Mercurial > hg > soundsoftware-site

annotate app/models/user.rb @ 1628:9c5f8e24dadc live tip

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Quieten this cron script
author Chris Cannam
date Tue, 25 Aug 2020 11:38:49 +0100
parents a1bdbf8a87d5
children
rev   line source
Chris@0 1 # Redmine - project management software
Chris@1494 2 # Copyright (C) 2006-2014 Jean-Philippe Lang
Chris@0 3 #
Chris@0 4 # This program is free software; you can redistribute it and/or
Chris@0 5 # modify it under the terms of the GNU General Public License
Chris@0 6 # as published by the Free Software Foundation; either version 2
Chris@0 7 # of the License, or (at your option) any later version.
Chris@909 8 #
Chris@0 9 # This program is distributed in the hope that it will be useful,
Chris@0 10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
Chris@0 11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
Chris@0 12 # GNU General Public License for more details.
Chris@909 13 #
Chris@0 14 # You should have received a copy of the GNU General Public License
Chris@0 15 # along with this program; if not, write to the Free Software
Chris@0 16 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
Chris@0 17
Chris@0 18 require "digest/sha1"
Chris@0 19
Chris@0 20 class User < Principal
Chris@119 21 include Redmine::SafeAttributes
Chris@909 22
Chris@909 23 # Different ways of displaying/sorting users
Chris@0 24 USER_FORMATS = {
Chris@1115 25 :firstname_lastname => {
Chris@1115 26 :string => '#{firstname} #{lastname}',
Chris@1115 27 :order => %w(firstname lastname id),
Chris@1115 28 :setting_order => 1
Chris@1115 29 },
Chris@1115 30 :firstname_lastinitial => {
Chris@1115 31 :string => '#{firstname} #{lastname.to_s.chars.first}.',
Chris@1115 32 :order => %w(firstname lastname id),
Chris@1115 33 :setting_order => 2
Chris@1115 34 },
Chris@1517 35 :firstinitial_lastname => {
Chris@1517 36 :string => '#{firstname.to_s.gsub(/(([[:alpha:]])[[:alpha:]]*\.?)/, \'\2.\')} #{lastname}',
Chris@1517 37 :order => %w(firstname lastname id),
Chris@1517 38 :setting_order => 2
Chris@1517 39 },
Chris@1115 40 :firstname => {
Chris@1115 41 :string => '#{firstname}',
Chris@1115 42 :order => %w(firstname id),
Chris@1115 43 :setting_order => 3
Chris@1115 44 },
Chris@1115 45 :lastname_firstname => {
Chris@1115 46 :string => '#{lastname} #{firstname}',
Chris@1115 47 :order => %w(lastname firstname id),
Chris@1115 48 :setting_order => 4
Chris@1115 49 },
Chris@1115 50 :lastname_coma_firstname => {
Chris@1115 51 :string => '#{lastname}, #{firstname}',
Chris@1115 52 :order => %w(lastname firstname id),
Chris@1115 53 :setting_order => 5
Chris@1115 54 },
Chris@1115 55 :lastname => {
Chris@1115 56 :string => '#{lastname}',
Chris@1115 57 :order => %w(lastname id),
Chris@1115 58 :setting_order => 6
Chris@1115 59 },
Chris@1115 60 :username => {
Chris@1115 61 :string => '#{login}',
Chris@1115 62 :order => %w(login id),
Chris@1115 63 :setting_order => 7
Chris@1115 64 },
Chris@0 65 }
Chris@0 66
chris@37 67 MAIL_NOTIFICATION_OPTIONS = [
Chris@119 68 ['all', :label_user_mail_option_all],
Chris@119 69 ['selected', :label_user_mail_option_selected],
Chris@119 70 ['only_my_events', :label_user_mail_option_only_my_events],
Chris@119 71 ['only_assigned', :label_user_mail_option_only_assigned],
Chris@119 72 ['only_owner', :label_user_mail_option_only_owner],
Chris@119 73 ['none', :label_user_mail_option_none]
Chris@119 74 ]
chris@37 75
Chris@1517 76 has_and_belongs_to_many :groups,
Chris@1517 77 :join_table => "#{table_name_prefix}groups_users#{table_name_suffix}",
Chris@1517 78 :after_add => Proc.new {|user, group| group.user_added(user)},
Chris@1517 79 :after_remove => Proc.new {|user, group| group.user_removed(user)}
Chris@0 80 has_many :changesets, :dependent => :nullify
Chris@0 81 has_one :preference, :dependent => :destroy, :class_name => 'UserPreference'
Chris@128 82 has_one :rss_token, :class_name => 'Token', :conditions => "action='feeds'"
Chris@128 83 has_one :api_token, :class_name => 'Token', :conditions => "action='api'"
Chris@0 84 belongs_to :auth_source
Chris@909 85
Chris@1464 86 scope :logged, lambda { where("#{User.table_name}.status <> #{STATUS_ANONYMOUS}") }
Chris@1464 87 scope :status, lambda {|arg| where(arg.blank? ? nil : {:status => arg.to_i}) }
Chris@909 88
luisf@55 89 has_one :ssamr_user_detail, :dependent => :destroy, :class_name => 'SsamrUserDetail'
luisf@65 90 accepts_nested_attributes_for :ssamr_user_detail
luis@403 91
luis@403 92 has_one :author
luisf@64 93
Chris@0 94 acts_as_customizable
Chris@909 95
Chris@1464 96 attr_accessor :password, :password_confirmation, :generate_password
Chris@0 97 attr_accessor :last_before_login_on
Chris@0 98 # Prevents unauthorized assignments
Chris@119 99 attr_protected :login, :admin, :password, :password_confirmation, :hashed_password
Chris@1115 100
Chris@1115 101 LOGIN_LENGTH_LIMIT = 60
Chris@1115 102 MAIL_LENGTH_LIMIT = 60
Chris@1115 103
Chris@0 104 validates_presence_of :login, :firstname, :lastname, :mail, :if => Proc.new { |user| !user.is_a?(AnonymousUser) }
Chris@1115 105 validates_uniqueness_of :login, :if => Proc.new { |user| user.login_changed? && user.login.present? }, :case_sensitive => false
Chris@1115 106 validates_uniqueness_of :mail, :if => Proc.new { |user| user.mail_changed? && user.mail.present? }, :case_sensitive => false
Chris@1484 107
Chris@1464 108 # Login must contain letters, numbers, underscores only
Chris@1464 109 validates_format_of :login, :with => /\A[a-z0-9_\-@\.]*\z/i
Chris@1115 110 validates_length_of :login, :maximum => LOGIN_LENGTH_LIMIT
Chris@0 111 validates_length_of :firstname, :lastname, :maximum => 30
Chris@1464 112 validates_format_of :mail, :with => /\A([^@\s]+)@((?:[-a-z0-9]+\.)+[a-z]{2,})\z/i, :allow_blank => true
Chris@1115 113 validates_length_of :mail, :maximum => MAIL_LENGTH_LIMIT, :allow_nil => true
Chris@0 114 validates_confirmation_of :password, :allow_nil => true
Chris@119 115 validates_inclusion_of :mail_notification, :in => MAIL_NOTIFICATION_OPTIONS.collect(&:first), :allow_blank => true
Chris@909 116 validate :validate_password_length
Chris@0 117
Chris@909 118 before_create :set_mail_notification
Chris@1464 119 before_save :generate_password_if_needed, :update_hashed_password
Chris@128 120 before_destroy :remove_references_before_destroy
Chris@1464 121 after_save :update_notified_project_ids
Chris@909 122
luisf@190 123 validates_acceptance_of :terms_and_conditions, :on => :create, :message => :must_accept_terms_and_conditions
luisf@190 124
Chris@1115 125 scope :in_group, lambda {|group|
Chris@441 126 group_id = group.is_a?(Group) ? group.id : group.to_i
Chris@1115 127 where("#{User.table_name}.id IN (SELECT gu.user_id FROM #{table_name_prefix}groups_users#{table_name_suffix} gu WHERE gu.group_id = ?)", group_id)
Chris@441 128 }
Chris@1115 129 scope :not_in_group, lambda {|group|
Chris@441 130 group_id = group.is_a?(Group) ? group.id : group.to_i
Chris@1115 131 where("#{User.table_name}.id NOT IN (SELECT gu.user_id FROM #{table_name_prefix}groups_users#{table_name_suffix} gu WHERE gu.group_id = ?)", group_id)
Chris@441 132 }
Chris@1464 133 scope :sorted, lambda { order(*User.fields_for_order_statement)}
Chris@909 134
Chris@909 135 def set_mail_notification
chris@37 136 self.mail_notification = Setting.default_notification_option if self.mail_notification.blank?
Chris@0 137 true
Chris@0 138 end
Chris@909 139
Chris@909 140 def update_hashed_password
Chris@0 141 # update hashed_password if password was set
Chris@245 142 if self.password && self.auth_source_id.blank?
Chris@245 143 salt_password(password)
Chris@245 144 end
Chris@0 145 end
Chris@909 146
Chris@1464 147 alias :base_reload :reload
Chris@0 148 def reload(*args)
Chris@0 149 @name = nil
Chris@441 150 @projects_by_role = nil
Chris@1464 151 @membership_by_project_id = nil
Chris@1464 152 @notified_projects_ids = nil
Chris@1464 153 @notified_projects_ids_changed = false
Chris@1464 154 @builtin_role = nil
Chris@1464 155 base_reload(*args)
Chris@0 156 end
Chris@909 157
Chris@1 158 def mail=(arg)
Chris@1 159 write_attribute(:mail, arg.to_s.strip)
Chris@1 160 end
Chris@909 161
luisf@59 162 def description=(arg)
luisf@59 163 write_attribute(:description, arg.to_s.strip)
luisf@59 164 end
luisf@59 165
Chris@0 166 def identity_url=(url)
Chris@0 167 if url.blank?
Chris@0 168 write_attribute(:identity_url, '')
Chris@0 169 else
Chris@0 170 begin
Chris@0 171 write_attribute(:identity_url, OpenIdAuthentication.normalize_identifier(url))
Chris@0 172 rescue OpenIdAuthentication::InvalidOpenId
Chris@1464 173 # Invalid url, don't save
Chris@0 174 end
Chris@0 175 end
Chris@0 176 self.read_attribute(:identity_url)
Chris@0 177 end
Chris@909 178
Chris@0 179 # Returns the user that matches provided login and password, or nil
Chris@1464 180 def self.try_to_login(login, password, active_only=true)
Chris@1115 181 login = login.to_s
Chris@1115 182 password = password.to_s
Chris@1115 183
Chris@1464 184 # Make sure no one can sign in with an empty login or password
Chris@1464 185 return nil if login.empty? || password.empty?
Chris@0 186 user = find_by_login(login)
Chris@0 187 if user
Chris@0 188 # user is already in local database
Chris@1464 189 return nil unless user.check_password?(password)
Chris@1464 190 return nil if !user.active? && active_only
Chris@0 191 else
Chris@0 192 # user is not yet registered, try to authenticate with available sources
Chris@0 193 attrs = AuthSource.authenticate(login, password)
Chris@0 194 if attrs
Chris@0 195 user = new(attrs)
Chris@0 196 user.login = login
Chris@0 197 user.language = Setting.default_language
Chris@0 198 if user.save
Chris@0 199 user.reload
Chris@0 200 logger.info("User '#{user.login}' created from external auth source: #{user.auth_source.type} - #{user.auth_source.name}") if logger && user.auth_source
Chris@0 201 end
Chris@0 202 end
Chris@909 203 end
Chris@1464 204 user.update_column(:last_login_on, Time.now) if user && !user.new_record? && user.active?
Chris@0 205 user
Chris@0 206 rescue => text
Chris@0 207 raise text
Chris@0 208 end
Chris@909 209
Chris@0 210 # Returns the user who matches the given autologin +key+ or nil
Chris@0 211 def self.try_to_autologin(key)
Chris@1464 212 user = Token.find_active_user('autologin', key, Setting.autologin.to_i)
Chris@1464 213 if user
Chris@1464 214 user.update_column(:last_login_on, Time.now)
Chris@1464 215 user
Chris@0 216 end
Chris@0 217 end
Chris@909 218
Chris@909 219 def self.name_formatter(formatter = nil)
Chris@909 220 USER_FORMATS[formatter || Setting.user_format] || USER_FORMATS[:firstname_lastname]
Chris@909 221 end
Chris@909 222
Chris@909 223 # Returns an array of fields names than can be used to make an order statement for users
Chris@909 224 # according to how user names are displayed
Chris@909 225 # Examples:
Chris@909 226 #
Chris@909 227 # User.fields_for_order_statement => ['users.login', 'users.id']
Chris@909 228 # User.fields_for_order_statement('authors') => ['authors.login', 'authors.id']
Chris@909 229 def self.fields_for_order_statement(table=nil)
Chris@909 230 table ||= table_name
Chris@909 231 name_formatter[:order].map {|field| "#{table}.#{field}"}
Chris@909 232 end
Chris@909 233
Chris@0 234 # Return user's full name for display
Chris@0 235 def name(formatter = nil)
Chris@909 236 f = self.class.name_formatter(formatter)
Chris@0 237 if formatter
Chris@909 238 eval('"' + f[:string] + '"')
Chris@0 239 else
Chris@909 240 @name ||= eval('"' + f[:string] + '"')
Chris@0 241 end
Chris@0 242 end
Chris@909 243
Chris@0 244 def active?
Chris@0 245 self.status == STATUS_ACTIVE
Chris@0 246 end
Chris@0 247
Chris@0 248 def registered?
Chris@0 249 self.status == STATUS_REGISTERED
Chris@0 250 end
Chris@909 251
Chris@0 252 def locked?
Chris@0 253 self.status == STATUS_LOCKED
Chris@0 254 end
Chris@0 255
Chris@14 256 def activate
Chris@14 257 self.status = STATUS_ACTIVE
Chris@14 258 end
Chris@14 259
Chris@14 260 def register
Chris@14 261 self.status = STATUS_REGISTERED
Chris@14 262 end
Chris@14 263
Chris@14 264 def lock
Chris@14 265 self.status = STATUS_LOCKED
Chris@14 266 end
Chris@14 267
Chris@14 268 def activate!
Chris@14 269 update_attribute(:status, STATUS_ACTIVE)
Chris@14 270 end
Chris@14 271
Chris@14 272 def register!
Chris@14 273 update_attribute(:status, STATUS_REGISTERED)
Chris@14 274 end
Chris@14 275
Chris@14 276 def lock!
Chris@14 277 update_attribute(:status, STATUS_LOCKED)
Chris@14 278 end
Chris@14 279
Chris@245 280 # Returns true if +clear_password+ is the correct user's password, otherwise false
Chris@0 281 def check_password?(clear_password)
Chris@0 282 if auth_source_id.present?
Chris@0 283 auth_source.authenticate(self.login, clear_password)
Chris@0 284 else
Chris@245 285 User.hash_password("#{salt}#{User.hash_password clear_password}") == hashed_password
Chris@0 286 end
Chris@0 287 end
Chris@909 288
Chris@245 289 # Generates a random salt and computes hashed_password for +clear_password+
Chris@245 290 # The hashed password is stored in the following form: SHA1(salt + SHA1(password))
Chris@245 291 def salt_password(clear_password)
Chris@245 292 self.salt = User.generate_salt
Chris@245 293 self.hashed_password = User.hash_password("#{salt}#{User.hash_password clear_password}")
Chris@245 294 end
Chris@0 295
Chris@0 296 # Does the backend storage allow this user to change their password?
Chris@0 297 def change_password_allowed?
Chris@1115 298 return true if auth_source.nil?
Chris@0 299 return auth_source.allow_password_changes?
Chris@0 300 end
Chris@0 301
Chris@1464 302 def must_change_password?
Chris@1464 303 must_change_passwd? && change_password_allowed?
Chris@1464 304 end
Chris@1464 305
Chris@1464 306 def generate_password?
Chris@1464 307 generate_password == '1' || generate_password == true
Chris@1464 308 end
Chris@1464 309
Chris@1464 310 # Generate and set a random password on given length
Chris@1464 311 def random_password(length=40)
Chris@0 312 chars = ("a".."z").to_a + ("A".."Z").to_a + ("0".."9").to_a
Chris@1464 313 chars -= %w(0 O 1 l)
Chris@0 314 password = ''
Chris@1464 315 length.times {|i| password << chars[SecureRandom.random_number(chars.size)] }
Chris@0 316 self.password = password
Chris@0 317 self.password_confirmation = password
Chris@0 318 self
Chris@0 319 end
Chris@909 320
Chris@0 321 def pref
Chris@0 322 self.preference ||= UserPreference.new(:user => self)
Chris@0 323 end
Chris@909 324
Chris@0 325 def time_zone
Chris@0 326 @time_zone ||= (self.pref.time_zone.blank? ? nil : ActiveSupport::TimeZone[self.pref.time_zone])
Chris@0 327 end
Chris@909 328
Chris@1517 329 def force_default_language?
Chris@1517 330 Setting.force_default_language_for_loggedin?
Chris@1517 331 end
Chris@1517 332
Chris@1517 333 def language
Chris@1517 334 if force_default_language?
Chris@1517 335 Setting.default_language
Chris@1517 336 else
Chris@1517 337 super
Chris@1517 338 end
Chris@1517 339 end
Chris@1517 340
Chris@0 341 def wants_comments_in_reverse_order?
Chris@0 342 self.pref[:comments_sorting] == 'desc'
Chris@0 343 end
Chris@909 344
Chris@0 345 # Return user's RSS key (a 40 chars long string), used to access feeds
Chris@0 346 def rss_key
Chris@1115 347 if rss_token.nil?
Chris@1115 348 create_rss_token(:action => 'feeds')
Chris@1115 349 end
Chris@1115 350 rss_token.value
Chris@0 351 end
Chris@0 352
Chris@0 353 # Return user's API key (a 40 chars long string), used to access the API
Chris@0 354 def api_key
Chris@1115 355 if api_token.nil?
Chris@1115 356 create_api_token(:action => 'api')
Chris@1115 357 end
Chris@1115 358 api_token.value
Chris@0 359 end
Chris@909 360
Chris@0 361 # Return an array of project ids for which the user has explicitly turned mail notifications on
Chris@0 362 def notified_projects_ids
Chris@0 363 @notified_projects_ids ||= memberships.select {|m| m.mail_notification?}.collect(&:project_id)
Chris@0 364 end
Chris@909 365
Chris@0 366 def notified_project_ids=(ids)
Chris@1464 367 @notified_projects_ids_changed = true
Chris@1464 368 @notified_projects_ids = ids
Chris@0 369 end
Chris@0 370
Chris@1464 371 # Updates per project notifications (after_save callback)
Chris@1464 372 def update_notified_project_ids
Chris@1464 373 if @notified_projects_ids_changed
Chris@1464 374 ids = (mail_notification == 'selected' ? Array.wrap(notified_projects_ids).reject(&:blank?) : [])
Chris@1464 375 members.update_all(:mail_notification => false)
Chris@1464 376 members.where(:project_id => ids).update_all(:mail_notification => true) if ids.any?
Chris@1464 377 end
Chris@1464 378 end
Chris@1464 379 private :update_notified_project_ids
Chris@1464 380
Chris@128 381 def valid_notification_options
Chris@128 382 self.class.valid_notification_options(self)
Chris@128 383 end
Chris@128 384
chris@37 385 # Only users that belong to more than 1 project can select projects for which they are notified
Chris@128 386 def self.valid_notification_options(user=nil)
chris@37 387 # Note that @user.membership.size would fail since AR ignores
chris@37 388 # :include association option when doing a count
Chris@128 389 if user.nil? || user.memberships.length < 1
Chris@128 390 MAIL_NOTIFICATION_OPTIONS.reject {|option| option.first == 'selected'}
chris@37 391 else
chris@37 392 MAIL_NOTIFICATION_OPTIONS
chris@37 393 end
chris@37 394 end
chris@37 395
Chris@0 396 # Find a user account by matching the exact login and then a case-insensitive
Chris@0 397 # version. Exact matches will be given priority.
Chris@0 398 def self.find_by_login(login)
Chris@1517 399 login = Redmine::CodesetUtil.replace_invalid_utf8(login.to_s)
Chris@1464 400 if login.present?
Chris@1464 401 # First look for an exact match
Chris@1517 402 user = where(:login => login).detect {|u| u.login == login}
Chris@1464 403 unless user
Chris@1464 404 # Fail over to case-insensitive if none was found
Chris@1464 405 user = where("LOWER(login) = ?", login.downcase).first
Chris@1464 406 end
Chris@1464 407 user
Chris@1115 408 end
Chris@0 409 end
Chris@0 410
Chris@0 411 def self.find_by_rss_key(key)
Chris@1464 412 Token.find_active_user('feeds', key)
Chris@0 413 end
Chris@909 414
Chris@0 415 def self.find_by_api_key(key)
Chris@1464 416 Token.find_active_user('api', key)
Chris@0 417 end
Chris@909 418
Chris@0 419 # Makes find_by_mail case-insensitive
Chris@0 420 def self.find_by_mail(mail)
Chris@1115 421 where("LOWER(mail) = ?", mail.to_s.downcase).first
Chris@0 422 end
Chris@909 423
Chris@929 424 # Returns true if the default admin account can no longer be used
Chris@929 425 def self.default_admin_account_changed?
Chris@929 426 !User.active.find_by_login("admin").try(:check_password?, "admin")
Chris@929 427 end
Chris@929 428
Chris@0 429 def to_s
Chris@0 430 name
Chris@0 431 end
Chris@909 432
Chris@1115 433 CSS_CLASS_BY_STATUS = {
Chris@1115 434 STATUS_ANONYMOUS => 'anon',
Chris@1115 435 STATUS_ACTIVE => 'active',
Chris@1115 436 STATUS_REGISTERED => 'registered',
Chris@1115 437 STATUS_LOCKED => 'locked'
Chris@1115 438 }
Chris@1115 439
Chris@1115 440 def css_classes
Chris@1115 441 "user #{CSS_CLASS_BY_STATUS[status]}"
Chris@1115 442 end
Chris@1115 443
Chris@0 444 # Returns the current day according to user's time zone
Chris@0 445 def today
Chris@0 446 if time_zone.nil?
Chris@0 447 Date.today
Chris@0 448 else
Chris@0 449 Time.now.in_time_zone(time_zone).to_date
Chris@0 450 end
Chris@0 451 end
Chris@909 452
Chris@1115 453 # Returns the day of +time+ according to user's time zone
Chris@1115 454 def time_to_date(time)
Chris@1115 455 if time_zone.nil?
Chris@1115 456 time.to_date
Chris@1115 457 else
Chris@1115 458 time.in_time_zone(time_zone).to_date
Chris@1115 459 end
Chris@1115 460 end
Chris@1115 461
Chris@0 462 def logged?
Chris@0 463 true
Chris@0 464 end
Chris@909 465
Chris@0 466 def anonymous?
Chris@0 467 !logged?
Chris@0 468 end
Chris@909 469
Chris@1464 470 # Returns user's membership for the given project
Chris@1464 471 # or nil if the user is not a member of project
Chris@1464 472 def membership(project)
Chris@1464 473 project_id = project.is_a?(Project) ? project.id : project
Chris@1464 474
Chris@1464 475 @membership_by_project_id ||= Hash.new {|h, project_id|
Chris@1464 476 h[project_id] = memberships.where(:project_id => project_id).first
Chris@1464 477 }
Chris@1464 478 @membership_by_project_id[project_id]
Chris@1464 479 end
Chris@1464 480
Chris@1464 481 # Returns the user's bult-in role
Chris@1464 482 def builtin_role
Chris@1464 483 @builtin_role ||= Role.non_member
Chris@1464 484 end
Chris@1464 485
Chris@0 486 # Return user's roles for project
Chris@0 487 def roles_for_project(project)
Chris@0 488 roles = []
Chris@0 489 # No role on archived projects
Chris@1115 490 return roles if project.nil? || project.archived?
Chris@1464 491 if membership = membership(project)
Chris@1464 492 roles = membership.roles
Chris@0 493 else
Chris@1464 494 roles << builtin_role
Chris@0 495 end
Chris@0 496 roles
Chris@0 497 end
Chris@909 498
Chris@0 499 # Return true if the user is a member of project
Chris@0 500 def member_of?(project)
Chris@1464 501 projects.to_a.include?(project)
Chris@0 502 end
Chris@909 503
Chris@441 504 # Returns a hash of user's projects grouped by roles
Chris@441 505 def projects_by_role
Chris@441 506 return @projects_by_role if @projects_by_role
Chris@909 507
Chris@1115 508 @projects_by_role = Hash.new([])
Chris@441 509 memberships.each do |membership|
Chris@1115 510 if membership.project
Chris@1115 511 membership.roles.each do |role|
Chris@1115 512 @projects_by_role[role] = [] unless @projects_by_role.key?(role)
Chris@1115 513 @projects_by_role[role] << membership.project
Chris@1115 514 end
Chris@441 515 end
Chris@441 516 end
Chris@441 517 @projects_by_role.each do |role, projects|
Chris@441 518 projects.uniq!
Chris@441 519 end
Chris@909 520
Chris@441 521 @projects_by_role
Chris@441 522 end
Chris@909 523
Chris@909 524 # Returns true if user is arg or belongs to arg
Chris@909 525 def is_or_belongs_to?(arg)
Chris@909 526 if arg.is_a?(User)
Chris@909 527 self == arg
Chris@909 528 elsif arg.is_a?(Group)
Chris@909 529 arg.users.include?(self)
Chris@909 530 else
Chris@909 531 false
Chris@909 532 end
Chris@909 533 end
Chris@909 534
chris@37 535 # Return true if the user is allowed to do the specified action on a specific context
chris@37 536 # Action can be:
Chris@0 537 # * a parameter-like Hash (eg. :controller => 'projects', :action => 'edit')
Chris@0 538 # * a permission Symbol (eg. :edit_project)
chris@37 539 # Context can be:
chris@37 540 # * a project : returns true if user is allowed to do the specified action on this project
Chris@441 541 # * an array of projects : returns true if user is allowed on every project
Chris@909 542 # * nil with options[:global] set : check if user has at least one role allowed for this action,
chris@37 543 # or falls back to Non Member / Anonymous permissions depending if the user is logged
Chris@441 544 def allowed_to?(action, context, options={}, &block)
chris@37 545 if context && context.is_a?(Project)
chris@37 546 return false unless context.allows_to?(action)
Chris@0 547 # Admin users are authorized for anything else
Chris@0 548 return true if admin?
Chris@909 549
chris@37 550 roles = roles_for_project(context)
Chris@0 551 return false unless roles
Chris@1115 552 roles.any? {|role|
Chris@441 553 (context.is_public? || role.member?) &&
Chris@441 554 role.allowed_to?(action) &&
Chris@441 555 (block_given? ? yield(role, self) : true)
Chris@441 556 }
chris@37 557 elsif context && context.is_a?(Array)
Chris@1115 558 if context.empty?
Chris@1115 559 false
Chris@1115 560 else
Chris@1115 561 # Authorize if user is authorized on every element of the array
Chris@1115 562 context.map {|project| allowed_to?(action, project, options, &block)}.reduce(:&)
chris@37 563 end
Chris@0 564 elsif options[:global]
Chris@0 565 # Admin users are always authorized
Chris@0 566 return true if admin?
Chris@909 567
Chris@0 568 # authorize if user has at least one role that has this permission
Chris@0 569 roles = memberships.collect {|m| m.roles}.flatten.uniq
Chris@441 570 roles << (self.logged? ? Role.non_member : Role.anonymous)
Chris@1115 571 roles.any? {|role|
Chris@441 572 role.allowed_to?(action) &&
Chris@441 573 (block_given? ? yield(role, self) : true)
Chris@441 574 }
Chris@0 575 else
Chris@0 576 false
Chris@0 577 end
Chris@0 578 end
chris@22 579
chris@22 580 # Is the user allowed to do the specified action on any project?
chris@22 581 # See allowed_to? for the actions and valid options.
Chris@441 582 def allowed_to_globally?(action, options, &block)
Chris@441 583 allowed_to?(action, nil, options.reverse_merge(:global => true), &block)
chris@22 584 end
Chris@119 585
Chris@1464 586 # Returns true if the user is allowed to delete the user's own account
Chris@1115 587 def own_account_deletable?
Chris@1115 588 Setting.unsubscribe? &&
Chris@1115 589 (!admin? || User.active.where("admin = ? AND id <> ?", true, id).exists?)
Chris@1115 590 end
Chris@1115 591
Chris@119 592 safe_attributes 'login',
Chris@119 593 'firstname',
Chris@119 594 'lastname',
Chris@119 595 'mail',
Chris@119 596 'mail_notification',
Chris@1464 597 'notified_project_ids',
Chris@119 598 'language',
Chris@119 599 'custom_field_values',
Chris@119 600 'custom_fields',
Chris@119 601 'identity_url'
Chris@909 602
Chris@119 603 safe_attributes 'status',
Chris@119 604 'auth_source_id',
Chris@1464 605 'generate_password',
Chris@1464 606 'must_change_passwd',
Chris@119 607 :if => lambda {|user, current_user| current_user.admin?}
Chris@909 608
Chris@119 609 safe_attributes 'group_ids',
Chris@119 610 :if => lambda {|user, current_user| current_user.admin? && !user.new_record?}
Chris@909 611
chris@37 612 # Utility method to help check if a user should be notified about an
chris@37 613 # event.
chris@37 614 #
chris@37 615 # TODO: only supports Issue events currently
chris@37 616 def notify_about?(object)
Chris@1464 617 if mail_notification == 'all'
chris@37 618 true
Chris@1464 619 elsif mail_notification.blank? || mail_notification == 'none'
Chris@1464 620 false
Chris@1464 621 else
Chris@1464 622 case object
Chris@1464 623 when Issue
Chris@1464 624 case mail_notification
Chris@1464 625 when 'selected', 'only_my_events'
Chris@1464 626 # user receives notifications for created/assigned issues on unselected projects
Chris@1464 627 object.author == self || is_or_belongs_to?(object.assigned_to) || is_or_belongs_to?(object.assigned_to_was)
Chris@1464 628 when 'only_assigned'
Chris@1464 629 is_or_belongs_to?(object.assigned_to) || is_or_belongs_to?(object.assigned_to_was)
Chris@1464 630 when 'only_owner'
Chris@1464 631 object.author == self
Chris@1464 632 end
Chris@1464 633 when News
Chris@1464 634 # always send to project members except when mail_notification is set to 'none'
Chris@210 635 true
Chris@210 636 end
chris@37 637 end
chris@37 638 end
Chris@909 639
Chris@0 640 def self.current=(user)
Chris@1464 641 Thread.current[:current_user] = user
Chris@0 642 end
Chris@909 643
Chris@0 644 def self.current
Chris@1464 645 Thread.current[:current_user] ||= User.anonymous
Chris@0 646 end
Chris@909 647
Chris@0 648 # Returns the anonymous user. If the anonymous user does not exist, it is created. There can be only
Chris@0 649 # one anonymous user per database.
Chris@0 650 def self.anonymous
Chris@1115 651 anonymous_user = AnonymousUser.first
Chris@0 652 if anonymous_user.nil?
Chris@0 653 anonymous_user = AnonymousUser.create(:lastname => 'Anonymous', :firstname => '', :mail => '', :login => '', :status => 0)
Chris@0 654 raise 'Unable to create the anonymous user.' if anonymous_user.new_record?
Chris@0 655 end
Chris@0 656 anonymous_user
Chris@0 657 end
Chris@245 658
Chris@245 659 # Salts all existing unsalted passwords
Chris@245 660 # It changes password storage scheme from SHA1(password) to SHA1(salt + SHA1(password))
Chris@245 661 # This method is used in the SaltPasswords migration and is to be kept as is
Chris@245 662 def self.salt_unsalted_passwords!
Chris@245 663 transaction do
Chris@1115 664 User.where("salt IS NULL OR salt = ''").find_each do |user|
Chris@245 665 next if user.hashed_password.blank?
Chris@245 666 salt = User.generate_salt
Chris@245 667 hashed_password = User.hash_password("#{salt}#{user.hashed_password}")
Chris@1115 668 User.where(:id => user.id).update_all(:salt => salt, :hashed_password => hashed_password)
Chris@245 669 end
Chris@245 670 end
Chris@245 671 end
Chris@909 672
Chris@0 673 protected
Chris@909 674
Chris@909 675 def validate_password_length
Chris@1464 676 return if password.blank? && generate_password?
Chris@0 677 # Password length validation based on setting
Chris@0 678 if !password.nil? && password.size < Setting.password_min_length.to_i
Chris@0 679 errors.add(:password, :too_short, :count => Setting.password_min_length.to_i)
Chris@0 680 end
Chris@0 681 end
Chris@909 682
Chris@0 683 private
Chris@909 684
Chris@1464 685 def generate_password_if_needed
Chris@1464 686 if generate_password? && auth_source.nil?
Chris@1464 687 length = [Setting.password_min_length.to_i + 2, 10].max
Chris@1464 688 random_password(length)
Chris@1464 689 end
Chris@1464 690 end
Chris@1464 691
Chris@128 692 # Removes references that are not handled by associations
Chris@128 693 # Things that are not deleted are reassociated with the anonymous user
Chris@128 694 def remove_references_before_destroy
Chris@128 695 return if self.id.nil?
Chris@909 696
Chris@128 697 substitute = User.anonymous
Chris@1517 698 Attachment.where(['author_id = ?', id]).update_all(['author_id = ?', substitute.id])
Chris@1517 699 Comment.where(['author_id = ?', id]).update_all(['author_id = ?', substitute.id])
Chris@1517 700 Issue.where(['author_id = ?', id]).update_all(['author_id = ?', substitute.id])
Chris@1517 701 Issue.where(['assigned_to_id = ?', id]).update_all('assigned_to_id = NULL')
Chris@1517 702 Journal.where(['user_id = ?', id]).update_all(['user_id = ?', substitute.id])
Chris@1517 703 JournalDetail.
Chris@1517 704 where(["property = 'attr' AND prop_key = 'assigned_to_id' AND old_value = ?", id.to_s]).
Chris@1517 705 update_all(['old_value = ?', substitute.id.to_s])
Chris@1517 706 JournalDetail.
Chris@1517 707 where(["property = 'attr' AND prop_key = 'assigned_to_id' AND value = ?", id.to_s]).
Chris@1517 708 update_all(['value = ?', substitute.id.to_s])
Chris@1517 709 Message.where(['author_id = ?', id]).update_all(['author_id = ?', substitute.id])
Chris@1517 710 News.where(['author_id = ?', id]).update_all(['author_id = ?', substitute.id])
Chris@128 711 # Remove private queries and keep public ones
Chris@1464 712 ::Query.delete_all ['user_id = ? AND visibility = ?', id, ::Query::VISIBILITY_PRIVATE]
Chris@1517 713 ::Query.where(['user_id = ?', id]).update_all(['user_id = ?', substitute.id])
Chris@1517 714 TimeEntry.where(['user_id = ?', id]).update_all(['user_id = ?', substitute.id])
Chris@128 715 Token.delete_all ['user_id = ?', id]
Chris@128 716 Watcher.delete_all ['user_id = ?', id]
Chris@1517 717 WikiContent.where(['author_id = ?', id]).update_all(['author_id = ?', substitute.id])
Chris@1517 718 WikiContent::Version.where(['author_id = ?', id]).update_all(['author_id = ?', substitute.id])
Chris@128 719 end
Chris@909 720
Chris@0 721 # Return password digest
Chris@0 722 def self.hash_password(clear_password)
Chris@0 723 Digest::SHA1.hexdigest(clear_password || "")
Chris@0 724 end
Chris@909 725
Chris@245 726 # Returns a 128bits random salt as a hex string (32 chars long)
Chris@245 727 def self.generate_salt
Chris@1115 728 Redmine::Utils.random_hex(16)
Chris@245 729 end
Chris@909 730
Chris@0 731 end
Chris@0 732
Chris@0 733 class AnonymousUser < User
Chris@1115 734 validate :validate_anonymous_uniqueness, :on => :create
Chris@909 735
Chris@1115 736 def validate_anonymous_uniqueness
Chris@0 737 # There should be only one AnonymousUser in the database
Chris@1464 738 errors.add :base, 'An anonymous user already exists.' if AnonymousUser.exists?
Chris@0 739 end
Chris@909 740
Chris@0 741 def available_custom_fields
Chris@0 742 []
Chris@0 743 end
Chris@909 744
Chris@0 745 # Overrides a few properties
Chris@0 746 def logged?; false end
Chris@0 747 def admin; false end
Chris@0 748 def name(*args); I18n.t(:label_user_anonymous) end
Chris@0 749 def mail; nil end
Chris@0 750 def time_zone; nil end
Chris@0 751 def rss_key; nil end
Chris@909 752
Chris@1115 753 def pref
Chris@1115 754 UserPreference.new(:user => self)
Chris@1115 755 end
Chris@1115 756
Chris@1464 757 # Returns the user's bult-in role
Chris@1464 758 def builtin_role
Chris@1464 759 @builtin_role ||= Role.anonymous
Chris@1464 760 end
Chris@1464 761
Chris@1464 762 def membership(*args)
Chris@1464 763 nil
Chris@1464 764 end
Chris@1464 765
Chris@1464 766 def member_of?(*args)
Chris@1464 767 false
Chris@1464 768 end
Chris@1464 769
Chris@128 770 # Anonymous user can not be destroyed
Chris@128 771 def destroy
Chris@128 772 false
Chris@128 773 end
Chris@0 774 end