From 065859b90cc5ef403b8f47bd5394b343e556cc4d Mon Sep 17 00:00:00 2001 From: Azul Date: Wed, 23 Mar 2016 21:48:52 +0100 Subject: upgrade: remove references to RestClient CouchRest > 1.2 does not use RestClient anymore. So we should not try to catch its errors. --- app/controllers/application_controller.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'app/controllers') diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 079dc18..2af2f29 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -5,7 +5,7 @@ class ApplicationController < ActionController::Base before_filter :no_frame_header before_filter :language_header rescue_from StandardError, :with => :default_error_handler - rescue_from RestClient::Exception, :with => :default_error_handler + rescue_from CouchRest::Exception, :with => :default_error_handler ActiveSupport.run_load_hooks(:application_controller, self) -- cgit v1.2.3 From 00fba5114ae2c6176c88ff0ea152576c5bff657d Mon Sep 17 00:00:00 2001 From: Azul Date: Fri, 25 Mar 2016 11:06:55 +0100 Subject: upgrade: {File,Dir}.exists? -> exist? exists? is deprecated in ruby 2.1 --- app/controllers/controller_extension/json_file.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'app/controllers') diff --git a/app/controllers/controller_extension/json_file.rb b/app/controllers/controller_extension/json_file.rb index 6be919a..5b5e55e 100644 --- a/app/controllers/controller_extension/json_file.rb +++ b/app/controllers/controller_extension/json_file.rb @@ -12,7 +12,7 @@ module ControllerExtension::JsonFile end def fetch_file - if File.exists?(@filename) + if File.exist?(@filename) @file = File.new(@filename) else not_found -- cgit v1.2.3 From fc066a42ec5a3271b0d476ff2c5ab771f1ab726d Mon Sep 17 00:00:00 2001 From: Azul Date: Tue, 3 May 2016 10:24:11 -0300 Subject: fix failing unit and functional tests --- app/controllers/controller_extension/fetch_user.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'app/controllers') diff --git a/app/controllers/controller_extension/fetch_user.rb b/app/controllers/controller_extension/fetch_user.rb index 97f92fa..632291d 100644 --- a/app/controllers/controller_extension/fetch_user.rb +++ b/app/controllers/controller_extension/fetch_user.rb @@ -22,7 +22,7 @@ module ControllerExtension::FetchUser @user = User.find(params[:user_id] || params[:id]) if current_user.is_admin? || current_user.is_monitor? if @user.nil? - not_found(t(:no_such_thing, :thing => 'user'), users_url) + not_found(t(:no_such_user), users_url) elsif current_user.is_monitor? access_denied unless @user.is_test? end -- cgit v1.2.3 From 33e2a52f683697ca8489d856df90b39bfbbe7373 Mon Sep 17 00:00:00 2001 From: Azul Date: Tue, 3 May 2016 11:29:45 -0300 Subject: use APP_CONFIG[config_file_paths] for provider.json This avoids overwriting the PROVIDER_JSON constant in the StaticConfigController and thus fixes test warnings. Also moved away from using instance variables in the ControllerExtension::JsonFile - instead querying the corresponding functions now - less sideeffects and easier stubbing. --- app/controllers/controller_extension/json_file.rb | 23 ++++++++++++++--------- app/controllers/static_config_controller.rb | 11 ++++------- app/controllers/v1/configs_controller.rb | 6 ++---- 3 files changed, 20 insertions(+), 20 deletions(-) (limited to 'app/controllers') diff --git a/app/controllers/controller_extension/json_file.rb b/app/controllers/controller_extension/json_file.rb index 5b5e55e..df9cf55 100644 --- a/app/controllers/controller_extension/json_file.rb +++ b/app/controllers/controller_extension/json_file.rb @@ -4,20 +4,25 @@ module ControllerExtension::JsonFile protected - def send_file - if stale?(:last_modified => @file.mtime) - response.content_type = 'application/json' - render :text => @file.read + def send_file(filename) + file = fetch_file(filename) + if file.present? + send_file_or_cache_hit(file) + else + not_found end end - def fetch_file - if File.exist?(@filename) - @file = File.new(@filename) - else - not_found + def send_file_or_cache_hit(file) + if stale?(:last_modified => file.mtime) + response.content_type = 'application/json' + render :text => file.read end end + def fetch_file(filename) + File.new(filename) if File.exist?(filename) + end + end diff --git a/app/controllers/static_config_controller.rb b/app/controllers/static_config_controller.rb index c78e006..46e7cd2 100644 --- a/app/controllers/static_config_controller.rb +++ b/app/controllers/static_config_controller.rb @@ -5,13 +5,9 @@ class StaticConfigController < ActionController::Base include ControllerExtension::JsonFile before_filter :set_minimum_client_version - before_filter :set_filename - before_filter :fetch_file - - PROVIDER_JSON = Rails.root.join('config', 'provider', 'provider.json') def provider - send_file + send_file provider_json end protected @@ -23,7 +19,8 @@ class StaticConfigController < ActionController::Base APP_CONFIG[:minimum_client_version].to_s end - def set_filename - @filename = PROVIDER_JSON + def provider_json + Rails.root.join APP_CONFIG[:config_file_paths]['provider'] end + end diff --git a/app/controllers/v1/configs_controller.rb b/app/controllers/v1/configs_controller.rb index 4a6f455..f0b284e 100644 --- a/app/controllers/v1/configs_controller.rb +++ b/app/controllers/v1/configs_controller.rb @@ -3,15 +3,13 @@ class V1::ConfigsController < ApiController before_filter :require_login, :unless => :anonymous_access_allowed? before_filter :sanitize_id, only: :show - before_filter :lookup_file, only: :show - before_filter :fetch_file, only: :show def index render json: {services: service_paths} end def show - send_file + send_file lookup_file end protected @@ -34,6 +32,6 @@ class V1::ConfigsController < ApiController def lookup_file path = APP_CONFIG[:config_file_paths][@id] not_found if path.blank? - @filename = Rails.root.join path + Rails.root.join path end end -- cgit v1.2.3 From e05a1b0f5ae40a2aa17976b3009cd563b8e4660a Mon Sep 17 00:00:00 2001 From: Azul Date: Sun, 1 May 2016 10:55:33 -0300 Subject: api: allow version bumping - bump to 2 --- app/controllers/api/certs_controller.rb | 31 +++++++ app/controllers/api/configs_controller.rb | 37 +++++++++ app/controllers/api/identities_controller.rb | 16 ++++ app/controllers/api/messages_controller.rb | 119 +++++++++++++++++++++++++++ app/controllers/api/services_controller.rb | 8 ++ app/controllers/api/sessions_controller.rb | 44 ++++++++++ app/controllers/api/smtp_certs_controller.rb | 42 ++++++++++ app/controllers/api/users_controller.rb | 83 +++++++++++++++++++ app/controllers/v1/certs_controller.rb | 31 ------- app/controllers/v1/configs_controller.rb | 37 --------- app/controllers/v1/identities_controller.rb | 16 ---- app/controllers/v1/messages_controller.rb | 119 --------------------------- app/controllers/v1/services_controller.rb | 8 -- app/controllers/v1/sessions_controller.rb | 44 ---------- app/controllers/v1/smtp_certs_controller.rb | 42 ---------- app/controllers/v1/users_controller.rb | 83 ------------------- 16 files changed, 380 insertions(+), 380 deletions(-) create mode 100644 app/controllers/api/certs_controller.rb create mode 100644 app/controllers/api/configs_controller.rb create mode 100644 app/controllers/api/identities_controller.rb create mode 100644 app/controllers/api/messages_controller.rb create mode 100644 app/controllers/api/services_controller.rb create mode 100644 app/controllers/api/sessions_controller.rb create mode 100644 app/controllers/api/smtp_certs_controller.rb create mode 100644 app/controllers/api/users_controller.rb delete mode 100644 app/controllers/v1/certs_controller.rb delete mode 100644 app/controllers/v1/configs_controller.rb delete mode 100644 app/controllers/v1/identities_controller.rb delete mode 100644 app/controllers/v1/messages_controller.rb delete mode 100644 app/controllers/v1/services_controller.rb delete mode 100644 app/controllers/v1/sessions_controller.rb delete mode 100644 app/controllers/v1/smtp_certs_controller.rb delete mode 100644 app/controllers/v1/users_controller.rb (limited to 'app/controllers') diff --git a/app/controllers/api/certs_controller.rb b/app/controllers/api/certs_controller.rb new file mode 100644 index 0000000..46a84d3 --- /dev/null +++ b/app/controllers/api/certs_controller.rb @@ -0,0 +1,31 @@ +class Api::CertsController < ApiController + + before_filter :require_login, :unless => :anonymous_access_allowed? + before_filter :require_enabled + + # GET /cert + # deprecated - we actually create a new cert and that can + # be reflected in the action. GET /cert will eventually go + # away and be replaced by POST /cert + def show + create + end + + # POST /cert + def create + @cert = ClientCertificate.new(:prefix => service_level.cert_prefix) + render text: @cert.to_s, content_type: 'text/plain' + end + + protected + + def require_enabled + if !current_user.is_anonymous? && !current_user.enabled? + access_denied + end + end + + def service_level + current_user.effective_service_level + end +end diff --git a/app/controllers/api/configs_controller.rb b/app/controllers/api/configs_controller.rb new file mode 100644 index 0000000..55ceb4f --- /dev/null +++ b/app/controllers/api/configs_controller.rb @@ -0,0 +1,37 @@ +class Api::ConfigsController < ApiController + include ControllerExtension::JsonFile + + before_filter :require_login, :unless => :anonymous_access_allowed? + before_filter :sanitize_id, only: :show + + def index + render json: {services: service_paths} + end + + def show + send_file lookup_file + end + + protected + + SERVICE_IDS = { + soledad: "soledad-service", + eip: "eip-service", + smtp: "smtp-service" + } + + def service_paths + Hash[SERVICE_IDS.map{|k,v| [k,"/1/configs/#{v}.json"] } ] + end + + def sanitize_id + @id = params[:id].downcase + access_denied unless SERVICE_IDS.values.include? @id + end + + def lookup_file + path = APP_CONFIG[:config_file_paths][@id] + not_found if path.blank? + Rails.root.join path + end +end diff --git a/app/controllers/api/identities_controller.rb b/app/controllers/api/identities_controller.rb new file mode 100644 index 0000000..ab2ac00 --- /dev/null +++ b/app/controllers/api/identities_controller.rb @@ -0,0 +1,16 @@ +module Api + class IdentitiesController < ApiController + before_filter :token_authenticate + before_filter :require_monitor + + def show + @identity = Identity.find_by_address(params[:id]) + if @identity + respond_with @identity + else + render_not_found + end + end + + end +end diff --git a/app/controllers/api/messages_controller.rb b/app/controllers/api/messages_controller.rb new file mode 100644 index 0000000..a69a40a --- /dev/null +++ b/app/controllers/api/messages_controller.rb @@ -0,0 +1,119 @@ +module Api + class MessagesController < ApiController + + before_filter :require_login + + def index + if Dir.exist?(motd_dir) + if !CommonLanguages::available_code?(params[:locale]) + locale = 'en' + else + locale = params[:locale] + end + render json: motd_files_for_locale(locale) + else + render json: [] + end + end + + # disable per-user messages for now, not supported in the client + #def update + # if message = Message.find(params[:id]) + # message.mark_as_read_by(current_user) + # message.save + # render json: success(:marked_as_read) + # else + # render json: error(:not_found), status: :not_found + # end + #end + + private + + # + # returns list of messages, for example: + # + # [ + # {"id": 1, "locale": "en", "text": ""}, + # {"id": 2, "locale": "en", "text": ""} + # ] + # + # Each message is present only once, using the best choice + # for the locale. The order is determined by the id. + # + def motd_files_for_locale(locale) + files = [] + motd_files.keys.each do |id| + if motd_files[id].key?(locale) + msg_locale = locale + elsif motd_files[id].key?('en') + msg_locale = 'en' + else + msg_locale = motd_files[id].keys.first + end + files << { + "id" => id, + "locale" => msg_locale, + "text" => motd_files[id][msg_locale] + } + end + files.sort! {|a,b| a["id"].to_i <=> b["id"].to_i } + return files + end + + # + # returns messages of the day as a hash: + # { "1": {"en": "message"}, "2": {"en": "message"} } + # + def motd_files + if motd_changed? || @motd_files.nil? + @motd_files = load_motd_files + else + @motd_files + end + end + + def motd_changed? + newest = Dir.glob(File.join(motd_dir, '*.{html,md}')).collect{|file| File.mtime(file)}.max + if @timestamp.nil? + @timestamp = newest + return true + elsif @timestamp < newest + @timestamp = newest + return true + else + return false + end + end + + def load_motd_files + files = {} + Dir.glob(File.join(motd_dir, '*.{html,md}')).each do |file| + id, locale, msg = parse_motd_file(file) + next unless id + files[id] ||= {} + files[id][locale] = msg + end + files + end + + def parse_motd_file(file) + id, locale, ext = File.basename(file).split('.') + if id.nil? || locale.nil? || ext.nil? || id.to_i.to_s != id || !['md', 'html'].include?(ext) + Rails.logger.error "ERROR: Could not parse MOTD file #{file}" + return nil + end + contents = File.read(file) + if ext == "md" + msg = RDiscount.new(contents, :autolink).to_html + elsif ext == "html" + msg = File.read(file) + end + return id, locale, msg + end + + def motd_dir + File.join(APP_CONFIG['customization_directory'], 'motd') + end + + end +end diff --git a/app/controllers/api/services_controller.rb b/app/controllers/api/services_controller.rb new file mode 100644 index 0000000..da2774b --- /dev/null +++ b/app/controllers/api/services_controller.rb @@ -0,0 +1,8 @@ +class Api::ServicesController < ApiController + + before_filter :require_login, :unless => :anonymous_access_allowed? + + def show + respond_with current_user.effective_service_level + end +end diff --git a/app/controllers/api/sessions_controller.rb b/app/controllers/api/sessions_controller.rb new file mode 100644 index 0000000..c8deb7a --- /dev/null +++ b/app/controllers/api/sessions_controller.rb @@ -0,0 +1,44 @@ +module Api + class SessionsController < ApiController + + before_filter :require_login, only: :destroy + + def new + @session = Session.new + if authentication_errors + @errors = authentication_errors + render :status => 422 + end + end + + def create + logout if logged_in? + if params['A'] + authenticate! + else + @user = User.find_by_login(params['login']) + render :json => {salt: @user.salt} + end + end + + def update + authenticate! + @token = Token.create(:user_id => current_user.id) + session[:token] = @token.id + render :json => login_response + end + + def destroy + logout + head :no_content + end + + protected + + def login_response + handshake = session.delete(:handshake) || {} + handshake.to_hash.merge(:id => current_user.id, :token => @token.to_s) + end + + end +end diff --git a/app/controllers/api/smtp_certs_controller.rb b/app/controllers/api/smtp_certs_controller.rb new file mode 100644 index 0000000..d9eab7d --- /dev/null +++ b/app/controllers/api/smtp_certs_controller.rb @@ -0,0 +1,42 @@ +class Api::SmtpCertsController < ApiController + + before_filter :require_login + before_filter :require_email_account + before_filter :fetch_identity + before_filter :require_enabled + + # POST /1/smtp_cert + def create + @cert = ClientCertificate.new common_name: current_user.email_address + @identity.register_cert(@cert) + @identity.save + render text: @cert.to_s, content_type: 'text/plain' + end + + protected + + # + # Filters + # + + def require_email_account + access_denied unless service_level.provides? 'email' + end + + def require_enabled + access_denied unless current_user.enabled? + end + + def fetch_identity + @identity = current_user.identity + end + + # + # Helper methods + # + + def service_level + current_user.effective_service_level + end + +end diff --git a/app/controllers/api/users_controller.rb b/app/controllers/api/users_controller.rb new file mode 100644 index 0000000..e64d21f --- /dev/null +++ b/app/controllers/api/users_controller.rb @@ -0,0 +1,83 @@ +module Api + class UsersController < ApiController + include ControllerExtension::FetchUser + + # allow optional access to this controller using API auth tokens: + before_filter :token_authenticate + + before_filter :fetch_user, :only => [:update, :destroy] + before_filter :require_monitor, :only => [:index, :show] + before_filter :require_login, :only => [:index, :update, :destroy] + + respond_to :json + + # used for autocomplete for admins in the web ui + def index + if params[:query] + @users = User.login_starts_with(params[:query]) + respond_with @users.map(&:login).sort + else + render :json => {'error' => 'query required', 'status' => :unprocessable_entity} + end + end + + def show + if params[:login] + @user = User.find_by_login(params[:login]) + elsif params[:id] + @user = User.find(params[:id]) + end + if @user + respond_with @user + else + not_found + end + end + + def create + if current_user.is_monitor? + create_test_account + elsif APP_CONFIG[:allow_registration] + create_account + else + head :forbidden + end + end + + def update + @user.account.update params[:user] + respond_with @user + end + + def destroy + destroy_identity = current_user.is_monitor? || params[:identities] == "destroy" + @user.account.destroy(destroy_identity) + if @user == current_user + logout + end + render :json => {'success' => 'user deleted'} + end + + private + + # tester auth can only create test users. + def create_test_account + if User::is_test?(params[:user][:login]) + @user = Account.create(params[:user], :invite_required => false) + respond_with @user + else + head :forbidden + end + end + + def create_account + if APP_CONFIG[:allow_registration] + @user = Account.create(params[:user]) + respond_with @user # return ID instead? + else + head :forbidden + end + end + + end +end diff --git a/app/controllers/v1/certs_controller.rb b/app/controllers/v1/certs_controller.rb deleted file mode 100644 index ffa6e35..0000000 --- a/app/controllers/v1/certs_controller.rb +++ /dev/null @@ -1,31 +0,0 @@ -class V1::CertsController < ApiController - - before_filter :require_login, :unless => :anonymous_access_allowed? - before_filter :require_enabled - - # GET /cert - # deprecated - we actually create a new cert and that can - # be reflected in the action. GET /cert will eventually go - # away and be replaced by POST /cert - def show - create - end - - # POST /cert - def create - @cert = ClientCertificate.new(:prefix => service_level.cert_prefix) - render text: @cert.to_s, content_type: 'text/plain' - end - - protected - - def require_enabled - if !current_user.is_anonymous? && !current_user.enabled? - access_denied - end - end - - def service_level - current_user.effective_service_level - end -end diff --git a/app/controllers/v1/configs_controller.rb b/app/controllers/v1/configs_controller.rb deleted file mode 100644 index f0b284e..0000000 --- a/app/controllers/v1/configs_controller.rb +++ /dev/null @@ -1,37 +0,0 @@ -class V1::ConfigsController < ApiController - include ControllerExtension::JsonFile - - before_filter :require_login, :unless => :anonymous_access_allowed? - before_filter :sanitize_id, only: :show - - def index - render json: {services: service_paths} - end - - def show - send_file lookup_file - end - - protected - - SERVICE_IDS = { - soledad: "soledad-service", - eip: "eip-service", - smtp: "smtp-service" - } - - def service_paths - Hash[SERVICE_IDS.map{|k,v| [k,"/1/configs/#{v}.json"] } ] - end - - def sanitize_id - @id = params[:id].downcase - access_denied unless SERVICE_IDS.values.include? @id - end - - def lookup_file - path = APP_CONFIG[:config_file_paths][@id] - not_found if path.blank? - Rails.root.join path - end -end diff --git a/app/controllers/v1/identities_controller.rb b/app/controllers/v1/identities_controller.rb deleted file mode 100644 index 4efd1f5..0000000 --- a/app/controllers/v1/identities_controller.rb +++ /dev/null @@ -1,16 +0,0 @@ -module V1 - class IdentitiesController < ApiController - before_filter :token_authenticate - before_filter :require_monitor - - def show - @identity = Identity.find_by_address(params[:id]) - if @identity - respond_with @identity - else - render_not_found - end - end - - end -end diff --git a/app/controllers/v1/messages_controller.rb b/app/controllers/v1/messages_controller.rb deleted file mode 100644 index c0ca0c7..0000000 --- a/app/controllers/v1/messages_controller.rb +++ /dev/null @@ -1,119 +0,0 @@ -module V1 - class MessagesController < ApiController - - before_filter :require_login - - def index - if Dir.exist?(motd_dir) - if !CommonLanguages::available_code?(params[:locale]) - locale = 'en' - else - locale = params[:locale] - end - render json: motd_files_for_locale(locale) - else - render json: [] - end - end - - # disable per-user messages for now, not supported in the client - #def update - # if message = Message.find(params[:id]) - # message.mark_as_read_by(current_user) - # message.save - # render json: success(:marked_as_read) - # else - # render json: error(:not_found), status: :not_found - # end - #end - - private - - # - # returns list of messages, for example: - # - # [ - # {"id": 1, "locale": "en", "text": ""}, - # {"id": 2, "locale": "en", "text": ""} - # ] - # - # Each message is present only once, using the best choice - # for the locale. The order is determined by the id. - # - def motd_files_for_locale(locale) - files = [] - motd_files.keys.each do |id| - if motd_files[id].key?(locale) - msg_locale = locale - elsif motd_files[id].key?('en') - msg_locale = 'en' - else - msg_locale = motd_files[id].keys.first - end - files << { - "id" => id, - "locale" => msg_locale, - "text" => motd_files[id][msg_locale] - } - end - files.sort! {|a,b| a["id"].to_i <=> b["id"].to_i } - return files - end - - # - # returns messages of the day as a hash: - # { "1": {"en": "message"}, "2": {"en": "message"} } - # - def motd_files - if motd_changed? || @motd_files.nil? - @motd_files = load_motd_files - else - @motd_files - end - end - - def motd_changed? - newest = Dir.glob(File.join(motd_dir, '*.{html,md}')).collect{|file| File.mtime(file)}.max - if @timestamp.nil? - @timestamp = newest - return true - elsif @timestamp < newest - @timestamp = newest - return true - else - return false - end - end - - def load_motd_files - files = {} - Dir.glob(File.join(motd_dir, '*.{html,md}')).each do |file| - id, locale, msg = parse_motd_file(file) - next unless id - files[id] ||= {} - files[id][locale] = msg - end - files - end - - def parse_motd_file(file) - id, locale, ext = File.basename(file).split('.') - if id.nil? || locale.nil? || ext.nil? || id.to_i.to_s != id || !['md', 'html'].include?(ext) - Rails.logger.error "ERROR: Could not parse MOTD file #{file}" - return nil - end - contents = File.read(file) - if ext == "md" - msg = RDiscount.new(contents, :autolink).to_html - elsif ext == "html" - msg = File.read(file) - end - return id, locale, msg - end - - def motd_dir - File.join(APP_CONFIG['customization_directory'], 'motd') - end - - end -end diff --git a/app/controllers/v1/services_controller.rb b/app/controllers/v1/services_controller.rb deleted file mode 100644 index 523eb44..0000000 --- a/app/controllers/v1/services_controller.rb +++ /dev/null @@ -1,8 +0,0 @@ -class V1::ServicesController < ApiController - - before_filter :require_login, :unless => :anonymous_access_allowed? - - def show - respond_with current_user.effective_service_level - end -end diff --git a/app/controllers/v1/sessions_controller.rb b/app/controllers/v1/sessions_controller.rb deleted file mode 100644 index a343d9b..0000000 --- a/app/controllers/v1/sessions_controller.rb +++ /dev/null @@ -1,44 +0,0 @@ -module V1 - class SessionsController < ApiController - - before_filter :require_login, only: :destroy - - def new - @session = Session.new - if authentication_errors - @errors = authentication_errors - render :status => 422 - end - end - - def create - logout if logged_in? - if params['A'] - authenticate! - else - @user = User.find_by_login(params['login']) - render :json => {salt: @user.salt} - end - end - - def update - authenticate! - @token = Token.create(:user_id => current_user.id) - session[:token] = @token.id - render :json => login_response - end - - def destroy - logout - head :no_content - end - - protected - - def login_response - handshake = session.delete(:handshake) || {} - handshake.to_hash.merge(:id => current_user.id, :token => @token.to_s) - end - - end -end diff --git a/app/controllers/v1/smtp_certs_controller.rb b/app/controllers/v1/smtp_certs_controller.rb deleted file mode 100644 index 5760645..0000000 --- a/app/controllers/v1/smtp_certs_controller.rb +++ /dev/null @@ -1,42 +0,0 @@ -class V1::SmtpCertsController < ApiController - - before_filter :require_login - before_filter :require_email_account - before_filter :fetch_identity - before_filter :require_enabled - - # POST /1/smtp_cert - def create - @cert = ClientCertificate.new common_name: current_user.email_address - @identity.register_cert(@cert) - @identity.save - render text: @cert.to_s, content_type: 'text/plain' - end - - protected - - # - # Filters - # - - def require_email_account - access_denied unless service_level.provides? 'email' - end - - def require_enabled - access_denied unless current_user.enabled? - end - - def fetch_identity - @identity = current_user.identity - end - - # - # Helper methods - # - - def service_level - current_user.effective_service_level - end - -end diff --git a/app/controllers/v1/users_controller.rb b/app/controllers/v1/users_controller.rb deleted file mode 100644 index 6640d10..0000000 --- a/app/controllers/v1/users_controller.rb +++ /dev/null @@ -1,83 +0,0 @@ -module V1 - class UsersController < ApiController - include ControllerExtension::FetchUser - - # allow optional access to this controller using API auth tokens: - before_filter :token_authenticate - - before_filter :fetch_user, :only => [:update, :destroy] - before_filter :require_monitor, :only => [:index, :show] - before_filter :require_login, :only => [:index, :update, :destroy] - - respond_to :json - - # used for autocomplete for admins in the web ui - def index - if params[:query] - @users = User.login_starts_with(params[:query]) - respond_with @users.map(&:login).sort - else - render :json => {'error' => 'query required', 'status' => :unprocessable_entity} - end - end - - def show - if params[:login] - @user = User.find_by_login(params[:login]) - elsif params[:id] - @user = User.find(params[:id]) - end - if @user - respond_with @user - else - not_found - end - end - - def create - if current_user.is_monitor? - create_test_account - elsif APP_CONFIG[:allow_registration] - create_account - else - head :forbidden - end - end - - def update - @user.account.update params[:user] - respond_with @user - end - - def destroy - destroy_identity = current_user.is_monitor? || params[:identities] == "destroy" - @user.account.destroy(destroy_identity) - if @user == current_user - logout - end - render :json => {'success' => 'user deleted'} - end - - private - - # tester auth can only create test users. - def create_test_account - if User::is_test?(params[:user][:login]) - @user = Account.create(params[:user], :invite_required => false) - respond_with @user - else - head :forbidden - end - end - - def create_account - if APP_CONFIG[:allow_registration] - @user = Account.create(params[:user]) - respond_with @user # return ID instead? - else - head :forbidden - end - end - - end -end -- cgit v1.2.3 From 83f59164fc069f2593cf6babbc18638d9a68c9a3 Mon Sep 17 00:00:00 2001 From: Azul Date: Wed, 18 May 2016 20:21:04 +0200 Subject: features for API version 2 - keep old ones Now we test both api versions. We want this for backwards compatibility. --- app/controllers/api/configs_controller.rb | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'app/controllers') diff --git a/app/controllers/api/configs_controller.rb b/app/controllers/api/configs_controller.rb index 55ceb4f..0f9b8a6 100644 --- a/app/controllers/api/configs_controller.rb +++ b/app/controllers/api/configs_controller.rb @@ -21,7 +21,11 @@ class Api::ConfigsController < ApiController } def service_paths - Hash[SERVICE_IDS.map{|k,v| [k,"/1/configs/#{v}.json"] } ] + Hash[SERVICE_IDS.map{|k,v| [k,"/#{api_version}/configs/#{v}.json"] } ] + end + + def api_version + ["1", "2"].include?(params[:version]) ? params[:version] : "2" end def sanitize_id -- cgit v1.2.3 From 0ba0eb633e8c24086405c53f3d8a8e747f3382e4 Mon Sep 17 00:00:00 2001 From: Azul Date: Sun, 22 May 2016 21:12:42 +0200 Subject: restrict user_params in user_controller Actually this should live in a service_level_controller. For now fix the security issue. --- app/controllers/users_controller.rb | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) (limited to 'app/controllers') diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb index 1404b0e..225584f 100644 --- a/app/controllers/users_controller.rb +++ b/app/controllers/users_controller.rb @@ -39,7 +39,7 @@ class UsersController < ApplicationController ## added so updating service level works, but not sure we will actually want this. also not sure that this is place to prevent user from updating own effective service level, but here as placeholder: def update - @user.update_attributes(params[:user]) unless (!admin? and params[:user][:effective_service_level]) + @user.update_attributes(user_params) if @user.valid? flash[:notice] = I18n.t(:changes_saved) end @@ -79,4 +79,11 @@ class UsersController < ApplicationController end end + def user_params + if admin? + params.require(:user).permit(:effective_service_level) + else + params.require(:user).permit(:password, :password_confirmation) + end + end end -- cgit v1.2.3 From 7f0c42a5fa6d6c1952e53b9b73bad0202f746f3e Mon Sep 17 00:00:00 2001 From: Azul Date: Mon, 23 May 2016 11:59:41 +0200 Subject: cleanup: remove service level code from users_controller There's no route to this right now and it also seems to be tested nowhere. Since i am about to split up the users_controller let's get rid of this and put it in the place we want it once we actually finish the implementation --- app/controllers/users_controller.rb | 11 +---------- 1 file changed, 1 insertion(+), 10 deletions(-) (limited to 'app/controllers') diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb index 225584f..2816a64 100644 --- a/app/controllers/users_controller.rb +++ b/app/controllers/users_controller.rb @@ -8,7 +8,7 @@ class UsersController < ApplicationController before_filter :require_login, :except => [:new] before_filter :redirect_if_logged_in, :only => [:new] before_filter :require_admin, :only => [:index, :deactivate, :enable] - before_filter :fetch_user, :only => [:show, :edit, :update, :destroy, :deactivate, :enable] + before_filter :fetch_user, :only => [:show, :edit, :destroy, :deactivate, :enable] before_filter :require_registration_allowed, only: :new respond_to :html @@ -37,15 +37,6 @@ class UsersController < ApplicationController def edit end - ## added so updating service level works, but not sure we will actually want this. also not sure that this is place to prevent user from updating own effective service level, but here as placeholder: - def update - @user.update_attributes(user_params) - if @user.valid? - flash[:notice] = I18n.t(:changes_saved) - end - respond_with @user, :location => edit_user_path(@user) - end - def deactivate @user.account.disable flash[:notice] = I18n.t("actions.user_disabled_message", username: @user.username) -- cgit v1.2.3 From f47fc9d6522886cf81cfea26ec1f396219c539ba Mon Sep 17 00:00:00 2001 From: Azul Date: Mon, 23 May 2016 12:17:31 +0200 Subject: move signup from users to account_controller There was a lot of special case handling going on in the users_controller for this. Lot simpler this way. --- app/controllers/account_controller.rb | 17 +++++++++++++++++ app/controllers/users_controller.rb | 14 +------------- 2 files changed, 18 insertions(+), 13 deletions(-) create mode 100644 app/controllers/account_controller.rb (limited to 'app/controllers') diff --git a/app/controllers/account_controller.rb b/app/controllers/account_controller.rb new file mode 100644 index 0000000..ee7cca4 --- /dev/null +++ b/app/controllers/account_controller.rb @@ -0,0 +1,17 @@ +class AccountController < ApplicationController + + before_filter :require_registration_allowed + before_filter :redirect_if_logged_in + + def new + @user = User.new + end + + protected + + def require_registration_allowed + unless APP_CONFIG[:allow_registration] + redirect_to home_path + end + end +end diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb index 2816a64..4d198b9 100644 --- a/app/controllers/users_controller.rb +++ b/app/controllers/users_controller.rb @@ -5,11 +5,9 @@ class UsersController < ApplicationController include ControllerExtension::FetchUser - before_filter :require_login, :except => [:new] - before_filter :redirect_if_logged_in, :only => [:new] + before_filter :require_login before_filter :require_admin, :only => [:index, :deactivate, :enable] before_filter :fetch_user, :only => [:show, :edit, :destroy, :deactivate, :enable] - before_filter :require_registration_allowed, only: :new respond_to :html @@ -27,10 +25,6 @@ class UsersController < ApplicationController @users = @users.limit(100) end - def new - @user = User.new - end - def show end @@ -64,12 +58,6 @@ class UsersController < ApplicationController protected - def require_registration_allowed - unless APP_CONFIG[:allow_registration] - redirect_to home_path - end - end - def user_params if admin? params.require(:user).permit(:effective_service_level) -- cgit v1.2.3 From ad208ae3625e67c2551744df7906ebdda94d215e Mon Sep 17 00:00:00 2001 From: Azul Date: Mon, 23 May 2016 12:27:14 +0200 Subject: rename destroy_identity to release_handles This expresses the intent rather than the implementation. Also replace temp with query refactoring. --- app/controllers/api/users_controller.rb | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'app/controllers') diff --git a/app/controllers/api/users_controller.rb b/app/controllers/api/users_controller.rb index e64d21f..c79a729 100644 --- a/app/controllers/api/users_controller.rb +++ b/app/controllers/api/users_controller.rb @@ -50,8 +50,7 @@ module Api end def destroy - destroy_identity = current_user.is_monitor? || params[:identities] == "destroy" - @user.account.destroy(destroy_identity) + @user.account.destroy(release_handles) if @user == current_user logout end @@ -60,6 +59,10 @@ module Api private + def release_handles + current_user.is_monitor? || params[:identities] == "destroy" + end + # tester auth can only create test users. def create_test_account if User::is_test?(params[:user][:login]) -- cgit v1.2.3 From ab1917c5fe0f03e7719863a5598ad575d9fef302 Mon Sep 17 00:00:00 2001 From: NavaL Date: Thu, 14 Jul 2016 15:06:20 +0200 Subject: [feature] restrict is_admin in the user api, to only allow querying for him/herself So that it we do not expose the is_admin property to anyone else including other admins. --- app/controllers/api/users_controller.rb | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) (limited to 'app/controllers') diff --git a/app/controllers/api/users_controller.rb b/app/controllers/api/users_controller.rb index c79a729..709e076 100644 --- a/app/controllers/api/users_controller.rb +++ b/app/controllers/api/users_controller.rb @@ -28,12 +28,20 @@ module Api @user = User.find(params[:id]) end if @user - respond_with @user + respond_with user_response else not_found end end + def user_response + @user.to_hash.tap do |user_hash| + if @user == current_user + user_hash['is_admin'] = @user.is_admin? + end + end + end + def create if current_user.is_monitor? create_test_account -- cgit v1.2.3 From 20bb76848b852bba9ab3c99b1c2a68464585bd56 Mon Sep 17 00:00:00 2001 From: Azul Date: Wed, 17 Aug 2016 16:11:46 +0200 Subject: bugfix: send 406 if an unexpected format is asked for It used to run the action and then trigger a 500 because the template was not found. fixes !3 . --- app/controllers/application_controller.rb | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) (limited to 'app/controllers') diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 2af2f29..61ced21 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -1,5 +1,6 @@ class ApplicationController < ActionController::Base protect_from_forgery + before_action :check_mime_types before_filter :set_locale before_filter :no_cache_header before_filter :no_frame_header @@ -9,8 +10,26 @@ class ApplicationController < ActionController::Base ActiveSupport.run_load_hooks(:application_controller, self) + # by default we only respond to html. + # If you want to respond with json you are probably working on + # an ApiController. + respond_to :html + protected + # UPGRADE: this won't be needed in Rails 5 anymore as it's the default + # behavior if a template is present but a different format would be + # rendered and that template is not present + def check_mime_types + mimes = collect_mimes_from_class_level() + return if mimes.empty? + + collector = ActionController::MimeResponds::Collector.new(mimes, request.variant) + unless collector.negotiate_format(request) + raise ActionController::UnknownFormat + end + end + def default_error_handler(exc) respond_to do |format| format.json { render_json_error(exc) } -- cgit v1.2.3 From fbad882075e745ab7afbe5f89c67544fb3c607c3 Mon Sep 17 00:00:00 2001 From: Azul Date: Thu, 18 Aug 2016 11:00:16 +0200 Subject: respond_to on a per controller basis If you inherit respond to and call it again in your controller it will not overwrite the previous but add to it. Since we always have some exceptions from the rules it's probably easiest to be explicit in the controllers that require it themselves. --- app/controllers/account_controller.rb | 2 ++ app/controllers/account_settings_controller.rb | 0 app/controllers/api/identities_controller.rb | 2 ++ app/controllers/api/services_controller.rb | 2 ++ app/controllers/api/sessions_controller.rb | 1 + app/controllers/api_controller.rb | 1 - app/controllers/application_controller.rb | 26 +++++++++----------------- app/controllers/errors_controller.rb | 2 ++ app/controllers/home_controller.rb | 2 ++ app/controllers/pages_controller.rb | 2 ++ app/controllers/sessions_controller.rb | 3 ++- app/controllers/users_controller.rb | 2 +- 12 files changed, 25 insertions(+), 20 deletions(-) delete mode 100644 app/controllers/account_settings_controller.rb (limited to 'app/controllers') diff --git a/app/controllers/account_controller.rb b/app/controllers/account_controller.rb index ee7cca4..42e8983 100644 --- a/app/controllers/account_controller.rb +++ b/app/controllers/account_controller.rb @@ -3,6 +3,8 @@ class AccountController < ApplicationController before_filter :require_registration_allowed before_filter :redirect_if_logged_in + respond_to :html + def new @user = User.new end diff --git a/app/controllers/account_settings_controller.rb b/app/controllers/account_settings_controller.rb deleted file mode 100644 index e69de29..0000000 diff --git a/app/controllers/api/identities_controller.rb b/app/controllers/api/identities_controller.rb index ab2ac00..de4910a 100644 --- a/app/controllers/api/identities_controller.rb +++ b/app/controllers/api/identities_controller.rb @@ -3,6 +3,8 @@ module Api before_filter :token_authenticate before_filter :require_monitor + respond_to :json + def show @identity = Identity.find_by_address(params[:id]) if @identity diff --git a/app/controllers/api/services_controller.rb b/app/controllers/api/services_controller.rb index da2774b..58e129c 100644 --- a/app/controllers/api/services_controller.rb +++ b/app/controllers/api/services_controller.rb @@ -2,6 +2,8 @@ class Api::ServicesController < ApiController before_filter :require_login, :unless => :anonymous_access_allowed? + respond_to :json + def show respond_with current_user.effective_service_level end diff --git a/app/controllers/api/sessions_controller.rb b/app/controllers/api/sessions_controller.rb index c8deb7a..178f86e 100644 --- a/app/controllers/api/sessions_controller.rb +++ b/app/controllers/api/sessions_controller.rb @@ -2,6 +2,7 @@ module Api class SessionsController < ApiController before_filter :require_login, only: :destroy + respond_to :json def new @session = Session.new diff --git a/app/controllers/api_controller.rb b/app/controllers/api_controller.rb index 70b3cac..95c8f57 100644 --- a/app/controllers/api_controller.rb +++ b/app/controllers/api_controller.rb @@ -1,7 +1,6 @@ class ApiController < ApplicationController skip_before_filter :verify_authenticity_token - respond_to :json protected diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 61ced21..8d08a2c 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -1,33 +1,25 @@ class ApplicationController < ActionController::Base protect_from_forgery - before_action :check_mime_types before_filter :set_locale before_filter :no_cache_header before_filter :no_frame_header before_filter :language_header + + # UPGRADE: this won't be needed in Rails 5 anymore as it's the default + # behavior if a template is present but a different format would be + # rendered and that template is not present + before_filter :verify_request_format!, if: :mime_types_specified + rescue_from StandardError, :with => :default_error_handler rescue_from CouchRest::Exception, :with => :default_error_handler ActiveSupport.run_load_hooks(:application_controller, self) - # by default we only respond to html. - # If you want to respond with json you are probably working on - # an ApiController. - respond_to :html - protected - # UPGRADE: this won't be needed in Rails 5 anymore as it's the default - # behavior if a template is present but a different format would be - # rendered and that template is not present - def check_mime_types - mimes = collect_mimes_from_class_level() - return if mimes.empty? - - collector = ActionController::MimeResponds::Collector.new(mimes, request.variant) - unless collector.negotiate_format(request) - raise ActionController::UnknownFormat - end + def mime_types_specified + mimes = collect_mimes_from_class_level + mimes.present? end def default_error_handler(exc) diff --git a/app/controllers/errors_controller.rb b/app/controllers/errors_controller.rb index d869ab5..80c270f 100644 --- a/app/controllers/errors_controller.rb +++ b/app/controllers/errors_controller.rb @@ -1,5 +1,7 @@ # We render http errors ourselves so we can customize them class ErrorsController < ApplicationController + respond_to :html + # 404 def not_found render status: 404 diff --git a/app/controllers/home_controller.rb b/app/controllers/home_controller.rb index 1d62178..86c36e9 100644 --- a/app/controllers/home_controller.rb +++ b/app/controllers/home_controller.rb @@ -1,6 +1,8 @@ class HomeController < ApplicationController layout 'home' + respond_to :html + def index if logged_in? redirect_to current_user diff --git a/app/controllers/pages_controller.rb b/app/controllers/pages_controller.rb index e0f39e3..b9c601a 100644 --- a/app/controllers/pages_controller.rb +++ b/app/controllers/pages_controller.rb @@ -2,7 +2,9 @@ # Render static pages # + class PagesController < ApplicationController + respond_to :html def show @show_navigation = false diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb index 34d4f53..18e5216 100644 --- a/app/controllers/sessions_controller.rb +++ b/app/controllers/sessions_controller.rb @@ -1,6 +1,7 @@ class SessionsController < ApplicationController before_filter :redirect_if_logged_in, :only => [:new] + respond_to :html, :json def new @session = Session.new @@ -16,7 +17,7 @@ class SessionsController < ApplicationController end # - # Warden will catch all 401s and run this instead: + # Warden will catch all 401s and triggers this action: # def unauthenticated login_required diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb index 4d198b9..0a0f551 100644 --- a/app/controllers/users_controller.rb +++ b/app/controllers/users_controller.rb @@ -7,7 +7,7 @@ class UsersController < ApplicationController before_filter :require_login before_filter :require_admin, :only => [:index, :deactivate, :enable] - before_filter :fetch_user, :only => [:show, :edit, :destroy, :deactivate, :enable] + before_filter :fetch_user, :except => [:index] respond_to :html -- cgit v1.2.3