cst1/openstreetmap-website
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
openstreetmap-website/app/controllers/confirmations_controller.rb
Andy Allan 24f6aeda6a Use hash-based flash objects to render complex flash messages 
Since flash objects can only be String, Hash or Array (notably excluding SafeBuffers), then this approach is necessary to render complex html in a safe manner.

Each local can be treated as an (unsafe) string, and therefore escaped normally when rendered into the template. The template (and translation strings) can
contain html since they are no longer stored in the flash as a plain string.

Fixes #3215
2021-06-23 20:10:55 +01:00

137 lines
4.5 KiB
Ruby
Raw Blame History

class ConfirmationsController < ApplicationController
include SessionMethods
layout "site"
before_action :authorize_web
before_action :set_locale
before_action :check_database_readable
authorize_resource :class => false
before_action :check_database_writable, :only => [:confirm, :confirm_email]
before_action :require_cookies, :only => [:confirm]
def confirm
if request.post?
token = UserToken.find_by(:token => params[:confirm_string])
if token&.user&.active?
flash[:error] = t("confirmations.confirm.already active")
redirect_to login_path
elsif !token || token.expired?
flash[:error] = t("confirmations.confirm.unknown token")
redirect_to :action => "confirm"
elsif !token.user.visible?
render_unknown_user token.user.display_name
else
user = token.user
user.status = "active"
user.email_valid = true
flash[:notice] = gravatar_status_message(user) if gravatar_enable(user)
user.save!
referer = safe_referer(token.referer) if token.referer
token.destroy
if session[:token]
token = UserToken.find_by(:token => session[:token])
session.delete(:token)
else
token = nil
end
if token.nil? || token.user != user
flash[:notice] = t("confirmations.confirm.success")
redirect_to login_path(:referer => referer)
else
token.destroy
session[:user] = user.id
session[:fingerprint] = user.fingerprint
redirect_to referer || welcome_path
end
end
else
user = User.visible.find_by(:display_name => params[:display_name])
redirect_to root_path if user.nil? || user.active?
end
end
def confirm_resend
user = User.visible.find_by(:display_name => params[:display_name])
token = UserToken.find_by(:token => session[:token])
if user.nil? || token.nil? || token.user != user
flash[:error] = t "confirmations.confirm_resend.failure", :name => params[:display_name]
else
UserMailer.signup_confirm(user, user.tokens.create).deliver_later
flash[:notice] = { :partial => "confirmations/resend_success_flash", :locals => { :email => user.email, :sender => Settings.email_from } }
end
redirect_to login_path
end
def confirm_email
if request.post?
token = UserToken.find_by(:token => params[:confirm_string])
if token&.user&.new_email?
self.current_user = token.user
current_user.email = current_user.new_email
current_user.new_email = nil
current_user.email_valid = true
gravatar_enabled = gravatar_enable(current_user)
if current_user.save
flash[:notice] = if gravatar_enabled
"#{t('confirmations.confirm_email.success')} #{gravatar_status_message(current_user)}"
else
t("confirmations.confirm_email.success")
end
else
flash[:errors] = current_user.errors
end
current_user.tokens.delete_all
session[:user] = current_user.id
session[:fingerprint] = current_user.fingerprint
redirect_to :controller => :users, :action => :account, :display_name => current_user.display_name
elsif token
flash[:error] = t "confirmations.confirm_email.failure"
redirect_to :controller => :users, :action => :account, :display_name => token.user.display_name
else
flash[:error] = t "confirmations.confirm_email.unknown_token"
end
end
end
private
##
# check if this user has a gravatar and set the user pref is true
def gravatar_enable(user)
# code from example https://en.gravatar.com/site/implement/images/ruby/
return false if user.avatar.attached?
begin
hash = Digest::MD5.hexdigest(user.email.downcase)
url = "https://www.gravatar.com/avatar/#{hash}?d=404" # without d=404 we will always get an image back
response = OSM.http_client.get(URI.parse(url))
available = response.success?
rescue StandardError
available = false
end
oldsetting = user.image_use_gravatar
user.image_use_gravatar = available
oldsetting != user.image_use_gravatar
end
##
# display a message about th current status of the gravatar setting
def gravatar_status_message(user)
if user.image_use_gravatar
t "users.account.gravatar.enabled"
else
t "users.account.gravatar.disabled"
end
end
end
Reference in a new issue View git blame Copy permalink