X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/ee367f165db323da5012eb22ab62a32f1512f37c..b2dc99425b69c319f85ee1e44c30d03a9cd737d2:/app/controllers/application_controller.rb diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 36f4629823..cc8b2c35e0 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -1,11 +1,13 @@ class ApplicationController < ActionController::Base + include CurrentApiClient + protect_from_forgery before_filter :uncamelcase_params_hash_keys + around_filter :thread_with_auth_info, :except => [:render_error, :render_not_found] before_filter :find_object_by_uuid, :except => :index - before_filter :authenticate_api_token - before_filter :set_remote_ip - before_filter :login_required + before_filter :remote_ip + before_filter :login_required, :except => :render_not_found before_filter :catch_redirect_hint @@ -17,72 +19,6 @@ class ApplicationController < ActionController::Base end end - # Authentication - def login_required - if !current_user - respond_to do |format| - format.html { - redirect_to '/auth/joshid' - } - format.json { - render :json => { 'error' => 'Not logged in' }.to_json - } - end - end - end - - def current_user - return nil unless session[:user_id] - @current_user ||= User.find(session[:user_id]) rescue nil - end - # /Authentication - - before_filter :set_remote_ip - before_filter :login_required - - # Authentication - def login_required - if !current_user - respond_to do |format| - format.html { - redirect_to '/auth/joshid' - } - format.json { - render :json => { 'error' => 'Not logged in' }.to_json - } - end - end - end - - def current_user - return nil unless session[:user_id] - @current_user ||= User.find(session[:user_id]) rescue nil - end - # /Authentication - - before_filter :set_remote_ip - before_filter :login_required - - # Authentication - def login_required - if !current_user - respond_to do |format| - format.html { - redirect_to '/auth/joshid' - } - format.json { - render :json => { 'error' => 'Not logged in' }.to_json - } - end - end - end - - def current_user - return nil unless session[:user_id] - @current_user ||= User.find(session[:user_id]) rescue nil - end - # /Authentication - unless Rails.application.config.consider_all_requests_local rescue_from Exception, :with => :render_error @@ -113,26 +49,42 @@ class ApplicationController < ActionController::Base end def index - @objects ||= if params[:where] + @objects ||= model_class. + joins("LEFT JOIN links permissions ON permissions.head_uuid=#{table_name}.owner AND permissions.tail_uuid=#{model_class.sanitize current_user.uuid} AND permissions.link_class='permission'"). + where("?=? OR #{table_name}.owner=? OR #{table_name}.uuid=? OR permissions.head_uuid IS NOT NULL", + true, current_user.is_admin, + current_user.uuid, current_user.uuid) + if params[:where] where = params[:where] - where = JSON.parse(where) if where.is_a?(String) + where = Oj.load(where) if where.is_a?(String) conditions = ['1=1'] where.each do |attr,value| if (!value.nil? and attr.to_s.match(/^[a-z][_a-z0-9]+$/) and model_class.columns.collect(&:name).index(attr)) if value.is_a? Array - conditions[0] << " and #{attr} in (?)" + conditions[0] << " and #{table_name}.#{attr} in (?)" conditions << value else - conditions[0] << " and #{attr}=?" + conditions[0] << " and #{table_name}.#{attr}=?" conditions << value end end end - model_class.where(*conditions) + if conditions.length > 1 + conditions[0].sub!(/^1=1 and /, '') + @objects = @objects. + where(*conditions) + end end - @objects ||= model_class.all + if params[:limit] + begin + @objects = @objects.limit(params[:limit].to_i) + rescue + raise "invalid argument (limit)" + end + end + @objects.uniq!(&:id) if params[:eager] and params[:eager] != '0' and params[:eager] != 0 and params[:eager] != '' @objects.each(&:eager_load_associations) end @@ -153,7 +105,7 @@ class ApplicationController < ActionController::Base raise "no #{resource_name} (or #{resource_name.camelcase(:lower)}) provided with request #{params.inspect}" end if @attrs.class == String - @attrs = uncamelcase_hash_keys(JSON.parse @attrs) + @attrs = uncamelcase_hash_keys(Oj.load @attrs) end @object = model_class.new @attrs @object.save @@ -163,7 +115,7 @@ class ApplicationController < ActionController::Base def update @attrs = params[resource_name] if @attrs.is_a? String - @attrs = uncamelcase_hash_keys(JSON.parse @attrs) + @attrs = uncamelcase_hash_keys(Oj.load @attrs) end @object.update_attributes @attrs show @@ -171,6 +123,56 @@ class ApplicationController < ActionController::Base protected + # Authentication + def login_required + if !current_user + respond_to do |format| + format.html { + redirect_to '/auth/joshid' + } + format.json { + render :json => { errors: ['Not logged in'] }.to_json + } + end + end + end + + def thread_with_auth_info + begin + user = nil + api_client = nil + api_client_auth = nil + if params[:api_token] + api_client_auth = ApiClientAuthorization. + includes(:api_client, :user). + where('api_token=?', params[:api_token]). + first + if api_client_auth + session[:user_id] = api_client_auth.user.id + session[:api_client_uuid] = api_client_auth.api_client.uuid + user = api_client_auth.user + api_client = api_client_auth.api_client + end + elsif session[:user_id] + user = User.find(session[:user_id]) rescue nil + api_client = ApiClient. + where('uuid=?',session[:api_client_uuid]). + first rescue nil + end + Thread.current[:api_client_trusted] = session[:api_client_trusted] + Thread.current[:api_client_ip_address] = remote_ip + Thread.current[:api_client] = api_client + Thread.current[:user] = user + yield + ensure + Thread.current[:api_client_trusted] = nil + Thread.current[:api_client_ip_address] = nil + Thread.current[:api_client_uuid] = nil + Thread.current[:user] = nil + end + end + # /Authentication + def model_class controller_name.classify.constantize end @@ -179,6 +181,10 @@ class ApplicationController < ActionController::Base controller_name.singularize end + def table_name + controller_name + end + def find_object_by_uuid if params[:id] and params[:id].match /\D/ params[:uuid] = params.delete :id @@ -192,7 +198,7 @@ class ApplicationController < ActionController::Base def accept_attribute_as_json(attr, force_class) if params[resource_name].is_a? Hash if params[resource_name][attr].is_a? String - params[resource_name][attr] = JSON.parse params[resource_name][attr] + params[resource_name][attr] = Oj.load params[resource_name][attr] if force_class and !params[resource_name][attr].is_a? force_class raise TypeError.new("#{resource_name}[#{attr.to_s}] must be a #{force_class.to_s}") end @@ -234,17 +240,7 @@ class ApplicationController < ActionController::Base render json: @object_list end - def authenticate_api_token - unless Rails.configuration. - accept_api_token. - has_key?(params[:api_token] || - cookies[:api_token]) - render_error(Exception.new("Invalid API token")) - end - end - -private - def set_remote_ip + def remote_ip # Caveat: this is highly dependent on the proxy setup. YMMV. if request.headers.has_key?('HTTP_X_REAL_IP') then # We're behind a reverse proxy @@ -254,5 +250,4 @@ private @remote_ip = request.env['REMOTE_ADDR'] end end - end