application_controller.rb 9.6 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372
  1. # Copyright (C) 2012-2014 Zammad Foundation, http://zammad-foundation.org/
  2. class ApplicationController < ActionController::Base
  3. # http_basic_authenticate_with :name => "test", :password => "ttt"
  4. helper_method :current_user,
  5. :authentication_check,
  6. :config_frontend,
  7. :role?,
  8. :model_create_render,
  9. :model_update_render,
  10. :model_restory_render,
  11. :mode_show_rendeder,
  12. :model_index_render
  13. skip_before_action :verify_authenticity_token
  14. before_action :set_user, :session_update
  15. before_action :cors_preflight_check
  16. after_action :set_access_control_headers
  17. after_action :trigger_events
  18. # For all responses in this controller, return the CORS access control headers.
  19. def set_access_control_headers
  20. headers['Access-Control-Allow-Origin'] = '*'
  21. headers['Access-Control-Allow-Methods'] = 'POST, GET, PUT, DELETE, OPTIONS'
  22. headers['Access-Control-Max-Age'] = '1728000'
  23. headers['Access-Control-Allow-Headers'] = 'Content-Type, Depth, User-Agent, X-File-Size, X-Requested-With, If-Modified-Since, X-File-Name, Cache-Control, Accept-Language'
  24. headers['Access-Control-Allow-Credentials'] = 'true'
  25. end
  26. # If this is a preflight OPTIONS request, then short-circuit the
  27. # request, return only the necessary headers and return an empty
  28. # text/plain.
  29. def cors_preflight_check
  30. return if request.method != 'OPTIONS'
  31. headers['Access-Control-Allow-Origin'] = '*'
  32. headers['Access-Control-Allow-Methods'] = 'POST, GET, PUT, DELETE, OPTIONS'
  33. headers['Access-Control-Allow-Headers'] = 'Content-Type, Depth, User-Agent, X-File-Size, X-Requested-With, If-Modified-Since, X-File-Name, Cache-Control, Accept-Language'
  34. headers['Access-Control-Max-Age'] = '1728000'
  35. headers['Access-Control-Allow-Credentials'] = 'true'
  36. render text: '', content_type: 'text/plain'
  37. false
  38. end
  39. private
  40. # execute events
  41. def trigger_events
  42. Observer::Ticket::Notification.transaction
  43. end
  44. # Finds the User with the ID stored in the session with the key
  45. # :current_user_id This is a common way to handle user login in
  46. # a Rails application; logging in sets the session value and
  47. # logging out removes it.
  48. def current_user
  49. return @_current_user if @_current_user
  50. return if !session[:user_id]
  51. @_current_user = User.find( session[:user_id] )
  52. end
  53. def current_user_set(user)
  54. session[:user_id] = user.id
  55. @_current_user = user
  56. set_user
  57. end
  58. # Sets the current user into a named Thread location so that it can be accessed
  59. # by models and observers
  60. def set_user
  61. return if !current_user
  62. UserInfo.current_user_id = current_user.id
  63. end
  64. # update session updated_at
  65. def session_update
  66. #sleep 0.6
  67. session[:ping] = Time.zone.now.iso8601
  68. # check if remote ip need to be updated
  69. if !session[:remote_id] || session[:remote_id] != request.remote_ip
  70. session[:remote_id] = request.remote_ip
  71. session[:geo] = Service::GeoIp.location( request.remote_ip )
  72. end
  73. # fill user agent
  74. return if session[:user_agent]
  75. session[:user_agent] = request.env['HTTP_USER_AGENT']
  76. end
  77. def authentication_check_only(auth_param)
  78. logger.debug 'authentication_check'
  79. #logger.debug params.inspect
  80. #logger.debug session.inspect
  81. #logger.debug cookies.inspect
  82. # already logged in, early exit
  83. if session.id && session[:user_id]
  84. userdata = User.find( session[:user_id] )
  85. current_user_set(userdata)
  86. return {
  87. auth: true
  88. }
  89. end
  90. error_message = 'authentication failed'
  91. # check logon session
  92. if params['logon_session']
  93. logon_session = ActiveRecord::SessionStore::Session.where( session_id: params['logon_session'] ).first
  94. # set logon session user to current user
  95. if logon_session
  96. userdata = User.find( logon_session.data[:user_id] )
  97. current_user_set(userdata)
  98. session[:persistent] = true
  99. return {
  100. auth: true
  101. }
  102. end
  103. error_message = 'no valid session, user_id'
  104. end
  105. # check sso
  106. sso_userdata = User.sso(params)
  107. if sso_userdata
  108. current_user_set(sso_userdata)
  109. session[:persistent] = true
  110. return {
  111. auth: true
  112. }
  113. end
  114. # check http basic auth
  115. authenticate_with_http_basic do |username, password|
  116. logger.debug "http basic auth check '#{username}'"
  117. userdata = User.authenticate( username, password )
  118. next if !userdata
  119. # set basic auth user to current user
  120. current_user_set(userdata)
  121. return {
  122. auth: true
  123. }
  124. end
  125. # check token
  126. if auth_param[:token_action]
  127. authenticate_with_http_token do |token, _options|
  128. logger.debug "token auth check #{token}"
  129. userdata = Token.check(
  130. action: auth_param[:token_action],
  131. name: token,
  132. )
  133. next if !userdata
  134. # set token user to current user
  135. current_user_set(userdata)
  136. return {
  137. auth: true
  138. }
  139. end
  140. end
  141. logger.debug error_message
  142. {
  143. auth: false,
  144. message: error_message,
  145. }
  146. end
  147. def authentication_check( auth_param = {} )
  148. result = authentication_check_only(auth_param)
  149. # check if basic_auth fallback is possible
  150. if auth_param[:basic_auth_promt] && result[:auth] == false
  151. return request_http_basic_authentication
  152. end
  153. # return auth not ok
  154. if result[:auth] == false
  155. render(
  156. json: {
  157. error: result[:message],
  158. },
  159. status: :unauthorized
  160. )
  161. return false
  162. end
  163. # store current user id into the session
  164. session[:user_id] = current_user.id
  165. # return auth ok
  166. true
  167. end
  168. def role?( role_name )
  169. return false if !current_user
  170. current_user.role?( role_name )
  171. end
  172. def ticket_permission(ticket)
  173. return true if ticket.permission( current_user: current_user )
  174. response_access_deny
  175. false
  176. end
  177. def deny_if_not_role( role_name )
  178. return false if role?( role_name )
  179. response_access_deny
  180. true
  181. end
  182. def valid_session_with_user
  183. return true if current_user
  184. render json: { message: 'No session user!' }, status: :unprocessable_entity
  185. false
  186. end
  187. def response_access_deny
  188. render(
  189. json: {},
  190. status: :unauthorized
  191. )
  192. false
  193. end
  194. def config_frontend
  195. # config
  196. config = {}
  197. Setting.select('name').where( frontend: true ).each { |setting|
  198. config[setting.name] = Setting.get(setting.name)
  199. }
  200. # get all time zones
  201. config['timezones'] = {}
  202. TZInfo::Timezone.all.each { |t|
  203. # ignore the following time zones
  204. next if t.name =~ /^GMT/
  205. next if t.name =~ /^Etc/
  206. next if t.name =~ /^MET/
  207. next if t.name =~ /^MST/
  208. next if t.name =~ /^ROC/
  209. next if t.name =~ /^ROK/
  210. diff = t.current_period.utc_total_offset / 60 / 60
  211. config['timezones'][ t.name ] = diff
  212. }
  213. if session[:switched_from_user_id]
  214. config['switch_back_to_possible'] = true
  215. end
  216. config
  217. end
  218. # model helper
  219. def model_create_render (object, params)
  220. # create object
  221. generic_object = object.new( object.param_cleanup( params[object.to_app_model_url], true ) )
  222. # save object
  223. generic_object.save!
  224. # set relations
  225. generic_object.param_set_associations( params )
  226. model_create_render_item(generic_object)
  227. rescue => e
  228. logger.error e.message
  229. logger.error e.backtrace.inspect
  230. render json: { error: e.message }, status: :unprocessable_entity
  231. end
  232. def model_create_render_item (generic_object)
  233. render json: generic_object.attributes_with_associations, status: :created
  234. end
  235. def model_update_render (object, params)
  236. # find object
  237. generic_object = object.find( params[:id] )
  238. # save object
  239. generic_object.update_attributes!( object.param_cleanup( params[object.to_app_model_url] ) )
  240. # set relations
  241. generic_object.param_set_associations( params )
  242. model_update_render_item( generic_object )
  243. rescue => e
  244. logger.error e.message
  245. logger.error e.backtrace.inspect
  246. render json: { error: e.message }, status: :unprocessable_entity
  247. end
  248. def model_update_render_item (generic_object)
  249. render json: generic_object.attributes_with_associations, status: :ok
  250. end
  251. def model_destory_render (object, params)
  252. generic_object = object.find( params[:id] )
  253. generic_object.destroy
  254. model_destory_render_item()
  255. rescue => e
  256. logger.error e.message
  257. logger.error e.backtrace.inspect
  258. render json: { error: e.message }, status: :unprocessable_entity
  259. end
  260. def model_destory_render_item ()
  261. render json: {}, status: :ok
  262. end
  263. def model_show_render (object, params)
  264. if params[:full]
  265. generic_object_full = object.full( params[:id] )
  266. render json: generic_object_full, status: :ok
  267. return
  268. end
  269. generic_object = object.find( params[:id] )
  270. model_show_render_item(generic_object)
  271. rescue => e
  272. logger.error e.message
  273. logger.error e.backtrace.inspect
  274. render json: { error: e.message }, status: :unprocessable_entity
  275. end
  276. def model_show_render_item (generic_object)
  277. render json: generic_object.attributes_with_associations, status: :ok
  278. end
  279. def model_index_render (object, _params)
  280. generic_objects = object.all
  281. model_index_render_result( generic_objects )
  282. rescue => e
  283. logger.error e.message
  284. logger.error e.backtrace.inspect
  285. render json: { error: e.message }, status: :unprocessable_entity
  286. end
  287. def model_index_render_result (generic_objects)
  288. render json: generic_objects, status: :ok
  289. end
  290. end