/
users_controller.rb
257 lines (210 loc) · 8.7 KB
/
users_controller.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
# frozen_string_literal: true
# BigBlueButton open source conferencing system - http://www.bigbluebutton.org/.
#
# Copyright (c) 2018 BigBlueButton Inc. and by respective authors (see below).
#
# This program is free software; you can redistribute it and/or modify it under the
# terms of the GNU Lesser General Public License as published by the Free Software
# Foundation; either version 3.0 of the License, or (at your option) any later
# version.
#
# BigBlueButton is distributed in the hope that it will be useful, but WITHOUT ANY
# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
# PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public License along
# with BigBlueButton; if not, see <http://www.gnu.org/licenses/>.
class UsersController < ApplicationController
include Pagy::Backend
include Authenticator
include Emailer
include Registrar
include Recorder
include Rolify
before_action :find_user, only: [:edit, :change_password, :delete_account, :update, :update_password]
before_action :ensure_unauthenticated_except_twitter, only: [:create]
before_action :check_user_signup_allowed, only: [:create]
before_action :check_admin_of, only: [:edit, :change_password, :delete_account]
# POST /u
def create
@user = User.new(user_params)
@user.provider = @user_domain
# User or recpatcha is not valid
render("sessions/new") && return unless valid_user_or_captcha
# Redirect to root if user token is either invalid or expired
return redirect_to root_path, flash: { alert: I18n.t("registration.invite.fail") } unless passes_invite_reqs
# User has passed all validations required
@user.save
logger.info "Support: #{@user.email} user has been created."
# Set user to pending and redirect if Approval Registration is set
if approval_registration
@user.set_role :pending
return redirect_to root_path,
flash: { success: I18n.t("registration.approval.signup") } unless Rails.configuration.enable_email_verification
end
send_registration_email
# Sign in automatically if email verification is disabled or if user is already verified.
if !Rails.configuration.enable_email_verification || @user.email_verified
@user.set_role(initial_user_role(@user.email))
login(@user) && return
end
send_activation_email(@user, @user.create_activation_token)
redirect_to root_path
end
# GET /u/:user_uid/edit
def edit
redirect_to root_path unless current_user
end
# GET /u/:user_uid/change_password
def change_password
redirect_to edit_user_path unless current_user.greenlight_account?
end
# GET /u/:user_uid/delete_account
def delete_account
redirect_to signin_path unless current_user
end
# POST /u/:user_uid/edit
def update
if session[:prev_url].present?
path = session[:prev_url]
session.delete(:prev_url)
else
path = admins_path
end
redirect_path = current_user.admin_of?(@user, "can_manage_users") ? path : edit_user_path(@user)
unless can_edit_user?(@user, current_user)
params[:user][:name] = @user.name
params[:user][:email] = @user.email
end
old_user_email = @user.email
if @user.without_terms_acceptance { @user.update_attributes(user_params) }
@user.without_terms_acceptance {
@user.update_attributes(email_verified: false) if user_params[:email] != old_user_email
user_locale(@user)
}
if @user.without_terms_acceptance { update_roles(params[:user][:role_id]) }
return redirect_to redirect_path, flash: { success: I18n.t("info_update_success") }
else
flash[:alert] = I18n.t("administrator.roles.invalid_assignment")
end
end
render :edit
end
# POST /u/:user_uid/change_password
def update_password
# Update the users password.
if @user.authenticate(user_params[:old_password])
# Bad UX on client side [FIXED].
@user.assign_attributes user_params.slice(:password, :password_confirmation)
else
# Original password is incorrect, can't update.
@user.errors.add(:old_password, I18n.t("old_password_incorrect"))
end
# Notify the user that their account has been updated.
if @user.errors.empty? && @user.without_terms_acceptance {
@user.save && @user.update(last_pwd_update: Time.zone.now)
}
# Changing the password has to update the last_pwd_update to match the event timestamp.
# The activated_at session metadata has to match it too to reset the state of the active session
# making this change password request.
# This keeps only this session alive.
session[:activated_at] = @user.last_pwd_update.to_i if current_user.id == @user.id
return redirect_to change_password_path, flash: { success: I18n.t("info_update_success") }
end
# redirect_to change_password_path
render :change_password
end
# DELETE /u/:user_uid
def destroy
# Include deleted users in the check
admin_path = request.referer.present? ? request.referer : admins_path
@user = User.include_deleted.find_by(uid: params[:user_uid])
logger.info "Support: #{current_user.email} is deleting #{@user.email}."
self_delete = current_user == @user
redirect_url = self_delete ? root_path : admin_path
begin
if current_user && (self_delete || current_user.admin_of?(@user, "can_manage_users"))
# Permanently delete if the user is deleting themself
perm_delete = self_delete || (params[:permanent].present? && params[:permanent] == "true")
# Permanently delete the rooms under the user if they have not been reassigned
if perm_delete
@user.rooms.include_deleted.each do |room|
# Destroy all recordings then permanently delete the room
delete_all_recordings(room.bbb_id)
room.destroy(true)
end
end
@user.destroy(perm_delete)
# Log the user out if they are deleting themself
session.delete(:user_id) if self_delete
return redirect_to redirect_url, flash: { success: I18n.t("administrator.flash.delete") } unless self_delete
else
flash[:alert] = I18n.t("administrator.flash.delete_fail")
end
rescue => e
logger.error "Support: Error in user deletion: #{e}"
flash[:alert] = I18n.t(params[:message], default: I18n.t("administrator.flash.delete_fail"))
end
redirect_to redirect_url
end
# GET /u/:user_uid/recordings
def recordings
if current_user && current_user.uid == params[:user_uid]
@search, @order_column, @order_direction, recs =
all_recordings(current_user.rooms.pluck(:bbb_id), params.permit(:search, :column, :direction), true)
@pagy, @recordings = pagy_array(recs)
else
redirect_to root_path
end
end
# GET | POST /terms
def terms
redirect_to '/404' unless Rails.configuration.terms
if params[:accept] == "true"
current_user.update_attributes(accepted_terms: true)
login(current_user)
end
end
# GET /shared_access_list
def shared_access_list
# Don't allow searchs unless atleast 3 characters are passed
return redirect_to '/404' unless params[:search].strip.length >= 3
roles_can_appear = []
Role.where(provider: @user_domain).each do |role|
roles_can_appear << role.name if role.get_permission("can_appear_in_share_list") && role.priority >= 0
end
initial_list = User.where.not(uid: params[:owner_uid])
.with_role(roles_can_appear)
.shared_list_search(params[:search])
initial_list = initial_list.where(provider: @user_domain) if Rails.configuration.loadbalanced_configuration
# Respond with JSON object of users
respond_to do |format|
format.json { render body: initial_list.pluck_to_hash(:uid, :name).to_json }
end
end
private
def find_user
@user = User.find_by(uid: params[:user_uid])
end
# Verify that GreenLight is configured to allow user signup.
def check_user_signup_allowed
redirect_to root_path unless Rails.configuration.allow_user_signup
end
def user_params
params.require(:user).permit(:name, :email, :image, :password, :password_confirmation,
:old_password, :accepted_terms, :language)
end
def send_registration_email
if invite_registration
send_invite_user_signup_email(@user)
elsif approval_registration
send_approval_user_signup_email(@user)
end
end
# Checks that the user is allowed to edit this user
def check_admin_of
redirect_to root_path if current_user &&
@user != current_user &&
!current_user.admin_of?(@user, "can_manage_users")
end
end