openproject/app/controllers/application_controller.rb


#-- encoding: UTF-8
#-- copyright
# OpenProject is a project management system.
# Copyright (C) 2012-2018 the OpenProject Foundation (OPF)
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License version 3.
#
# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
# Copyright (C) 2006-2017 Jean-Philippe Lang
# Copyright (C) 2010-2013 the ChiliProject Team
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
#
# See docs/COPYRIGHT.rdoc for more details.
#++
require 'uri'
require 'cgi'
class ApplicationController < ActionController::Base
# Per-controller configuration filled in by subclasses. _model_object and
# _model_scope presumably name the model / scope a controller operates on
# (the helpers that assign them are not in this excerpt — confirm there).
class_attribute :_model_object
class_attribute :_model_scope
# Actions that may authenticate with an RSS or API key instead of a session;
# read by find_current_user below. No default is given here.
class_attribute :accept_key_auth_actions
# Make render_to_string callable from views as well.
helper_method :render_to_string
# Everything defined below this marker is protected: subclasses can call the
# helpers, but they are not public methods and therefore not routable actions.
protected
include I18n
include Redmine::I18n
include HookHelper
# Session lifetime checks (check_session_lifetime in the before_action chain
# below presumably comes from this module — confirm).
include ::OpenProject::Authentication::SessionExpiry
include AdditionalUrlHelpers
include OpenProjectErrorHelper
layout 'base'
# CSRF token verification for state-changing requests. No `with:` strategy is
# passed; what happens on a failed check is entirely defined by the
# handle_unverified_request override below, which drops the session itself.
protect_from_forgery
# Called by Rails when CSRF token verification fails (see protect_from_forgery).
#
# Two goals are balanced here:
# 1. Stop the attack. find_current_user must not pick up a user from an
#    existing session or from the autologin cookie for this request. Whether
#    the request is an API call is only decided later, inside find_current_user,
#    so the session and the autologin cookie are always dropped.
# 2. Do not abort API requests. They carry their own credentials (key parameter
#    or header) and need no CSRF token, so raising here would break them. Browser
#    form posts with a stale token (e.g. after session expiry) should still get
#    an error page.
#
# api_request? is derived from client-controlled data (format parameter or a
# header), and browser plugins can send arbitrary headers, so skipping the error
# for "API-looking" requests is not a defence on its own; the session reset is
# what prevents session CSRF. Login CSRF is handled separately: AccountController
# refuses API-classified requests via disable_api, and both sides must rely on
# the same api_request? predicate so that every request is either CSRF-checked
# here or refused there.
#
# Background:
# http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails/
# http://stackoverflow.com/a/15350123 (login CSRF)
def handle_unverified_request
  cookies.delete(OpenProject::Configuration['autologin_cookie_name'])
  self.logged_user = nil # resets the session and makes User.current anonymous

  # API-looking requests are left to find_current_user / disable_api.
  return if api_request?

  # Tell browser users when no session cookie arrived at all; otherwise they
  # would only ever see the CSRF error after each login attempt.
  parts = [I18n.t(:error_token_authenticity)]
  parts << I18n.t(:error_cookie_missing) if openproject_cookie_missing?

  log_csrf_failure
  render_error status: 422, message: parts.join(' ')
end
# A missing `params.require(...)` key becomes a plain-text 400 instead of a 500.
# The response is rendered as a text body (not HTML) and only names the expected
# key, which comes from the controller code rather than from the client.
rescue_from ActionController::ParameterMissing do |exception|
render body: "Required parameter missing: #{exception.param}",
status: :bad_request
end
# Order matters: user_setup runs first so User.current is resolved before the
# login, logging and localization filters read it.
before_action :user_setup,
:check_if_login_required,
:log_requesting_user,
:reset_i18n_fallbacks,
:set_localization,
:check_session_lifetime,
:stop_if_feeds_disabled,
:set_cache_buster,
:action_hooks,
:reload_mailer_configuration!
include Redmine::Search::Controller
include Redmine::MenuManager::MenuController
helper Redmine::MenuManager::MenuHelper
# Options merged into every generated URL: the current `layout` parameter is
# carried along and the protocol follows Setting.protocol.
#
# @param _options [Hash] ignored; present for Rails' calling convention
# @return [Hash] the extra url options
def default_url_options(_options = {})
  options = { layout: params['layout'] }
  options[:protocol] = Setting.protocol
  options
end
# before_action: when `disable_browser_cache` is configured, mark responses so
# the browser does not keep a copy of this site's pages.
# The directives set here are max_age 0, must_revalidate and public: false
# (rendered as `private`); `no-store` is not among them — confirm against
# Rails' cache_control handling if the linked guidance (no-store) is the goal.
# see:
# https://websecuritytool.codeplex.com/wikipage?title=Checks#http-cache-control-header-no-store
# http://stackoverflow.com/questions/711418/how-to-prevent-browser-page-caching-in-rails
def set_cache_buster
  return unless OpenProject::Configuration['disable_browser_cache']

  directives = { max_age: 0, public: false, must_revalidate: true }
  response.cache_control.merge!(directives)
end
# before_action: delegates to OpenProject::Configuration so mailer settings are
# re-read on each request (the actual reload logic lives there).
def reload_mailer_configuration!
  configuration = OpenProject::Configuration
  configuration.reload_mailer_configuration!
end
# Session-scoped accessor for the signed-in user.
#
# `User.current` is global state and a standing code smell: it lets models,
# mailers or a console ask "who is logged in?" where no session exists at all.
# The current user belongs to the session, and sessions are a controller
# concern, so controllers should read the user through this method and hand it
# to models explicitly instead of letting them call `User.current` themselves.
# Project.visible_by accepts a user but still falls back to `User.current`, as
# do other session-unaware places; this wrapper is a reminder to prefer passing
# the user along.
#
# @return [User] the user resolved by user_setup for this request
def current_user
  user = User.current
  user
end
# Views can use current_user as well.
helper_method :current_user
# before_action: resolve the requesting user (session, autologin cookie, RSS key
# or API key — see find_current_user) and publish it as User.current for the
# rest of the request. Runs before every other filter that reads User.current.
def user_setup
  user = find_current_user
  User.current = user
end
# Resolve the user making this request, or nil for anonymous access.
#
# Sources are tried in order and the first that applies wins:
#   1. an existing session (`session[:user_id]`), restricted to active users;
#   2. the autologin cookie, if Setting.autologin? allows it — the only branch
#      that starts a new session;
#   3. an RSS key in the `key` parameter for atom requests;
#   4. an API key (api_key_from_request) when the REST API is enabled and the
#      request looks like an API call.
# Key-based access (3 and 4) is only honoured for actions listed in
# accept_key_auth_actions and never creates a session. The RSS key travels in
# the query string, so it can end up in access logs and referrers.
# NOTE(review): accept_key_auth_actions has no visible default in this file;
# if a controller never sets it, `include?` on nil would raise — confirm it is
# initialised elsewhere.
#
# @return [User, nil]
def find_current_user
  # An existing session wins outright, even if the user is no longer active.
  return User.active.find_by(id: session[:user_id]) if session[:user_id]

  autologin_token = cookies[OpenProject::Configuration['autologin_cookie_name']]
  if autologin_token && Setting.autologin?
    user = User.try_to_autologin(autologin_token)
    session[:user_id] = user.id if user
    return user
  end

  if params[:format] == 'atom' && params[:key] && accept_key_auth_actions.include?(params[:action])
    return User.find_by_rss_key(params[:key])
  end

  return unless Setting.rest_api_enabled? && api_request?

  key = api_key_from_request
  User.find_by_api_key(key) if key && accept_key_auth_actions.include?(params[:action])
end
# Bind `user` to a fresh session, or drop to anonymous when it is nil or not a
# User.
#
# reset_session runs unconditionally first, so the session id that existed
# before login is never carried into the authenticated session (session
# fixation mitigation) and `self.logged_user = nil` doubles as a full logout.
# InitializeSessionService populates the new session for a real user.
#
# @param user [User, nil]
def logged_user=(user)
  reset_session
  if user.is_a?(User)
    User.current = user
    InitializeSessionService.call(user, session)
  else
    User.current = User.anonymous
  end
end
# before_action: when Setting.login_required? is on, anonymous users are sent
# to sign in (require_login); logged-in users pass straight through.
#
# @return [true] when already logged in; otherwise require_login's result, or
#   nil when login is not globally required
def check_if_login_required
  return true if User.current.logged?
  return unless Setting.login_required?

  require_login
end
# True when the request carries no OpenProject session cookie at all.
# Only meaningful from the second request on (the first response is what sets
# the cookie), which is why it is used to enrich the CSRF error message.
#
# @return [Boolean]
def openproject_cookie_missing?
  cookie_name = OpenProject::Configuration['session_cookie_name']
  request.cookies[cookie_name].nil?
end
# Views can check for the missing cookie too (e.g. on the login page).
helper_method :openproject_cookie_missing?
##
# Report a CSRF verification failure through the error helper (reference
# :csrf_validation_failed), noting whether the session cookie was absent —
# that detail helps tell a cookie problem apart from a genuinely forged request.
def log_csrf_failure
  details = ['CSRF validation error']
  details << '(No session cookie present)' if openproject_cookie_missing?
  op_handle_error details.join(' '), reference: :csrf_validation_failed
end
# before_action: write the requesting user to the log when
# Setting.log_requesting_user? is enabled. Login and mail are added only for
# non-anonymous users. Every user-controlled value goes through
# escape_for_logging so a crafted name cannot inject or forge log lines.
def log_requesting_user
  return unless Setting.log_requesting_user?

  user = User.current
  identity = ''
  unless user.anonymous?
    identity = " (#{escape_for_logging(user.login)} ID: #{user.id} " \
               "<#{escape_for_logging(user.mail)}>)"
  end
  logger.info "OpenProject User: #{escape_for_logging(user.name)}#{identity}"
end
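# Escape a value for inclusion in a log line to prevent log injection:
# a user name containing "\r" or "\n" could otherwise overwrite or forge a
# log line on the console. Uses an allow-list — every character that is not
# a digit, an ASCII letter, a space or one of @ . _ - " ' ! ? = / is replaced
# with '#'. Values that are not Strings (notably nil, e.g. a user without a
# mail address) are converted with to_s first, so a logging hook returns ''
# instead of raising NoMethodError.
#
# @param string [String, nil] raw value to log
# @return [String] the value with every disallowed character replaced by '#'
def escape_for_logging(string)
  # only allow numbers, ASCII letters, space and the following characters: @.-"'!?=/
  string.to_s.gsub(/[^0-9a-zA-Z@._\-"'!?=\/ ]/, '#')
end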
# before_action: keep I18n's fallback chain equal to the default locale plus
# every language enabled in Setting.available_languages. Settings can change
# at runtime, so the chain is compared on each request and only rebuilt when
# it differs; I18n.fallbacks is set to nil first so the new defaults go onto a
# fresh fallbacks object (the getter presumably rebuilds one — confirm).
def reset_i18n_fallbacks
  wanted = [I18n.default_locale] + Setting.available_languages.map(&:to_sym)
  return if I18n.fallbacks.defaults == wanted

  I18n.fallbacks = nil
  I18n.fallbacks.defaults = wanted
end
# before_action: choose the locale for this request based on User.current and
# the Accept-Language header; the resolution itself lives in
# SetLocalizationService.
def set_localization
  service = SetLocalizationService.new(User.current, request.env['HTTP_ACCEPT_LANGUAGE'])
  service.call
end
# Ensure there is a logged-in user.
#
# When there is none, the old session is discarded (reset_session) and the
# client is either redirected to the sign-in page with a back_url (html/atom),
# answered with 401 plus a WWW-Authenticate challenge (xml/js/json), or given
# 406 for any other format. login_back_url is defined outside this excerpt;
# it should only ever yield same-origin targets.
#
# @return [Boolean] true if a user is logged in, false after responding
def require_login
  return true if User.current.logged?

  # Terminate whatever session object was around before prompting for login.
  reset_session
  challenge = OpenProject::Authentication::WWWAuthenticate.response_header(
    request_headers: request.headers
  )
  respond_to do |format|
    format.any(:html, :atom) { redirect_to signin_path(back_url: login_back_url) }
    format.any(:xml, :js, :json) do
      head :unauthorized, 'X-Reason' => 'login needed', 'WWW-Authenticate' => challenge
    end
    format.all { head :not_acceptable }
  end
  false
end
# Like require_login, but additionally renders 403 for non-admin users.
# Returns nil without rendering anything when require_login already produced
# the response (redirect or 401).
def require_admin
  logged_in = require_login
  return unless logged_in
  return if User.current.admin?

  render_403
end
# Respond to an authorization failure: a logged-in user gets 403, while an
# anonymous one is sent to log in, since signing in may be all that is needed.
def deny_access
  if User.current.logged?
    render_403
  else
    require_login
  end
end
# Authorize the user for the requested action
def authorize(ctrl = params[:controller], action = params[:action], global = false)
context = @project || @projects
is_authorized = AuthorizationService.new({ controller: ctrl, action: action }, context: context, global: global).call
unless is_authorized
if @project && @project.archived?
render_403 message: :notice_not_authorized_archived_project
else
deny_access
end
end
11 years ago
is_authorized
end
# Authorize the user for the requested action outside a project
#
# Same as #authorize, but with the +global+ flag defaulting to true; the
# controller and action default to those of the current request.
def authorize_global(ctrl = params[:controller], action = params[:action], global = true)
  authorize(ctrl, action, global)
end
# Loads the project addressed by params[:id] into @project.
# Note: find() is Project.friendly.find()
#
# A missing project is answered with a 404 instead of letting
# ActiveRecord::RecordNotFound escape.
def find_project
  @project = Project.find(params[:id])
rescue ActiveRecord::RecordNotFound
  render_404
end
# Loads the project addressed by params[:project_id] into @project.
# Note: find() is Project.friendly.find()
#
# Behaves like #find_project but reads the nested-route parameter;
# a missing project renders a 404.
def find_project_by_project_id
  @project = Project.find(params[:project_id])
rescue ActiveRecord::RecordNotFound
  render_404
end
# Find a project based on params[:project_id], if one is given, and check the
# current user's permission for the requested action in that (or the global)
# context. Delegates to #find_optional_project_and_raise_error and turns a
# missing project into a 404.
# TODO: some subclasses override this, see about merging their logic
def find_optional_project
  find_optional_project_and_raise_error
rescue ActiveRecord::RecordNotFound
  render_404
end
# Sets @project from params[:project_id] when one is given, then checks that
# the current user may perform the requested controller/action in that
# project, or globally when no project was given. Denies access otherwise.
#
# Despite the name, an authorization failure does not raise: it calls
# deny_access. Only a missing project raises (ActiveRecord::RecordNotFound),
# which callers such as #find_optional_project rescue.
def find_optional_project_and_raise_error
  project_id = params[:project_id]
  @project = Project.find(project_id) if project_id.present?

  # Without a project the permission is evaluated in the global context.
  permission = { controller: params[:controller], action: params[:action] }
  if User.current.allowed_to?(permission, @project, global: @project.nil?)
    true
  else
    deny_access
  end
end
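# Finds and sets @project based on @object.project
#
# Expects a preceding filter (e.g. #find_model_object) to have set @object.
# Renders a 404 and stops when @object is missing, or when resolving the
# association raises ActiveRecord::RecordNotFound.
def find_project_from_association
  # Must return here: without it a nil @object reached the next line and
  # raised NoMethodError after the 404 had already been rendered.
  return render_404 unless @object.present?

  @project = @object.project
rescue ActiveRecord::RecordNotFound
  render_404
end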
# Loads the record addressed by params[:id] for the model this controller
# declared via .model_object into @object, and additionally exposes it under
# an instance variable named after the singularized controller name.
# Does nothing when no model was declared; renders a 404 when the record
# does not exist.
def find_model_object
  model = self.class._model_object
  return unless model

  @object = model.find(params[:id])
  # The ivar name is derived from the routed controller name, not from
  # request parameters.
  instance_variable_set("@#{controller_name.singularize}", @object) if @object
rescue ActiveRecord::RecordNotFound
  render_404
end
# Either loads the declared model record (params[:id]) together with its
# project, or, when no id is given, only the project from params[:project_id].
# The record is exposed under an ivar named after its underscored class name.
# Renders a 404 when the lookup fails.
def find_model_object_and_project
  id = params[:id]
  if id
    klass = self.class._model_object
    record = klass.find(id)
    @project = record.project
    instance_variable_set("@#{klass.to_s.underscore}", record)
  else
    @project = Project.find(params[:project_id])
  end
rescue ActiveRecord::RecordNotFound
  render_404
end
# TODO: this method is right now only suited for controllers of objects that somehow have an association to Project
#
# Starts from the declared model record (params[:id], if present), walks the
# belongs_to chain declared via .model_object's :scope option up to Project,
# and exposes every record found as an ivar named after its lowercased class.
# Renders a 404 when any record in the chain is missing.
def find_object_and_scope
  start = params[:id].present? ? self.class._model_object.find(params[:id]) : nil
  chain = self.class._model_scope + [Project]
  find_belongs_to_chained_objects(chain, start).each do |record|
    instance_variable_set("@#{record.class.to_s.downcase}", record)
  end
rescue ActiveRecord::RecordNotFound
  render_404
end
# this method finds all records that are specified in the associations param
# after the first object is found it traverses the belongs_to chain of that first object
# if a start_object is provided it is taken as the starting point of the traversal
# e.g associations [Message, Board, Project] finds Message by find(:message_id)
# then message.board and board.project
#
# Each element of +associations+ is either a class (the lowercased class name
# doubles as the association name) or a one-entry Hash mapping the class to
# the association name to follow. The names fed to constantize come from the
# controller's declared scope, not from request input; only the id of the
# first record is read from params.
#
# @return [Array] the records found, in chain order
def find_belongs_to_chained_objects(associations, start_object = nil)
  found = [start_object].compact
  associations.each do |association|
    scope_name, scope_association =
      if association.is_a?(Hash)
        [association.keys.first.to_s.downcase, association.values.first]
      else
        [association.to_s.downcase, association.to_s.downcase]
      end
    previous = found.last
    # TODO: Remove this hidden dependency on params
    found << if previous.nil?
               scope_name.camelize.constantize.find(params[:"#{scope_name}_id"])
             else
               previous.send(scope_association.to_sym)
             end
  end
  found
end
# Declares the model this controller operates on (read by the find_* filters
# above) and, via options[:scope], the belongs_to chain that
# #find_object_and_scope walks.
def self.model_object(model, options = {})
  self._model_object = model
  scope = options[:scope]
  self._model_scope = Array(scope) if scope
end
# Filter for bulk work package operations
#
# Loads the work packages named by params[:work_package_id] or params[:ids]
# (ids are passed to +where+ as a hash condition, so ActiveRecord quotes them)
# into @work_packages, ordered by id. Also sets @projects to the distinct
# projects involved and @project when exactly one is. An empty result is
# treated like a missing record and answered with a 404.
def find_work_packages
  ids = params[:work_package_id] || params[:ids]
  @work_packages = WorkPackage.includes(:project).where(id: ids).order('id ASC')
  raise ActiveRecord::RecordNotFound if @work_packages.empty?

  @projects = @work_packages.map(&:project).compact.uniq
  @project = @projects.first if @projects.size == 1
rescue ActiveRecord::RecordNotFound
  render_404
end
# Make sure that the user is a member of the project (or admin) if project is private
# used as a before_action for actions that do not require any particular permission
# on the project.
#
# A missing or archived project is reported as 404 (and @project cleared).
# Anonymous users hitting a private project are sent to the login page,
# logged-in non-members get a 403.
def check_project_privacy
  unless @project && @project.active?
    @project = nil
    render_404
    return false
  end

  user = User.current
  return true if @project.is_public? || user.member_of?(@project) || user.admin?

  user.logged? ? render_403 : require_login
end
# The URL the request asked to be sent back to: the explicit back_url
# parameter, falling back to the Referer header.
#
# Both sources are client-supplied and are returned unvalidated, so the value
# is a hint only; run it through RedirectPolicy (see #redirect_back_or_default)
# before using it as a redirect target.
def back_url
  explicit = params[:back_url]
  explicit || request.env['HTTP_REFERER']
end
# Redirects to params[:back_url] if RedirectPolicy accepts it for the current
# request host, otherwise to +default+. The policy (not shown here) presumably
# uses the hostname to reject off-site targets; all redirect decisions are
# delegated to it rather than made from the raw parameter.
#
# @param default the URL to use when back_url is absent or rejected
# @param use_escaped whether the policy should hand back an escaped URL
def redirect_back_or_default(default, use_escaped = true)
  policy = RedirectPolicy.new(params[:back_url],
                              hostname: request.host,
                              default: default,
                              return_escaped: use_escaped)
  redirect_to policy.redirect_url
end
# Renders the generic "bad request" error page (status 400), clearing
# @project first. Extra +options+ are forwarded to #render_error.
# Always returns false so it can end a before_action.
def render_400(options = {})
  @project = nil
  error = { message: :notice_bad_request, status: 400 }
  render_error(error.merge(options))
  false
end
# Renders the "not authorized" error page (status 403), clearing @project
# first. Extra +options+ are forwarded to #render_error.
# Always returns false so it can end a before_action.
def render_403(options = {})
  @project = nil
  error = { message: :notice_not_authorized, status: 403 }
  render_error(error.merge(options))
  false
end
# Renders the "not found" error page (status 404). Unlike #render_400 and
# #render_403 it leaves @project as it is. Extra +options+ are forwarded to
# #render_error. Always returns false so it can end a before_action.
def render_404(options = {})
  error = { message: :notice_file_not_found, status: 404 }
  render_error(error.merge(options))
  false
end
# Renders the "internal server error" page. When the current exception
# ($ERROR_INFO) came from the view layer the variables the error template
# reads are set directly on @template (the view) instead of on the
# controller; otherwise only @project is cleared. Extra +options+ are
# forwarded to #render_error. Always returns false.
def render_500(options = {})
  message = t(:notice_internal_server_error, app_title: Setting.app_title)
  if $ERROR_INFO.is_a?(ActionView::ActionViewError)
    { '@project' => nil, '@status' => 500, '@message' => message }.each do |ivar, value|
      @template.instance_variable_set(ivar, value)
    end
  else
    @project = nil
  end
  render_error({ message: message }.merge(options))
  false
end
# Maps framework error status codes onto this controller's own error pages
# (404 and 500); anything else falls back to the default implementation.
# User.current is re-synchronised with the session first, presumably because
# the usual before_action chain may not have run for an error page.
def render_optional_error_file(status_code)
  user_setup unless User.current.id == session[:user_id]

  case status_code
  when :not_found then render_404
  when :internal_server_error then render_500
  else super
  end
end
# Renders an error response
#
# +arg+ is either a message (String, or a Symbol looked up via +l+) or a Hash
# with :message and optional :status (default 500). The status and message are
# reported through op_handle_error, then rendered with the common/error
# template for HTML requests or as a bare status for any other format.
def render_error(arg)
  options = arg.is_a?(Hash) ? arg : { message: arg }
  @message = options[:message]
  @message = l(@message) if @message.is_a?(Symbol)
  @status = options[:status] || 500
  op_handle_error "[Error #@status] #@message"

  respond_to do |format|
    format.html { render template: 'common/error', layout: use_layout, status: @status }
    format.any { head @status }
  end
end
# Picks which layout to use based on the request
#
# XHR requests get no layout at all; everything else uses 'no_menu'.
#
# @return [boolean, string] name of the layout to use or false for no layout
def use_layout
  return false if request.xhr?

  'no_menu'
end
# Renders +items+ as an Atom feed using the common/feed template.
#
# Items are ordered newest first by event_datetime and cut to
# Setting.feeds_limit entries; a nil +items+ yields an empty feed.
# options[:title] overrides the feed title, which defaults to Setting.app_title.
def render_feed(items, options = {})
  newest_first = (items || []).sort { |a, b| b.event_datetime <=> a.event_datetime }
  @items = newest_first.slice(0, Setting.feeds_limit.to_i)
  @title = options[:title] || Setting.app_title
  render template: 'common/feed', layout: false, content_type: 'application/atom+xml'
end
# Declares the actions (names or symbols, nested arrays allowed) for which
# this controller accepts API key authentication; stored as strings.
def self.accept_key_auth(*actions)
  self.accept_key_auth_actions = actions.flatten.map(&:to_s)
end
# The action names declared via .accept_key_auth for this controller's class;
# an empty array when nothing was declared.
def accept_key_auth_actions
  declared = self.class.accept_key_auth_actions
  declared || []
end
# Returns a string that can be used as filename value in Content-Disposition header
#
# Internet Explorer (MSIE / Trident user agents) expects the name
# percent-encoded; every other user agent gets it unchanged. Only that
# encoding quirk is handled here — quoting or escaping of the header value
# itself is left to the caller.
def filename_for_content_disposition(name)
  if request.env['HTTP_USER_AGENT'] =~ /MSIE|Trident/
    ERB::Util.url_encode(name)
  else
    name
  end
end
# Whether the current request targets the (XML/JSON) API.
#
# Decided by params[:format] when present, otherwise by the negotiated
# request format. Several CSRF-related decisions depend on this (see
# #disable_api), so keep its semantics stable.
def api_request?
  format = params[:format]
  if format.nil?
    %w(application/xml application/json).include? request.format.to_s
  else
    %w(xml json).include? format
  end
end
# Returns the API key present in the request
#
# The +key+ parameter is consulted first, then the X-OpenProject-API-Key
# header; nil when neither is set. A key passed as a request parameter also
# ends up where the header does not (access logs, browser history, Referer
# headers), so the header is the form to prefer.
def api_key_from_request
  param_key = params[:key]
  return param_key if param_key.present?

  header_key = request.headers['X-OpenProject-API-Key']
  header_key if header_key.present?
end
# Renders a warning flash if obj has unsaved attachments
#
# Counts the attachments of +obj+ that are still new records and, if there
# are any, puts a translated warning with that count into flash[:warning].
def render_attachment_warning_if_needed(obj)
  unsaved = obj.attachments.select(&:new_record?)
  return if unsaved.empty?

  flash[:warning] = l(:warning_attachments_not_saved, unsaved.size)
end
# Converts the errors on an ActiveRecord object into a common JSON format
#
# Each (attribute, message) pair becomes its own one-key object, so the result
# is a JSON array like [{"name":"..."},{"name":"..."}].
def object_errors_to_json(object)
  pairs = object.errors.map { |attribute, error| { attribute => error } }
  pairs.to_json
end
# Renders API response on validation failure
#
# Answers 422 without a layout, with the object's errors serialised as XML or
# JSON according to params[:format]. Any other format is a programming error
# here and raises (surfacing as a 500) rather than being rendered.
def render_validation_errors(object)
  payload =
    case params[:format]
    when 'xml' then { xml: object.errors }
    when 'json' then { json: { 'errors' => object.errors } } # ActiveResource client compliance
    else raise "Unknown format #{params[:format]} in #render_validation_errors"
    end
  render({ status: :unprocessable_entity, layout: false }.merge(payload))
end
# Overrides #default_template so that the api template
# is used automatically if it exists
#
# For API requests the template is looked up with the 'api' prefix first;
# if there is none, the regular lookup is used.
def default_template(action_name = self.action_name)
  return super unless api_request?

  begin
    view_paths.find_template(default_template_name(action_name), 'api')
  rescue ::ActionView::MissingTemplate
    # the api template was not found: fall back to the default behaviour
    super
  end
end
# Overrides #pick_layout so that #render with no arguments
# doesn't use the layout for api requests
def pick_layout(*args)
  return nil if api_request?

  super
end
# Breadcrumb label derived from the controller's class name: the plural
# label ('label_<name>_plural') is preferred, with the singular label used
# when the plural translation is missing.
def default_breadcrumb
  base_key = 'label_' + self.class.name.gsub('Controller', '').underscore.singularize
  name = l(base_key + '_plural')
  name = l(base_key) if name =~ /translation missing/i
  name
end
helper_method :default_breadcrumb # also callable from views
# Whether a local breadcrumb should be shown; off by default, controllers
# override this to opt in.
def show_local_breadcrumb
  false
end
helper_method :show_local_breadcrumb # also callable from views
# before_action that answers every non-API request with 410 Gone and halts;
# API requests pass through (returns true).
def disable_everything_except_api
  return true if api_request?

  head 410
  false
end
# before_action that answers every API request with 410 Gone and halts;
# non-API requests pass through (returns true).
def disable_api
  # Changing this to not use api_request? to determine whether a request is an API
  # request can have security implications regarding CSRF. See handle_unverified_request
  # for more information.
  return true unless api_request?

  head 410
  false
end
# Enforces the session TTL: an expired session is logged out, a warning flash
# is set and the user is redirected to the login page with a back_url that
# leads to the current request. session[:updated_at] is refreshed on every
# call, presumably the timestamp session_ttl_expired? (SessionExpiry) checks.
def check_session_lifetime
  if session_expired?
    self.logged_user = nil
    flash[:warning] = I18n.t('notice_forced_logout', ttl_time: Setting.session_ttl)
    redirect_to(controller: '/account', action: 'login', back_url: login_back_url)
  end

  session[:updated_at] = Time.now
end
# Whether the current request asks for an RSS/Atom feed, decided by
# params[:format] when present and by the negotiated request format otherwise.
def feed_request?
  format = params[:format]
  if format.nil?
    %w(application/rss+xml application/atom+xml).include? request.format.to_s
  else
    %w(atom rss).include? format
  end
end
# before_action that answers feed requests with a 404 ("disabled") when feeds
# are switched off in the settings; all other requests are left alone.
def stop_if_feeds_disabled
  return unless feed_request?

  render_404(message: I18n.t('label_disabled')) unless Setting.feeds_enabled?
end
private
# True only for a logged-in, non-API request whose session TTL has run out
# (session_ttl_expired? comes from the SessionExpiry concern). API requests
# are never considered expired here.
def session_expired?
  return false if api_request?
  return false unless current_user.logged?

  session_ttl_expired?
end
# Memoised PermittedParams wrapper around the request params for the
# current user.
def permitted_params
  return @permitted_params if @permitted_params

  @permitted_params = PermittedParams.new(params, current_user)
end
# Extension point: extra parameters merged into the login back_url for GET
# requests (see #login_back_url). Nothing is added by default.
def login_back_url_params
  {}
end
# Builds the back_url handed to the login page after a forced logout.
#
# The URL is always generated by url_for from routing parameters — never taken
# verbatim from the request — so it stays on the application's own routes.
def login_back_url
  # rely on url_for to fill in the parameters of the current request
  return url_for(login_back_url_params) if request.get?

  # Extract only the basic url parameters on non-GET requests
  url_params = params.permit(:action, :id, :project_id, :controller)
  controller = url_params[:controller].to_s
  url_params[:controller] = "/#{controller}" unless controller.starts_with?('/')
  url_for(url_params)
end
# before_action that fires the :application_controller_before_action hook so
# plugins can run code ahead of every action.
def action_hooks
  call_hook(:application_controller_before_action)
end
# ActiveSupport load hooks provide plugins with a consistent entry point to patch core classes.
# They should be called at the very end of a class definition or file,
# so plugins can be sure everything has been loaded. This load hook allows plugins to register
# callbacks when the core application controller is fully loaded. Good explanation of load hooks:
# http://simonecarletti.com/blog/2011/04/understanding-ruby-and-rails-lazy-load-hooks/
ActiveSupport.run_load_hooks(:application_controller, self)
# Prepended (not included) so the concern's methods take precedence over the
# same-named methods defined in this class.
prepend Concerns::AuthSourceSSO
end