discourse/lib/current_user.rb
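module CurrentUser
  # Length of a well-formed "_t" auth token. Tokens are minted in
  # log_on_user via SecureRandom.hex(16), which yields 32 hex characters.
  AUTH_TOKEN_LENGTH = 32

  # True when the Rack env carries a "_t" cookie of the expected token length.
  # This is a shape check only; it does not prove the token belongs to anyone.
  # @param env [Hash] Rack environment
  # @return [Boolean]
  def self.has_auth_cookie?(env)
    cookie = Rack::Request.new(env).cookies["_t"]
    well_formed_token?(cookie)
  end

  # Resolve the user identified by the "_t" cookie of a Rack env.
  # @param env [Hash] Rack environment
  # @return [User, nil]
  def self.lookup_from_env(env)
    lookup_from_auth_token(Rack::Request.new(env).cookies["_t"])
  end

  # Resolve the user owning +auth_token+. Malformed tokens are rejected before
  # any database query is issued.
  # @param auth_token [String, nil] value of the "_t" cookie
  # @return [User, nil]
  def self.lookup_from_auth_token(auth_token)
    return nil unless well_formed_token?(auth_token)

    User.where(auth_token: auth_token).first
  end

  # Shared shape check for auth tokens. Deliberately insists on a String so a
  # non-string value coming from a request can never reach the query.
  # @param token [Object]
  # @return [Boolean]
  def self.well_formed_token?(token)
    token.is_a?(String) && token.length == AUTH_TOKEN_LENGTH
  end

  # Pretend there is no current user for the remainder of this request
  # (the original note says this is used for CSRF attacks, i.e. presumably
  # when a request fails CSRF verification — confirm against callers).
  def clear_current_user
    @current_user = nil
    @not_logged_in = true
  end

  # Log +user+ in: record the id in the session and issue the permanent "_t"
  # cookie, minting (and persisting) a fresh auth token if the user does not
  # already have a well-formed one.
  # @param user [User]
  # @raise whatever +user.save!+ raises when the token cannot be persisted
  def log_on_user(user)
    session[:current_user_id] = user.id
    unless CurrentUser.well_formed_token?(user.auth_token)
      user.auth_token = SecureRandom.hex(16)
      user.save!
    end
    set_permanent_cookie!(user)
  end

  # Write the permanent "_t" cookie holding the user's auth token.
  # httponly keeps the token out of reach of scripts. NOTE(review): no
  # +secure:+ flag is set here, so the token is also sent over plain HTTP
  # unless SSL is enforced elsewhere in the app — confirm.
  # @param user [User]
  def set_permanent_cookie!(user)
    cookies.permanent["_t"] = { value: user.auth_token, httponly: true }
  end

  # Whether the current user was resolved from api_key/api_username params.
  # Resolving current_user first guarantees @is_api has been populated.
  # @return [true, nil]
  def is_api?
    current_user
    @is_api
  end

  # Resolve and memoize the user for this request. Sources, in order:
  #   1. the session's :current_user_id (verified against the "_t" cookie),
  #   2. the permanent "_t" cookie when there is no session,
  #   3. api_key/api_username parameters when neither yields a user.
  # Banned users from sources 1 and 2 are treated as anonymous.
  # @return [User, nil]
  def current_user
    return @current_user if @current_user || @not_logged_in

    if session[:current_user_id].blank?
      # no session: maybe the permanent cookie identifies the user
      @current_user = CurrentUser.lookup_from_auth_token(cookies["_t"])
      session[:current_user_id] = @current_user.id if @current_user
    else
      @current_user ||= User.where(id: session[:current_user_id]).first
      # I have flip flopped on this (sam), if our permanent cookie
      # conflicts with our current session assume session is bust
      # kill it — the session id is cleared too, so the stale id is not
      # carried into later requests.
      # NOTE(review): this is a plain string comparison of a cookie against the
      # stored token; a constant-time comparison would be preferable if the
      # app's Rails version offers one — confirm.
      if @current_user && cookies["_t"] != @current_user.auth_token
        @current_user = nil
        session[:current_user_id] = nil
      end
    end

    if @current_user && @current_user.is_banned?
      @current_user = nil
    end

    # Memoize the "nobody" outcome on what was actually resolved rather than on
    # the raw session: a session that was rejected above (cookie mismatch or
    # banned user) would otherwise be re-queried on every call within the request.
    @not_logged_in = @current_user.nil?

    if @current_user
      @current_user.update_last_seen!
      @current_user.update_ip_address!(request.remote_ip)
    end

    # possible we have an api call, impersonate
    # NOTE(review): the impersonated user is not run through the is_banned?
    # check above — confirm whether that is intended.
    unless @current_user
      api_key = request["api_key"]
      api_username = request["api_username"]
      # Rack params may be arrays/hashes; insist on a String so .downcase
      # cannot raise on crafted input.
      if api_key && api_username.is_a?(String) && SiteSetting.api_key_valid?(api_key)
        @is_api = true
        @current_user = User.where(username_lower: api_username.downcase).first
      end
    end

    @current_user
  end
end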