X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/43773cb247a1fb744b57070b715bfa5d53a00822..7024cc159936593350aaf7939d700102f6510787:/services/api/app/controllers/user_sessions_controller.rb
diff --git a/services/api/app/controllers/user_sessions_controller.rb b/services/api/app/controllers/user_sessions_controller.rb
index 28e7e795cd..71c2823dc1 100644
--- a/services/api/app/controllers/user_sessions_controller.rb
+++ b/services/api/app/controllers/user_sessions_controller.rb
@@ -1,8 +1,8 @@
 class UserSessionsController < ApplicationController
- before_filter :login_required, :only => [ :destroy ]
+ before_filter :require_auth_scope_all, :only => [ :destroy ]
- skip_before_filter :uncamelcase_params_hash_keys
 skip_before_filter :find_object_by_uuid
+ skip_before_filter :render_404_if_no_object
 respond_to :html
@@ -14,28 +14,47 @@ class UserSessionsController < ApplicationController
 identity_url_ok = (omniauth['info']['identity_url'].length > 0) rescue false
 unless identity_url_ok
 # Whoa. This should never happen.
+ logger.error "UserSessionsController.create: omniauth object missing/invalid"
+ logger.error "omniauth.pretty_inspect():\n\n#{omniauth.pretty_inspect()}"
- @title = "UserSessionsController.create: omniauth object missing/invalid"
- @body = "omniauth.pretty_inspect():\n\n#{omniauth.pretty_inspect()}"
-
- view_context.fatal_error(@title,@body)
- return redirect_to openid_login_error_url
+ return redirect_to login_failure_url
 end
 user = User.find_by_identity_url(omniauth['info']['identity_url'])
+ if not user
+ # Check for permission to log in to an existing User record with
+ # a different identity_url
+ Link.where(link_class: 'permission',
+ name: 'can_login',
+ tail_kind: 'email',
+ tail_uuid: omniauth['info']['email'],
+ head_kind: 'arvados#user').each do |link|
+ if prefix = link.properties['identity_url_prefix']
+ if prefix == omniauth['info']['identity_url'][0..prefix.size-1]
+ user = User.find_by_uuid(link.head_uuid)
+ break if user
+ end
+ end
+ end
+ end
 if not user
 # New user registration
 user = User.new(:email => omniauth['info']['email'],
 :first_name => omniauth['info']['first_name'],
 :last_name => omniauth['info']['last_name'],
- :identity_url => omniauth['info']['identity_url'])
+ :identity_url => omniauth['info']['identity_url'],
+ :is_active => Rails.configuration.new_users_are_active)
 else
 user.email = omniauth['info']['email']
 user.first_name = omniauth['info']['first_name']
 user.last_name = omniauth['info']['last_name']
+ if user.identity_url.nil?
+ # First login to a pre-activated account
+ user.identity_url = omniauth['info']['identity_url']
+ end
 end
- # prevent OrvosModel#before_create and _update from throwing
+ # prevent ArvadosModel#before_create and _update from throwing
 # "unauthorized":
 Thread.current[:user] = user
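Review bot: The `can_login` lookup accepts a link whenever `prefix == omniauth['info']['identity_url'][0..prefix.size-1]`, which is a bare string-prefix test: a configured `identity_url_prefix` of `https://idp.example/id/alice` also admits `https://idp.example/id/alice2`, and a very short prefix such as a scheme alone admits any identity a provider will assert for that email. Because the link is selected by the provider-supplied `omniauth['info']['email']`, the prefix is the only thing tying it to a trusted issuer, so it should be required to end at a path delimiter, e.g. `next unless prefix.is_a?(String) && prefix.end_with?('/') && omniauth['info']['identity_url'].start_with?(prefix)`, and that requirement documented where such links are created. Separately, the new `logger.error "omniauth.pretty_inspect():..."` writes the whole auth hash to the log; OmniAuth hashes typically carry a `credentials` section with provider tokens, so consider logging only `omniauth['provider']` and `omniauth['info']`. The action this hunk belongs to (apparently `create`, per the log message) begins and ends outside the hunk.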
@@ -95,20 +114,22 @@ class UserSessionsController < ApplicationController
 # Stub: automatically register all new API clients
 api_client_url_prefix = callback_url.match(%r{^.*?://[^/]+})[0] + '/'
- api_client = ApiClient.find_or_create_by_url_prefix(api_client_url_prefix)
+ act_as_system_user do
+ @api_client = ApiClient.find_or_create_by_url_prefix api_client_url_prefix
+ end
 api_client_auth = ApiClientAuthorization.
 new(user: user,
- api_client: api_client,
+ api_client: @api_client,
 created_by_ip_address: remote_ip)
 api_client_auth.save!
 if callback_url.index('?')
- callback_url << '&'
+ callback_url += '&'
 else
- callback_url << '?'
+ callback_url += '?'
 end
- callback_url << 'api_token=' << api_client_auth.api_token
+ callback_url += 'api_token=' + api_client_auth.api_token
 redirect_to callback_url
 end
 end
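Review bot: Wrapping `ApiClient.find_or_create_by_url_prefix api_client_url_prefix` in `act_as_system_user` means any origin a caller puts in `callback_url` is now registered as an ApiClient with system privileges, and the freshly minted `api_client_auth.api_token` is then appended to that same caller-supplied URL and redirected to, so whoever chose the callback receives the token. The existing `# Stub` comment acknowledges the auto-registration, but escalating it to the system user without first checking the prefix against the clients an administrator has approved widens that hole; at minimum `@api_client` should be verified as an approved client before the `ApiClientAuthorization` is created, with a redirect to the login-failure page otherwise. Also, `api_client_url_prefix = callback_url.match(...)[0]` (unchanged context) raises `NoMethodError` on a `callback_url` with no scheme, so the new block is never reached on a nil-safe path for malformed input. The method containing this code begins outside the hunk; `callback_url` and `remote_ip` are defined there.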