# frozen_string_literal: true
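class ApplicationController < ActionController::Base
  # Prevent CSRF attacks by raising an exception.
  # For APIs, you may want to use :null_session instead.
  protect_from_forgery with: :exception

  include Localized
  include UserTrackingConcern
  include SessionTrackingConcern
  include CacheConcern
  include ErrorResponses
  include PreloadingConcern
  include DomainControlHelper
  include DatabaseHelper
  include AuthorizedFetchHelper
  include SelfDestructHelper

  # Controller methods that views are allowed to call.
  helper_method :current_account,
                :current_session,
                :single_user_mode?,
                :use_seamless_external_login?,
                :sso_account_settings,
                :limited_federation_mode?,
                :skip_csrf_meta_tags?

  # Declared order of this class's own filters: the self-destruct check
  # first, the referrer is only recorded on Devise controllers (and never
  # for the catch-all route), signed-in users must be functional, and every
  # response gets private/no-store cache headers.
  before_action :check_self_destruct!
  before_action :store_referrer, except: :raise_not_found, if: :devise_controller?
  before_action :require_functional!, if: :user_signed_in?
  before_action :set_cache_control_defaults

  # The catch-all route is reached by arbitrary requests that carry no CSRF
  # token and it changes no state (it only raises), so the token check is
  # skipped for that action alone.
  skip_before_action :verify_authenticity_token, only: :raise_not_found

  # Catch-all action for unmatched routes. The unmatched path is included
  # in the exception message (visible in logs / the development error page).
  #
  # @raise [ActionController::RoutingError] always
  def raise_not_found
    raise ActionController::RoutingError, "No route matches #{params[:unmatched_route]}"
  end

  private

  # Inverse of authorized_fetch_mode? (presumably provided by
  # AuthorizedFetchHelper).
  #
  # @return [Boolean]
  def public_fetch_mode?
    !authorized_fetch_mode?
  end

  # Remembers where the user came from so Devise can send them back after
  # signing in. Only a same-origin referrer (matching host and port) is
  # stored, which keeps this from becoming an open redirect; paths under
  # /auth and the 2FA setup pages are never stored (presumably so the
  # post-login redirect does not land back in the sign-in or MFA flow).
  #
  # The Referer header is client-supplied: a value that does not parse as a
  # URI is ignored instead of being allowed to raise and fail the request.
  def store_referrer
    return if request.referer.blank?

    redirect_uri = URI(request.referer)

    # path may be nil for non-hierarchical URIs (e.g. mailto:), so go through
    # to_s before the prefix check
    return if redirect_uri.path.to_s.start_with?('/auth', '/settings/two_factor_authentication', '/settings/otp_authentication')

    same_origin = redirect_uri.host == request.host && redirect_uri.port == request.port
    stored_url = redirect_uri.to_s if same_origin

    # Devise's store_location_for is a no-op for nil, so a cross-origin
    # referrer leaves any previously stored location untouched.
    store_location_for(:user, stored_url)
  rescue URI::InvalidURIError
    # malformed client-supplied header: nothing to remember
    nil
  end

  # Path of the 2FA method setup page that users missing 2FA are sent to.
  #
  # @param path_params [Hash] extra route params
  # @return [String]
  def mfa_setup_path(path_params = {})
    settings_two_factor_authentication_methods_path(path_params)
  end

  # Blocks signed-in users whose account is not functional. Non-JSON
  # requests are redirected to the page where the user can resolve the
  # problem (2FA setup, the registration edit page for confirmed users,
  # the auth setup page otherwise); JSON requests get a 403 with a short
  # reason instead.
  def require_functional!
    return if current_user.functional?

    respond_to do |format|
      format.any do
        if current_user.missing_2fa?
          redirect_to mfa_setup_path
        elsif current_user.confirmed?
          redirect_to edit_user_registration_path
        else
          redirect_to auth_setup_path
        end
      end

      format.json do
        # NOTE(review): the JSON branch orders the checks differently from
        # the HTML branch (confirmation before 2FA) — confirm that is
        # intended. The last branch always matches, since functional? was
        # already false above.
        if !current_user.confirmed?
          render json: { error: 'Your login is missing a confirmed e-mail address' }, status: 403
        elsif !current_user.approved?
          render json: { error: 'Your login is currently pending approval' }, status: 403
        elsif current_user.missing_2fa?
          render json: { error: 'Your account requires two-factor authentication' }, status: 403
        elsif !current_user.functional?
          render json: { error: 'Your login is currently disabled' }, status: 403
        end
      end
    end
  end

  # Whether the layout may omit the CSRF meta tags. Always false in the
  # base class; exposed as a helper so subclasses can override it.
  #
  # @return [Boolean]
  def skip_csrf_meta_tags?
    false
  end

  # Devise hook: where to send the user after signing out. In an
  # OIDC-only deployment the provider's logout endpoint is used
  # (presumably so the upstream session is ended as well); otherwise the
  # local sign-in page.
  #
  # @return [String]
  def after_sign_out_path_for(_resource_or_scope)
    if ENV['OMNIAUTH_ONLY'] == 'true' && Rails.configuration.x.omniauth.oidc_enabled?
      '/auth/auth/openid_connect/logout'
    else
      new_user_session_path
    end
  end

  protected

  # Casts the request parameter at +key+ with ActiveModel's boolean type,
  # so any value outside its false set ("0", "false", "off", ...) is true.
  #
  # @param key [Symbol, String]
  # @return [Boolean, nil] nil when the param is absent or blank
  def truthy_param?(key)
    ActiveModel::Type::Boolean.new.cast(params[key])
  end

  # True when the instance is configured as single-user and at least one
  # non-internal account exists. Memoised per request with defined? (as
  # current_account does) so a false result is cached as well; the ||=
  # form re-ran the Account query on every call while the mode was
  # configured but no account existed yet.
  #
  # @return [Boolean]
  def single_user_mode?
    return @single_user_mode if defined?(@single_user_mode)

    @single_user_mode = Rails.configuration.x.single_user_mode && Account.without_internal.exists?
  end

  # Whether PAM or LDAP authentication is enabled in Devise.
  def use_seamless_external_login?
    Devise.pam_authentication || Devise.ldap_authentication
  end

  # External account-settings URL for SSO users, or nil when the
  # SSO_ACCOUNT_SETTINGS environment variable is unset.
  #
  # @return [String, nil]
  def sso_account_settings
    ENV.fetch('SSO_ACCOUNT_SETTINGS', nil)
  end

  # Account of the signed-in user, or nil when nobody is signed in.
  # Memoised per request with defined? so a nil result is cached too.
  def current_account
    return @current_account if defined?(@current_account)

    @current_account = current_user&.account
  end

  # SessionActivation for this browser session, looked up via the signed
  # _session_id cookie (a cookie with a bad signature reads as nil, so a
  # tampered value simply yields no session). Returns nil when the cookie
  # is absent; when it is present the lookup result, nil included, is
  # memoised for the request.
  def current_session
    return @current_session if defined?(@current_session)

    session_id = cookies.signed['_session_id']
    @current_session = SessionActivation.find_by(session_id: session_id) if session_id.present?
  end

  # Refuses every request with 410 Gone once the instance is
  # self-destructing; HTML gets the errors/self_destruct page on the auth
  # layout, JSON a short error body.
  def check_self_destruct!
    return unless self_destruct?

    respond_to do |format|
      format.any { render 'errors/self_destruct', layout: 'auth', status: 410, formats: [:html] }
      format.json { render json: { error: Rack::Utils::HTTP_STATUS_CODES[410] }, status: 410 }
    end
  end

  # Defaults every response to private, no-store so pages that may carry
  # account data are never kept by shared caches; cacheable actions are
  # presumably expected to set their own headers (see CacheConcern).
  def set_cache_control_defaults
    response.cache_control.replace(private: true, no_store: true)
  end
end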