application_controller.rb 10 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398
  1. # Copyright (C) 2012-2014 Zammad Foundation, http://zammad-foundation.org/
  2. class ApplicationController < ActionController::Base
  3. # http_basic_authenticate_with :name => "test", :password => "ttt"
  4. helper_method :current_user,
  5. :authentication_check,
  6. :config_frontend,
  7. :role?,
  8. :model_create_render,
  9. :model_update_render,
  10. :model_restory_render,
  11. :mode_show_rendeder,
  12. :model_index_render
  13. skip_before_action :verify_authenticity_token
  14. before_action :set_user, :session_update, :check_user_device
  15. before_action :cors_preflight_check
  16. after_action :set_access_control_headers
  17. after_action :trigger_events
  18. # For all responses in this controller, return the CORS access control headers.
  19. def set_access_control_headers
  20. headers['Access-Control-Allow-Origin'] = '*'
  21. headers['Access-Control-Allow-Methods'] = 'POST, GET, PUT, DELETE, OPTIONS'
  22. headers['Access-Control-Max-Age'] = '1728000'
  23. headers['Access-Control-Allow-Headers'] = 'Content-Type, Depth, User-Agent, X-File-Size, X-Requested-With, If-Modified-Since, X-File-Name, Cache-Control, Accept-Language'
  24. headers['Access-Control-Allow-Credentials'] = 'true'
  25. end
  26. # If this is a preflight OPTIONS request, then short-circuit the
  27. # request, return only the necessary headers and return an empty
  28. # text/plain.
  29. def cors_preflight_check
  30. return if request.method != 'OPTIONS'
  31. headers['Access-Control-Allow-Origin'] = '*'
  32. headers['Access-Control-Allow-Methods'] = 'POST, GET, PUT, DELETE, OPTIONS'
  33. headers['Access-Control-Allow-Headers'] = 'Content-Type, Depth, User-Agent, X-File-Size, X-Requested-With, If-Modified-Since, X-File-Name, Cache-Control, Accept-Language'
  34. headers['Access-Control-Max-Age'] = '1728000'
  35. headers['Access-Control-Allow-Credentials'] = 'true'
  36. render text: '', content_type: 'text/plain'
  37. false
  38. end
  39. private
  40. # execute events
  41. def trigger_events
  42. Observer::Ticket::Notification.transaction
  43. end
  44. # Finds the User with the ID stored in the session with the key
  45. # :current_user_id This is a common way to handle user login in
  46. # a Rails application; logging in sets the session value and
  47. # logging out removes it.
  48. def current_user
  49. return @_current_user if @_current_user
  50. return if !session[:user_id]
  51. @_current_user = User.find( session[:user_id] )
  52. end
  53. def current_user_set(user)
  54. session[:user_id] = user.id
  55. @_current_user = user
  56. set_user
  57. end
  58. # Sets the current user into a named Thread location so that it can be accessed
  59. # by models and observers
  60. def set_user
  61. return if !current_user
  62. UserInfo.current_user_id = current_user.id
  63. end
  64. # update session updated_at
  65. def session_update
  66. #sleep 0.6
  67. session[:ping] = Time.zone.now.iso8601
  68. # check if remote ip need to be updated
  69. if !session[:remote_id] || session[:remote_id] != request.remote_ip
  70. session[:remote_id] = request.remote_ip
  71. session[:geo] = Service::GeoIp.location( request.remote_ip )
  72. end
  73. # fill user agent
  74. return if session[:user_agent]
  75. session[:user_agent] = request.env['HTTP_USER_AGENT']
  76. end
  77. # check user device
  78. def check_user_device
  79. # return if we are in switch to user mode
  80. return if session[:switched_from_user_id]
  81. # only if user_id exists
  82. return if !session[:user_id]
  83. # only if write action
  84. return if request.method == 'GET' || request.method == 'OPTIONS'
  85. # only update if needed
  86. return if session[:check_user_device_at] && session[:check_user_device_at] > Time.zone.now - 5.minutes
  87. session[:check_user_device_at] = Time.zone.now
  88. user_device = UserDevice.add(
  89. session[:user_agent],
  90. session[:remote_id],
  91. session[:user_id],
  92. )
  93. if user_device.id != session[:check_user_device_id]
  94. session[:check_user_device_id] = user_device.id
  95. end
  96. end
  97. def authentication_check_only(auth_param)
  98. logger.debug 'authentication_check'
  99. #logger.debug params.inspect
  100. #logger.debug session.inspect
  101. #logger.debug cookies.inspect
  102. # already logged in, early exit
  103. if session.id && session[:user_id]
  104. userdata = User.find( session[:user_id] )
  105. current_user_set(userdata)
  106. return {
  107. auth: true
  108. }
  109. end
  110. error_message = 'authentication failed'
  111. # check logon session
  112. if params['logon_session']
  113. logon_session = ActiveRecord::SessionStore::Session.where( session_id: params['logon_session'] ).first
  114. # set logon session user to current user
  115. if logon_session
  116. userdata = User.find( logon_session.data[:user_id] )
  117. current_user_set(userdata)
  118. session[:persistent] = true
  119. return {
  120. auth: true
  121. }
  122. end
  123. error_message = 'no valid session, user_id'
  124. end
  125. # check sso
  126. sso_userdata = User.sso(params)
  127. if sso_userdata
  128. current_user_set(sso_userdata)
  129. session[:persistent] = true
  130. return {
  131. auth: true
  132. }
  133. end
  134. # check http basic auth
  135. authenticate_with_http_basic do |username, password|
  136. logger.debug "http basic auth check '#{username}'"
  137. userdata = User.authenticate( username, password )
  138. next if !userdata
  139. # set basic auth user to current user
  140. current_user_set(userdata)
  141. return {
  142. auth: true
  143. }
  144. end
  145. # check token
  146. if auth_param[:token_action]
  147. authenticate_with_http_token do |token, _options|
  148. logger.debug "token auth check #{token}"
  149. userdata = Token.check(
  150. action: auth_param[:token_action],
  151. name: token,
  152. )
  153. next if !userdata
  154. # set token user to current user
  155. current_user_set(userdata)
  156. return {
  157. auth: true
  158. }
  159. end
  160. end
  161. logger.debug error_message
  162. {
  163. auth: false,
  164. message: error_message,
  165. }
  166. end
  167. def authentication_check( auth_param = {} )
  168. result = authentication_check_only(auth_param)
  169. # check if basic_auth fallback is possible
  170. if auth_param[:basic_auth_promt] && result[:auth] == false
  171. return request_http_basic_authentication
  172. end
  173. # return auth not ok
  174. if result[:auth] == false
  175. render(
  176. json: {
  177. error: result[:message],
  178. },
  179. status: :unauthorized
  180. )
  181. return false
  182. end
  183. # store current user id into the session
  184. session[:user_id] = current_user.id
  185. # return auth ok
  186. true
  187. end
  188. def role?( role_name )
  189. return false if !current_user
  190. current_user.role?( role_name )
  191. end
  192. def ticket_permission(ticket)
  193. return true if ticket.permission( current_user: current_user )
  194. response_access_deny
  195. false
  196. end
  197. def deny_if_not_role( role_name )
  198. return false if role?( role_name )
  199. response_access_deny
  200. true
  201. end
  202. def valid_session_with_user
  203. return true if current_user
  204. render json: { message: 'No session user!' }, status: :unprocessable_entity
  205. false
  206. end
  207. def response_access_deny
  208. render(
  209. json: {},
  210. status: :unauthorized
  211. )
  212. false
  213. end
  214. def config_frontend
  215. # config
  216. config = {}
  217. Setting.select('name').where( frontend: true ).each { |setting|
  218. config[setting.name] = Setting.get(setting.name)
  219. }
  220. # get all time zones
  221. config['timezones'] = {}
  222. TZInfo::Timezone.all.each { |t|
  223. # ignore the following time zones
  224. next if t.name =~ /^GMT/
  225. next if t.name =~ /^Etc/
  226. next if t.name =~ /^MET/
  227. next if t.name =~ /^MST/
  228. next if t.name =~ /^ROC/
  229. next if t.name =~ /^ROK/
  230. diff = t.current_period.utc_total_offset / 60 / 60
  231. config['timezones'][ t.name ] = diff
  232. }
  233. if session[:switched_from_user_id]
  234. config['switch_back_to_possible'] = true
  235. end
  236. config
  237. end
  238. # model helper
  239. def model_create_render (object, params)
  240. # create object
  241. generic_object = object.new( object.param_cleanup( params[object.to_app_model_url], true ) )
  242. # save object
  243. generic_object.save!
  244. # set relations
  245. generic_object.param_set_associations( params )
  246. model_create_render_item(generic_object)
  247. rescue => e
  248. logger.error e.message
  249. logger.error e.backtrace.inspect
  250. render json: { error: e.message }, status: :unprocessable_entity
  251. end
  252. def model_create_render_item (generic_object)
  253. render json: generic_object.attributes_with_associations, status: :created
  254. end
  255. def model_update_render (object, params)
  256. # find object
  257. generic_object = object.find( params[:id] )
  258. # save object
  259. generic_object.update_attributes!( object.param_cleanup( params[object.to_app_model_url] ) )
  260. # set relations
  261. generic_object.param_set_associations( params )
  262. model_update_render_item( generic_object )
  263. rescue => e
  264. logger.error e.message
  265. logger.error e.backtrace.inspect
  266. render json: { error: e.message }, status: :unprocessable_entity
  267. end
  268. def model_update_render_item (generic_object)
  269. render json: generic_object.attributes_with_associations, status: :ok
  270. end
  271. def model_destory_render (object, params)
  272. generic_object = object.find( params[:id] )
  273. generic_object.destroy
  274. model_destory_render_item()
  275. rescue => e
  276. logger.error e.message
  277. logger.error e.backtrace.inspect
  278. render json: { error: e.message }, status: :unprocessable_entity
  279. end
  280. def model_destory_render_item ()
  281. render json: {}, status: :ok
  282. end
  283. def model_show_render (object, params)
  284. if params[:full]
  285. generic_object_full = object.full( params[:id] )
  286. render json: generic_object_full, status: :ok
  287. return
  288. end
  289. generic_object = object.find( params[:id] )
  290. model_show_render_item(generic_object)
  291. rescue => e
  292. logger.error e.message
  293. logger.error e.backtrace.inspect
  294. render json: { error: e.message }, status: :unprocessable_entity
  295. end
  296. def model_show_render_item (generic_object)
  297. render json: generic_object.attributes_with_associations, status: :ok
  298. end
  299. def model_index_render (object, _params)
  300. generic_objects = object.all
  301. model_index_render_result( generic_objects )
  302. rescue => e
  303. logger.error e.message
  304. logger.error e.backtrace.inspect
  305. render json: { error: e.message }, status: :unprocessable_entity
  306. end
  307. def model_index_render_result (generic_objects)
  308. render json: generic_objects, status: :ok
  309. end
  310. end