ERROR_ACTIONS = [:render_error, :render_not_found]
around_filter :thread_clear
- before_filter :permit_anonymous_browsing_for_public_data
around_filter :set_thread_api_token
# Methods that don't require login should
# skip_around_filter :require_thread_api_token
end
end
+ def redirect_to uri, *args
+ if request.xhr?
+ if not uri.is_a? String
+ uri = polymorphic_url(uri)
+ end
+ render json: {href: uri}
+ else
+ super
+ end
+ end
+
def choose
params[:limit] ||= 40
respond_to do |f|
protected
+ helper_method :strip_token_from_path
def strip_token_from_path(path)
path.sub(/([\?&;])api_token=[^&;]*[&;]?/, '\1')
end
def redirect_to_login
- respond_to do |f|
- f.html {
- if request.method.in? ['GET', 'HEAD']
- redirect_to arvados_api_client.arvados_login_url(return_to: strip_token_from_path(request.url))
- else
- flash[:error] = "Either you are not logged in, or your session has timed out. I can't automatically log you in and re-attempt this request."
- redirect_to :back
- end
- }
- f.json {
- @errors = ['You do not seem to be logged in. You did not supply an API token with this request, and your session (if any) has timed out.']
- self.render_error status: 422
- }
+ if request.xhr? or request.format.json?
+ @errors = ['You are not logged in. Most likely your session has timed out and you need to log in again.']
+ render_error status: 401
+ elsif request.method.in? ['GET', 'HEAD']
+ redirect_to arvados_api_client.arvados_login_url(return_to: strip_token_from_path(request.url))
+ else
+ flash[:error] = "Either you are not logged in, or your session has timed out. I can't automatically log you in and re-attempt this request."
+ redirect_to :back
end
false # For convenience to return from callbacks
end
else
@object = model_class.find(params[:uuid])
end
- rescue ArvadosApiClient::NotFoundException, RuntimeError => error
+ rescue ArvadosApiClient::NotFoundException, ArvadosApiClient::NotLoggedInException, RuntimeError => error
if error.is_a?(RuntimeError) and (error.message !~ /^argument to find\(/)
raise
end
def setup_user_session
return false unless params[:api_token]
Thread.current[:arvados_api_token] = params[:api_token]
- Thread.current[:arvados_anonymous_api_token] = nil
begin
user = User.current
rescue ArvadosApiClient::NotLoggedInException
end
end
- def permit_anonymous_browsing_for_public_data
- if !Thread.current[:arvados_api_token] && !params[:api_token] && !session[:arvados_api_token]
- Thread.current[:arvados_anonymous_api_token] = Rails.configuration.anonymous_user_token
- end
- end
-
# Save the session API token in thread-local storage, and yield.
# This method also takes care of session setup if the request
# provides a valid api_token parameter.
end
end
- # Redirect to login/welcome if client provided expired API token (or none at all)
+ # Redirect to login/welcome if client provided expired API token (or
+ # none at all)
def require_thread_api_token
if Thread.current[:arvados_api_token]
yield
# log in" page instead of getting stuck in a redirect loop.
session.delete :arvados_api_token
redirect_to_login
+ elsif request.xhr?
+ # If we redirect to the welcome page, the browser will handle
+ # the 302 by itself and the client code will end up rendering
+ # the "welcome" page in some content area where it doesn't make
+ # sense. Instead, we send 401 ("authenticate and try again" or
+ # "display error", depending on how smart the client side is).
+ @errors = ['You are not logged in.']
+ render_error status: 401
else
redirect_to welcome_users_path(return_to: request.fullpath)
end
end
def ensure_current_user_is_admin
- unless current_user and current_user.is_admin
+ if not current_user
+ @errors = ['Not logged in']
+ render_error status: 401
+ elsif not current_user.is_admin
@errors = ['Permission denied']
- self.render_error status: 401
+ render_error status: 403
end
end
def wiselinks_layout
'body'
end
-
- helper_method :is_anonymous
- def is_anonymous
- return Thread.current[:arvados_anonymous_api_token]
- end
end
projects / arvados.git / blobdiff