#-- encoding: UTF-8
#-- copyright
# OpenProject is a project management system.
# Copyright (C) 2012-2013 the OpenProject Foundation (OPF)
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License version 3.
#
# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
# Copyright (C) 2006-2013 Jean-Philippe Lang
# Copyright (C) 2010-2013 the ChiliProject Team
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
#
# See doc/COPYRIGHT.rdoc for more details.
#++
require " digest/sha1 "
class User < Principal
include Redmine :: SafeAttributes
# Account statuses
# Code accessing the keys assumes they are ordered, which they are since Ruby 1.9
STATUSES = {
:builtin = > 0 ,
:active = > 1 ,
:registered = > 2 ,
:locked = > 3
}
USER_FORMATS_STRUCTURE = {
:firstname_lastname = > [ :firstname , :lastname ] ,
:firstname = > [ :firstname ] ,
:lastname_firstname = > [ :lastname , :firstname ] ,
:lastname_coma_firstname = > [ :lastname , :firstname ] ,
:username = > [ :login ]
}
def self . user_format_structure_to_format ( key , delimiter = " " )
USER_FORMATS_STRUCTURE [ key ] . map { | elem | " \# { #{ elem . to_s } } " } . join ( delimiter )
end
USER_FORMATS = {
:firstname_lastname = > User . user_format_structure_to_format ( :firstname_lastname , " " ) ,
:firstname = > User . user_format_structure_to_format ( :firstname ) ,
:lastname_firstname = > User . user_format_structure_to_format ( :lastname_firstname , " " ) ,
:lastname_coma_firstname = > User . user_format_structure_to_format ( :lastname_coma_firstname , " , " ) ,
:username = > User . user_format_structure_to_format ( :username )
}
USER_MAIL_OPTION_ALL = [ 'all' , :label_user_mail_option_all ]
USER_MAIL_OPTION_SELECTED = [ 'selected' , :label_user_mail_option_selected ]
USER_MAIL_OPTION_ONLY_MY_EVENTS = [ 'only_my_events' , :label_user_mail_option_only_my_events ]
USER_MAIL_OPTION_ONLY_ASSIGNED = [ 'only_assigned' , :label_user_mail_option_only_assigned ]
USER_MAIL_OPTION_ONLY_OWNER = [ 'only_owner' , :label_user_mail_option_only_owner ]
USER_MAIL_OPTION_NON = [ 'none' , :label_user_mail_option_none ]
MAIL_NOTIFICATION_OPTIONS = [
USER_MAIL_OPTION_ALL ,
USER_MAIL_OPTION_SELECTED ,
USER_MAIL_OPTION_ONLY_MY_EVENTS ,
USER_MAIL_OPTION_ONLY_ASSIGNED ,
USER_MAIL_OPTION_ONLY_OWNER ,
USER_MAIL_OPTION_NON
]
has_many :group_users
has_many :groups , :through = > :group_users ,
:after_add = > Proc . new { | user , group | group . user_added ( user ) } ,
:after_remove = > Proc . new { | user , group | group . user_removed ( user ) }
has_many :categories , :foreign_key = > 'assigned_to_id' ,
:dependent = > :nullify
has_many :assigned_issues , :foreign_key = > 'assigned_to_id' ,
:class_name = > 'WorkPackage' ,
:dependent = > :nullify
has_many :watches , :class_name = > 'Watcher' ,
:dependent = > :delete_all
has_many :changesets , :dependent = > :nullify
has_many :passwords , :class_name = > 'UserPassword' ,
:order = > 'id DESC' ,
:readonly = > true ,
:dependent = > :destroy ,
:inverse_of = > :user
has_one :preference , :dependent = > :destroy , :class_name = > 'UserPreference'
has_one :rss_token , :dependent = > :destroy , :class_name = > 'Token' , :conditions = > " action='feeds' "
has_one :api_token , :dependent = > :destroy , :class_name = > 'Token' , :conditions = > " action='api' "
belongs_to :auth_source
# TODO: this is from Principal. the inheritance doesn't work correctly
# note: it doesn't fail in development mode
# see: https://github.com/rails/rails/issues/3847
has_many :members , :foreign_key = > 'user_id' , :dependent = > :destroy
has_many :memberships , :class_name = > 'Member' , :foreign_key = > 'user_id' , :include = > [ :project , :roles ] , :conditions = > " #{ Project . table_name } .status= #{ Project :: STATUS_ACTIVE } " , :order = > " #{ Project . table_name } .name "
has_many :projects , :through = > :memberships
# Active non-anonymous users scope
scope :not_builtin ,
:conditions = > " #{ User . table_name } .status <> #{ STATUSES [ :builtin ] } "
# Users blocked via brute force prevention
# use lambda here, so time is evaluated on each query
scope :blocked , lambda { create_blocked_scope ( true ) }
scope :not_blocked , lambda { create_blocked_scope ( false ) }
def self . create_blocked_scope ( blocked )
block_duration = Setting . brute_force_block_minutes . to_i . minutes
blocked_if_login_since = Time . now - block_duration
negation = blocked ? '' : 'NOT'
where ( " #{ negation } (failed_login_count >= ? AND last_failed_login_on > ?) " ,
Setting . brute_force_block_after_failed_logins . to_i ,
blocked_if_login_since )
end
acts_as_customizable
attr_accessor :password , :password_confirmation
attr_accessor :last_before_login_on
# Prevents unauthorized assignments
attr_protected :login , :admin , :password , :password_confirmation
validates_presence_of :login ,
:firstname ,
:lastname ,
:mail ,
:unless = > Proc . new { | user | user . is_a? ( AnonymousUser ) || user . is_a? ( DeletedUser ) || user . is_a? ( SystemUser ) }
validates_uniqueness_of :login , :if = > Proc . new { | user | ! user . login . blank? } , :case_sensitive = > false
validates_uniqueness_of :mail , :allow_blank = > true , :case_sensitive = > false
# Login must contain lettres, numbers, underscores only
validates_format_of :login , :with = > / ^[a-z0-9_ \ -@ \ .]*$ /i
validates_length_of :login , :maximum = > 256
validates_length_of :firstname , :lastname , :maximum = > 30
validates_format_of :mail , :with = > / ^([^@ \ s]+)@((?:[-a-z0-9]+ \ .)+[a-z]{2,})$ /i , :allow_blank = > true
validates_length_of :mail , :maximum = > 60 , :allow_nil = > true
validates_confirmation_of :password , :allow_nil = > true
validates_inclusion_of :mail_notification , :in = > MAIL_NOTIFICATION_OPTIONS . collect ( & :first ) , :allow_blank = > true
validate :password_meets_requirements
after_save :update_password
before_create :sanitize_mail_notification_setting
before_destroy :delete_associated_public_queries
before_destroy :reassign_associated
scope :in_group , lambda { | group |
group_id = group . is_a? ( Group ) ? group . id : group . to_i
{ :conditions = > [ " #{ User . table_name } .id IN (SELECT gu.user_id FROM #{ table_name_prefix } group_users #{ table_name_suffix } gu WHERE gu.group_id = ?) " , group_id ] }
}
scope :not_in_group , lambda { | group |
group_id = group . is_a? ( Group ) ? group . id : group . to_i
{ :conditions = > [ " #{ User . table_name } .id NOT IN (SELECT gu.user_id FROM #{ table_name_prefix } group_users #{ table_name_suffix } gu WHERE gu.group_id = ?) " , group_id ] }
}
scope :admin , :conditions = > { :admin = > true }
def sanitize_mail_notification_setting
self . mail_notification = Setting . default_notification_option if self . mail_notification . blank?
true
end
def current_password
self . passwords . first
end
def password_expired?
current_password . expired?
end
# create new password if password was set
def update_password
if password && auth_source_id . blank?
new_password = passwords . build ( )
new_password . plain_password = password
new_password . save
# force reload of passwords, so the new password is sorted to the top
passwords ( true )
clean_up_former_passwords
end
end
def reload ( * args )
@name = nil
@projects_by_role = nil
super
end
def mail = ( arg )
write_attribute ( :mail , arg . to_s . strip )
end
def identity_url = ( url )
if url . blank?
write_attribute ( :identity_url , '' )
else
begin
write_attribute ( :identity_url , OpenIdAuthentication . normalize_identifier ( url ) )
rescue OpenIdAuthentication :: InvalidOpenId
# Invlaid url, don't save
end
end
self . read_attribute ( :identity_url )
end
def self . register_allowance_evaluator ( filter )
self . registered_allowance_evaluators || = [ ]
registered_allowance_evaluators << filter
end
# replace by class_attribute when on rails 3.x
class_eval do
def self . registered_allowance_evaluators ( ) nil end
def self . registered_allowance_evaluators = ( val )
singleton_class . class_eval do
define_method ( :registered_allowance_evaluators ) do
val
end
end
end
end
register_allowance_evaluator ChiliProject :: PrincipalAllowanceEvaluator :: Default
# Returns the user that matches provided login and password, or nil
def self . try_to_login ( login , password )
# Make sure no one can sign in with an empty password
return nil if password . to_s . empty?
user = find_by_login ( login )
user = if user
try_authentication_for_existing_user ( user , password )
else
try_authentication_and_create_user ( login , password )
end
unless prevent_brute_force_attack ( user , login ) . nil?
user . update_attribute ( :last_login_on , Time . now ) if user && ! user . new_record?
return user
end
nil
end
# Tries to authenticate a user in the database via external auth source
# or password stored in the database
def self . try_authentication_for_existing_user ( user , password )
return nil if ! user . active?
if user . auth_source
# user has an external authentication method
return nil unless user . auth_source . authenticate ( user . login , password )
else
# authentication with local password
return nil unless user . check_password? ( password )
return nil if user . force_password_change
return nil if user . password_expired?
end
user
end
# Tries to authenticate with available sources and creates user on success
def self . try_authentication_and_create_user ( login , password )
user = nil
attrs = AuthSource . authenticate ( login , password )
if attrs
# login is both safe and protected in chilis core code
# in case it's intentional we keep it that way
user = new ( attrs . except ( :login ) )
user . login = login
user . language = Setting . default_language
if user . save
user . reload
logger . info ( " User ' #{ user . login } ' created from external auth source: #{ user . auth_source . type } - #{ user . auth_source . name } " ) if logger && user . auth_source
end
end
user
end
# Returns the user who matches the given autologin +key+ or nil
def self . try_to_autologin ( key )
tokens = Token . find_all_by_action_and_value ( 'autologin' , key )
# Make sure there's only 1 token that matches the key
if tokens . size == 1
token = tokens . first
if ( token . created_on > Setting . autologin . to_i . day . ago ) && token . user && token . user . active?
token . user . update_attribute ( :last_login_on , Time . now )
token . user
end
end
end
# Return user's full name for display
def name ( formatter = nil )
if formatter
eval ( '"' + ( USER_FORMATS [ formatter ] || USER_FORMATS [ :firstname_lastname ] ) + '"' )
else
@name || = eval ( '"' + ( USER_FORMATS [ Setting . user_format ] || USER_FORMATS [ :firstname_lastname ] ) + '"' )
end
end
def status_name
STATUSES . keys [ self . status ] . to_s
end
def active?
self . status == STATUSES [ :active ]
end
def registered?
self . status == STATUSES [ :registered ]
end
def locked?
self . status == STATUSES [ :locked ]
end
def activate
self . status = STATUSES [ :active ]
end
def register
self . status = STATUSES [ :registered ]
end
def lock
self . status = STATUSES [ :locked ]
end
def activate!
update_attribute ( :status , STATUSES [ :active ] )
end
def register!
update_attribute ( :status , STATUSES [ :registered ] )
end
def lock!
update_attribute ( :status , STATUSES [ :locked ] )
end
# Returns true if +clear_password+ is the correct user's password, otherwise false
def check_password? ( clear_password )
if auth_source_id . present?
auth_source . authenticate ( self . login , clear_password )
else
return false if current_password . nil?
current_password . same_as_plain_password? ( clear_password )
end
end
# Does the backend storage allow this user to change their password?
def change_password_allowed?
return true if auth_source_id . blank?
return auth_source . allow_password_changes?
end
#
# Generate and set a random password.
#
# Also force a password change on the next login, since random passwords
# are at some point given to the user, we do this via email. These passwords
# are stored unencrypted in mail accounts, so they must only be valid for
# a short time.
def random_password!
self . password = OpenProject :: Passwords :: Generator . random_password
self . password_confirmation = self . password
self . force_password_change = true
self
end
##
# Brute force prevention - public instance methods
#
def failed_too_many_recent_login_attempts?
block_threshold = Setting . brute_force_block_after_failed_logins . to_i
return false if block_threshold == 0 # disabled
return ( last_failed_login_within_block_time? and
self . failed_login_count > = block_threshold )
end
def log_failed_login
log_failed_login_count
log_failed_login_timestamp
save
end
def pref
preference || build_preference
end
def time_zone
@time_zone || = ( self . pref . time_zone . blank? ? nil : ActiveSupport :: TimeZone [ self . pref . time_zone ] )
end
def impaired = ( value )
self . pref . update_attribute ( :impaired , ! ! value )
! ! value
end
def impaired
anonymous? || ! ! self . pref . impaired
end
def impaired?
impaired
end
def wants_comments_in_reverse_order?
self . pref [ :comments_sorting ] == 'desc'
end
# Return user's RSS key (a 40 chars long string), used to access feeds
def rss_key
token = self . rss_token || Token . create ( :user = > self , :action = > 'feeds' )
token . value
end
# Return user's API key (a 40 chars long string), used to access the API
def api_key
token = self . api_token || self . create_api_token ( :action = > 'api' )
token . value
end
# Return an array of project ids for which the user has explicitly turned mail notifications on
def notified_projects_ids
@notified_projects_ids || = memberships . select { | m | m . mail_notification? } . collect ( & :project_id )
end
def notified_project_ids = ( ids )
Member . update_all ( " mail_notification = #{ connection . quoted_false } " , [ 'user_id = ?' , id ] )
Member . update_all ( " mail_notification = #{ connection . quoted_true } " , [ 'user_id = ? AND project_id IN (?)' , id , ids ] ) if ids && ! ids . empty?
@notified_projects_ids = nil
notified_projects_ids
end
def valid_notification_options
self . class . valid_notification_options ( self )
end
# Only users that belong to more than 1 project can select projects for which they are notified
def self . valid_notification_options ( user = nil )
# Note that @user.membership.size would fail since AR ignores
# :include association option when doing a count
if user . nil? || user . memberships . length < 1
MAIL_NOTIFICATION_OPTIONS . reject { | option | option . first == 'selected' }
else
MAIL_NOTIFICATION_OPTIONS
end
end
# Find a user account by matching the exact login and then a case-insensitive
# version. Exact matches will be given priority.
def self . find_by_login ( login )
# force string comparison to be case sensitive on MySQL
type_cast = ( ChiliProject :: Database . mysql? ) ? 'BINARY' : ''
# First look for an exact match
user = first ( :conditions = > [ " #{ type_cast } login = ? " , login ] )
# Fail over to case-insensitive if none was found
user || = first ( :conditions = > [ " #{ type_cast } LOWER(login) = ? " , login . to_s . downcase ] )
end
def self . find_by_rss_key ( key )
token = Token . find_by_value ( key )
token && token . user . active? && Setting . feeds_enabled? ? token . user : nil
end
def self . find_by_api_key ( key )
token = Token . find_by_action_and_value ( 'api' , key )
token && token . user . active? ? token . user : nil
end
# Makes find_by_mail case-insensitive
def self . find_by_mail ( mail )
find ( :first , :conditions = > [ " LOWER(mail) = ? " , mail . to_s . downcase ] )
end
def self . find_all_by_mails ( mails )
find ( :all , :conditions = > [ 'LOWER(mail) IN (?)' , mails ] )
end
def to_s
name
end
# Returns the current day according to user's time zone
def today
if time_zone . nil?
Date . today
else
Time . now . in_time_zone ( time_zone ) . to_date
end
end
def logged?
true
end
def anonymous?
! logged?
end
# Return user's roles for project
def roles_for_project ( project )
roles = [ ]
# No role on archived projects
return roles unless project && project . active?
if logged?
# Find project membership
membership = memberships . detect { | m | m . project_id == project . id }
if membership
roles = membership . roles
else
@role_non_member || = Role . non_member
roles << @role_non_member
end
else
@role_anonymous || = Role . anonymous
roles << @role_anonymous
end
roles
end
# Cheap version of Project.visible.count
def number_of_known_projects
if admin?
Project . count
else
Project . public . count + memberships . size
end
end
# Return true if the user is a member of project
def member_of? ( project )
roles_for_project ( project ) . any? ( & :member? )
end
# Returns a hash of user's projects grouped by roles
def projects_by_role
return @projects_by_role if @projects_by_role
@projects_by_role = Hash . new { | h , k | h [ k ] = [ ] }
memberships . each do | membership |
membership . roles . each do | role |
@projects_by_role [ role ] << membership . project if membership . project
end
end
@projects_by_role . each do | role , projects |
projects . uniq!
end
@projects_by_role
end
# Returns true if user is arg or belongs to arg
def is_or_belongs_to? ( arg )
if arg . is_a? ( User )
self == arg
elsif arg . is_a? ( Group )
arg . users . include? ( self )
else
false
end
end
# Return true if the user is allowed to do the specified action on a specific context
# Action can be:
# * a parameter-like Hash (eg. :controller => '/projects', :action => 'edit')
# * a permission Symbol (eg. :edit_project)
# Context can be:
# * a project : returns true if user is allowed to do the specified action on this project
# * a group of projects : returns true if user is allowed on every project
# * nil with options[:global] set : check if user has at least one role allowed for this action,
# or falls back to Non Member / Anonymous permissions depending if the user is logged
def allowed_to? ( action , context , options = { } )
if action . is_a? ( Hash ) && action [ :controller ] && action [ :controller ] . to_s . starts_with? ( " / " )
action = action . dup
action [ :controller ] = action [ :controller ] [ 1 .. - 1 ]
end
if context . is_a? ( Project )
allowed_to_in_project? ( action , context , options )
elsif context . is_a? ( Array )
# Authorize if user is authorized on every element of the array
context . present? && context . all? do | project |
allowed_to? ( action , project , options )
end
elsif options [ :global ]
allowed_to_globally? ( action , options )
else
false
end
end
def allowed_to_in_project? ( action , project , options = { } )
initialize_allowance_evaluators
# No action allowed on archived projects
return false unless project . active?
# No action allowed on disabled modules
return false unless project . allows_to? ( action )
# Admin users are authorized for anything else
return true if admin?
candidates_for_project_allowance ( project ) . any? do | candidate |
denied = @registered_allowance_evaluators . any? do | filter |
filter . denied_for_project? candidate , action , project , options
end
! denied && @registered_allowance_evaluators . any? do | filter |
filter . granted_for_project? candidate , action , project , options
end
end
end
# Is the user allowed to do the specified action on any project?
# See allowed_to? for the actions and valid options.
def allowed_to_globally? ( action , options = { } )
# Admin users are always authorized
return true if admin?
initialize_allowance_evaluators
# authorize if user has at least one membership granting this permission
candidates_for_global_allowance . any? do | candidate |
denied = @registered_allowance_evaluators . any? do | evaluator |
evaluator . denied_for_global? candidate , action , options
end
! denied && @registered_allowance_evaluators . any? do | evaluator |
evaluator . granted_for_global? candidate , action , options
end
end
end
# These are also implemented as strong_parameters, so also see
# app/modles/permitted_params.rb
# Delete these if everything in the UsersController uses strong_parameters.
safe_attributes 'firstname' , 'lastname' , 'mail' , 'mail_notification' , 'language' ,
'custom_field_values' , 'custom_fields' , 'identity_url'
safe_attributes 'auth_source_id' , 'force_password_change' ,
:if = > lambda { | user , current_user | current_user . admin? }
safe_attributes 'group_ids' ,
:if = > lambda { | user , current_user | current_user . admin? && ! user . new_record? }
# Utility method to help check if a user should be notified about an
# event.
def notify_about? ( object )
case mail_notification
when 'all'
true
when 'selected'
# user receives notifications for created/assigned issues on unselected projects
if object . is_a? ( WorkPackage ) && ( object . author == self || is_or_belongs_to? ( object . assigned_to ) )
true
else
false
end
when 'none'
false
when 'only_my_events'
if object . is_a? ( WorkPackage ) && ( object . author == self || is_or_belongs_to? ( object . assigned_to ) )
true
else
false
end
when 'only_assigned'
if object . is_a? ( WorkPackage ) && is_or_belongs_to? ( object . assigned_to )
true
else
false
end
when 'only_owner'
if object . is_a? ( WorkPackage ) && object . author == self
true
else
false
end
else
false
end
end
def self . current = ( user )
@current_user = user
end
def self . current
@current_user || = User . anonymous
end
# Returns the anonymous user. If the anonymous user does not exist, it is created. There can be only
# one anonymous user per database.
def self . anonymous
anonymous_user = AnonymousUser . find ( :first )
if anonymous_user . nil?
( anonymous_user = AnonymousUser . new . tap do | u |
u . lastname = 'Anonymous'
u . login = ''
u . firstname = ''
u . mail = ''
u . status = 0
end ) . save
raise 'Unable to create the anonymous user.' if anonymous_user . new_record?
end
anonymous_user
end
def self . system
system_user = SystemUser . find ( :first )
if system_user . nil?
( system_user = SystemUser . new . tap do | u |
u . lastname = 'System'
u . login = ''
u . firstname = ''
u . mail = ''
u . admin = false
u . status = User :: STATUSES [ :locked ]
u . first_login = false
u . random_password!
end ) . save
raise 'Unable to create the automatic migration user.' if system_user . new_record?
end
system_user
end
def latest_news ( options = { } )
News . latest_for self , options
end
def latest_projects ( options = { } )
Project . latest_for self , options
end
protected
# Password requirement validation based on settings
def password_meets_requirements
# Passwords are stored hashed as UserPasswords,
# self.password is only set when it was changed after the last
# save. Otherwise, password is nil.
unless password . nil? or anonymous?
password_errors = OpenProject :: Passwords :: Evaluator . errors_for_password ( self . password )
password_errors . each { | error | errors . add ( :password , error ) }
if former_passwords_include? ( self . password )
errors . add ( :password ,
I18n . t ( :reused ,
:count = > Setting [ :password_count_former_banned ] . to_i ,
:scope = > [ :activerecord ,
:errors ,
:models ,
:user ,
:attributes ,
:password ] ) )
end
end
end
private
def initialize_allowance_evaluators
@registered_allowance_evaluators || = self . class . registered_allowance_evaluators . collect do | evaluator |
evaluator . new ( self )
end
end
def candidates_for_global_allowance
@registered_allowance_evaluators . map ( & :global_granting_candidates ) . flatten . uniq
end
def candidates_for_project_allowance project
@registered_allowance_evaluators . map { | f | f . project_granting_candidates ( project ) } . flatten . uniq
end
def former_passwords_include? ( password )
return false if Setting [ :password_count_former_banned ] . to_i == 0
ban_count = Setting [ :password_count_former_banned ] . to_i
# make reducing the number of banned former passwords immediately effective
# by only checking this number of former passwords
passwords [ 0 , ban_count ] . any? { | f | f . same_as_plain_password? ( password ) }
end
def clean_up_former_passwords
# minimum 1 to keep the actual user password
keep_count = [ 1 , Setting [ :password_count_former_banned ] . to_i ] . max
( passwords [ keep_count .. - 1 ] || [ ] ) . each { | p | p . destroy }
end
def reassign_associated
substitute = DeletedUser . first
[ WorkPackage , Attachment , WikiContent , News , Comment , Message ] . each do | klass |
klass . update_all [ 'author_id = ?' , substitute . id ] , [ 'author_id = ?' , id ]
end
[ TimeEntry , Journal , :: Query ] . each do | klass |
klass . update_all [ 'user_id = ?' , substitute . id ] , [ 'user_id = ?' , id ]
end
JournalManager . update_user_references id , substitute . id
end
def delete_associated_public_queries
:: Query . delete_all [ 'user_id = ? AND is_public = ?' , id , false ]
end
##
# Brute force prevention - class methods
#
def self . prevent_brute_force_attack ( user , login )
if user . nil?
register_failed_login_attempt_if_user_exists_for ( login )
else
block_user_if_too_many_recent_attempts_failed ( user )
end
end
def self . register_failed_login_attempt_if_user_exists_for ( login )
user = User . find_by_login ( login )
user . log_failed_login if user . present?
nil
end
def self . reset_failed_login_count_for ( user )
user . update_attribute ( :failed_login_count , 0 ) unless user . new_record?
end
def self . block_user_if_too_many_recent_attempts_failed ( user )
if user . failed_too_many_recent_login_attempts?
user = nil
else
reset_failed_login_count_for user
end
user
end
##
# Brute force prevention - instance methods
#
def last_failed_login_within_block_time?
block_duration = Setting . brute_force_block_minutes . to_i . minutes
self . last_failed_login_on and
Time . now - self . last_failed_login_on < block_duration
end
def log_failed_login_count
if last_failed_login_within_block_time?
self . failed_login_count += 1
else
self . failed_login_count = 1
end
end
def log_failed_login_timestamp
self . last_failed_login_on = Time . now
end
def self . default_admin_account_changed?
! User . active . find_by_login ( 'admin' ) . try ( :current_password ) . try ( :same_as_plain_password? , 'admin' )
end
end
class AnonymousUser < User
validate :validate_unique_anonymous_user , :on = > :create
# There should be only one AnonymousUser in the database
def validate_unique_anonymous_user
errors . add :base , 'An anonymous user already exists.' if AnonymousUser . find ( :first )
end
def available_custom_fields
[ ]
end
# Overrides a few properties
def logged? ; false end
def admin ; false end
def name ( * args ) ; I18n . t ( :label_user_anonymous ) end
def mail ; nil end
def time_zone ; nil end
def rss_key ; nil end
def destroy ; false end
end
class DeletedUser < User
validate :validate_unique_deleted_user , :on = > :create
# There should be only one DeletedUser in the database
def validate_unique_deleted_user
errors . add :base , 'A DeletedUser already exists.' if DeletedUser . find ( :first )
end
def self . first
find_or_create_by_type_and_status ( self . to_s , STATUSES [ :builtin ] )
end
# Overrides a few properties
def logged? ; false end
def admin ; false end
def name ( * args ) ; I18n . t ( 'user.deleted' ) end
def mail ; nil end
def time_zone ; nil end
def rss_key ; nil end
def destroy ; false end
end