foreman/app/models/user.rb @ bb3572ff
| 1678e0e1 | Dominic Cleal | # encoding: UTF-8
|
|
| 686cb440 | Ohad Levy | require 'digest/sha1'
|
|
| 1ba05a93 | Ohad Levy | class User < ActiveRecord::Base
|
|
| acfbc458 | Marek Hulan | include Authorizable
|
|
| 8b737c9c | Joseph Magen | extend FriendlyId
|
|
friendly_id :login
|
|||
| 475cdc84 | Ohad Levy | include Foreman::ThreadSession::UserModel
|
|
| 611f5bff | Amos Benari | include Taxonomix
|
|
| 95239600 | Marek Hulan | include DirtyAssociations
|
|
| 9c864cb6 | Ohad Levy | audited :except => [:last_login_on, :password, :password_hash, :password_salt, :password_confirmation], :allow_mass_assignment => true
|
|
| 475cdc84 | Ohad Levy | ||
| e07f9a12 | Dominic Cleal | ANONYMOUS_ADMIN = 'foreman_admin'
|
|
ANONYMOUS_API_ADMIN = 'foreman_api_admin'
|
|||
| 3034e8e2 | Ori Rabin | validates_lengths_from_database :except => [:firstname, :lastname, :format, :mail, :login]
|
|
| 7a4ec5cf | Paul Kelly | attr_protected :password_hash, :password_salt, :admin
|
|
| 355bce36 | Ohad Levy | attr_accessor :password, :password_confirmation
|
|
| a0bd5bb2 | Maria Nita | after_save :ensure_default_role
|
|
| 54141ab9 | Daniel Lobato | before_destroy EnsureNotUsedBy.new(:direct_hosts), :ensure_hidden_users_are_not_deleted, :ensure_last_admin_is_not_deleted
|
|
| 7a4ec5cf | Paul Kelly | ||
| 1ba05a93 | Ohad Levy | belongs_to :auth_source
|
|
| 7e1f0c79 | Daniel Lobato | belongs_to :default_organization, :class_name => 'Organization'
|
|
belongs_to :default_location, :class_name => 'Location'
|
|||
| eec062e6 | Ohad Levy | has_many :auditable_changes, :class_name => '::Audit', :as => :user
|
|
| 7e1f0c79 | Daniel Lobato | has_many :direct_hosts, :class_name => 'Host', :as => :owner
|
|
has_many :usergroup_member, :dependent => :destroy, :as => :member
|
|||
has_many :user_roles, :dependent => :destroy, :foreign_key => 'owner_id', :conditions => {:owner_type => self.to_s}
|
|||
| acfbc458 | Marek Hulan | has_many :cached_user_roles, :dependent => :destroy
|
|
| 7e1f0c79 | Daniel Lobato | has_many :cached_usergroups, :through => :cached_usergroup_members, :source => :usergroup
|
|
has_many :cached_roles, :through => :cached_user_roles, :source => :role, :uniq => true
|
|||
| 5db9d353 | Marek Hulan | has_many :usergroups, :through => :usergroup_member, :dependent => :destroy
|
|
has_many :roles, :through => :user_roles, :dependent => :destroy
|
|||
| 7e1f0c79 | Daniel Lobato | has_many :filters, :through => :cached_roles
|
|
has_many :permissions, :through => :filters
|
|||
has_many :cached_usergroup_members
|
|||
| 42117380 | Tomer Brisker | has_many :widgets, :dependent => :destroy
|
|
| 7e1f0c79 | Daniel Lobato | ||
| 3a36bdf6 | Stephen Benjamin | has_many :user_mail_notifications, :dependent => :destroy
|
|
has_many :mail_notifications, :through => :user_mail_notifications
|
|||
accepts_nested_attributes_for :user_mail_notifications, :allow_destroy => true, :reject_if => :reject_empty_intervals
|
|||
| 3b656b8d | Joseph Mitchell Magen | attr_name :login
|
|
| 9fd7478e | Paul Kelly | ||
| acfbc458 | Marek Hulan | scope :except_admin, lambda {
|
|
includes(:cached_usergroups).
|
|||
where(["(#{self.table_name}.admin = ? OR #{self.table_name}.admin IS NULL) AND " +
|
|||
"(#{Usergroup.table_name}.admin = ? OR #{Usergroup.table_name}.admin IS NULL)",
|
|||
false, false])
|
|||
}
|
|||
scope :only_admin, lambda {
|
|||
includes(:cached_usergroups).
|
|||
where(["#{self.table_name}.admin = ? OR #{Usergroup.table_name}.admin = ?", true, true])
|
|||
}
|
|||
| e07f9a12 | Dominic Cleal | scope :except_hidden, lambda {
|
|
if (hidden = AuthSourceHidden.all).present?
|
|||
where("#{self.table_name}.auth_source_id <> ?", hidden)
|
|||
end
|
|||
}
|
|||
| bb3572ff | Daniel Lobato | scope :visible, -> { except_hidden }
|
|
scope :completer_scope, ->(opts) { visible }
|
|||
| 611f5bff | Amos Benari | ||
| bd6b4271 | Christine Fouant | validates :mail, :format => { :with => /\A(([\w!#\$%&\'\*\+\-\/=\?\^`\{\|\}~]+((\.\"[\w!#\$%&\'\*\+\-\/=\?\^`\{\|\}~\"\(\),:;<>@\[\\\] ]+(\.[\w!#\$%&\'\*\+\-\/=\?\^`\{\|\}~\"\(\),:;<>@\[\\\] ]+)*\")*\.[\w!#\$%&\'\*\+\-\/=\?\^`\{\|\}~]+)*)|(\"[\w !#\$%&\'\*\+\-\/=\?\^`\{\|\}~\"\(\),:;<>@\[\\\] ]+(\.[\w !#\$%&\'\*\+\-\/=\?\^`\{\|\}~\"\(\),:;<>@\[\\\] ]+)*\"))
|
|
@[a-z0-9]+((\.[a-z0-9]+)*|(\-[a-z0-9]+)*)*\z/ix },
|
|||
| 306ed25a | rbirnie | :length => { :maximum => 60 },
|
|
:allow_blank => true
|
|||
| e07f9a12 | Dominic Cleal | validates :mail, :presence => true, :on => :update,
|
|
| 564b322f | Tom Caspy | :if => Proc.new { |u| !AuthSourceHidden.where(:id => u.auth_source_id).any? && u.mail_was.present? }
|
|
| 306ed25a | rbirnie | ||
| a6b0eeb0 | Joseph Magen | validates :locale, :format => { :with => /\A\w{2}([_-]\w{2})?\Z/ }, :allow_blank => true, :if => Proc.new { |user| user.respond_to?(:locale) }
|
|
| e2c2abfe | Lukas Zapletal | before_validation :normalize_locale
|
|
| 1678e0e1 | Dominic Cleal | def self.name_format
|
|
| 51a88438 | Shlomi Zadok | /\A[[:alnum:]\s'_\-\.()<>;=,]*\z/
|
|
| 1678e0e1 | Dominic Cleal | end
|
|
| 6be0508b | Stephen Benjamin | validates :login, :presence => true, :uniqueness => {:case_sensitive => false, :message => N_("already exists")},
|
|
| a6b0eeb0 | Joseph Magen | :format => {:with => /\A[[:alnum:]_\-@\.]*\Z/}, :length => {:maximum => 100}
|
|
| f2c78d4a | Joseph Magen | validates :auth_source_id, :presence => true
|
|
validates :password_hash, :presence => true, :if => Proc.new {|user| user.manage_password?}
|
|||
| 96144a47 | Daniel Lobato | validates :password, :confirmation => true, :if => Proc.new {|user| user.manage_password?},
|
|
:unless => Proc.new {|user| user.password.empty?}
|
|||
| 1678e0e1 | Dominic Cleal | validates :firstname, :lastname, :format => {:with => name_format}, :length => {:maximum => 50}, :allow_nil => true
|
|
| e07f9a12 | Dominic Cleal | validate :name_used_in_a_usergroup, :ensure_hidden_users_are_not_renamed, :ensure_hidden_users_remain_admin,
|
|
:ensure_privileges_not_escalated, :default_organization_inclusion, :default_location_inclusion,
|
|||
| f97fbd6f | Shlomi Zadok | :ensure_last_admin_remains_admin, :hidden_authsource_restricted, :validate_timezone, :ensure_admin_password_changed_by_admin
|
|
| fe728c74 | Ohad Levy | before_validation :prepare_password, :normalize_mail
|
|
| 6be0508b | Stephen Benjamin | before_save :set_lower_login
|
|
| 9fd7478e | Paul Kelly | ||
| 3a36bdf6 | Stephen Benjamin | after_create :welcome_mail
|
|
| ad00a109 | Daniel Lobato | after_create :set_default_widgets
|
|
| 3a36bdf6 | Stephen Benjamin | ||
| 4a8190ef | Ohad Levy | scoped_search :on => :login, :complete_value => :true
|
|
scoped_search :on => :firstname, :complete_value => :true
|
|||
scoped_search :on => :lastname, :complete_value => :true
|
|||
scoped_search :on => :mail, :complete_value => :true
|
|||
| acfbc458 | Marek Hulan | scoped_search :on => :admin, :complete_value => { :true => true, :false => false }, :ext_method => :search_by_admin
|
|
| 273b110a | Amos Benari | scoped_search :on => :last_login_on, :complete_value => :true, :only_explicit => true
|
|
| 57280886 | Greg Sutcliffe | scoped_search :in => :roles, :on => :name, :rename => :role, :complete_value => true
|
|
| 1b784c5b | Tomer Brisker | scoped_search :in => :roles, :on => :id, :rename => :role_id, :complete_enabled => false, :only_explicit => true
|
|
| acfbc458 | Marek Hulan | scoped_search :in => :cached_usergroups, :on => :name, :rename => :usergroup, :complete_value => true
|
|
| 4a8190ef | Ohad Levy | ||
| 611f5bff | Amos Benari | default_scope lambda {
|
|
| cad9cce9 | Dominic Cleal | with_taxonomy_scope do
|
|
| 611f5bff | Amos Benari | order('firstname')
|
|
end
|
|||
}
|
|||
| 95239600 | Marek Hulan | dirty_has_many_associations :roles
|
|
| acfbc458 | Marek Hulan | def can?(permission, subject = nil)
|
|
if self.admin?
|
|||
true
|
|||
else
|
|||
@authorizer ||= Authorizer.new(self)
|
|||
@authorizer.can?(permission, subject)
|
|||
end
|
|||
end
|
|||
def self.search_by_admin(key, operator, value)
|
|||
value = value == 'true'
|
|||
value = !value if operator == '<>'
|
|||
conditions = [self.table_name, Usergroup.table_name].map do |base|
|
|||
"(#{base}.admin = ?" + (value ? ')' : " OR #{base}.admin IS NULL)")
|
|||
end
|
|||
conditions = conditions.join(value ? ' OR ' : ' AND ')
|
|||
{
|
|||
| 96144a47 | Daniel Lobato | :include => :cached_usergroups,
|
|
:conditions => sanitize_sql_for_conditions([conditions, value, value])
|
|||
| acfbc458 | Marek Hulan | }
|
|
end
|
|||
# note that if you assign user new usergroups which change the admin flag you must save
|
|||
# the record before #admin? will reflect this
|
|||
def admin?
|
|||
read_attribute(:admin) || cached_usergroups.any?(&:admin?)
|
|||
end
|
|||
| e07f9a12 | Dominic Cleal | def hidden?
|
|
| cd032085 | Daniel Lobato | auth_source.is_a? AuthSourceHidden
|
|
| e07f9a12 | Dominic Cleal | end
|
|
| 3a36bdf6 | Stephen Benjamin | def internal?
|
|
| cd032085 | Daniel Lobato | auth_source.is_a? AuthSourceInternal
|
|
| 3a36bdf6 | Stephen Benjamin | end
|
|
| 1ba05a93 | Ohad Levy | def to_label
|
|
| 6f85b289 | Joseph Mitchell Magen | (firstname.present? || lastname.present?) ? "#{firstname} #{lastname}" : login
|
|
| 1ba05a93 | Ohad Levy | end
|
|
| 9c0e127b | Paul Kelly | alias_method :name, :to_label
|
|
| 01984fb7 | Amos Benari | def to_param
|
|
| e768c976 | Tomas Strachota | Parameterizable.parameterize("#{id}-#{login}")
|
|
| 01984fb7 | Amos Benari | end
|
|
| 9c0e127b | Paul Kelly | def <=>(other)
|
|
| 9fd7478e | Paul Kelly | self.name.downcase <=> other.name.downcase
|
|
| 9c0e127b | Paul Kelly | end
|
|
# The text item to see in a select dropdown menu
|
|||
def select_title
|
|||
| 6874bbd9 | Paul Kelly | to_label + " (#{login})"
|
|
| 9c0e127b | Paul Kelly | end
|
|
| 1ba05a93 | Ohad Levy | ||
| e07f9a12 | Dominic Cleal | def self.anonymous_admin
|
|
| fbea42c9 | David Davis | unscoped.find_by_login ANONYMOUS_ADMIN or raise Foreman::Exception.new(N_("Anonymous admin user %s is missing, run foreman-rake db:seed"), ANONYMOUS_ADMIN)
|
|
| f5df7d44 | Paul Kelly | end
|
|
| e07f9a12 | Dominic Cleal | def self.anonymous_api_admin
|
|
| fbea42c9 | David Davis | unscoped.find_by_login ANONYMOUS_API_ADMIN or raise Foreman::Exception.new(N_("Anonymous admin user %s is missing, run foreman-rake db:seed"), ANONYMOUS_API_ADMIN)
|
|
| 518d50bb | Petr Chalupa | end
|
|
| 9fd7478e | Paul Kelly | # Tries to find the user in the DB and then authenticate against their authentication source
|
|
| 64ca11af | Ohad Levy | # If the user is not in the DB then try to login the user on each available authentication source
|
|
| 9fd7478e | Paul Kelly | # If this succeeds then copy the user's details from the authentication source into the User table
|
|
# Returns : User object OR nil
|
|||
| 1ba05a93 | Ohad Levy | def self.try_to_login(login, password)
|
|
# Make sure no one can sign in with an empty password
|
|||
return nil if password.to_s.empty?
|
|||
| 9fd7478e | Paul Kelly | ||
| 884c9b25 | Ohad Levy | # user is already in local database
|
|
| 9d0473aa | Ohad Levy | if (user = unscoped.find_by_login(login))
|
|
| 884c9b25 | Ohad Levy | # user has an authentication method and the authentication was successful
|
|
| d424cab5 | Stephen Benjamin | if user.auth_source and attrs=user.auth_source.authenticate(login, password)
|
|
| 516b5720 | Dominic Cleal | logger.debug "Authenticated user #{user.login} against #{user.auth_source} authentication source"
|
|
| d424cab5 | Stephen Benjamin | ||
# update with returned attrs, maybe some info changed in LDAP
|
|||
old_hash = user.avatar_hash
|
|||
| e07f9a12 | Dominic Cleal | User.as_anonymous_admin do
|
|
| 516b5720 | Dominic Cleal | if attrs.is_a? Hash
|
|
valid_attrs = attrs.slice(:firstname, :lastname, :mail, :avatar_hash).delete_if { |k, v| v.blank? }
|
|||
logger.debug("Updating user #{user.login} attributes from auth source: #{attrs.keys}")
|
|||
user.update_attributes(valid_attrs)
|
|||
end
|
|||
| 01f8b024 | Daniel Lobato | user.auth_source.update_usergroups(login)
|
|
end
|
|||
| d424cab5 | Stephen Benjamin | ||
# clean up old avatar if it exists and the image isn't in use by anyone else
|
|||
if old_hash.present? && user.avatar_hash != old_hash && !User.unscoped.where(:avatar_hash => old_hash).any?
|
|||
File.delete "#{Rails.public_path}/avatars/#{old_hash}.jpg" if File.exist? old_avatar
|
|||
end
|
|||
| 9fd7478e | Paul Kelly | else
|
|
| 516b5720 | Dominic Cleal | logger.debug "Failed to authenticate #{user.login} against #{user.auth_source} authentication source"
|
|
| 884c9b25 | Ohad Levy | user = nil
|
|
| 1ba05a93 | Ohad Levy | end
|
|
else
|
|||
| 884c9b25 | Ohad Levy | user = try_to_auto_create_user(login, password)
|
|
end
|
|||
if user
|
|||
| b7589c32 | Jan Pazdziora | user.post_successful_login
|
|
| 884c9b25 | Ohad Levy | else
|
|
logger.info "invalid user"
|
|||
User.current = nil
|
|||
| 1ba05a93 | Ohad Levy | end
|
|
| 884c9b25 | Ohad Levy | user
|
|
| 1ba05a93 | Ohad Levy | end
|
|
| b7589c32 | Jan Pazdziora | def post_successful_login
|
|
| 516b5720 | Dominic Cleal | logger.debug "Post-login processing for #{login}"
|
|
| e07f9a12 | Dominic Cleal | User.as_anonymous_admin do
|
|
| b7589c32 | Jan Pazdziora | self.update_attribute(:last_login_on, Time.now.utc)
|
|
anonymous = Role.find_by_name("Anonymous")
|
|||
self.roles << anonymous unless self.roles.include?(anonymous)
|
|||
end
|
|||
| e07f9a12 | Dominic Cleal | User.current = self
|
|
| b7589c32 | Jan Pazdziora | end
|
|
| 8ffa0b9a | Jan Pazdziora | def self.find_or_create_external_user(attrs, auth_source_name)
|
|
| 1e8a5084 | Jan Pazdziora | external_groups = attrs.delete(:groups)
|
|
auth_source = AuthSource.find_by_name(auth_source_name)
|
|||
# existing user, we'll update them
|
|||
| 8ffa0b9a | Jan Pazdziora | if (user = unscoped.find_by_login(attrs[:login]))
|
|
| 1e8a5084 | Jan Pazdziora | # we know this auth source and it's user's auth source, we'll update user attributes
|
|
if auth_source && (user.auth_source_id == auth_source.id)
|
|||
auth_source_external_groups = auth_source.external_usergroups.pluck(:usergroup_id)
|
|||
new_usergroups = user.usergroups.includes(:external_usergroups).where('usergroups.id NOT IN (?)', auth_source_external_groups)
|
|||
new_usergroups += auth_source.external_usergroups.includes(:usergroup).where(:name => external_groups).map(&:usergroup)
|
|||
user.update_attributes(Hash[attrs.select { |k, v| v.present? }])
|
|||
user.usergroups = new_usergroups.uniq
|
|||
end
|
|||
| b7589c32 | Jan Pazdziora | return true
|
|
| 1e8a5084 | Jan Pazdziora | # not existing user and creating is disabled by settings
|
|
| b7589c32 | Jan Pazdziora | elsif auth_source_name.nil?
|
|
return false
|
|||
| 1e8a5084 | Jan Pazdziora | # not existing user and auth source is set, we'll create the user and auth source if needed
|
|
| b7589c32 | Jan Pazdziora | else
|
|
| e07f9a12 | Dominic Cleal | User.as_anonymous_admin do
|
|
| 1e8a5084 | Jan Pazdziora | auth_source = AuthSourceExternal.create!(:name => auth_source_name) if auth_source.nil?
|
|
| 8ffa0b9a | Jan Pazdziora | user = User.create!(attrs.merge(:auth_source => auth_source))
|
|
| fdc476db | Jan Pazdziora | if external_groups.present?
|
|
| 1e8a5084 | Jan Pazdziora | user.usergroups = auth_source.external_usergroups.where(:name => external_groups).map(&:usergroup).uniq
|
|
| fdc476db | Jan Pazdziora | end
|
|
| b7589c32 | Jan Pazdziora | user.post_successful_login
|
|
end
|
|||
return true
|
|||
end
|
|||
end
|
|||
| 6be0508b | Stephen Benjamin | def self.find_by_login(login)
|
|
find_by_lower_login(login.to_s.downcase)
|
|||
end
|
|||
def set_lower_login
|
|||
self.lower_login = login.downcase unless login.blank?
|
|||
end
|
|||
| 7a4ec5cf | Paul Kelly | def matching_password?(pass)
|
|
self.password_hash == encrypt_password(pass)
|
|||
end
|
|||
| 9fd7478e | Paul Kelly | def my_usergroups
|
|
| 9c0e127b | Paul Kelly | all_groups = []
|
|
for usergroup in usergroups
|
|||
all_groups += usergroup.all_usergroups
|
|||
end
|
|||
| 9fd7478e | Paul Kelly | all_groups.uniq
|
|
end
|
|||
def indirect_hosts
|
|||
my_usergroups.map{|g| g.hosts}.flatten.uniq
|
|||
| 9c0e127b | Paul Kelly | end
|
|
def hosts
|
|||
direct_hosts + indirect_hosts
|
|||
end
|
|||
def recipients
|
|||
[mail]
|
|||
end
|
|||
| 3a36bdf6 | Stephen Benjamin | def mail_enabled?
|
|
mail_enabled && !mail.empty?
|
|||
end
|
|||
def recipients_for(notification)
|
|||
self.receives?(notification) ? [self] : []
|
|||
end
|
|||
def receives?(notification)
|
|||
return false unless mail_enabled?
|
|||
self.mail_notifications.include? MailNotification[notification]
|
|||
end
|
|||
| 7a4ec5cf | Paul Kelly | def manage_password?
|
|
| f97fbd6f | Shlomi Zadok | return false if self.admin? && !User.current.try(:admin?)
|
|
auth_source && auth_source.can_set_password?
|
|||
| 7a4ec5cf | Paul Kelly | end
|
|
| 9fd7478e | Paul Kelly | # Return true if the user is allowed to do the specified action
|
|
# action can be:
|
|||
# * a parameter-like Hash (eg. :controller => 'projects', :action => 'edit')
|
|||
# * a permission Symbol (eg. :edit_project)
|
|||
| 355bce36 | Ohad Levy | def allowed_to?(action)
|
|
| 9fd7478e | Paul Kelly | return true if admin?
|
|
| 355bce36 | Ohad Levy | if action.is_a? Hash
|
|
# normalize controller name
|
|||
action[:controller] = action[:controller].to_s.gsub(/::/, "_").sub(/^\//,'').underscore
|
|||
return true if editing_self?(action)
|
|||
end
|
|||
| acfbc458 | Marek Hulan | cached_roles.detect {|role| role.allowed_to?(action)}.present?
|
|
| 9fd7478e | Paul Kelly | end
|
|
def logged?
|
|||
true
|
|||
end
|
|||
| bae665de | Marek Hulan | # user must be assigned all given roles in order to delegate them
|
|
def can_assign?(roles)
|
|||
can_change_admin_flag? || roles.all? { |r| self.role_ids_was.include?(r) }
|
|||
end
|
|||
# only admin can change admin flag
|
|||
def can_change_admin_flag?
|
|||
self.admin?
|
|||
end
|
|||
| 355bce36 | Ohad Levy | def editing_self?(options = {})
|
|
options[:controller].to_s == 'users' &&
|
|||
options[:action] =~ /edit|update/ &&
|
|||
options[:id].to_i == self.id
|
|||
end
|
|||
| 1fa008a4 | Joseph Magen | def taxonomy_foreign_conditions
|
|
{ :owner_id => id }
|
|||
end
|
|||
| 7e1f0c79 | Daniel Lobato | def set_current_taxonomies
|
|
['location', 'organization'].each do |taxonomy|
|
|||
default_taxonomy = self.send "default_#{taxonomy}"
|
|||
if default_taxonomy.present?
|
|||
taxonomy.classify.constantize.send 'current=', default_taxonomy
|
|||
session["#{taxonomy}_id"] = default_taxonomy.id
|
|||
end
|
|||
end
|
|||
TopbarSweeper.expire_cache(self)
|
|||
end
|
|||
| 53516db7 | Joseph Magen | def taxonomy_and_child_ids(taxonomies)
|
|
ids = []
|
|||
send(taxonomies).each do |taxonomy|
|
|||
ids += taxonomy.subtree_ids
|
|||
end
|
|||
| 96144a47 | Daniel Lobato | ids.uniq
|
|
| 53516db7 | Joseph Magen | end
|
|
def location_and_child_ids
|
|||
taxonomy_and_child_ids(:locations)
|
|||
end
|
|||
def organization_and_child_ids
|
|||
taxonomy_and_child_ids(:organizations)
|
|||
end
|
|||
| e07f9a12 | Dominic Cleal | def self.random_password(size = 16)
|
|
set = ('a' .. 'z').to_a + ('A' .. 'Z').to_a + ('0' .. '9').to_a - %w(0 1 O I l)
|
|||
size.times.collect {|i| set[rand(set.size)] }.join
|
|||
end
|
|||
| 70acceb5 | Greg Sutcliffe | def expire_topbar_cache(sweeper)
|
|
sweeper.expire_fragment(TopbarSweeper.fragment_name(id))
|
|||
end
|
|||
| 01f8b024 | Daniel Lobato | def external_usergroups
|
|
usergroups.flat_map(&:external_usergroups).select { |group| group.auth_source == self.auth_source }
|
|||
end
|
|||
| 7a4ec5cf | Paul Kelly | private
|
|
def prepare_password
|
|||
unless password.blank?
|
|||
self.password_salt = Digest::SHA1.hexdigest([Time.now, rand].join)
|
|||
self.password_hash = encrypt_password(password)
|
|||
end
|
|||
end
|
|||
| 3a36bdf6 | Stephen Benjamin | def welcome_mail
|
|
return unless mail_enabled? && internal? && Setting[:send_welcome_email]
|
|||
| c8042418 | Dominic Cleal | MailNotification[:welcome].deliver(:user => self)
|
|
| 3a36bdf6 | Stephen Benjamin | end
|
|
| 7a4ec5cf | Paul Kelly | def encrypt_password(pass)
|
|
Digest::SHA1.hexdigest([pass, password_salt].join)
|
|||
end
|
|||
| 9c0e127b | Paul Kelly | ||
| 884c9b25 | Ohad Levy | def self.try_to_auto_create_user(login, password)
|
|
return nil if login.blank? or password.blank?
|
|||
# user is not yet registered, try to authenticate with available sources
|
|||
| 516b5720 | Dominic Cleal | logger.debug "Attempting to log into an auth source as #{login} for account auto-creation"
|
|
| 67799065 | Ohad Levy | if (attrs = AuthSource.authenticate(login, password))
|
|
| 6421fa1c | Daniel Lobato | attrs.delete(:dn)
|
|
| 64ca11af | Ohad Levy | user = new(attrs)
|
|
| 884c9b25 | Ohad Levy | user.login = login
|
|
# The default user can't auto create users, we need to change to Admin for this to work
|
|||
| e07f9a12 | Dominic Cleal | User.as_anonymous_admin do
|
|
| 884c9b25 | Ohad Levy | if user.save
|
|
| 01f8b024 | Daniel Lobato | AuthSource.find(attrs[:auth_source_id]).update_usergroups(login)
|
|
| 884c9b25 | Ohad Levy | logger.info "User '#{user.login}' auto-created from #{user.auth_source}"
|
|
else
|
|||
logger.info "Failed to save User '#{user.login}' #{user.errors.full_messages}"
|
|||
user = nil
|
|||
end
|
|||
end
|
|||
| 017e1049 | Ohad Levy | user
|
|
| 884c9b25 | Ohad Levy | end
|
|
end
|
|||
| e2c2abfe | Lukas Zapletal | def normalize_locale
|
|
| 111b0459 | Daniel Lobato | self.locale = nil if self.respond_to?(:locale) && locale.empty?
|
|
| e2c2abfe | Lukas Zapletal | end
|
|
| fe728c74 | Ohad Levy | def normalize_mail
|
|
| bd6b4271 | Christine Fouant | self.mail.strip! unless mail.blank?
|
|
| fe728c74 | Ohad Levy | end
|
|
| 3a36bdf6 | Stephen Benjamin | def reject_empty_intervals(attributes)
|
|
user_mail_notification_exists = attributes[:id].present?
|
|||
interval_empty = attributes[:interval].blank?
|
|||
attributes.merge!({:_destroy => 1}) if user_mail_notification_exists && interval_empty
|
|||
(!user_mail_notification_exists && interval_empty)
|
|||
end
|
|||
| ad00a109 | Daniel Lobato | def set_default_widgets
|
|
Dashboard::Manager.reset_user_to_default(self)
|
|||
end
|
|||
| 9fd7478e | Paul Kelly | protected
|
|
| 7a4ec5cf | Paul Kelly | def name_used_in_a_usergroup
|
|
| 9e312588 | Tomer Brisker | if Usergroup.where(:name => self.login).present?
|
|
| bfbf7ed8 | Lukas Zapletal | errors.add(:base, _("A user group already exists with this name"))
|
|
| 9c0e127b | Paul Kelly | end
|
|
end
|
|||
| e07f9a12 | Dominic Cleal | def ensure_last_admin_is_not_deleted
|
|
| 70966275 | David Davis | if admin && User.unscoped.only_admin.except_hidden.size <= 1
|
|
| e07f9a12 | Dominic Cleal | errors.add :base, _("Can't delete the last admin account")
|
|
logger.warn "Unable to delete the last admin account"
|
|||
false
|
|||
end
|
|||
end
|
|||
def ensure_last_admin_remains_admin
|
|||
if !new_record? && admin_changed? && !admin && User.unscoped.only_admin.except_hidden.size <= 1
|
|||
errors.add :admin, _("cannot be removed from the last admin account")
|
|||
logger.warn "Unable to remove admin privileges from the last admin account"
|
|||
false
|
|||
end
|
|||
end
|
|||
# The hidden/internal admin accounts are always required
|
|||
def ensure_hidden_users_are_not_deleted
|
|||
if auth_source.is_a? AuthSourceHidden
|
|||
| e52abb10 | Marek Hulan | errors.add :base, _("Can't delete internal admin account")
|
|
| 9fd7478e | Paul Kelly | logger.warn "Unable to delete internal admin account"
|
|
| 67799065 | Ohad Levy | false
|
|
| f5df7d44 | Paul Kelly | end
|
|
end
|
|||
| 48be0b11 | Ohad Levy | ||
| e07f9a12 | Dominic Cleal | # The hidden accounts must always retain the "Administrator" flag to function
|
|
def ensure_hidden_users_remain_admin
|
|||
if auth_source.is_a?(AuthSourceHidden) && admin_changed? && !admin
|
|||
errors.add :admin, _("cannot be removed from an internal protected account")
|
|||
| 6a26fecd | Dominic Cleal | end
|
|
end
|
|||
| e07f9a12 | Dominic Cleal | def ensure_hidden_users_are_not_renamed
|
|
if auth_source.is_a?(AuthSourceHidden) && login_changed? && !new_record?
|
|||
errors.add :login, _("cannot be changed on an internal protected account")
|
|||
| 48be0b11 | Ohad Levy | end
|
|
end
|
|||
| bae665de | Marek Hulan | ||
def ensure_privileges_not_escalated
|
|||
ensure_admin_not_escalated
|
|||
ensure_roles_not_escalated
|
|||
end
|
|||
def ensure_roles_not_escalated
|
|||
roles_check = self.new_record? ? self.role_ids.present? : self.role_ids_changed?
|
|||
if roles_check && !User.current.can_assign?(self.role_ids)
|
|||
| fb69591a | Lukas Zapletal | errors.add :role_ids, _("you can't assign some of roles you selected")
|
|
| bae665de | Marek Hulan | end
|
|
end
|
|||
def ensure_admin_not_escalated
|
|||
admin_check = self.new_record? ? self.admin? : self.admin_changed?
|
|||
if admin_check && !User.current.can_change_admin_flag?
|
|||
| fb69591a | Lukas Zapletal | errors.add :admin, _("you can't change administrator flag")
|
|
| bae665de | Marek Hulan | end
|
|
end
|
|||
| 355bce36 | Ohad Levy | ||
def ensure_default_role
|
|||
role = Role.find_by_name('Anonymous')
|
|||
| 111b0459 | Daniel Lobato | self.roles << role if role.present? && !self.role_ids.include?(role.id)
|
|
| 355bce36 | Ohad Levy | end
|
|
| 7e1f0c79 | Daniel Lobato | ||
| f97fbd6f | Shlomi Zadok | def ensure_admin_password_changed_by_admin
|
|
if (self.admin && !User.current.try(:admin?)) && password_hash_changed?
|
|||
errors.add :password, _('cannot be changed by a non-admin user')
|
|||
end
|
|||
end
|
|||
| 7e1f0c79 | Daniel Lobato | def default_location_inclusion
|
|
unless locations.include?(default_location) || default_location.blank? || self.admin?
|
|||
| fb69591a | Lukas Zapletal | errors.add :default_location, _("default locations need to be user locations first")
|
|
| 7e1f0c79 | Daniel Lobato | end
|
|
end
|
|||
def default_organization_inclusion
|
|||
unless organizations.include?(default_organization) || default_organization.blank? || self.admin?
|
|||
| fb69591a | Lukas Zapletal | errors.add :default_organization, _("default organizations need to be user organizations first")
|
|
| 7e1f0c79 | Daniel Lobato | end
|
|
end
|
|||
| e07f9a12 | Dominic Cleal | def hidden_authsource_restricted
|
|
if auth_source_id_changed? && hidden? && ![ANONYMOUS_ADMIN, ANONYMOUS_API_ADMIN].include?(self.login)
|
|||
errors.add :auth_source, _("is not permitted")
|
|||
end
|
|||
end
|
|||
| ad998ce7 | Shlomi Zadok | ||
def validate_timezone
|
|||
errors.add(:timezone, _("is not valid")) unless timezone.blank? || Time.find_zone(timezone)
|
|||
end
|
|||
| 1ba05a93 | Ohad Levy | end
|