Revision bdc34694
Added by Brad Buckingham about 10 years ago
app/controllers/application_controller.rb | ||
class ApplicationController < ActionController::Base
include Foreman::Controller::Authentication
include Foreman::Controller::Session
include Foreman::ThreadSession::Cleaner
protect_from_forgery # See ActionController::RequestForgeryProtection for details
... | ... | |
end
end
def session_expiry
if session[:expires_at].blank? or (session[:expires_at].utc - Time.now.utc).to_i < 0
session[:original_uri] = request.fullpath
backup_session_content { expire_session }
end
rescue => e
logger.warn "failed to determine if user sessions needs to be expired, expiring anyway: #{e}"
expire_session
end
# Backs up some state from a user's session around a supplied block, which
# will usually expire or reset the session in some way
def backup_session_content
save_items = session.to_hash.slice('organization_id', 'location_id', 'original_uri').symbolize_keys
yield if block_given?
session.merge!(save_items)
end
def update_activity_time
session[:expires_at] = Setting[:idle_timeout].minutes.from_now.utc
end
def expire_session
logger.info "Session for #{current_user} is expired."
sso = get_sso_method
reset_session
if sso.nil? || !sso.support_expiration?
flash[:warning] = _("Your session has expired, please login again")
redirect_to main_app.login_users_path
else
redirect_to sso.expiration_url
end
end
# returns current SSO method object according to session
# nil is returned if nothing was found or invalid method is stored
def get_sso_method
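Review bot: The expiry condition in session_expiry joins its two tests with `or`, which binds more loosely than `||` and `!` and is easy to misread when the line is later extended; this page shows no `+`/`-` markers, so I cannot tell whether that line is new, but on the new side I would write `if session[:expires_at].blank? || (session[:expires_at].utc - Time.now.utc).to_i < 0`. The `rescue => e` below it expires the session on any error while evaluating the timestamp, which is the fail-closed direction for a missing or malformed value. The description says API requests are evaluated only when `session[:expires_at]` is present, yet session_expiry itself treats a blank value as expired, so the presence check presumably happens before this method is invoked in the API controllers, outside this section. `get_sso_method` begins at the end of this section and its body is outside the page.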
fixes #4776 - support session[:expires_at] for api requests
There are situations where the UI needs to invoke requests
on the API controllers; therefore, we need to ensure that
the session expiration accounts for them. This is common
for plugins, such as Katello, which leverage the
APIs extensively to support both the web UI and CLI.
With these changes, if an API request is received with
session[:expires_at], it will be evaluated and updated by the
server. This will be the case for requests from the web-UI.
If an API request is received without session[:expires_at],
no evaluation or updating of an expiration timer will
be performed. This latter case is the existing behavior
for the API requests (e.g via API or CLI) and will continue
to be supported.