sessions_controller.rb 7.4 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334
  1. # Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
  2. class SessionsController < ApplicationController
  3. prepend_before_action :authentication_check, only: %i[switch_to_user list delete]
  4. skip_before_action :verify_csrf_token, only: %i[create show destroy create_omniauth failure_omniauth create_sso]
  5. # "Create" a login, aka "log the user in"
  6. def create
  7. # in case, remove switched_from_user_id
  8. session[:switched_from_user_id] = nil
  9. # authenticate user
  10. user = User.authenticate(params[:username], params[:password])
  11. # check maintenance mode
  12. check_maintenance(user)
  13. # auth failed
  14. raise Exceptions::NotAuthorized, 'Wrong Username or Password combination.' if !user
  15. # remember me - set session cookie to expire later
  16. expire_after = nil
  17. if params[:remember_me]
  18. expire_after = 1.year
  19. end
  20. request.env['rack.session.options'][:expire_after] = expire_after
  21. # set session user
  22. current_user_set(user)
  23. # log device
  24. return if !user_device_log(user, 'session')
  25. # log new session
  26. user.activity_stream_log('session started', user.id, true)
  27. # add session user assets
  28. assets = {}
  29. assets = user.assets(assets)
  30. # auto population of default collections
  31. collections, assets = SessionHelper.default_collections(user, assets)
  32. # get models
  33. models = SessionHelper.models(user)
  34. # sessions created via this
  35. # controller are persistent
  36. session[:persistent] = true
  37. # return new session data
  38. render status: :created,
  39. json: {
  40. session: user,
  41. config: config_frontend,
  42. models: models,
  43. collections: collections,
  44. assets: assets,
  45. }
  46. end
  47. def show
  48. user_id = nil
  49. # no valid sessions
  50. if session[:user_id]
  51. user_id = session[:user_id]
  52. end
  53. if !user_id || !User.exists?(user_id)
  54. # get models
  55. models = SessionHelper.models()
  56. render json: {
  57. error: 'no valid session',
  58. config: config_frontend,
  59. models: models,
  60. collections: {
  61. Locale.to_app_model => Locale.where(active: true)
  62. },
  63. }
  64. return
  65. end
  66. # Save the user ID in the session so it can be used in
  67. # subsequent requests
  68. user = User.find(user_id)
  69. # log device
  70. return if !user_device_log(user, 'session')
  71. # add session user assets
  72. assets = {}
  73. assets = user.assets(assets)
  74. # auto population of default collections
  75. collections, assets = SessionHelper.default_collections(user, assets)
  76. # get models
  77. models = SessionHelper.models(user)
  78. # return current session
  79. render json: {
  80. session: user,
  81. config: config_frontend,
  82. models: models,
  83. collections: collections,
  84. assets: assets,
  85. }
  86. end
  87. # "Delete" a login, aka "log the user out"
  88. def destroy
  89. reset_session
  90. # Remove the user id from the session
  91. @_current_user = nil
  92. # reset session
  93. request.env['rack.session.options'][:expire_after] = nil
  94. render json: {}
  95. end
  96. def create_omniauth
  97. # in case, remove switched_from_user_id
  98. session[:switched_from_user_id] = nil
  99. auth = request.env['omniauth.auth']
  100. if !auth
  101. logger.info('AUTH IS NULL, SERVICE NOT LINKED TO ACCOUNT')
  102. # redirect to app
  103. redirect_to '/'
  104. end
  105. # Create a new user or add an auth to existing user, depending on
  106. # whether there is already a user signed in.
  107. authorization = Authorization.find_from_hash(auth)
  108. if !authorization
  109. authorization = Authorization.create_from_hash(auth, current_user)
  110. end
  111. # check maintenance mode
  112. if check_maintenance_only(authorization.user)
  113. redirect_to '/#'
  114. return
  115. end
  116. # set current session user
  117. current_user_set(authorization.user)
  118. # log new session
  119. authorization.user.activity_stream_log('session started', authorization.user.id, true)
  120. # remember last login date
  121. authorization.user.update_last_login
  122. # redirect to app
  123. redirect_to '/'
  124. end
  125. def failure_omniauth
  126. raise Exceptions::UnprocessableEntity, "Message from #{params[:strategy]}: #{params[:message]}"
  127. end
  128. def create_sso
  129. # in case, remove switched_from_user_id
  130. session[:switched_from_user_id] = nil
  131. user = User.sso(params)
  132. # Log the authorizing user in.
  133. if user
  134. # check maintenance mode
  135. if check_maintenance_only(user)
  136. redirect_to '/#'
  137. return
  138. end
  139. # set current session user
  140. current_user_set(user)
  141. # log new session
  142. user.activity_stream_log('session started', user.id, true)
  143. # remember last login date
  144. user.update_last_login
  145. end
  146. # redirect to app
  147. redirect_to '/#'
  148. end
  149. # "switch" to user
  150. def switch_to_user
  151. permission_check(['admin.session', 'admin.user'])
  152. # check user
  153. if !params[:id]
  154. render(
  155. json: { message: 'no user given' },
  156. status: :not_found
  157. )
  158. return false
  159. end
  160. user = User.find(params[:id])
  161. if !user
  162. render(
  163. json: {},
  164. status: :not_found
  165. )
  166. return false
  167. end
  168. # remember old user
  169. session[:switched_from_user_id] = current_user.id
  170. # log new session
  171. user.activity_stream_log('switch to', current_user.id, true)
  172. # set session user
  173. current_user_set(user)
  174. render(
  175. json: {
  176. success: true,
  177. location: '',
  178. },
  179. )
  180. end
  181. # "switch" back to user
  182. def switch_back_to_user
  183. # check if it's a swich back
  184. if !session[:switched_from_user_id]
  185. response_access_deny
  186. return false
  187. end
  188. user = User.lookup(id: session[:switched_from_user_id])
  189. if !user
  190. render(
  191. json: {},
  192. status: :not_found
  193. )
  194. return false
  195. end
  196. # rememeber current user
  197. current_session_user = current_user
  198. # remove switched_from_user_id
  199. session[:switched_from_user_id] = nil
  200. # set old session user again
  201. current_user_set(user)
  202. # log end session
  203. current_session_user.activity_stream_log('ended switch to', user.id, true)
  204. render(
  205. json: {
  206. success: true,
  207. location: '',
  208. },
  209. )
  210. end
  211. def available
  212. render json: {
  213. app_version: AppVersion.get
  214. }
  215. end
  216. def list
  217. permission_check('admin.session')
  218. assets = {}
  219. sessions_clean = []
  220. SessionHelper.list.each do |session|
  221. next if session.data['user_id'].blank?
  222. sessions_clean.push session
  223. next if session.data['user_id']
  224. user = User.lookup(id: session.data['user_id'])
  225. next if !user
  226. assets = user.assets(assets)
  227. end
  228. render json: {
  229. sessions: sessions_clean,
  230. assets: assets,
  231. }
  232. end
  233. def delete
  234. permission_check('admin.session')
  235. SessionHelper.destroy(params[:id])
  236. render json: {}
  237. end
  238. private
  239. def config_frontend
  240. # config
  241. config = {}
  242. Setting.select('name, preferences').where(frontend: true).each do |setting|
  243. next if setting.preferences[:authentication] == true && !current_user
  244. value = Setting.get(setting.name)
  245. next if !current_user && (value == false || value.nil?)
  246. config[setting.name] = value
  247. end
  248. # remember if we can to swich back to user
  249. if session[:switched_from_user_id]
  250. config['switch_back_to_possible'] = true
  251. end
  252. # remember session_id for websocket logon
  253. if current_user
  254. config['session_id'] = session.id
  255. end
  256. config
  257. end
  258. end