2013-02-14 12:57:26 -05:00
|
|
|
require_dependency 'discourse_hub'
|
2013-06-06 10:40:10 -04:00
|
|
|
require_dependency 'user_name_suggester'
|
2014-09-18 10:48:56 -04:00
|
|
|
require_dependency 'rate_limiter'
|
2016-10-18 11:44:25 -04:00
|
|
|
require_dependency 'wizard'
|
|
|
|
require_dependency 'wizard/builder'
|
2013-02-05 14:16:51 -05:00
|
|
|
|
|
|
|
class UsersController < ApplicationController
|
|
|
|
|
2013-08-14 06:20:05 -04:00
|
|
|
skip_before_filter :authorize_mini_profiler, only: [:avatar]
|
2016-03-07 14:40:11 -05:00
|
|
|
skip_before_filter :check_xhr, only: [:show, :password_reset, :update, :account_created, :activate_account, :perform_account_activation, :user_preferences_redirect, :avatar, :my_redirect, :toggle_anon, :admin_login]
|
2013-02-05 14:16:51 -05:00
|
|
|
|
2016-08-12 02:35:10 -04:00
|
|
|
before_filter :ensure_logged_in, only: [:username, :update, :user_preferences_redirect, :upload_user_image,
|
|
|
|
:pick_avatar, :destroy_user_image, :destroy, :check_emails, :topic_tracking_state]
|
|
|
|
|
2013-11-12 17:37:38 -05:00
|
|
|
before_filter :respond_to_suspicious_request, only: [:create]
|
2013-02-07 10:45:24 -05:00
|
|
|
|
2013-05-22 11:20:16 -04:00
|
|
|
# we need to allow account creation with bad CSRF tokens, if people are caching, the CSRF token on the
|
2013-05-03 02:43:11 -04:00
|
|
|
# page is going to be empty, this means that server will see an invalid CSRF and blow the session
|
|
|
|
# once that happens you can't log in with social
|
2013-06-05 00:01:24 -04:00
|
|
|
skip_before_filter :verify_authenticity_token, only: [:create]
|
2013-07-15 12:12:54 -04:00
|
|
|
skip_before_filter :redirect_to_login_if_required, only: [:check_username,
|
|
|
|
:create,
|
|
|
|
:get_honeypot_value,
|
2014-09-23 09:50:57 -04:00
|
|
|
:account_created,
|
2013-07-15 12:12:54 -04:00
|
|
|
:activate_account,
|
2014-07-15 13:47:47 -04:00
|
|
|
:perform_account_activation,
|
2013-07-15 12:12:54 -04:00
|
|
|
:send_activation_email,
|
2015-04-27 06:59:48 -04:00
|
|
|
:password_reset,
|
2016-01-04 11:48:54 -05:00
|
|
|
:confirm_email_token,
|
2015-04-27 06:59:48 -04:00
|
|
|
:admin_login]
|
2013-05-03 02:43:11 -04:00
|
|
|
|
2015-03-19 11:48:16 -04:00
|
|
|
def index
|
|
|
|
end
|
|
|
|
|
2013-02-07 10:45:24 -05:00
|
|
|
def show
|
2015-10-28 14:56:08 -04:00
|
|
|
raise Discourse::InvalidAccess if SiteSetting.hide_user_profiles_from_public && !current_user
|
|
|
|
|
2016-09-23 00:44:08 -04:00
|
|
|
@user = fetch_user_from_params(
|
|
|
|
{ include_inactive: current_user.try(:staff?) },
|
|
|
|
[{ user_profile: :card_image_badge }]
|
|
|
|
)
|
|
|
|
|
2013-03-08 15:04:37 -05:00
|
|
|
user_serializer = UserSerializer.new(@user, scope: guardian, root: 'user')
|
2015-12-17 02:06:04 -05:00
|
|
|
|
|
|
|
# TODO remove this options from serializer
|
|
|
|
user_serializer.omit_stats = true
|
|
|
|
|
2015-03-24 12:33:17 -04:00
|
|
|
topic_id = params[:include_post_count_for].to_i
|
|
|
|
if topic_id != 0
|
|
|
|
user_serializer.topic_post_count = {topic_id => Post.where(topic_id: topic_id, user_id: @user.id).count }
|
|
|
|
end
|
|
|
|
|
2015-09-14 03:51:17 -04:00
|
|
|
if !params[:skip_track_visit] && (@user != current_user)
|
|
|
|
track_visit_to_user_profile
|
|
|
|
end
|
|
|
|
|
2015-02-02 12:55:32 -05:00
|
|
|
# This is a hack to get around a Rails issue where values with periods aren't handled correctly
|
|
|
|
# when used as part of a route.
|
|
|
|
if params[:external_id] and params[:external_id].ends_with? '.json'
|
|
|
|
return render_json_dump(user_serializer)
|
|
|
|
end
|
|
|
|
|
2013-03-08 15:04:37 -05:00
|
|
|
respond_to do |format|
|
|
|
|
format.html do
|
2014-11-27 13:51:13 -05:00
|
|
|
@restrict_fields = guardian.restrict_user_fields?(@user)
|
2013-03-08 15:04:37 -05:00
|
|
|
store_preloaded("user_#{@user.username}", MultiJson.dump(user_serializer))
|
|
|
|
end
|
|
|
|
|
|
|
|
format.json do
|
|
|
|
render_json_dump(user_serializer)
|
|
|
|
end
|
2013-02-05 14:16:51 -05:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2014-10-20 13:15:58 -04:00
|
|
|
def card_badge
|
|
|
|
end
|
|
|
|
|
|
|
|
def update_card_badge
|
|
|
|
user = fetch_user_from_params
|
|
|
|
guardian.ensure_can_edit!(user)
|
|
|
|
|
|
|
|
user_badge = UserBadge.find_by(id: params[:user_badge_id].to_i)
|
|
|
|
if user_badge && user_badge.user == user && user_badge.badge.image.present?
|
|
|
|
user.user_profile.update_column(:card_image_badge_id, user_badge.badge.id)
|
|
|
|
else
|
|
|
|
user.user_profile.update_column(:card_image_badge_id, nil)
|
|
|
|
end
|
|
|
|
|
|
|
|
render nothing: true
|
|
|
|
end
|
|
|
|
|
2013-02-05 14:16:51 -05:00
|
|
|
def user_preferences_redirect
|
|
|
|
redirect_to email_preferences_path(current_user.username_lower)
|
|
|
|
end
|
|
|
|
|
|
|
|
def update
|
2013-10-07 06:19:45 -04:00
|
|
|
user = fetch_user_from_params
|
2013-02-05 14:16:51 -05:00
|
|
|
guardian.ensure_can_edit!(user)
|
2014-09-26 14:48:34 -04:00
|
|
|
|
|
|
|
if params[:user_fields].present?
|
2015-02-05 17:03:23 -05:00
|
|
|
params[:custom_fields] = {} unless params[:custom_fields].present?
|
2015-03-20 15:18:43 -04:00
|
|
|
|
|
|
|
fields = UserField.all
|
|
|
|
fields = fields.where(editable: true) unless current_user.staff?
|
|
|
|
fields.each do |f|
|
2014-10-08 14:38:18 -04:00
|
|
|
val = params[:user_fields][f.id.to_s]
|
2014-10-02 15:56:28 -04:00
|
|
|
val = nil if val === "false"
|
2015-02-23 13:02:30 -05:00
|
|
|
val = val[0...UserField.max_length] if val
|
2014-10-08 14:38:18 -04:00
|
|
|
|
|
|
|
return render_json_error(I18n.t("login.missing_user_field")) if val.blank? && f.required?
|
|
|
|
params[:custom_fields]["user_field_#{f.id}"] = val
|
2014-09-26 14:48:34 -04:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2014-09-08 15:17:31 -04:00
|
|
|
json_result(user, serializer: UserSerializer, additional_errors: [:user_profile]) do |u|
|
2013-12-10 12:46:35 -05:00
|
|
|
updater = UserUpdater.new(current_user, user)
|
2013-11-01 17:06:20 -04:00
|
|
|
updater.update(params)
|
2013-02-07 10:45:24 -05:00
|
|
|
end
|
2013-02-05 14:16:51 -05:00
|
|
|
end
|
|
|
|
|
|
|
|
def username
|
2013-06-06 03:14:32 -04:00
|
|
|
params.require(:new_username)
|
2013-02-05 14:16:51 -05:00
|
|
|
|
|
|
|
user = fetch_user_from_params
|
2013-08-12 14:54:52 -04:00
|
|
|
guardian.ensure_can_edit_username!(user)
|
2013-02-07 10:45:24 -05:00
|
|
|
|
2015-01-16 17:30:46 -05:00
|
|
|
# TODO proper error surfacing (result is a Model#save call)
|
2015-03-06 16:44:54 -05:00
|
|
|
result = UsernameChanger.change(user, params[:new_username], current_user)
|
2013-02-05 14:16:51 -05:00
|
|
|
raise Discourse::InvalidParameters.new(:new_username) unless result
|
|
|
|
|
2014-12-10 11:43:16 -05:00
|
|
|
render json: {
|
|
|
|
id: user.id,
|
|
|
|
username: user.username
|
|
|
|
}
|
2013-02-05 14:16:51 -05:00
|
|
|
end
|
|
|
|
|
2014-09-29 16:31:05 -04:00
|
|
|
def check_emails
|
2014-10-28 20:06:59 -04:00
|
|
|
user = fetch_user_from_params(include_inactive: true)
|
2014-09-29 16:31:05 -04:00
|
|
|
guardian.ensure_can_check_emails!(user)
|
|
|
|
|
|
|
|
StaffActionLogger.new(current_user).log_check_email(user, context: params[:context])
|
|
|
|
|
|
|
|
render json: {
|
|
|
|
email: user.email,
|
|
|
|
associated_accounts: user.associated_accounts
|
|
|
|
}
|
2014-10-07 19:26:18 -04:00
|
|
|
rescue Discourse::InvalidAccess
|
2014-09-29 16:31:05 -04:00
|
|
|
render json: failed_json, status: 403
|
|
|
|
end
|
|
|
|
|
2016-08-12 02:35:10 -04:00
|
|
|
def topic_tracking_state
|
|
|
|
user = fetch_user_from_params
|
|
|
|
guardian.ensure_can_edit!(user)
|
|
|
|
|
2016-12-02 01:03:31 -05:00
|
|
|
report = TopicTrackingState.report(user)
|
2016-08-12 02:35:10 -04:00
|
|
|
serializer = ActiveModel::ArraySerializer.new(report, each_serializer: TopicTrackingStateSerializer)
|
|
|
|
|
|
|
|
render json: MultiJson.dump(serializer)
|
|
|
|
end
|
|
|
|
|
2014-04-17 23:10:53 -04:00
|
|
|
def badge_title
|
|
|
|
params.require(:user_badge_id)
|
|
|
|
|
|
|
|
user = fetch_user_from_params
|
|
|
|
guardian.ensure_can_edit!(user)
|
|
|
|
|
2014-07-14 04:06:50 -04:00
|
|
|
user_badge = UserBadge.find_by(id: params[:user_badge_id])
|
|
|
|
if user_badge && user_badge.user == user && user_badge.badge.allow_title?
|
2014-04-17 23:10:53 -04:00
|
|
|
user.title = user_badge.badge.name
|
2014-10-07 19:26:18 -04:00
|
|
|
user.user_profile.badge_granted_title = true
|
2014-04-17 23:10:53 -04:00
|
|
|
user.save!
|
2014-10-07 19:26:18 -04:00
|
|
|
user.user_profile.save!
|
2014-07-14 04:06:50 -04:00
|
|
|
else
|
|
|
|
user.title = ''
|
|
|
|
user.save!
|
2014-04-17 23:10:53 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
render nothing: true
|
|
|
|
end
|
|
|
|
|
2013-02-05 14:16:51 -05:00
|
|
|
def preferences
|
|
|
|
render nothing: true
|
|
|
|
end
|
|
|
|
|
2014-04-21 11:52:11 -04:00
|
|
|
def my_redirect
|
2016-03-19 08:03:10 -04:00
|
|
|
raise Discourse::NotFound if params[:path] !~ /^[a-z_\-\/]+$/
|
2015-10-14 12:40:13 -04:00
|
|
|
|
|
|
|
if current_user.blank?
|
|
|
|
cookies[:destination_url] = "/my/#{params[:path]}"
|
2015-10-14 13:39:31 -04:00
|
|
|
redirect_to "/login-preferences"
|
2015-10-14 12:40:13 -04:00
|
|
|
else
|
|
|
|
redirect_to(path("/users/#{current_user.username}/#{params[:path]}"))
|
2014-04-21 11:52:11 -04:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2016-01-19 23:11:52 -05:00
|
|
|
def summary
|
|
|
|
user = fetch_user_from_params
|
|
|
|
summary = UserSummary.new(user, guardian)
|
|
|
|
serializer = UserSummarySerializer.new(summary, scope: guardian)
|
|
|
|
render_json_dump(serializer)
|
|
|
|
end
|
|
|
|
|
2013-02-05 14:16:51 -05:00
|
|
|
def invited
|
2013-11-08 14:11:41 -05:00
|
|
|
inviter = fetch_user_from_params
|
2014-08-01 07:06:31 -04:00
|
|
|
offset = params[:offset].to_i || 0
|
2015-07-11 08:09:12 -04:00
|
|
|
filter_by = params[:filter]
|
2013-11-05 17:52:50 -05:00
|
|
|
|
2015-07-11 08:09:12 -04:00
|
|
|
invites = if guardian.can_see_invite_details?(inviter) && filter_by == "pending"
|
|
|
|
Invite.find_pending_invites_from(inviter, offset)
|
2013-11-08 14:11:41 -05:00
|
|
|
else
|
2014-08-01 07:06:31 -04:00
|
|
|
Invite.find_redeemed_invites_from(inviter, offset)
|
2013-11-05 17:52:50 -05:00
|
|
|
end
|
|
|
|
|
2015-07-11 08:09:12 -04:00
|
|
|
invites = invites.filter_by(params[:search])
|
2014-03-21 14:13:04 -04:00
|
|
|
render_json_dump invites: serialize_data(invites.to_a, InviteSerializer),
|
|
|
|
can_see_invite_details: guardian.can_see_invite_details?(inviter)
|
2013-02-05 14:16:51 -05:00
|
|
|
end
|
|
|
|
|
2015-08-24 15:03:25 -04:00
|
|
|
def invited_count
|
|
|
|
inviter = fetch_user_from_params
|
|
|
|
|
|
|
|
pending_count = Invite.find_pending_invites_count(inviter)
|
|
|
|
redeemed_count = Invite.find_redeemed_invites_count(inviter)
|
|
|
|
|
|
|
|
render json: {counts: { pending: pending_count, redeemed: redeemed_count,
|
|
|
|
total: (pending_count.to_i + redeemed_count.to_i) } }
|
|
|
|
end
|
|
|
|
|
2013-02-05 14:16:51 -05:00
|
|
|
def is_local_username
|
2015-11-27 12:16:50 -05:00
|
|
|
usernames = params[:usernames]
|
|
|
|
usernames = [params[:username]] if usernames.blank?
|
2015-06-11 10:31:43 -04:00
|
|
|
|
2015-11-30 01:12:51 -05:00
|
|
|
groups = Group.where(name: usernames).pluck(:name)
|
2015-12-03 21:40:38 -05:00
|
|
|
mentionable_groups =
|
|
|
|
if current_user
|
|
|
|
Group.mentionable(current_user)
|
|
|
|
.where(name: usernames)
|
|
|
|
.pluck(:name, :user_count)
|
|
|
|
.map{ |name,user_count| {name: name, user_count: user_count} }
|
|
|
|
end
|
|
|
|
|
2015-11-30 01:12:51 -05:00
|
|
|
usernames -= groups
|
2016-05-22 09:01:46 -04:00
|
|
|
usernames.each(&:downcase!)
|
2015-11-30 01:12:51 -05:00
|
|
|
|
2016-11-16 06:26:36 -05:00
|
|
|
# Create a New Topic Scenario is not supported (per conversation with codinghorror)
|
|
|
|
# https://meta.discourse.org/t/taking-another-1-7-release-task/51986/7
|
2016-11-14 22:03:16 -05:00
|
|
|
cannot_see = []
|
|
|
|
topic_id = params[:topic_id]
|
|
|
|
unless topic_id.blank?
|
|
|
|
topic = Topic.find_by(id: topic_id)
|
|
|
|
usernames.each{ |username| cannot_see.push(username) unless Guardian.new(User.find_by_username(username)).can_see?(topic) }
|
|
|
|
end
|
|
|
|
|
2015-11-30 01:12:51 -05:00
|
|
|
result = User.where(staged: false)
|
|
|
|
.where(username_lower: usernames)
|
|
|
|
.pluck(:username_lower)
|
2015-11-27 12:16:50 -05:00
|
|
|
|
2016-11-14 22:03:16 -05:00
|
|
|
render json: {valid: result, valid_groups: groups, mentionable_groups: mentionable_groups, cannot_see: cannot_see}
|
2013-02-05 14:16:51 -05:00
|
|
|
end
|
|
|
|
|
2013-08-25 04:57:12 -04:00
|
|
|
def render_available_true
|
|
|
|
render(json: { available: true })
|
|
|
|
end
|
|
|
|
|
|
|
|
def changing_case_of_own_username(target_user, username)
|
|
|
|
target_user and username.downcase == target_user.username.downcase
|
|
|
|
end
|
|
|
|
|
|
|
|
# Used for checking availability of a username and will return suggestions
|
|
|
|
# if the username is not available.
|
2013-02-05 14:16:51 -05:00
|
|
|
def check_username
|
2013-11-19 14:15:05 -05:00
|
|
|
if !params[:username].present?
|
|
|
|
params.require(:username) if !params[:email].present?
|
2014-07-16 12:25:24 -04:00
|
|
|
return render(json: success_json)
|
2013-11-19 14:15:05 -05:00
|
|
|
end
|
2013-08-25 04:57:12 -04:00
|
|
|
username = params[:username]
|
2013-02-05 14:16:51 -05:00
|
|
|
|
2013-08-25 04:57:12 -04:00
|
|
|
target_user = user_from_params_or_current_user
|
2013-07-30 14:13:56 -04:00
|
|
|
|
2013-06-28 16:21:46 -04:00
|
|
|
# The special case where someone is changing the case of their own username
|
2013-08-25 04:57:12 -04:00
|
|
|
return render_available_true if changing_case_of_own_username(target_user, username)
|
2013-06-28 16:21:46 -04:00
|
|
|
|
2013-09-06 05:35:29 -04:00
|
|
|
checker = UsernameCheckerService.new
|
|
|
|
email = params[:email] || target_user.try(:email)
|
2013-11-19 14:15:05 -05:00
|
|
|
render json: checker.check_username(username, email)
|
2013-08-25 04:57:12 -04:00
|
|
|
end
|
2013-02-05 14:16:51 -05:00
|
|
|
|
2013-08-25 04:57:12 -04:00
|
|
|
def user_from_params_or_current_user
|
|
|
|
params[:for_user_id] ? User.find(params[:for_user_id]) : current_user
|
|
|
|
end
|
|
|
|
|
2013-02-05 14:16:51 -05:00
|
|
|
def create
|
2014-09-26 14:48:34 -04:00
|
|
|
params.permit(:user_fields)
|
|
|
|
|
2014-07-14 15:42:14 -04:00
|
|
|
unless SiteSetting.allow_new_registrations
|
2014-09-26 14:48:34 -04:00
|
|
|
return fail_with("login.new_registrations_disabled")
|
2014-07-14 15:42:14 -04:00
|
|
|
end
|
|
|
|
|
2014-09-11 15:22:11 -04:00
|
|
|
if params[:password] && params[:password].length > User.max_password_length
|
2014-09-26 14:48:34 -04:00
|
|
|
return fail_with("login.password_too_long")
|
2014-09-11 15:22:11 -04:00
|
|
|
end
|
|
|
|
|
2015-07-13 16:40:52 -04:00
|
|
|
if params[:email] && params[:email].length > 254 + 1 + 253
|
|
|
|
return fail_with("login.email_too_long")
|
|
|
|
end
|
|
|
|
|
2015-07-07 02:54:25 -04:00
|
|
|
if SiteSetting.reserved_usernames.split("|").include? params[:username].downcase
|
2015-07-01 16:44:53 -04:00
|
|
|
return fail_with("login.reserved_username")
|
|
|
|
end
|
|
|
|
|
2015-11-13 13:07:28 -05:00
|
|
|
if user = User.where(staged: true).find_by(email: params[:email].strip.downcase)
|
|
|
|
user_params.each { |k, v| user.send("#{k}=", v) }
|
|
|
|
user.staged = false
|
|
|
|
else
|
|
|
|
user = User.new(user_params)
|
|
|
|
end
|
2013-02-06 19:25:21 -05:00
|
|
|
|
2014-09-26 14:48:34 -04:00
|
|
|
# Handle custom fields
|
2014-10-08 14:38:18 -04:00
|
|
|
user_fields = UserField.all
|
|
|
|
if user_fields.present?
|
2015-01-27 04:48:27 -05:00
|
|
|
field_params = params[:user_fields] || {}
|
|
|
|
fields = user.custom_fields
|
|
|
|
|
|
|
|
user_fields.each do |f|
|
|
|
|
field_val = field_params[f.id.to_s]
|
|
|
|
if field_val.blank?
|
|
|
|
return fail_with("login.missing_user_field") if f.required?
|
|
|
|
else
|
2015-02-23 13:02:30 -05:00
|
|
|
fields["user_field_#{f.id}"] = field_val[0...UserField.max_length]
|
2014-09-26 14:48:34 -04:00
|
|
|
end
|
|
|
|
end
|
2015-01-27 04:48:27 -05:00
|
|
|
|
|
|
|
user.custom_fields = fields
|
2014-09-26 14:48:34 -04:00
|
|
|
end
|
|
|
|
|
2013-11-12 17:37:38 -05:00
|
|
|
authentication = UserAuthenticator.new(user, session)
|
2014-03-26 00:39:44 -04:00
|
|
|
|
|
|
|
if !authentication.has_authenticator? && !SiteSetting.enable_local_logins
|
2014-11-17 06:04:29 -05:00
|
|
|
return render nothing: true, status: 500
|
2014-03-26 00:39:44 -04:00
|
|
|
end
|
|
|
|
|
2013-11-12 17:37:38 -05:00
|
|
|
authentication.start
|
2013-02-05 14:16:51 -05:00
|
|
|
|
2013-11-12 17:37:38 -05:00
|
|
|
activation = UserActivator.new(user, request, session, cookies)
|
|
|
|
activation.start
|
2013-02-05 14:16:51 -05:00
|
|
|
|
2014-03-19 23:49:25 -04:00
|
|
|
# just assign a password if we have an authenticator and no password
|
|
|
|
# this is the case for Twitter
|
|
|
|
user.password = SecureRandom.hex if user.password.blank? && authentication.has_authenticator?
|
|
|
|
|
2013-11-12 17:37:38 -05:00
|
|
|
if user.save
|
|
|
|
authentication.finish
|
|
|
|
activation.finish
|
|
|
|
|
2014-10-01 13:33:49 -04:00
|
|
|
# save user email in session, to show on account-created page
|
2014-11-04 15:47:32 -05:00
|
|
|
session["user_created_message"] = activation.message
|
2014-09-26 14:48:34 -04:00
|
|
|
|
2013-11-12 17:37:38 -05:00
|
|
|
render json: {
|
|
|
|
success: true,
|
|
|
|
active: user.active?,
|
2014-09-22 19:06:19 -04:00
|
|
|
message: activation.message,
|
|
|
|
user_id: user.id
|
2013-11-12 17:37:38 -05:00
|
|
|
}
|
|
|
|
else
|
|
|
|
render json: {
|
|
|
|
success: false,
|
|
|
|
message: I18n.t(
|
|
|
|
'login.errors',
|
|
|
|
errors: user.errors.full_messages.join("\n")
|
|
|
|
),
|
|
|
|
errors: user.errors.to_hash,
|
2016-03-03 13:01:31 -05:00
|
|
|
values: user.attributes.slice('name', 'username', 'email'),
|
2016-08-05 11:57:13 -04:00
|
|
|
is_developer: UsernameCheckerService.is_developer?(user.email)
|
2013-11-12 17:37:38 -05:00
|
|
|
}
|
|
|
|
end
|
2013-03-07 14:56:28 -05:00
|
|
|
rescue ActiveRecord::StatementInvalid
|
2013-11-12 17:37:38 -05:00
|
|
|
render json: {
|
|
|
|
success: false,
|
|
|
|
message: I18n.t("login.something_already_taken")
|
|
|
|
}
|
2013-02-05 14:16:51 -05:00
|
|
|
rescue RestClient::Forbidden
|
2013-04-12 18:46:55 -04:00
|
|
|
render json: { errors: [I18n.t("discourse_hub.access_token_problem")] }
|
2013-02-05 14:16:51 -05:00
|
|
|
end
|
|
|
|
|
2013-02-06 19:25:21 -05:00
|
|
|
def get_honeypot_value
|
|
|
|
render json: {value: honeypot_value, challenge: challenge_value}
|
|
|
|
end
|
|
|
|
|
2013-02-05 14:16:51 -05:00
|
|
|
def password_reset
|
2015-02-19 18:28:38 -05:00
|
|
|
expires_now
|
2013-02-05 14:16:51 -05:00
|
|
|
|
2016-12-19 02:00:22 -05:00
|
|
|
token = params[:token]
|
|
|
|
|
|
|
|
if EmailToken.valid_token_format?(token)
|
2016-01-04 11:48:54 -05:00
|
|
|
if request.put?
|
2016-12-19 02:00:22 -05:00
|
|
|
@user = EmailToken.confirm(token)
|
2016-01-04 11:48:54 -05:00
|
|
|
else
|
2016-12-19 02:00:22 -05:00
|
|
|
email_token = EmailToken.confirmable(token)
|
2016-01-04 11:48:54 -05:00
|
|
|
@user = email_token.try(:user)
|
|
|
|
end
|
2014-08-25 15:30:52 -04:00
|
|
|
|
|
|
|
if @user
|
2016-12-19 02:00:22 -05:00
|
|
|
secure_session["password-#{token}"] = @user.id
|
2014-08-25 15:30:52 -04:00
|
|
|
else
|
2016-12-19 02:00:22 -05:00
|
|
|
user_id = secure_session["password-#{token}"].to_i
|
|
|
|
@user = User.find(user_id) if user_id > 0
|
2014-08-25 15:30:52 -04:00
|
|
|
end
|
2014-07-01 23:06:55 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
if !@user
|
2015-02-19 18:28:38 -05:00
|
|
|
@error = I18n.t('password_reset.no_token')
|
2013-11-11 06:28:26 -05:00
|
|
|
elsif request.put?
|
2014-09-11 15:22:11 -04:00
|
|
|
@invalid_password = params[:password].blank? || params[:password].length > User.max_password_length
|
|
|
|
|
|
|
|
if @invalid_password
|
|
|
|
@user.errors.add(:password, :invalid)
|
|
|
|
else
|
|
|
|
@user.password = params[:password]
|
|
|
|
@user.password_required!
|
2017-01-31 17:21:37 -05:00
|
|
|
@user.user_auth_tokens.destroy_all
|
2014-09-11 15:22:11 -04:00
|
|
|
if @user.save
|
|
|
|
Invite.invalidate_for_email(@user.email) # invite link can't be used to log in anymore
|
2016-12-19 02:00:22 -05:00
|
|
|
secure_session["password-#{token}"] = nil
|
2014-09-11 15:22:11 -04:00
|
|
|
logon_after_password_reset
|
2017-01-31 15:42:12 -05:00
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
respond_to do |format|
|
|
|
|
format.html do
|
|
|
|
if @error
|
|
|
|
render layout: 'no_ember'
|
|
|
|
else
|
|
|
|
store_preloaded("password_reset", MultiJson.dump({ is_developer: UsernameCheckerService.is_developer?(@user.email) }))
|
|
|
|
end
|
|
|
|
return redirect_to(wizard_path) if Wizard.user_requires_completion?(@user)
|
|
|
|
end
|
2016-10-18 11:44:25 -04:00
|
|
|
|
2017-01-31 15:42:12 -05:00
|
|
|
format.json do
|
|
|
|
if request.put?
|
2017-02-13 16:19:41 -05:00
|
|
|
if @error || @user.errors&.any?
|
2017-01-31 15:42:12 -05:00
|
|
|
render json: {
|
|
|
|
success: false,
|
|
|
|
message: @error,
|
2017-02-13 16:19:41 -05:00
|
|
|
errors: @user.errors.to_hash,
|
2017-01-31 15:42:12 -05:00
|
|
|
is_developer: UsernameCheckerService.is_developer?(@user.email)
|
|
|
|
}
|
|
|
|
else
|
|
|
|
render json: {
|
|
|
|
success: true,
|
|
|
|
message: @success,
|
|
|
|
requires_approval: !Guardian.new(@user).can_access_forum?,
|
|
|
|
redirect_to: Wizard.user_requires_completion?(@user) ? wizard_path : nil
|
|
|
|
}
|
|
|
|
end
|
|
|
|
else
|
|
|
|
render json: {is_developer: UsernameCheckerService.is_developer?(@user.email)}
|
2014-09-11 15:22:11 -04:00
|
|
|
end
|
2014-01-21 16:53:46 -05:00
|
|
|
end
|
2013-02-05 14:16:51 -05:00
|
|
|
end
|
|
|
|
end
|
2013-02-07 10:45:24 -05:00
|
|
|
|
2016-01-04 11:48:54 -05:00
|
|
|
def confirm_email_token
|
|
|
|
expires_now
|
|
|
|
EmailToken.confirm(params[:token])
|
|
|
|
render json: success_json
|
|
|
|
end
|
|
|
|
|
2013-10-07 06:19:45 -04:00
|
|
|
def logon_after_password_reset
|
2013-11-11 12:51:14 -05:00
|
|
|
message = if Guardian.new(@user).can_access_forum?
|
|
|
|
# Log in the user
|
|
|
|
log_on_user(@user)
|
|
|
|
'password_reset.success'
|
|
|
|
else
|
|
|
|
@requires_approval = true
|
|
|
|
'password_reset.success_unapproved'
|
|
|
|
end
|
|
|
|
|
2015-02-19 18:28:38 -05:00
|
|
|
@success = I18n.t(message)
|
2014-07-03 03:29:44 -04:00
|
|
|
end
|
2013-10-07 06:19:45 -04:00
|
|
|
|
2015-04-27 06:59:48 -04:00
|
|
|
def admin_login
|
2015-06-05 04:43:59 -04:00
|
|
|
if current_user
|
2015-04-27 06:59:48 -04:00
|
|
|
return redirect_to path("/")
|
|
|
|
end
|
|
|
|
|
|
|
|
if request.put?
|
|
|
|
RateLimiter.new(nil, "admin-login-hr-#{request.remote_ip}", 6, 1.hour).performed!
|
|
|
|
RateLimiter.new(nil, "admin-login-min-#{request.remote_ip}", 3, 1.minute).performed!
|
|
|
|
|
|
|
|
user = User.where(email: params[:email], admin: true).where.not(id: Discourse::SYSTEM_USER_ID).first
|
|
|
|
if user
|
|
|
|
email_token = user.email_tokens.create(email: user.email)
|
2016-04-07 00:38:43 -04:00
|
|
|
Jobs.enqueue(:critical_user_email, type: :admin_login, user_id: user.id, email_token: email_token.token)
|
2015-04-27 06:59:48 -04:00
|
|
|
@message = I18n.t("admin_login.success")
|
|
|
|
else
|
|
|
|
@message = I18n.t("admin_login.error")
|
|
|
|
end
|
|
|
|
elsif params[:token].present?
|
|
|
|
# token recieved, try to login
|
|
|
|
if EmailToken.valid_token_format?(params[:token])
|
|
|
|
@user = EmailToken.confirm(params[:token])
|
|
|
|
if @user && @user.admin?
|
|
|
|
# Log in user
|
|
|
|
log_on_user(@user)
|
|
|
|
return redirect_to path("/")
|
|
|
|
else
|
|
|
|
@message = I18n.t("admin_login.error")
|
|
|
|
end
|
|
|
|
else
|
|
|
|
@message = I18n.t("admin_login.error")
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
render layout: false
|
|
|
|
rescue RateLimiter::LimitExceeded
|
|
|
|
@message = I18n.t("rate_limiter.slow_down")
|
|
|
|
render layout: false
|
|
|
|
end
|
|
|
|
|
2015-04-07 04:02:10 -04:00
|
|
|
def toggle_anon
|
|
|
|
user = AnonymousShadowCreator.get_master(current_user) ||
|
|
|
|
AnonymousShadowCreator.get(current_user)
|
|
|
|
|
|
|
|
if user
|
|
|
|
log_on_user(user)
|
|
|
|
render json: success_json
|
|
|
|
else
|
|
|
|
render json: failed_json, status: 403
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2014-09-23 09:50:57 -04:00
|
|
|
def account_created
|
2016-05-05 14:37:09 -04:00
|
|
|
@custom_body_class = "static-account-created"
|
2015-05-06 21:00:22 -04:00
|
|
|
@message = session['user_created_message'] || I18n.t('activation.missing_session')
|
2014-09-23 09:50:57 -04:00
|
|
|
expires_now
|
2015-01-15 15:56:53 -05:00
|
|
|
render layout: 'no_ember'
|
2014-09-23 09:50:57 -04:00
|
|
|
end
|
|
|
|
|
2013-02-05 14:16:51 -05:00
|
|
|
def activate_account
|
2014-07-15 13:47:47 -04:00
|
|
|
expires_now
|
2015-01-15 15:56:53 -05:00
|
|
|
render layout: 'no_ember'
|
2014-07-14 12:25:42 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
def perform_account_activation
|
2014-07-15 14:07:19 -04:00
|
|
|
raise Discourse::InvalidAccess.new if honeypot_or_challenge_fails?(params)
|
2013-02-05 14:16:51 -05:00
|
|
|
if @user = EmailToken.confirm(params[:token])
|
|
|
|
|
|
|
|
# Log in the user unless they need to be approved
|
2013-04-03 12:23:28 -04:00
|
|
|
if Guardian.new(@user).can_access_forum?
|
2013-02-05 14:16:51 -05:00
|
|
|
@user.enqueue_welcome_message('welcome_user') if @user.send_welcome_message
|
|
|
|
log_on_user(@user)
|
2016-10-18 11:44:25 -04:00
|
|
|
return redirect_to(wizard_path) if Wizard.user_requires_completion?(@user)
|
2013-04-03 12:23:28 -04:00
|
|
|
else
|
|
|
|
@needs_approval = true
|
2013-02-05 14:16:51 -05:00
|
|
|
end
|
|
|
|
|
|
|
|
else
|
2015-08-23 14:59:16 -04:00
|
|
|
flash.now[:error] = I18n.t('activation.already_done')
|
2013-02-05 14:16:51 -05:00
|
|
|
end
|
2015-01-15 15:56:53 -05:00
|
|
|
render layout: 'no_ember'
|
2013-02-05 14:16:51 -05:00
|
|
|
end
|
|
|
|
|
2013-02-22 11:49:48 -05:00
|
|
|
def send_activation_email
|
2015-10-27 16:25:30 -04:00
|
|
|
if current_user.blank? || !current_user.staff?
|
|
|
|
RateLimiter.new(nil, "activate-hr-#{request.remote_ip}", 30, 1.hour).performed!
|
|
|
|
RateLimiter.new(nil, "activate-min-#{request.remote_ip}", 6, 1.minute).performed!
|
|
|
|
end
|
2014-09-25 03:42:48 -04:00
|
|
|
|
|
|
|
@user = User.find_by_username_or_email(params[:username].to_s)
|
2014-09-25 03:45:45 -04:00
|
|
|
|
|
|
|
raise Discourse::NotFound unless @user
|
|
|
|
|
2013-02-22 11:49:48 -05:00
|
|
|
@email_token = @user.email_tokens.unconfirmed.active.first
|
2013-10-07 06:19:45 -04:00
|
|
|
enqueue_activation_email if @user
|
2013-02-22 11:49:48 -05:00
|
|
|
render nothing: true
|
|
|
|
end
|
|
|
|
|
2013-10-07 06:19:45 -04:00
|
|
|
def enqueue_activation_email
|
|
|
|
@email_token ||= @user.email_tokens.create(email: @user.email)
|
2016-04-07 00:38:43 -04:00
|
|
|
Jobs.enqueue(:critical_user_email, type: :signup, user_id: @user.id, email_token: @email_token.token)
|
2013-10-07 06:19:45 -04:00
|
|
|
end
|
|
|
|
|
2013-02-05 14:16:51 -05:00
|
|
|
def search_users
|
2013-02-07 05:59:25 -05:00
|
|
|
term = params[:term].to_s.strip
|
2013-02-05 14:16:51 -05:00
|
|
|
topic_id = params[:topic_id]
|
|
|
|
topic_id = topic_id.to_i if topic_id
|
2015-04-13 11:03:13 -04:00
|
|
|
topic_allowed_users = params[:topic_allowed_users] || false
|
2013-02-05 14:16:51 -05:00
|
|
|
|
2017-02-09 18:45:39 -05:00
|
|
|
if params[:group].present?
|
|
|
|
@group = Group.find_by(name: params[:group])
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
results = UserSearch.new(term,
|
|
|
|
topic_id: topic_id,
|
|
|
|
topic_allowed_users: topic_allowed_users,
|
|
|
|
searching_user: current_user,
|
|
|
|
group: @group
|
|
|
|
).search
|
2013-02-05 14:16:51 -05:00
|
|
|
|
2015-09-11 09:04:29 -04:00
|
|
|
user_fields = [:username, :upload_avatar_template]
|
2013-10-30 15:45:13 -04:00
|
|
|
user_fields << :name if SiteSetting.enable_names?
|
|
|
|
|
2015-09-11 04:14:34 -04:00
|
|
|
to_render = { users: results.as_json(only: user_fields, methods: [:avatar_template]) }
|
2013-12-23 09:46:00 -05:00
|
|
|
|
|
|
|
if params[:include_groups] == "true"
|
2015-11-30 01:03:47 -05:00
|
|
|
to_render[:groups] = Group.search_group(term).map do |m|
|
2017-01-03 22:39:21 -05:00
|
|
|
{ name: m.name, full_name: m.full_name }
|
2015-11-30 01:03:47 -05:00
|
|
|
end
|
2013-12-23 09:46:00 -05:00
|
|
|
end
|
|
|
|
|
2015-12-01 23:49:43 -05:00
|
|
|
if params[:include_mentionable_groups] == "true" && current_user
|
|
|
|
to_render[:groups] = Group.mentionable(current_user)
|
|
|
|
.where("name ILIKE :term_like", term_like: "#{term}%")
|
|
|
|
.map do |m|
|
2017-01-03 22:39:21 -05:00
|
|
|
{ name: m.name, full_name: m.full_name }
|
2015-12-01 23:49:43 -05:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2013-12-23 09:46:00 -05:00
|
|
|
render json: to_render
|
2013-02-05 14:16:51 -05:00
|
|
|
end
|
|
|
|
|
2015-09-17 13:42:44 -04:00
|
|
|
AVATAR_TYPES_WITH_UPLOAD ||= %w{uploaded custom gravatar}
|
|
|
|
|
2014-05-26 05:46:43 -04:00
|
|
|
def pick_avatar
|
2013-08-13 16:08:29 -04:00
|
|
|
user = fetch_user_from_params
|
|
|
|
guardian.ensure_can_edit!(user)
|
2015-05-29 04:21:41 -04:00
|
|
|
|
2015-09-11 09:04:29 -04:00
|
|
|
type = params[:type]
|
2015-09-11 09:47:48 -04:00
|
|
|
upload_id = params[:upload_id]
|
2014-05-26 05:46:43 -04:00
|
|
|
|
2015-11-12 04:26:45 -05:00
|
|
|
if SiteSetting.sso_overrides_avatar
|
|
|
|
return render json: failed_json, status: 422
|
|
|
|
end
|
|
|
|
|
|
|
|
if !SiteSetting.allow_uploaded_avatars
|
|
|
|
if type == "uploaded" || type == "custom"
|
|
|
|
return render json: failed_json, status: 422
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2015-09-11 09:04:29 -04:00
|
|
|
user.uploaded_avatar_id = upload_id
|
2015-09-11 09:47:48 -04:00
|
|
|
|
2015-09-17 13:42:44 -04:00
|
|
|
if AVATAR_TYPES_WITH_UPLOAD.include?(type)
|
|
|
|
# make sure the upload exists
|
|
|
|
unless Upload.where(id: upload_id).exists?
|
|
|
|
return render_json_error I18n.t("avatar.missing")
|
|
|
|
end
|
|
|
|
|
|
|
|
if type == "gravatar"
|
|
|
|
user.user_avatar.gravatar_upload_id = upload_id
|
|
|
|
else
|
|
|
|
user.user_avatar.custom_upload_id = upload_id
|
|
|
|
end
|
2015-09-11 09:47:48 -04:00
|
|
|
end
|
2015-05-29 04:21:41 -04:00
|
|
|
|
2013-08-13 16:08:29 -04:00
|
|
|
user.save!
|
2015-05-29 04:21:41 -04:00
|
|
|
user.user_avatar.save!
|
2013-08-13 16:08:29 -04:00
|
|
|
|
2014-12-06 11:26:32 -05:00
|
|
|
render json: success_json
|
2013-08-13 16:08:29 -04:00
|
|
|
end
|
2014-04-14 16:55:57 -04:00
|
|
|
|
2014-06-27 14:48:39 -04:00
|
|
|
def destroy_user_image
|
2014-02-28 15:12:51 -05:00
|
|
|
user = fetch_user_from_params
|
|
|
|
guardian.ensure_can_edit!(user)
|
2014-04-14 16:55:57 -04:00
|
|
|
|
2015-05-19 19:39:58 -04:00
|
|
|
case params.require(:type)
|
|
|
|
when "profile_background"
|
2014-06-27 14:48:39 -04:00
|
|
|
user.user_profile.clear_profile_background
|
2015-05-19 19:39:58 -04:00
|
|
|
when "card_background"
|
2014-10-20 12:11:36 -04:00
|
|
|
user.user_profile.clear_card_background
|
2014-06-27 14:48:39 -04:00
|
|
|
else
|
2015-05-19 19:39:58 -04:00
|
|
|
raise Discourse::InvalidParameters.new(:type)
|
2014-06-27 14:48:39 -04:00
|
|
|
end
|
2014-04-14 16:55:57 -04:00
|
|
|
|
2015-05-19 19:39:58 -04:00
|
|
|
render json: success_json
|
2014-02-28 15:12:51 -05:00
|
|
|
end
|
2014-04-14 16:55:57 -04:00
|
|
|
|
2014-02-13 11:42:35 -05:00
|
|
|
def destroy
|
|
|
|
@user = fetch_user_from_params
|
|
|
|
guardian.ensure_can_delete_user!(@user)
|
2014-04-14 16:55:57 -04:00
|
|
|
|
2014-10-20 10:59:06 -04:00
|
|
|
UserDestroyer.new(current_user).destroy(@user, { delete_posts: true, context: params[:context] })
|
2014-04-14 16:55:57 -04:00
|
|
|
|
2014-02-13 11:42:35 -05:00
|
|
|
render json: success_json
|
|
|
|
end
|
|
|
|
|
2014-07-11 03:32:29 -04:00
|
|
|
def read_faq
|
2015-09-04 16:56:02 -04:00
|
|
|
if user = current_user
|
2014-07-11 03:32:29 -04:00
|
|
|
user.user_stat.read_faq = 1.second.ago
|
|
|
|
user.user_stat.save
|
|
|
|
end
|
|
|
|
|
|
|
|
render json: success_json
|
|
|
|
end
|
|
|
|
|
2015-01-05 13:49:32 -05:00
|
|
|
def staff_info
|
2015-11-27 14:02:24 -05:00
|
|
|
@user = fetch_user_from_params(include_inactive: true)
|
2015-01-05 13:49:32 -05:00
|
|
|
guardian.ensure_can_see_staff_info!(@user)
|
|
|
|
|
|
|
|
result = {}
|
|
|
|
|
|
|
|
%W{number_of_deleted_posts number_of_flagged_posts number_of_flags_given number_of_suspensions number_of_warnings}.each do |info|
|
|
|
|
result[info] = @user.send(info)
|
|
|
|
end
|
|
|
|
|
|
|
|
render json: result
|
|
|
|
end
|
|
|
|
|
2013-02-05 14:16:51 -05:00
|
|
|
private
|
|
|
|
|
2013-02-06 19:25:21 -05:00
|
|
|
def honeypot_value
|
2017-01-31 17:21:37 -05:00
|
|
|
Digest::SHA1::hexdigest("#{Discourse.current_hostname}:#{GlobalSetting.safe_secret_key_base}")[0,15]
|
2013-02-06 19:25:21 -05:00
|
|
|
end
|
|
|
|
|
|
|
|
def challenge_value
|
2013-08-23 02:19:23 -04:00
|
|
|
challenge = $redis.get('SECRET_CHALLENGE')
|
|
|
|
unless challenge && challenge.length == 16*2
|
|
|
|
challenge = SecureRandom.hex(16)
|
|
|
|
$redis.set('SECRET_CHALLENGE',challenge)
|
|
|
|
end
|
|
|
|
|
|
|
|
challenge
|
2013-02-06 19:25:21 -05:00
|
|
|
end
|
|
|
|
|
2013-11-12 17:37:38 -05:00
|
|
|
def respond_to_suspicious_request
|
|
|
|
if suspicious?(params)
|
2015-05-19 19:39:58 -04:00
|
|
|
render json: {
|
|
|
|
success: true,
|
|
|
|
active: false,
|
|
|
|
message: I18n.t("login.activate_email", email: params[:email])
|
|
|
|
}
|
2013-11-12 17:37:38 -05:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def suspicious?(params)
|
2014-09-22 19:06:19 -04:00
|
|
|
return false if current_user && is_api? && current_user.admin?
|
2013-11-12 17:37:38 -05:00
|
|
|
honeypot_or_challenge_fails?(params) || SiteSetting.invite_only?
|
|
|
|
end
|
|
|
|
|
|
|
|
def honeypot_or_challenge_fails?(params)
|
2014-09-22 19:06:19 -04:00
|
|
|
return false if is_api?
|
2013-11-12 17:37:38 -05:00
|
|
|
params[:password_confirmation] != honeypot_value ||
|
2015-04-02 10:24:27 -04:00
|
|
|
params[:challenge] != challenge_value.try(:reverse)
|
2013-11-12 17:37:38 -05:00
|
|
|
end
|
|
|
|
|
|
|
|
def user_params
|
2016-11-15 03:10:20 -05:00
|
|
|
result = params.permit(:name, :email, :password, :username, :date_of_birth)
|
2016-08-05 11:57:13 -04:00
|
|
|
.merge(ip_address: request.remote_ip,
|
|
|
|
registration_ip_address: request.remote_ip,
|
|
|
|
locale: user_locale)
|
|
|
|
|
|
|
|
if !UsernameCheckerService.is_developer?(result['email']) &&
|
|
|
|
is_api? &&
|
|
|
|
current_user.present? &&
|
|
|
|
current_user.admin?
|
|
|
|
|
|
|
|
result.merge!(params.permit(:active, :staged))
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
result
|
2016-02-06 14:49:39 -05:00
|
|
|
end
|
|
|
|
|
|
|
|
def user_locale
|
|
|
|
I18n.locale
|
2013-11-12 17:37:38 -05:00
|
|
|
end
|
2014-09-26 14:48:34 -04:00
|
|
|
|
|
|
|
def fail_with(key)
|
|
|
|
render json: { success: false, message: I18n.t(key) }
|
|
|
|
end
|
|
|
|
|
2015-09-14 03:51:17 -04:00
|
|
|
def track_visit_to_user_profile
|
|
|
|
user_profile_id = @user.user_profile.id
|
|
|
|
ip = request.remote_ip
|
|
|
|
user_id = (current_user.id if current_user)
|
|
|
|
|
|
|
|
Scheduler::Defer.later 'Track profile view visit' do
|
|
|
|
UserProfileView.add(user_profile_id, ip, user_id)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2013-02-05 14:16:51 -05:00
|
|
|
end
|