_credentials(@user, secure_session))
|
2014-08-25 14:30:52 -05:00
|
|
|
end
|
2014-07-01 22:06:55 -05:00
|
|
|
end
|
2020-01-15 04:27:12 -06:00
|
|
|
end
|
2014-07-01 22:06:55 -05:00
|
|
|
|
2020-01-15 04:27:12 -06:00
|
|
|
def password_reset_update
|
|
|
|
expires_now
|
|
|
|
token = params[:token]
|
|
|
|
password_reset_find_user(token, committing_change: true)
|
2018-10-22 12:00:30 -05:00
|
|
|
|
2020-01-15 04:27:12 -06:00
|
|
|
if params[:second_factor_token].present?
|
2018-10-22 12:00:30 -05:00
|
|
|
RateLimiter.new(nil, "second-factor-min-#{request.remote_ip}", 3, 1.minute).performed!
|
2020-01-15 04:27:12 -06:00
|
|
|
end
|
|
|
|
|
|
|
|
# no point doing anything else if we can't even find
|
|
|
|
# a user from the token
|
|
|
|
if @user
|
|
|
|
|
|
|
|
if !secure_session["second-factor-#{token}"]
|
|
|
|
second_factor_authentication_result = @user.authenticate_second_factor(params, secure_session)
|
|
|
|
if !second_factor_authentication_result.ok
|
|
|
|
user_error_key = second_factor_authentication_result.reason == "invalid_security_key" ? :user_second_factors : :security_keys
|
|
|
|
@user.errors.add(user_error_key, :invalid)
|
|
|
|
@error = second_factor_authentication_result.error
|
|
|
|
else
|
|
|
|
|
|
|
|
# this must be set because the first call we authenticate e.g. TOTP, and we do
|
|
|
|
# not want to re-authenticate on the second call to change the password as this
|
|
|
|
# will cause a TOTP error saying the code has already been used
|
|
|
|
secure_session["second-factor-#{token}"] = true
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
if @invalid_password = params[:password].blank? || params[:password].size > User.max_password_length
|
2014-09-11 14:22:11 -05:00
|
|
|
@user.errors.add(:password, :invalid)
|
2020-01-15 04:27:12 -06:00
|
|
|
end
|
|
|
|
|
|
|
|
# if we have run into no errors then the user is a-ok to
|
|
|
|
# change the password
|
|
|
|
if @user.errors.empty?
|
2014-09-11 14:22:11 -05:00
|
|
|
@user.password = params[:password]
|
|
|
|
@user.password_required!
|
2017-01-31 16:21:37 -06:00
|
|
|
@user.user_auth_tokens.destroy_all
|
2014-09-11 14:22:11 -05:00
|
|
|
if @user.save
|
|
|
|
Invite.invalidate_for_email(@user.email) # invite link can't be used to log in anymore
|
2016-12-19 01:00:22 -06:00
|
|
|
secure_session["password-#{token}"] = nil
|
2017-12-21 19:18:12 -06:00
|
|
|
secure_session["second-factor-#{token}"] = nil
|
2018-11-13 18:32:42 -06:00
|
|
|
UserHistory.create!(
|
|
|
|
target_user: @user,
|
|
|
|
acting_user: @user,
|
|
|
|
action: UserHistory.actions[:change_password]
|
|
|
|
)
|
2014-09-11 14:22:11 -05:00
|
|
|
logon_after_password_reset
|
2017-01-31 14:42:12 -06:00
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
respond_to do |format|
|
|
|
|
format.html do
|
2020-01-15 04:27:12 -06:00
|
|
|
return render 'password_reset', layout: 'no_ember' if @error
|
2018-02-20 00:44:51 -06:00
|
|
|
|
2020-01-15 04:27:12 -06:00
|
|
|
Webauthn.stage_challenge(@user, secure_session)
|
|
|
|
|
|
|
|
security_params = {
|
|
|
|
is_developer: UsernameCheckerService.is_developer?(@user.email),
|
|
|
|
admin: @user.admin?,
|
|
|
|
second_factor_required: @user.totp_enabled?,
|
|
|
|
security_key_required: @user.security_keys_enabled?,
|
|
|
|
backup_enabled: @user.backup_codes_enabled?,
|
|
|
|
multiple_second_factor_methods: @user.has_multiple_second_factor_methods?
|
|
|
|
}.merge(Webauthn.allowed_credentials(@user, secure_session))
|
|
|
|
|
|
|
|
store_preloaded("password_reset", MultiJson.dump(security_params))
|
|
|
|
|
|
|
|
return redirect_to(wizard_path) if Wizard.user_requires_completion?(@user)
|
|
|
|
|
|
|
|
render 'password_reset'
|
2017-01-31 14:42:12 -06:00
|
|
|
end
|
2016-10-18 10:44:25 -05:00
|
|
|
|
2017-01-31 14:42:12 -06:00
|
|
|
format.json do
|
2020-01-15 04:27:12 -06:00
|
|
|
if @error || @user&.errors&.any?
|
|
|
|
render json: {
|
|
|
|
success: false,
|
|
|
|
message: @error,
|
|
|
|
errors: @user&.errors&.to_hash,
|
|
|
|
is_developer: UsernameCheckerService.is_developer?(@user&.email),
|
|
|
|
admin: @user&.admin?
|
|
|
|
}
|
2017-01-31 14:42:12 -06:00
|
|
|
else
|
2020-01-15 04:27:12 -06:00
|
|
|
render json: {
|
|
|
|
success: true,
|
|
|
|
message: @success,
|
|
|
|
requires_approval: !Guardian.new(@user).can_access_forum?,
|
|
|
|
redirect_to: Wizard.user_requires_completion?(@user) ? wizard_path : nil
|
|
|
|
}
|
2014-09-11 14:22:11 -05:00
|
|
|
end
|
2014-01-21 15:53:46 -06:00
|
|
|
end
|
2013-02-05 13:16:51 -06:00
|
|
|
end
|
|
|
|
end
|
2013-02-07 09:45:24 -06:00
|
|
|
|
2016-01-04 10:48:54 -06:00
|
|
|
def confirm_email_token
|
|
|
|
expires_now
|
|
|
|
EmailToken.confirm(params[:token])
|
|
|
|
render json: success_json
|
|
|
|
end
|
|
|
|
|
2013-10-07 05:19:45 -05:00
|
|
|
def logon_after_password_reset
|
2017-07-27 20:20:09 -05:00
|
|
|
message =
|
|
|
|
if Guardian.new(@user).can_access_forum?
|
|
|
|
# Log in the user
|
|
|
|
log_on_user(@user)
|
|
|
|
'password_reset.success'
|
|
|
|
else
|
|
|
|
@requires_approval = true
|
|
|
|
'password_reset.success_unapproved'
|
|
|
|
end
|
2013-11-11 11:51:14 -06:00
|
|
|
|
2015-02-19 17:28:38 -06:00
|
|
|
@success = I18n.t(message)
|
2014-07-03 02:29:44 -05:00
|
|
|
end
|
2013-10-07 05:19:45 -05:00
|
|
|
|
2015-04-27 05:59:48 -05:00
|
|
|
def admin_login
|
2018-01-22 05:20:53 -06:00
|
|
|
return redirect_to(path("/")) if current_user
|
2015-04-27 05:59:48 -05:00
|
|
|
|
2017-12-21 19:18:12 -06:00
|
|
|
if request.put? && params[:email].present?
|
2015-04-27 05:59:48 -05:00
|
|
|
RateLimiter.new(nil, "admin-login-hr-#{request.remote_ip}", 6, 1.hour).performed!
|
|
|
|
RateLimiter.new(nil, "admin-login-min-#{request.remote_ip}", 3, 1.minute).performed!
|
|
|
|
|
2018-01-22 05:20:53 -06:00
|
|
|
if user = User.with_email(params[:email]).admins.human_users.first
|
2015-04-27 05:59:48 -05:00
|
|
|
email_token = user.email_tokens.create(email: user.email)
|
2016-04-06 23:38:43 -05:00
|
|
|
Jobs.enqueue(:critical_user_email, type: :admin_login, user_id: user.id, email_token: email_token.token)
|
2015-04-27 05:59:48 -05:00
|
|
|
@message = I18n.t("admin_login.success")
|
|
|
|
else
|
2018-01-22 05:20:53 -06:00
|
|
|
@message = I18n.t("admin_login.errors.unknown_email_address")
|
2015-04-27 05:59:48 -05:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2019-10-01 21:08:41 -05:00
|
|
|
render layout: 'no_ember'
|
2015-04-27 05:59:48 -05:00
|
|
|
rescue RateLimiter::LimitExceeded
|
|
|
|
@message = I18n.t("rate_limiter.slow_down")
|
2019-10-01 21:08:41 -05:00
|
|
|
render layout: 'no_ember'
|
2015-04-27 05:59:48 -05:00
|
|
|
end
|
|
|
|
|
2017-04-20 10:17:24 -05:00
|
|
|
def email_login
|
|
|
|
raise Discourse::NotFound if !SiteSetting.enable_local_logins_via_email
|
|
|
|
return redirect_to path("/") if current_user
|
|
|
|
|
|
|
|
expires_now
|
|
|
|
params.require(:login)
|
|
|
|
|
|
|
|
RateLimiter.new(nil, "email-login-hour-#{request.remote_ip}", 6, 1.hour).performed!
|
|
|
|
RateLimiter.new(nil, "email-login-min-#{request.remote_ip}", 3, 1.minute).performed!
|
|
|
|
user = User.human_users.find_by_username_or_email(params[:login])
|
|
|
|
user_presence = user.present? && !user.staged
|
|
|
|
|
|
|
|
if user
|
|
|
|
RateLimiter.new(nil, "email-login-hour-#{user.id}", 6, 1.hour).performed!
|
|
|
|
RateLimiter.new(nil, "email-login-min-#{user.id}", 3, 1.minute).performed!
|
|
|
|
|
|
|
|
if user_presence
|
|
|
|
email_token = user.email_tokens.create!(email: user.email)
|
|
|
|
|
|
|
|
Jobs.enqueue(:critical_user_email,
|
|
|
|
type: :email_login,
|
|
|
|
user_id: user.id,
|
|
|
|
email_token: email_token.token
|
|
|
|
)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2018-02-14 17:46:33 -06:00
|
|
|
json = success_json
|
2017-04-20 10:17:24 -05:00
|
|
|
json[:user_found] = user_presence unless SiteSetting.hide_email_address_taken
|
|
|
|
render json: json
|
|
|
|
rescue RateLimiter::LimitExceeded
|
|
|
|
render_json_error(I18n.t("rate_limiter.slow_down"))
|
|
|
|
end
|
|
|
|
|
2015-04-07 03:02:10 -05:00
|
|
|
def toggle_anon
|
|
|
|
user = AnonymousShadowCreator.get_master(current_user) ||
|
|
|
|
AnonymousShadowCreator.get(current_user)
|
|
|
|
|
|
|
|
if user
|
|
|
|
log_on_user(user)
|
|
|
|
render json: success_json
|
|
|
|
else
|
|
|
|
render json: failed_json, status: 403
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2014-09-23 08:50:57 -05:00
|
|
|
def account_created
|
2018-05-13 09:03:11 -05:00
|
|
|
if current_user.present?
|
|
|
|
if SiteSetting.enable_sso_provider && payload = cookies.delete(:sso_payload)
|
|
|
|
return redirect_to(session_sso_provider_url + "?" + payload)
|
2018-09-04 14:16:54 -05:00
|
|
|
elsif destination_url = cookies.delete(:destination_url)
|
|
|
|
return redirect_to(destination_url)
|
2018-05-13 09:03:11 -05:00
|
|
|
else
|
2018-08-24 09:34:31 -05:00
|
|
|
return redirect_to(path('/'))
|
2018-05-13 09:03:11 -05:00
|
|
|
end
|
|
|
|
end
|
2017-05-03 10:15:54 -05:00
|
|
|
|
2016-05-05 13:37:09 -05:00
|
|
|
@custom_body_class = "static-account-created"
|
2015-05-06 20:00:22 -05:00
|
|
|
@message = session['user_created_message'] || I18n.t('activation.missing_session')
|
2018-05-13 09:03:11 -05:00
|
|
|
@account_created = { message: @message, show_controls: false }
|
2017-05-02 12:21:46 -05:00
|
|
|
|
2017-05-02 14:57:55 -05:00
|
|
|
if session_user_id = session[SessionController::ACTIVATE_USER_KEY]
|
2018-05-11 15:55:45 -05:00
|
|
|
if user = User.where(id: session_user_id.to_i).first
|
2017-05-02 14:57:55 -05:00
|
|
|
@account_created[:username] = user.username
|
|
|
|
@account_created[:email] = user.email
|
2018-01-19 08:29:15 -06:00
|
|
|
@account_created[:show_controls] = !user.from_staged?
|
2017-05-02 14:57:55 -05:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
store_preloaded("accountCreated", MultiJson.dump(@account_created))
|
2014-09-23 08:50:57 -05:00
|
|
|
expires_now
|
2017-05-04 11:30:13 -05:00
|
|
|
|
|
|
|
respond_to do |format|
|
|
|
|
format.html { render "default/empty" }
|
|
|
|
format.json { render json: success_json }
|
|
|
|
end
|
2014-09-23 08:50:57 -05:00
|
|
|
end
|
|
|
|
|
2013-02-05 13:16:51 -06:00
|
|
|
def activate_account
|
2014-07-15 12:47:47 -05:00
|
|
|
expires_now
|
2015-01-15 14:56:53 -06:00
|
|
|
render layout: 'no_ember'
|
2014-07-14 11:25:42 -05:00
|
|
|
end
|
|
|
|
|
|
|
|
def perform_account_activation
|
2014-07-15 13:07:19 -05:00
|
|
|
raise Discourse::InvalidAccess.new if honeypot_or_challenge_fails?(params)
|
2018-05-11 15:55:45 -05:00
|
|
|
|
2018-05-11 17:41:27 -05:00
|
|
|
if @user = EmailToken.confirm(params[:token])
|
2013-02-05 13:16:51 -06:00
|
|
|
# Log in the user unless they need to be approved
|
2013-04-03 11:23:28 -05:00
|
|
|
if Guardian.new(@user).can_access_forum?
|
2013-02-05 13:16:51 -06:00
|
|
|
@user.enqueue_welcome_message('welcome_user') if @user.send_welcome_message
|
|
|
|
log_on_user(@user)
|
2017-03-15 20:48:51 -05:00
|
|
|
|
|
|
|
if Wizard.user_requires_completion?(@user)
|
|
|
|
return redirect_to(wizard_path)
|
|
|
|
elsif destination_url = cookies[:destination_url]
|
|
|
|
cookies[:destination_url] = nil
|
|
|
|
return redirect_to(destination_url)
|
2018-05-11 17:41:27 -05:00
|
|
|
elsif SiteSetting.enable_sso_provider && payload = cookies.delete(:sso_payload)
|
|
|
|
return redirect_to(session_sso_provider_url + "?" + payload)
|
2017-03-15 20:48:51 -05:00
|
|
|
end
|
2013-04-03 11:23:28 -05:00
|
|
|
else
|
|
|
|
@needs_approval = true
|
2013-02-05 13:16:51 -06:00
|
|
|
end
|
|
|
|
else
|
2015-08-23 13:59:16 -05:00
|
|
|
flash.now[:error] = I18n.t('activation.already_done')
|
2013-02-05 13:16:51 -06:00
|
|
|
end
|
2018-05-11 17:41:27 -05:00
|
|
|
|
2015-01-15 14:56:53 -06:00
|
|
|
render layout: 'no_ember'
|
2013-02-05 13:16:51 -06:00
|
|
|
end
|
|
|
|
|
2017-04-05 15:14:22 -05:00
|
|
|
def update_activation_email
|
|
|
|
RateLimiter.new(nil, "activate-edit-email-hr-#{request.remote_ip}", 5, 1.hour).performed!
|
|
|
|
|
2017-05-02 14:57:55 -05:00
|
|
|
if params[:username].present?
|
|
|
|
@user = User.find_by_username_or_email(params[:username])
|
|
|
|
raise Discourse::InvalidAccess.new unless @user.present?
|
|
|
|
raise Discourse::InvalidAccess.new unless @user.confirm_password?(params[:password])
|
|
|
|
elsif user_key = session[SessionController::ACTIVATE_USER_KEY]
|
|
|
|
@user = User.where(id: user_key.to_i).first
|
|
|
|
end
|
|
|
|
|
2018-01-19 08:29:15 -06:00
|
|
|
if @user.blank? || @user.active? || current_user.present? || @user.from_staged?
|
2017-12-14 00:16:49 -06:00
|
|
|
raise Discourse::InvalidAccess.new
|
|
|
|
end
|
|
|
|
|
2017-04-05 15:14:22 -05:00
|
|
|
User.transaction do
|
2017-09-12 09:03:33 -05:00
|
|
|
primary_email = @user.primary_email
|
|
|
|
primary_email.email = params[:email]
|
2017-10-25 00:02:18 -05:00
|
|
|
primary_email.skip_validate_email = false
|
2017-09-12 09:03:33 -05:00
|
|
|
|
|
|
|
if primary_email.save
|
2017-11-07 22:02:33 -06:00
|
|
|
@user.email_tokens.create!(email: @user.email)
|
2017-04-05 15:14:22 -05:00
|
|
|
enqueue_activation_email
|
|
|
|
render json: success_json
|
|
|
|
else
|
2018-05-30 23:15:28 -05:00
|
|
|
render_json_error(primary_email)
|
2017-04-05 15:14:22 -05:00
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2013-02-22 10:49:48 -06:00
|
|
|
def send_activation_email
|
2015-10-27 15:25:30 -05:00
|
|
|
if current_user.blank? || !current_user.staff?
|
|
|
|
RateLimiter.new(nil, "activate-hr-#{request.remote_ip}", 30, 1.hour).performed!
|
|
|
|
RateLimiter.new(nil, "activate-min-#{request.remote_ip}", 6, 1.minute).performed!
|
|
|
|
end
|
2014-09-25 02:42:48 -05:00
|
|
|
|
2017-05-25 14:28:39 -05:00
|
|
|
raise Discourse::InvalidAccess.new if SiteSetting.must_approve_users?
|
|
|
|
|
2017-05-02 14:57:55 -05:00
|
|
|
if params[:username].present?
|
|
|
|
@user = User.find_by_username_or_email(params[:username].to_s)
|
|
|
|
end
|
2017-03-13 07:20:25 -05:00
|
|
|
raise Discourse::NotFound unless @user
|
|
|
|
|
2017-03-13 09:32:24 -05:00
|
|
|
if !current_user&.staff? &&
|
2017-03-13 07:20:25 -05:00
|
|
|
@user.id != session[SessionController::ACTIVATE_USER_KEY]
|
2017-03-13 06:19:42 -05:00
|
|
|
|
2017-05-25 14:28:39 -05:00
|
|
|
raise Discourse::InvalidAccess.new
|
2017-03-13 06:19:42 -05:00
|
|
|
end
|
|
|
|
|
|
|
|
session.delete(SessionController::ACTIVATE_USER_KEY)
|
|
|
|
|
2017-03-20 04:40:48 -05:00
|
|
|
if @user.active && @user.email_confirmed?
|
2017-03-13 06:19:42 -05:00
|
|
|
render_json_error(I18n.t('activation.activated'), status: 409)
|
2017-03-13 09:22:23 -05:00
|
|
|
else
|
2017-03-13 06:19:42 -05:00
|
|
|
@email_token = @user.email_tokens.unconfirmed.active.first
|
|
|
|
enqueue_activation_email
|
2017-08-30 23:06:56 -05:00
|
|
|
render body: nil
|
2017-03-13 06:19:42 -05:00
|
|
|
end
|
2013-02-22 10:49:48 -06:00
|
|
|
end
|
|
|
|
|
2013-10-07 05:19:45 -05:00
|
|
|
def enqueue_activation_email
|
2017-11-07 22:02:33 -06:00
|
|
|
@email_token ||= @user.email_tokens.create!(email: @user.email)
|
2017-07-31 12:27:39 -05:00
|
|
|
Jobs.enqueue(:critical_user_email, type: :signup, user_id: @user.id, email_token: @email_token.token, to_address: @user.email)
|
2013-10-07 05:19:45 -05:00
|
|
|
end
|
|
|
|
|
2013-02-05 13:16:51 -06:00
|
|
|
def search_users
|
2013-02-07 04:59:25 -06:00
|
|
|
term = params[:term].to_s.strip
|
2019-08-06 02:57:45 -05:00
|
|
|
|
2013-02-05 13:16:51 -06:00
|
|
|
topic_id = params[:topic_id]
|
|
|
|
topic_id = topic_id.to_i if topic_id
|
2019-08-06 02:57:45 -05:00
|
|
|
|
2019-10-28 08:18:47 -05:00
|
|
|
category_id = params[:category_id].to_i if category_id.present?
|
2019-08-06 02:57:45 -05:00
|
|
|
|
2015-04-13 10:03:13 -05:00
|
|
|
topic_allowed_users = params[:topic_allowed_users] || false
|
2013-02-05 13:16:51 -06:00
|
|
|
|
2019-05-10 10:35:36 -05:00
|
|
|
group_names = params[:groups] || []
|
|
|
|
group_names << params[:group] if params[:group]
|
|
|
|
if group_names.present?
|
|
|
|
@groups = Group.where(name: group_names)
|
2017-02-09 17:45:39 -06:00
|
|
|
end
|
|
|
|
|
2019-08-06 02:57:45 -05:00
|
|
|
options = {
|
|
|
|
topic_allowed_users: topic_allowed_users,
|
|
|
|
searching_user: current_user,
|
|
|
|
groups: @groups
|
|
|
|
}
|
|
|
|
|
|
|
|
if topic_id
|
|
|
|
options[:topic_id] = topic_id
|
|
|
|
end
|
|
|
|
|
|
|
|
if category_id
|
|
|
|
options[:category_id] = category_id
|
|
|
|
end
|
|
|
|
|
|
|
|
results = UserSearch.new(term, options).search
|
2013-02-05 13:16:51 -06:00
|
|
|
|
2015-09-11 08:04:29 -05:00
|
|
|
user_fields = [:username, :upload_avatar_template]
|
2013-10-30 14:45:13 -05:00
|
|
|
user_fields << :name if SiteSetting.enable_names?
|
|
|
|
|
2015-09-11 03:14:34 -05:00
|
|
|
to_render = { users: results.as_json(only: user_fields, methods: [:avatar_template]) }
|
2013-12-23 08:46:00 -06:00
|
|
|
|
2017-11-01 21:20:14 -05:00
|
|
|
groups =
|
|
|
|
if current_user
|
2020-02-12 02:11:10 -06:00
|
|
|
if params[:include_groups] == 'true'
|
|
|
|
Group.visible_groups(current_user)
|
|
|
|
elsif params[:include_mentionable_groups] == 'true'
|
2017-10-02 04:45:58 -05:00
|
|
|
Group.mentionable(current_user)
|
|
|
|
elsif params[:include_messageable_groups] == 'true'
|
|
|
|
Group.messageable(current_user)
|
|
|
|
end
|
2017-10-03 05:49:45 -05:00
|
|
|
end
|
2017-11-01 21:20:14 -05:00
|
|
|
|
2019-02-20 00:28:12 -06:00
|
|
|
# blank term is only handy for in-topic search of users after @
|
|
|
|
# we do not want group results ever if term is blank
|
2020-02-12 02:11:10 -06:00
|
|
|
groups = nil if term.blank?
|
2019-02-20 00:28:12 -06:00
|
|
|
|
2020-02-12 02:11:10 -06:00
|
|
|
if groups
|
2017-11-03 08:39:55 -05:00
|
|
|
groups = Group.search_groups(term, groups: groups)
|
2018-02-12 20:28:29 -06:00
|
|
|
groups = groups.order('groups.name asc')
|
2017-11-03 08:39:55 -05:00
|
|
|
|
|
|
|
to_render[:groups] = groups.map do |m|
|
|
|
|
{ name: m.name, full_name: m.full_name }
|
|
|
|
end
|
2015-12-01 22:49:43 -06:00
|
|
|
end
|
|
|
|
|
2013-12-23 08:46:00 -06:00
|
|
|
render json: to_render
|
2013-02-05 13:16:51 -06:00
|
|
|
end
|
|
|
|
|
2015-09-17 12:42:44 -05:00
|
|
|
AVATAR_TYPES_WITH_UPLOAD ||= %w{uploaded custom gravatar}
|
|
|
|
|
2014-05-26 04:46:43 -05:00
|
|
|
def pick_avatar
|
2013-08-13 15:08:29 -05:00
|
|
|
user = fetch_user_from_params
|
|
|
|
guardian.ensure_can_edit!(user)
|
2015-05-29 03:21:41 -05:00
|
|
|
|
2015-09-11 08:04:29 -05:00
|
|
|
type = params[:type]
|
2015-09-11 08:47:48 -05:00
|
|
|
upload_id = params[:upload_id]
|
2014-05-26 04:46:43 -05:00
|
|
|
|
2015-11-12 03:26:45 -06:00
|
|
|
if SiteSetting.sso_overrides_avatar
|
|
|
|
return render json: failed_json, status: 422
|
|
|
|
end
|
|
|
|
|
|
|
|
if !SiteSetting.allow_uploaded_avatars
|
|
|
|
if type == "uploaded" || type == "custom"
|
|
|
|
return render json: failed_json, status: 422
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2018-09-20 00:33:10 -05:00
|
|
|
upload = Upload.find_by(id: upload_id)
|
|
|
|
|
|
|
|
# old safeguard
|
|
|
|
user.create_user_avatar unless user.user_avatar
|
|
|
|
|
|
|
|
guardian.ensure_can_pick_avatar!(user.user_avatar, upload)
|
2015-09-11 08:47:48 -05:00
|
|
|
|
2015-09-17 12:42:44 -05:00
|
|
|
if AVATAR_TYPES_WITH_UPLOAD.include?(type)
|
2018-09-20 00:33:10 -05:00
|
|
|
|
|
|
|
if !upload
|
2015-09-17 12:42:44 -05:00
|
|
|
return render_json_error I18n.t("avatar.missing")
|
|
|
|
end
|
|
|
|
|
|
|
|
if type == "gravatar"
|
|
|
|
user.user_avatar.gravatar_upload_id = upload_id
|
|
|
|
else
|
|
|
|
user.user_avatar.custom_upload_id = upload_id
|
|
|
|
end
|
2015-09-11 08:47:48 -05:00
|
|
|
end
|
2015-05-29 03:21:41 -05:00
|
|
|
|
2018-09-20 00:33:10 -05:00
|
|
|
user.uploaded_avatar_id = upload_id
|
2013-08-13 15:08:29 -05:00
|
|
|
user.save!
|
2015-05-29 03:21:41 -05:00
|
|
|
user.user_avatar.save!
|
2013-08-13 15:08:29 -05:00
|
|
|
|
2014-12-06 10:26:32 -06:00
|
|
|
render json: success_json
|
2013-08-13 15:08:29 -05:00
|
|
|
end
|
2014-04-14 15:55:57 -05:00
|
|
|
|
2018-07-18 05:57:43 -05:00
|
|
|
def select_avatar
|
|
|
|
user = fetch_user_from_params
|
|
|
|
guardian.ensure_can_edit!(user)
|
|
|
|
|
|
|
|
url = params[:url]
|
|
|
|
|
|
|
|
if url.blank?
|
|
|
|
return render json: failed_json, status: 422
|
|
|
|
end
|
|
|
|
|
|
|
|
unless SiteSetting.selectable_avatars_enabled
|
|
|
|
return render json: failed_json, status: 422
|
|
|
|
end
|
|
|
|
|
|
|
|
if SiteSetting.selectable_avatars.blank?
|
|
|
|
return render json: failed_json, status: 422
|
|
|
|
end
|
|
|
|
|
|
|
|
unless SiteSetting.selectable_avatars[url]
|
|
|
|
return render json: failed_json, status: 422
|
|
|
|
end
|
|
|
|
|
|
|
|
unless upload = Upload.find_by(url: url)
|
|
|
|
return render json: failed_json, status: 422
|
|
|
|
end
|
|
|
|
|
|
|
|
user.uploaded_avatar_id = upload.id
|
|
|
|
user.save!
|
|
|
|
|
|
|
|
avatar = user.user_avatar || user.create_user_avatar
|
|
|
|
avatar.custom_upload_id = upload.id
|
|
|
|
avatar.save!
|
|
|
|
|
|
|
|
render json: {
|
|
|
|
avatar_template: user.avatar_template,
|
|
|
|
custom_avatar_template: user.avatar_template,
|
|
|
|
uploaded_avatar_id: upload.id,
|
|
|
|
}
|
|
|
|
end
|
|
|
|
|
2014-06-27 13:48:39 -05:00
|
|
|
def destroy_user_image
|
2014-02-28 14:12:51 -06:00
|
|
|
user = fetch_user_from_params
|
|
|
|
guardian.ensure_can_edit!(user)
|
2014-04-14 15:55:57 -05:00
|
|
|
|
2015-05-19 18:39:58 -05:00
|
|
|
case params.require(:type)
|
|
|
|
when "profile_background"
|
2014-06-27 13:48:39 -05:00
|
|
|
user.user_profile.clear_profile_background
|
2015-05-19 18:39:58 -05:00
|
|
|
when "card_background"
|
2014-10-20 11:11:36 -05:00
|
|
|
user.user_profile.clear_card_background
|
2014-06-27 13:48:39 -05:00
|
|
|
else
|
2015-05-19 18:39:58 -05:00
|
|
|
raise Discourse::InvalidParameters.new(:type)
|
2014-06-27 13:48:39 -05:00
|
|
|
end
|
2014-04-14 15:55:57 -05:00
|
|
|
|
2015-05-19 18:39:58 -05:00
|
|
|
render json: success_json
|
2014-02-28 14:12:51 -06:00
|
|
|
end
|
2014-04-14 15:55:57 -05:00
|
|
|
|
2014-02-13 10:42:35 -06:00
|
|
|
def destroy
|
|
|
|
@user = fetch_user_from_params
|
|
|
|
guardian.ensure_can_delete_user!(@user)
|
2014-04-14 15:55:57 -05:00
|
|
|
|
2017-07-27 20:20:09 -05:00
|
|
|
UserDestroyer.new(current_user).destroy(@user, delete_posts: true, context: params[:context])
|
2014-04-14 15:55:57 -05:00
|
|
|
|
2014-02-13 10:42:35 -06:00
|
|
|
render json: success_json
|
|
|
|
end
|
|
|
|
|
2019-03-27 04:41:50 -05:00
|
|
|
def notification_level
|
|
|
|
user = fetch_user_from_params
|
2019-02-27 07:49:07 -06:00
|
|
|
|
2019-03-27 04:41:50 -05:00
|
|
|
if params[:notification_level] == "ignore"
|
2020-01-02 07:04:08 -06:00
|
|
|
guardian.ensure_can_ignore_user!(user)
|
2019-03-27 04:41:50 -05:00
|
|
|
MutedUser.where(user: current_user, muted_user: user).delete_all
|
2019-03-29 05:14:53 -05:00
|
|
|
ignored_user = IgnoredUser.find_by(user: current_user, ignored_user: user)
|
|
|
|
if ignored_user.present?
|
|
|
|
ignored_user.update(expiring_at: DateTime.parse(params[:expiring_at]))
|
|
|
|
else
|
|
|
|
IgnoredUser.create!(user: current_user, ignored_user: user, expiring_at: Time.parse(params[:expiring_at]))
|
|
|
|
end
|
2019-03-27 04:41:50 -05:00
|
|
|
elsif params[:notification_level] == "mute"
|
2020-01-02 07:04:08 -06:00
|
|
|
guardian.ensure_can_mute_user!(user)
|
2019-03-27 04:41:50 -05:00
|
|
|
IgnoredUser.where(user: current_user, ignored_user: user).delete_all
|
|
|
|
MutedUser.find_or_create_by!(user: current_user, muted_user: user)
|
|
|
|
elsif params[:notification_level] == "normal"
|
|
|
|
MutedUser.where(user: current_user, muted_user: user).delete_all
|
|
|
|
IgnoredUser.where(user: current_user, ignored_user: user).delete_all
|
|
|
|
end
|
2019-02-27 07:49:07 -06:00
|
|
|
|
|
|
|
render json: success_json
|
|
|
|
end
|
|
|
|
|
2014-07-11 02:32:29 -05:00
|
|
|
def read_faq
|
2015-09-04 15:56:02 -05:00
|
|
|
if user = current_user
|
2014-07-11 02:32:29 -05:00
|
|
|
user.user_stat.read_faq = 1.second.ago
|
|
|
|
user.user_stat.save
|
|
|
|
end
|
|
|
|
|
|
|
|
render json: success_json
|
|
|
|
end
|
|
|
|
|
2015-01-05 12:49:32 -06:00
|
|
|
def staff_info
|
2015-11-27 13:02:24 -06:00
|
|
|
@user = fetch_user_from_params(include_inactive: true)
|
2015-01-05 12:49:32 -06:00
|
|
|
guardian.ensure_can_see_staff_info!(@user)
|
|
|
|
|
|
|
|
result = {}
|
|
|
|
|
2017-04-14 23:11:02 -05:00
|
|
|
%W{number_of_deleted_posts number_of_flagged_posts number_of_flags_given number_of_suspensions warnings_received_count}.each do |info|
|
2019-05-06 20:27:05 -05:00
|
|
|
result[info] = @user.public_send(info)
|
2015-01-05 12:49:32 -06:00
|
|
|
end
|
|
|
|
|
|
|
|
render json: result
|
|
|
|
end
|
|
|
|
|
2017-04-04 12:59:22 -05:00
|
|
|
def confirm_admin
|
|
|
|
@confirmation = AdminConfirmation.find_by_code(params[:token])
|
|
|
|
|
|
|
|
raise Discourse::NotFound unless @confirmation
|
|
|
|
raise Discourse::InvalidAccess.new unless
|
|
|
|
@confirmation.performed_by.id == (current_user&.id || @confirmation.performed_by.id)
|
|
|
|
|
|
|
|
if request.post?
|
|
|
|
@confirmation.email_confirmed!
|
|
|
|
@confirmed = true
|
|
|
|
end
|
|
|
|
|
2019-07-23 12:17:44 -05:00
|
|
|
respond_to do |format|
|
|
|
|
format.json { render json: success_json }
|
|
|
|
format.html { render layout: 'no_ember' }
|
|
|
|
end
|
2017-04-04 12:59:22 -05:00
|
|
|
end
|
|
|
|
|
2019-06-26 18:58:06 -05:00
|
|
|
def list_second_factors
|
2018-03-01 20:37:13 -06:00
|
|
|
raise Discourse::NotFound if SiteSetting.enable_sso || !SiteSetting.enable_local_logins
|
2018-02-20 00:44:51 -06:00
|
|
|
|
2019-06-26 18:58:06 -05:00
|
|
|
unless params[:password].empty?
|
|
|
|
RateLimiter.new(nil, "login-hr-#{request.remote_ip}", SiteSetting.max_logins_per_ip_per_hour, 1.hour).performed!
|
|
|
|
RateLimiter.new(nil, "login-min-#{request.remote_ip}", SiteSetting.max_logins_per_ip_per_minute, 1.minute).performed!
|
|
|
|
unless current_user.confirm_password?(params[:password])
|
|
|
|
return render json: failed_json.merge(
|
|
|
|
error: I18n.t("login.incorrect_password")
|
|
|
|
)
|
|
|
|
end
|
2020-01-09 18:45:56 -06:00
|
|
|
confirm_secure_session
|
2018-02-20 00:44:51 -06:00
|
|
|
end
|
|
|
|
|
2020-01-09 18:45:56 -06:00
|
|
|
if secure_session_confirmed?
|
2019-10-01 21:08:41 -05:00
|
|
|
totp_second_factors = current_user.totps
|
|
|
|
.select(:id, :name, :last_used, :created_at, :method)
|
|
|
|
.where(enabled: true).order(:created_at)
|
|
|
|
|
|
|
|
security_keys = current_user.security_keys.where(factor_type: UserSecurityKey.factor_types[:second_factor]).order(:created_at)
|
|
|
|
|
2019-06-26 18:58:06 -05:00
|
|
|
render json: success_json.merge(
|
2019-10-01 21:08:41 -05:00
|
|
|
totps: totp_second_factors,
|
|
|
|
security_keys: security_keys
|
2019-06-26 18:58:06 -05:00
|
|
|
)
|
|
|
|
else
|
|
|
|
render json: success_json.merge(
|
|
|
|
password_required: true
|
|
|
|
)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def create_second_factor_backup
|
|
|
|
backup_codes = current_user.generate_backup_codes
|
|
|
|
|
|
|
|
render json: success_json.merge(
|
|
|
|
backup_codes: backup_codes
|
|
|
|
)
|
|
|
|
end
|
|
|
|
|
|
|
|
def create_second_factor_totp
|
2019-12-16 18:33:51 -06:00
|
|
|
require 'rotp' if !defined? ROTP
|
2019-12-08 22:29:48 -06:00
|
|
|
totp_data = ROTP::Base32.random
|
2019-06-26 18:58:06 -05:00
|
|
|
secure_session["staged-totp-#{current_user.id}"] = totp_data
|
|
|
|
qrcode_svg = RQRCode::QRCode.new(current_user.totp_provisioning_uri(totp_data)).as_svg(
|
2018-02-20 00:44:51 -06:00
|
|
|
offset: 0,
|
|
|
|
color: '000',
|
|
|
|
shape_rendering: 'crispEdges',
|
|
|
|
module_size: 4
|
|
|
|
)
|
|
|
|
|
|
|
|
render json: success_json.merge(
|
2019-06-26 18:58:06 -05:00
|
|
|
key: totp_data.scan(/.{4}/).join(" "),
|
|
|
|
qr: qrcode_svg
|
|
|
|
)
|
2018-02-20 00:44:51 -06:00
|
|
|
end
|
|
|
|
|
2019-10-01 21:08:41 -05:00
|
|
|
def create_second_factor_security_key
|
2020-01-09 18:45:56 -06:00
|
|
|
challenge_session = Webauthn.stage_challenge(current_user, secure_session)
|
2019-10-01 21:08:41 -05:00
|
|
|
render json: success_json.merge(
|
2020-01-09 18:45:56 -06:00
|
|
|
challenge: challenge_session.challenge,
|
|
|
|
rp_id: challenge_session.rp_id,
|
|
|
|
rp_name: challenge_session.rp_name,
|
2019-10-01 21:08:41 -05:00
|
|
|
supported_algoriths: ::Webauthn::SUPPORTED_ALGORITHMS,
|
|
|
|
user_secure_id: current_user.create_or_fetch_secure_identifier,
|
|
|
|
existing_active_credential_ids: current_user.second_factor_security_key_credential_ids
|
|
|
|
)
|
|
|
|
end
|
|
|
|
|
|
|
|
def register_second_factor_security_key
|
|
|
|
params.require(:name)
|
|
|
|
params.require(:attestation)
|
|
|
|
params.require(:clientData)
|
|
|
|
|
|
|
|
::Webauthn::SecurityKeyRegistrationService.new(
|
|
|
|
current_user,
|
|
|
|
params,
|
2020-01-09 18:45:56 -06:00
|
|
|
challenge: Webauthn.challenge(current_user, secure_session),
|
|
|
|
rp_id: Webauthn.rp_id(current_user, secure_session),
|
2019-10-01 21:08:41 -05:00
|
|
|
origin: Discourse.base_url
|
|
|
|
).register_second_factor_security_key
|
|
|
|
render json: success_json
|
|
|
|
rescue ::Webauthn::SecurityKeyError => err
|
2020-01-09 18:45:56 -06:00
|
|
|
render json: failed_json.merge(error: err.message)
|
2019-10-01 21:08:41 -05:00
|
|
|
end
|
|
|
|
|
|
|
|
def update_security_key
|
|
|
|
user_security_key = current_user.security_keys.find_by(id: params[:id].to_i)
|
|
|
|
raise Discourse::InvalidParameters unless user_security_key
|
|
|
|
|
|
|
|
if params[:name] && !params[:name].blank?
|
|
|
|
user_security_key.update!(name: params[:name])
|
|
|
|
end
|
|
|
|
if params[:disable] == "true"
|
|
|
|
user_security_key.update!(enabled: false)
|
|
|
|
end
|
|
|
|
|
|
|
|
render json: success_json
|
|
|
|
end
|
|
|
|
|
2019-06-26 18:58:06 -05:00
|
|
|
def enable_second_factor_totp
|
2020-03-05 22:37:40 -06:00
|
|
|
if params[:second_factor_token].blank?
|
|
|
|
return render json: failed_json.merge(error: I18n.t("login.missing_second_factor_code"))
|
|
|
|
end
|
|
|
|
if params[:name].blank?
|
|
|
|
return render json: failed_json.merge(error: I18n.t("login.missing_second_factor_name"))
|
|
|
|
end
|
2019-06-26 18:58:06 -05:00
|
|
|
auth_token = params[:second_factor_token]
|
|
|
|
|
|
|
|
totp_data = secure_session["staged-totp-#{current_user.id}"]
|
|
|
|
totp_object = current_user.get_totp_object(totp_data)
|
|
|
|
|
|
|
|
[request.remote_ip, current_user.id].each do |key|
|
|
|
|
RateLimiter.new(nil, "second-factor-min-#{key}", 3, 1.minute).performed!
|
|
|
|
end
|
2018-06-28 03:12:32 -05:00
|
|
|
|
2019-12-08 22:29:48 -06:00
|
|
|
authenticated = !auth_token.blank? && totp_object.verify(
|
|
|
|
auth_token,
|
|
|
|
drift_ahead: SecondFactorManager::TOTP_ALLOWED_DRIFT_SECONDS,
|
|
|
|
drift_behind: SecondFactorManager::TOTP_ALLOWED_DRIFT_SECONDS
|
|
|
|
)
|
2019-06-26 18:58:06 -05:00
|
|
|
unless authenticated
|
2018-06-28 03:12:32 -05:00
|
|
|
return render json: failed_json.merge(
|
2019-06-26 18:58:06 -05:00
|
|
|
error: I18n.t("login.invalid_second_factor_code")
|
|
|
|
)
|
2018-06-28 03:12:32 -05:00
|
|
|
end
|
2019-06-26 18:58:06 -05:00
|
|
|
current_user.create_totp(data: totp_data, name: params[:name], enabled: true)
|
|
|
|
render json: success_json
|
|
|
|
end
|
2018-06-28 03:12:32 -05:00
|
|
|
|
2019-06-26 18:58:06 -05:00
|
|
|
def disable_second_factor
|
|
|
|
# delete all second factors for a user
|
|
|
|
current_user.user_second_factors.destroy_all
|
2018-06-28 03:12:32 -05:00
|
|
|
|
2019-06-26 18:58:06 -05:00
|
|
|
Jobs.enqueue(
|
|
|
|
:critical_user_email,
|
|
|
|
type: :account_second_factor_disabled,
|
|
|
|
user_id: current_user.id
|
2018-06-28 03:12:32 -05:00
|
|
|
)
|
2019-06-26 18:58:06 -05:00
|
|
|
|
|
|
|
render json: success_json
|
2018-06-28 03:12:32 -05:00
|
|
|
end
|
|
|
|
|
2018-02-20 00:44:51 -06:00
|
|
|
def update_second_factor
|
2019-02-27 03:37:33 -06:00
|
|
|
params.require(:second_factor_target)
|
|
|
|
update_second_factor_method = params[:second_factor_target].to_i
|
2018-02-20 00:44:51 -06:00
|
|
|
|
2019-02-27 03:37:33 -06:00
|
|
|
if update_second_factor_method == UserSecondFactor.methods[:totp]
|
2019-06-26 18:58:06 -05:00
|
|
|
params.require(:id)
|
|
|
|
second_factor_id = params[:id].to_i
|
|
|
|
user_second_factor = current_user.user_second_factors.totps.find_by(id: second_factor_id)
|
2019-02-27 03:37:33 -06:00
|
|
|
elsif update_second_factor_method == UserSecondFactor.methods[:backup_codes]
|
2018-06-28 03:12:32 -05:00
|
|
|
user_second_factor = current_user.user_second_factors.backup_codes
|
|
|
|
end
|
|
|
|
|
2018-02-20 00:44:51 -06:00
|
|
|
raise Discourse::InvalidParameters unless user_second_factor
|
|
|
|
|
2019-06-26 18:58:06 -05:00
|
|
|
if params[:name] && !params[:name].blank?
|
|
|
|
user_second_factor.update!(name: params[:name])
|
2018-02-20 00:44:51 -06:00
|
|
|
end
|
2019-06-26 18:58:06 -05:00
|
|
|
if params[:disable] == "true"
|
|
|
|
# Disabling backup codes deletes *all* backup codes
|
|
|
|
if update_second_factor_method == UserSecondFactor.methods[:backup_codes]
|
2018-06-28 03:12:32 -05:00
|
|
|
current_user.user_second_factors.where(method: UserSecondFactor.methods[:backup_codes]).destroy_all
|
2019-06-26 18:58:06 -05:00
|
|
|
else
|
|
|
|
user_second_factor.update!(enabled: false)
|
2018-06-28 03:12:32 -05:00
|
|
|
end
|
2019-06-26 18:58:06 -05:00
|
|
|
|
2018-02-20 00:44:51 -06:00
|
|
|
end
|
|
|
|
|
|
|
|
render json: success_json
|
|
|
|
end
|
|
|
|
|
2019-06-26 18:58:06 -05:00
|
|
|
def second_factor_check_confirmed_password
|
|
|
|
raise Discourse::NotFound if SiteSetting.enable_sso || !SiteSetting.enable_local_logins
|
|
|
|
|
2020-01-09 18:45:56 -06:00
|
|
|
raise Discourse::InvalidAccess.new unless current_user && secure_session_confirmed?
|
2019-06-26 18:58:06 -05:00
|
|
|
end
|
|
|
|
|
2018-07-23 10:51:57 -05:00
|
|
|
def revoke_account
|
|
|
|
user = fetch_user_from_params
|
|
|
|
guardian.ensure_can_edit!(user)
|
|
|
|
provider_name = params.require(:provider_name)
|
|
|
|
|
|
|
|
# Using Discourse.authenticators rather than Discourse.enabled_authenticators so users can
|
|
|
|
# revoke permissions even if the admin has temporarily disabled that type of login
|
2018-08-09 23:53:55 -05:00
|
|
|
authenticator = Discourse.authenticators.find { |a| a.name == provider_name }
|
2018-07-31 10:18:50 -05:00
|
|
|
raise Discourse::NotFound if authenticator.nil? || !authenticator.can_revoke?
|
2018-07-23 10:51:57 -05:00
|
|
|
|
|
|
|
skip_remote = params.permit(:skip_remote)
|
|
|
|
|
|
|
|
# We're likely going to contact the remote auth provider, so hijack request
|
|
|
|
hijack do
|
2019-06-10 20:28:42 -05:00
|
|
|
DiscourseEvent.trigger(:before_auth_revoke, authenticator, user)
|
2018-07-23 10:51:57 -05:00
|
|
|
result = authenticator.revoke(user, skip_remote: skip_remote)
|
|
|
|
if result
|
2018-08-09 23:53:55 -05:00
|
|
|
render json: success_json
|
2018-07-23 10:51:57 -05:00
|
|
|
else
|
2018-08-09 23:53:55 -05:00
|
|
|
render json: {
|
2018-07-23 10:51:57 -05:00
|
|
|
success: false,
|
|
|
|
message: I18n.t("associated_accounts.revoke_failed", provider_name: provider_name)
|
|
|
|
}
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2018-08-31 03:18:06 -05:00
|
|
|
def revoke_auth_token
|
|
|
|
user = fetch_user_from_params
|
|
|
|
guardian.ensure_can_edit!(user)
|
|
|
|
|
2018-10-11 18:40:48 -05:00
|
|
|
if params[:token_id]
|
|
|
|
token = UserAuthToken.find_by(id: params[:token_id], user_id: user.id)
|
|
|
|
# The user should not be able to revoke the auth token of current session.
|
2018-10-11 18:51:41 -05:00
|
|
|
raise Discourse::InvalidParameters.new(:token_id) if guardian.auth_token == token.auth_token
|
2018-10-09 09:21:41 -05:00
|
|
|
UserAuthToken.where(id: params[:token_id], user_id: user.id).each(&:destroy!)
|
2019-07-19 05:54:58 -05:00
|
|
|
|
|
|
|
MessageBus.publish "/file-change", ["refresh"], user_ids: [user.id]
|
2018-10-09 09:21:41 -05:00
|
|
|
else
|
|
|
|
UserAuthToken.where(user_id: user.id).each(&:destroy!)
|
|
|
|
end
|
2018-08-31 03:18:06 -05:00
|
|
|
|
2018-10-14 22:42:45 -05:00
|
|
|
render json: success_json
|
2018-08-31 03:18:06 -05:00
|
|
|
end
|
|
|
|
|
2019-12-09 13:15:47 -06:00
|
|
|
def feature_topic
|
|
|
|
user = fetch_user_from_params
|
|
|
|
topic = Topic.find(params[:topic_id].to_i)
|
|
|
|
|
|
|
|
raise Discourse::InvalidAccess.new unless topic && guardian.can_feature_topic?(user, topic)
|
|
|
|
user.user_profile.update(featured_topic_id: topic.id)
|
|
|
|
render json: success_json
|
|
|
|
end
|
|
|
|
|
|
|
|
def clear_featured_topic
|
|
|
|
user = fetch_user_from_params
|
|
|
|
guardian.ensure_can_edit!(user)
|
|
|
|
user.user_profile.update(featured_topic_id: nil)
|
|
|
|
render json: success_json
|
|
|
|
end
|
|
|
|
|
2019-10-16 00:53:31 -05:00
|
|
|
HONEYPOT_KEY ||= 'HONEYPOT_KEY'
|
|
|
|
CHALLENGE_KEY ||= 'CHALLENGE_KEY'
|
|
|
|
|
|
|
|
protected
|
2013-02-05 13:16:51 -06:00
|
|
|
|
2018-06-07 00:28:18 -05:00
|
|
|
def honeypot_value
|
2019-10-16 00:53:31 -05:00
|
|
|
secure_session[HONEYPOT_KEY] ||= SecureRandom.hex
|
2018-06-07 00:28:18 -05:00
|
|
|
end
|
2013-08-23 01:19:23 -05:00
|
|
|
|
2018-06-07 00:28:18 -05:00
|
|
|
def challenge_value
|
2019-10-16 00:53:31 -05:00
|
|
|
secure_session[CHALLENGE_KEY] ||= SecureRandom.hex
|
2018-06-07 00:28:18 -05:00
|
|
|
end
|
2013-11-12 16:37:38 -06:00
|
|
|
|
2019-10-16 00:53:31 -05:00
|
|
|
private
|
|
|
|
|
2020-01-15 04:27:12 -06:00
|
|
|
def password_reset_find_user(token, committing_change:)
|
|
|
|
if EmailToken.valid_token_format?(token)
|
|
|
|
@user = committing_change ? EmailToken.confirm(token) : EmailToken.confirmable(token)&.user
|
|
|
|
if @user
|
|
|
|
secure_session["password-#{token}"] = @user.id
|
|
|
|
else
|
|
|
|
user_id = secure_session["password-#{token}"].to_i
|
|
|
|
@user = User.find(user_id) if user_id > 0
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
@error = I18n.t('password_reset.no_token') if !@user
|
|
|
|
end
|
|
|
|
|
2018-06-07 00:28:18 -05:00
|
|
|
def respond_to_suspicious_request
|
|
|
|
if suspicious?(params)
|
|
|
|
render json: {
|
|
|
|
success: true,
|
|
|
|
active: false,
|
|
|
|
message: I18n.t("login.activate_email", email: params[:email])
|
|
|
|
}
|
2013-11-12 16:37:38 -06:00
|
|
|
end
|
2018-06-07 00:28:18 -05:00
|
|
|
end
|
2013-11-12 16:37:38 -06:00
|
|
|
|
2018-06-07 00:28:18 -05:00
|
|
|
def suspicious?(params)
|
|
|
|
return false if current_user && is_api? && current_user.admin?
|
|
|
|
honeypot_or_challenge_fails?(params) || SiteSetting.invite_only?
|
|
|
|
end
|
2013-11-12 16:37:38 -06:00
|
|
|
|
2018-06-07 00:28:18 -05:00
|
|
|
def honeypot_or_challenge_fails?(params)
|
|
|
|
return false if is_api?
|
|
|
|
params[:password_confirmation] != honeypot_value ||
|
|
|
|
params[:challenge] != challenge_value.try(:reverse)
|
|
|
|
end
|
2016-08-05 10:57:13 -05:00
|
|
|
|
2018-06-07 00:28:18 -05:00
|
|
|
def user_params
|
|
|
|
permitted = [
|
|
|
|
:name,
|
|
|
|
:email,
|
|
|
|
:password,
|
|
|
|
:username,
|
|
|
|
:title,
|
|
|
|
:date_of_birth,
|
|
|
|
:muted_usernames,
|
2019-03-06 05:21:58 -06:00
|
|
|
:ignored_usernames,
|
2018-07-11 23:18:21 -05:00
|
|
|
:theme_ids,
|
2018-06-07 00:28:18 -05:00
|
|
|
:locale,
|
|
|
|
:bio_raw,
|
|
|
|
:location,
|
|
|
|
:website,
|
|
|
|
:dismissed_banner_key,
|
2019-04-28 22:58:52 -05:00
|
|
|
:profile_background_upload_url,
|
2019-10-28 12:46:27 -05:00
|
|
|
:card_background_upload_url,
|
2019-12-09 13:15:47 -06:00
|
|
|
:primary_group_id,
|
|
|
|
:featured_topic_id
|
2018-06-07 00:28:18 -05:00
|
|
|
]
|
|
|
|
|
2019-10-11 03:57:55 -05:00
|
|
|
editable_custom_fields = User.editable_user_custom_fields(by_staff: current_user.try(:staff?))
|
|
|
|
permitted << { custom_fields: editable_custom_fields } unless editable_custom_fields.blank?
|
2018-06-07 00:28:18 -05:00
|
|
|
permitted.concat UserUpdater::OPTION_ATTR
|
|
|
|
permitted.concat UserUpdater::CATEGORY_IDS.keys.map { |k| { k => [] } }
|
|
|
|
permitted.concat UserUpdater::TAG_NAMES.keys
|
|
|
|
|
|
|
|
result = params
|
2018-07-11 23:18:21 -05:00
|
|
|
.permit(permitted, theme_ids: [])
|
2018-06-07 00:28:18 -05:00
|
|
|
.reverse_merge(
|
|
|
|
ip_address: request.remote_ip,
|
2019-06-07 10:51:58 -05:00
|
|
|
registration_ip_address: request.remote_ip
|
2018-06-07 00:28:18 -05:00
|
|
|
)
|
2016-08-05 10:57:13 -05:00
|
|
|
|
2018-06-07 00:28:18 -05:00
|
|
|
if !UsernameCheckerService.is_developer?(result['email']) &&
|
|
|
|
is_api? &&
|
|
|
|
current_user.present? &&
|
|
|
|
current_user.admin?
|
2016-08-05 10:57:13 -05:00
|
|
|
|
2018-06-07 00:28:18 -05:00
|
|
|
result.merge!(params.permit(:active, :staged, :approved))
|
2018-02-16 18:11:41 -06:00
|
|
|
end
|
|
|
|
|
2018-06-07 00:28:18 -05:00
|
|
|
modify_user_params(result)
|
|
|
|
end
|
2016-02-06 13:49:39 -06:00
|
|
|
|
2018-06-07 00:28:18 -05:00
|
|
|
# Plugins can use this to modify user parameters
|
|
|
|
def modify_user_params(attrs)
|
|
|
|
attrs
|
|
|
|
end
|
2014-09-26 13:48:34 -05:00
|
|
|
|
2018-06-07 00:28:18 -05:00
|
|
|
def fail_with(key)
|
|
|
|
render json: { success: false, message: I18n.t(key) }
|
|
|
|
end
|
2014-09-26 13:48:34 -05:00
|
|
|
|
2018-06-07 00:28:18 -05:00
|
|
|
def track_visit_to_user_profile
|
|
|
|
user_profile_id = @user.user_profile.id
|
|
|
|
ip = request.remote_ip
|
|
|
|
user_id = (current_user.id if current_user)
|
2015-09-14 02:51:17 -05:00
|
|
|
|
2018-06-07 00:28:18 -05:00
|
|
|
Scheduler::Defer.later 'Track profile view visit' do
|
|
|
|
UserProfileView.add(user_profile_id, ip, user_id)
|
2015-09-14 02:51:17 -05:00
|
|
|
end
|
2018-06-07 00:28:18 -05:00
|
|
|
end
|
2015-09-14 02:51:17 -05:00
|
|
|
|
2019-09-13 13:11:27 -05:00
|
|
|
def clashing_with_existing_route?(username)
|
|
|
|
normalized_username = User.normalize_username(username)
|
|
|
|
http_verbs = %w[GET POST PUT DELETE PATCH]
|
|
|
|
allowed_actions = %w[show update destroy]
|
|
|
|
|
|
|
|
http_verbs.any? do |verb|
|
|
|
|
begin
|
|
|
|
path = Rails.application.routes.recognize_path("/u/#{normalized_username}", method: verb)
|
|
|
|
allowed_actions.exclude?(path[:action])
|
|
|
|
rescue ActionController::RoutingError
|
|
|
|
false
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
2019-10-01 21:08:41 -05:00
|
|
|
|
2020-01-09 18:45:56 -06:00
|
|
|
def confirm_secure_session
|
|
|
|
secure_session["confirmed-password-#{current_user.id}"] = "true"
|
2019-10-01 21:08:41 -05:00
|
|
|
end
|
|
|
|
|
2020-01-09 18:45:56 -06:00
|
|
|
def secure_session_confirmed?
|
|
|
|
secure_session["confirmed-password-#{current_user.id}"] == "true"
|
2019-10-01 21:08:41 -05:00
|
|
|
end
|
2013-02-05 13:16:51 -06:00
|
|
|
end
|