123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329 |
- # Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
- class SessionsController < ApplicationController
- prepend_before_action :authentication_check, only: %i[switch_to_user list delete]
- skip_before_action :verify_csrf_token, only: %i[create show destroy create_omniauth create_sso]
- # "Create" a login, aka "log the user in"
- def create
- # in case, remove switched_from_user_id
- session[:switched_from_user_id] = nil
- # authenticate user
- user = User.authenticate(params[:username], params[:password])
- # check maintenance mode
- check_maintenance(user)
- # auth failed
- raise Exceptions::NotAuthorized, 'Wrong Username or Password combination.' if !user
- # remember me - set session cookie to expire later
- expire_after = nil
- if params[:remember_me]
- expire_after = 1.year
- end
- request.env['rack.session.options'][:expire_after] = expire_after
- # set session user
- current_user_set(user)
- # log device
- return if !user_device_log(user, 'session')
- # log new session
- user.activity_stream_log('session started', user.id, true)
- # add session user assets
- assets = {}
- assets = user.assets(assets)
- # auto population of default collections
- collections, assets = SessionHelper.default_collections(user, assets)
- # get models
- models = SessionHelper.models(user)
- # sessions created via this
- # controller are persistent
- session[:persistent] = true
- # return new session data
- render status: :created,
- json: {
- session: user,
- config: config_frontend,
- models: models,
- collections: collections,
- assets: assets,
- }
- end
- def show
- user_id = nil
- # no valid sessions
- if session[:user_id]
- user_id = session[:user_id]
- end
- if !user_id
- # get models
- models = SessionHelper.models()
- render json: {
- error: 'no valid session',
- config: config_frontend,
- models: models,
- collections: {
- Locale.to_app_model => Locale.where(active: true)
- },
- }
- return
- end
- # Save the user ID in the session so it can be used in
- # subsequent requests
- user = User.find(user_id)
- # log device
- return if !user_device_log(user, 'session')
- # add session user assets
- assets = {}
- assets = user.assets(assets)
- # auto population of default collections
- collections, assets = SessionHelper.default_collections(user, assets)
- # get models
- models = SessionHelper.models(user)
- # return current session
- render json: {
- session: user,
- config: config_frontend,
- models: models,
- collections: collections,
- assets: assets,
- }
- end
- # "Delete" a login, aka "log the user out"
- def destroy
- # Remove the user id from the session
- @_current_user = nil
- # reset session
- request.env['rack.session.options'][:expire_after] = nil
- session.clear
- render json: {}
- end
- def create_omniauth
- # in case, remove switched_from_user_id
- session[:switched_from_user_id] = nil
- auth = request.env['omniauth.auth']
- if !auth
- logger.info('AUTH IS NULL, SERVICE NOT LINKED TO ACCOUNT')
- # redirect to app
- redirect_to '/'
- end
- # Create a new user or add an auth to existing user, depending on
- # whether there is already a user signed in.
- authorization = Authorization.find_from_hash(auth)
- if !authorization
- authorization = Authorization.create_from_hash(auth, current_user)
- end
- # check maintenance mode
- if check_maintenance_only(authorization.user)
- redirect_to '/#'
- return
- end
- # set current session user
- current_user_set(authorization.user)
- # log new session
- authorization.user.activity_stream_log('session started', authorization.user.id, true)
- # remember last login date
- authorization.user.update_last_login
- # redirect to app
- redirect_to '/'
- end
- def create_sso
- # in case, remove switched_from_user_id
- session[:switched_from_user_id] = nil
- user = User.sso(params)
- # Log the authorizing user in.
- if user
- # check maintenance mode
- if check_maintenance_only(user)
- redirect_to '/#'
- return
- end
- # set current session user
- current_user_set(user)
- # log new session
- user.activity_stream_log('session started', user.id, true)
- # remember last login date
- user.update_last_login
- end
- # redirect to app
- redirect_to '/#'
- end
- # "switch" to user
- def switch_to_user
- permission_check(['admin.session', 'admin.user'])
- # check user
- if !params[:id]
- render(
- json: { message: 'no user given' },
- status: :not_found
- )
- return false
- end
- user = User.find(params[:id])
- if !user
- render(
- json: {},
- status: :not_found
- )
- return false
- end
- # remember old user
- session[:switched_from_user_id] = current_user.id
- # log new session
- user.activity_stream_log('switch to', current_user.id, true)
- # set session user
- current_user_set(user)
- render(
- json: {
- success: true,
- location: '',
- },
- )
- end
- # "switch" back to user
- def switch_back_to_user
- # check if it's a swich back
- if !session[:switched_from_user_id]
- response_access_deny
- return false
- end
- user = User.lookup(id: session[:switched_from_user_id])
- if !user
- render(
- json: {},
- status: :not_found
- )
- return false
- end
- # rememeber current user
- current_session_user = current_user
- # remove switched_from_user_id
- session[:switched_from_user_id] = nil
- # set old session user again
- current_user_set(user)
- # log end session
- current_session_user.activity_stream_log('ended switch to', user.id, true)
- render(
- json: {
- success: true,
- location: '',
- },
- )
- end
- def available
- render json: {
- app_version: AppVersion.get
- }
- end
- def list
- permission_check('admin.session')
- assets = {}
- sessions_clean = []
- SessionHelper.list.each do |session|
- next if session.data['user_id'].blank?
- sessions_clean.push session
- next if session.data['user_id']
- user = User.lookup(id: session.data['user_id'])
- next if !user
- assets = user.assets(assets)
- end
- render json: {
- sessions: sessions_clean,
- assets: assets,
- }
- end
- def delete
- permission_check('admin.session')
- SessionHelper.destroy(params[:id])
- render json: {}
- end
- private
- def config_frontend
- # config
- config = {}
- Setting.select('name, preferences').where(frontend: true).each do |setting|
- next if setting.preferences[:authentication] == true && !current_user
- value = Setting.get(setting.name)
- next if !current_user && (value == false || value.nil?)
- config[setting.name] = value
- end
- # remember if we can to swich back to user
- if session[:switched_from_user_id]
- config['switch_back_to_possible'] = true
- end
- # remember session_id for websocket logon
- if current_user
- config['session_id'] = session.id
- end
- config
- end
- end
|