

# Copyright (C) 2012-2014 Zammad Foundation, http://zammad-foundation.org/
class UsersController < ApplicationController
# Every action needs a valid session except the three listed: `create`
# (self-signup; gated on Setting 'user_create_account' inside the action) and
# the two password-reset steps, which are authenticated by the reset token only.
before_filter :authentication_check, :except => [:create, :password_reset_send, :password_reset_verify]
# @path [GET] /users
#
# @summary Returns a list of Users.
# @notes Requester has to be in role 'Admin' or 'Agent' to
# get a list of all Users. If requester is only in the
# role 'Customer' he gets only his own Users entity.
#
# @response_message 200 [Array<User>] List of matching User records.
# @response_message 401 Invalid session.
def index
  # A requester who is only a Customer (neither Admin nor Agent) sees just
  # his own record; everybody else gets the whole user table.
  customer_only = is_role('Customer') && !is_role('Admin') && !is_role('Agent')
  scope = customer_only ? User.where( :id => current_user.id ) : User.all

  # Each record is re-read through User.lookup so that the serialized form
  # is the one attributes_with_associations produces (one lookup per user).
  payload = scope.map { |record|
    User.lookup( :id => record.id ).attributes_with_associations
  }
  render :json => payload, :status => :ok
end
# @path [GET] /users/{id}
#
# @summary Returns the User with the requested identifier.
# @notes Requester has to be in role 'Admin' or 'Agent' to
# fetch an arbitrary User. If requester is only in the
# role 'Customer' he can only fetch his own User entity.
#
# @parameter id(required) [Integer] The identifier matching the requested User.
# @parameter full [Bool] If set a Asset structure with all connected Assets gets returned.
#
# @response_message 200 [User] User record matching the requested identifier.
# @response_message 401 Invalid session.
def show
  # Admin/Agent may read any record, a Customer only his own id; the denial
  # response is rendered by permission_check itself.
  return unless permission_check

  # `full` switches to the asset bundle (record plus everything it references).
  payload = params[:full] ? User.full( params[:id] ) : User.find( params[:id] )
  render :json => payload
end
# @path [POST] /users
#
# @summary Creates a User with the provided attribute values.
# @notes Without a session this is the self-signup path and requires
# Setting 'user_create_account'; with a session the requester has to be
# in role 'Admin' or 'Agent'.
#
# @parameter User(required,body) [User] The attribute value structure needed to create a User.
#
# @response_message 200 [User] Created User record.
# @response_message 401 Invalid session.
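def create
  user = User.new( User.param_cleanup(params) )
  begin
    # Fresh-install detection. With at most two accounts present (presumably
    # the system account plus at most one more — TODO confirm against the
    # seeds) the next signup becomes the initial Admin/Agent. This is now
    # additionally gated on Setting 'system_init_done' (set below once that
    # account exists) so that a later drop of the user count — see destroy —
    # can never turn an anonymous signup into an Admin again. The count is
    # read before the save, so two concurrent first signups could both pass;
    # only the setup flow should reach this path.
    count      = User.all.count()
    first_user = count <= 2 && !Setting.get('system_init_done')

    if !current_user
      # anonymous self-signup: attributed to the system user
      user.updated_by_id = 1
      user.created_by_id = 1

      # check if feature is enabled
      if !Setting.get('user_create_account')
        render :json => { :error => 'Feature not enabled!' }, :status => :unprocessable_entity
        return
      end

      group_ids = []
      role_ids  = []
      if first_user
        # the initial account becomes Admin/Agent and member of every group
        Role.where( :name => [ 'Admin', 'Agent'] ).each { |role|
          role_ids.push role.id
        }
        Group.all().each { |group|
          group_ids.push group.id
        }
      else
        # everybody else signs up as a plain Customer
        role_ids.push Role.where( :name => 'Customer' ).first.id
      end
      user.role_ids  = role_ids
      user.group_ids = group_ids
    else
      # authenticated creation: Admin or Agent required (the denial is
      # rendered by permission_check_by_role)
      return if !permission_check_by_role

      if is_role('Admin')
        # only an Admin may choose roles and groups for the new account
        if params[:role_ids]
          user.role_ids = params[:role_ids]
        end
        if params[:group_ids]
          user.group_ids = params[:group_ids]
        end
      else
        # An Agent may only create Customers. role_ids/group_ids from the
        # request are ignored on purpose: the old code assigned them verbatim,
        # which let an Agent create an Admin account.
        user.role_ids  = [ Role.where( :name => 'Customer' ).first.id ]
        user.group_ids = []
      end
    end

    # reject duplicate e-mail addresses (lookup and save are not atomic; a
    # unique index on the column should back this up)
    if user.email
      exists = User.where( :email => user.email ).first
      if exists
        render :json => { :error => 'User already exists!' }, :status => :unprocessable_entity
        return
      end
    end

    # save! so a validation failure is reported as 422 below instead of the
    # misleading "Couldn't find User" the unchecked save produced
    user.save!

    # the initial account exists now: mark the system as initialised
    if first_user
      Setting.set( 'system_init_done', true )
    end

    # send invitation if requested / only if a session exists
    if params[:invite] && current_user
      # single-purpose token; the invite link carries it in the URL
      token = Token.create( :action => 'PasswordReset', :user_id => user.id )

      # subject and body are templates: the #{...} placeholders are resolved
      # by NotificationFactory.build, not by Ruby (hence the single quotes)
      data = {}
      data[:subject] = 'Invitation to #{config.product_name} at #{config.fqdn}'
      data[:body] = 'Hi #{user.firstname},

I (#{current_user.firstname} #{current_user.lastname}) invite you to #{config.product_name} - the customer support / ticket system platform.

Click on the following link and set your password:

#{config.http_type}://#{config.fqdn}/#password_reset_verify/#{token.name}

Enjoy,

#{current_user.firstname} #{current_user.lastname}

Your #{config.product_name} Team
'

      [:subject, :body].each { |key|
        data[key.to_sym] = NotificationFactory.build(
          :locale  => user.locale,
          :string  => data[key.to_sym],
          :objects => {
            :token        => token,
            :user         => user,
            :current_user => current_user,
          }
        )
      }

      NotificationFactory.send(
        :recipient => user,
        :subject   => data[:subject],
        :body      => data[:body]
      )
    end

    user_new = User.find( user.id )
    render :json => user_new, :status => :created
  rescue => e
    # StandardError only — the old `rescue Exception` also swallowed
    # SystemExit/Interrupt. The message is echoed to the client as before.
    render :json => { :error => e.message }, :status => :unprocessable_entity
  end
end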
# @path [PUT] /users/{id}
#
# @summary Updates the User matching the identifier with the provided attribute values.
# @notes Requester has to be in role 'Admin' or 'Agent', or be the
# Customer the record belongs to (who can then only update his own entity).
#
# @parameter id(required) [Integer] The identifier matching the requested User.
# @parameter User(required,body) [User] The attribute value structure needed to update a User.
#
# @response_message 200 [User] Updated User record.
# @response_message 401 Invalid session.
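def update
  # Admin/Agent may update any record; a Customer only his own
  return if !permission_check
  user = User.find( params[:id] )
  begin
    # update_attributes! so a failed validation becomes a 422 below instead
    # of a 200 with the unchanged record. Everything User.param_cleanup leaves
    # in place is mass-assigned; for the self-service Customer case it has to
    # strip anything privilege-related (role_ids, group_ids, ...), which cannot
    # be verified from this controller.
    user.update_attributes!( User.param_cleanup(params) )

    # Roles, groups and organizations are Admin-only. The previous
    # `is_role('Admin') && is_role('Agent')` locked out Admins that are not
    # also Agents; it must not become `||` either, since an Agent able to set
    # role_ids could hand out the Admin role.
    if is_role('Admin')
      user.role_ids         = params[:role_ids]         if params[:role_ids]
      user.group_ids        = params[:group_ids]        if params[:group_ids]
      user.organization_ids = params[:organization_ids] if params[:organization_ids]
    end

    # re-read so the response reflects the association changes
    user_new = User.find( params[:id] )
    render :json => user_new, :status => :ok
  rescue => e
    render :json => { :error => e.message }, :status => :unprocessable_entity
  end
end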
# @path [DELETE] /users/{id}
#
# @summary Deletes the User matching the identifier.
# @notes Requester has to be in role 'Admin' to be able to delete a User.
#
# @parameter id(required) [User] The identifier matching the requested User.
#
# @response_message 200 User successfully deleted.
# @response_message 401 Invalid session.
def destroy
  # Admin only. deny_if_not_role presumably renders the denial itself and
  # returns truthy in that case. Whether model_destory_render refuses to
  # delete the caller's own account or the system account is not visible here.
  denied = deny_if_not_role('Admin')
  return if denied
  model_destory_render(User, params)
end
# @path [GET] /users/search
#
# @tag Search
# @tag User
#
# @summary Searches the User matching the given expression(s).
# @notes TODO: It's possible to use the SOLR search syntax.
# Requester has to be in role 'Admin' or 'Agent' to
# be able to search Users. If requester is only in the
# role 'Customer' he gets a permission denied message.
#
# @parameter term [String] The search term.
# @parameter limit [Integer] The limit of search results.
# @parameter role_ids(multi) [Array<String>] A list of Role identifiers to which the Users have to be allocated to.
# @parameter full [Boolean] Defines if the result should be
# true: { user_ids => [1,2,...], assets => {...} }
# or false: [{:id => user.id, :label => "firstname lastname <email>", :value => "firstname lastname <email>"},...].
#
# @response_message 200 [Array<User>] A list of User resources matching the search term.
# @response_message 401 Invalid session.
def search
  # Customers may not search the directory at all.
  if is_role('Customer') && !is_role('Admin') && !is_role('Agent')
    response_access_deny
    return
  end

  # term and limit are passed straight through; whether User.search caps the
  # limit is not visible here.
  query = {
    :query        => params[:term],
    :limit        => params[:limit],
    :current_user => current_user,
  }
  role_filter = params[:role_ids]
  query[:role_ids] = role_filter if role_filter && !role_filter.empty?

  matches = User.search(query)

  unless params[:full]
    # compact autocomplete form: "firstname lastname <email>"
    entries = matches.map { |match|
      label = "#{match.firstname} #{match.lastname}"
      label += " <#{match.email}>" if match.email && match.email.to_s != ''
      { :id => match.id, :label => label, :value => label }
    }
    render :json => entries
    return
  end

  # full form: the ids plus the asset bundle of every match
  assets = {}
  ids = matches.map { |match|
    assets = match.assets(assets)
    match.id
  }
  render :json => {
    :assets   => assets,
    :user_ids => ids.uniq,
  }
end
# @path [GET] /users/history/{id}
#
# @tag History
# @tag User
#
# @summary Returns the History of a User matching the given identifier.
# @notes Requester has to be in role 'Admin' or 'Agent' to
# get the history of a User.
#
# @parameter id(required) [Integer] The identifier matching the requested User.
#
# @response_message 200 [History] The History ressource of the requested User.
# @response_message 401 Invalid session.
def history
  # Admin or Agent only; a Customer cannot read anyone's history, not even his own.
  unless is_role('Admin') || is_role('Agent')
    response_access_deny
    return
  end
  record = User.find( params[:id] )
  render :json => record.history_get(true)
end
=begin
Resource:
POST /api/v1/users/password_reset
Payload:
{
"username": "some user name"
}
Response:
{
:message => 'ok'
}
Test:
curl http://localhost/api/v1/users/password_reset.json -v -u #{login}:#{password} -H "Content-Type: application/json" -X POST -d '{"username": "some_username"}'
=end
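def password_reset_send
  # feature switch
  if !Setting.get('user_lost_password')
    render :json => { :error => 'Feature not enabled!' }, :status => :unprocessable_entity
    return
  end

  # This endpoint is unauthenticated. The previous version answered 'failed'
  # (422) whenever User.password_reset_send returned false, which let anyone
  # probe which usernames / e-mail addresses exist. The outcome is therefore
  # no longer disclosed: the caller always gets 'ok'. (Whether a false result
  # can also mean a mail-delivery problem is not visible here; such failures
  # should be logged inside User.password_reset_send.) Note that nothing here
  # rate-limits these requests either.
  User.password_reset_send( params[:username] )
  render :json => { :message => 'ok' }, :status => :ok
end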
=begin
Resource:
POST /api/v1/users/password_reset_verify
Payload:
{
"token": "SoMeToKeN",
"password": "new_password"
}
Response:
{
:message => 'ok'
}
Test:
curl http://localhost/api/v1/users/password_reset_verify.json -v -H "Content-Type: application/json" -X POST -d '{"token": "SoMeToKeN", "password": "new_password"}'
=end
def password_reset_verify
  token = params[:token]
  # With a password: consume the token and set the new password. Without one:
  # only check whether the token is (still) valid. Both answers reveal the
  # login behind a valid token, so token strength and expiry (handled in the
  # model, not visible here) are what protects this unauthenticated endpoint.
  # The new password is not validated at this level.
  user = if params[:password]
           User.password_reset_via_token( token, params[:password] )
         else
           User.password_reset_check( token )
         end

  if user
    render :json => { :message => 'ok', :user_login => user.login }, :status => :ok
  else
    render :json => { :message => 'failed' }, :status => :unprocessable_entity
  end
end
=begin
Resource:
POST /api/v1/users/password_change
Payload:
{
"password_old": "some_password_old",
"password_new": "some_password_new"
}
Response:
{
:message => 'ok'
}
Test:
curl http://localhost/api/v1/users/password_change.json -v -u #{login}:#{password} -H "Content-Type: application/json" -X POST -d '{"password_old": "password_old", "password_new": "password_new"}'
=end
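def password_change
  # the caller must prove knowledge of the current password first
  if !params[:password_old]
    render :json => { :message => 'Old password needed!' }, :status => :unprocessable_entity
    return
  end
  user = User.authenticate( current_user.login, params[:password_old] )
  if !user
    render :json => { :message => 'Old password is wrong!' }, :status => :unprocessable_entity
    return
  end

  # An empty string is truthy in Ruby, so the old `if !params[:password_new]`
  # let "" through and set a blank password; treat blank as missing.
  if params[:password_new].to_s.empty?
    render :json => { :message => 'New password needed!' }, :status => :unprocessable_entity
    return
  end

  # report a password the model rejects instead of answering 'ok'
  if !user.update_attributes( :password => params[:password_new] )
    render :json => { :message => 'New password not accepted!' }, :status => :unprocessable_entity
    return
  end
  # NOTE(review): other sessions of this user stay valid after the change;
  # invalidating them would have to happen elsewhere.
  render :json => { :message => 'ok', :user_login => user.login }, :status => :ok
end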
=begin
Resource:
PUT /api/v1/users/preferences.json
Payload:
{
"language": "de",
"notification": true
}
Response:
{
:message => 'ok'
}
Test:
curl http://localhost/api/v1/users/preferences.json -v -u #{login}:#{password} -H "Content-Type: application/json" -X PUT -d '{"user": {"language": "de", "notification": true}}'
=end
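def preferences
  if !current_user
    render :json => { :message => 'No current user!' }, :status => :unprocessable_entity
    return
  end

  prefs = params[:user]
  # A non-iterable payload (e.g. a bare string) used to raise NoMethodError on
  # .each and surface as a 500; answer 422 instead.
  if prefs && !prefs.respond_to?(:each)
    render :json => { :message => 'user has to be a hash!' }, :status => :unprocessable_entity
    return
  end

  if prefs
    prefs.each { |key, value|
      # NOTE(review): keys are client-controlled and interned via to_sym, and
      # any key (not just language/notification) lands in preferences. An
      # allowlist would be safer, but the set of legitimate keys is not
      # visible from this controller.
      current_user.preferences[key.to_sym] = value
    }
  end
  current_user.save
  render :json => { :message => 'ok' }, :status => :ok
end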
=begin
Resource:
DELETE /api/v1/users/account.json
Payload:
{
"provider": "twitter",
"uid": 581482342942
}
Response:
{
:message => 'ok'
}
Test:
curl http://localhost/api/v1/users/account.json -v -u #{login}:#{password} -H "Content-Type: application/json" -X DELETE -d '{"provider": "twitter", "uid": 581482342942}'
=end
def account_remove
  unless current_user
    render :json => { :message => 'No current user!' }, :status => :unprocessable_entity
    return
  end

  provider = params[:provider]
  uid      = params[:uid]
  unless provider
    render :json => { :message => 'provider needed!' }, :status => :unprocessable_entity
    return
  end
  unless uid
    render :json => { :message => 'uid needed!' }, :status => :unprocessable_entity
    return
  end

  # Scoped to the caller's own id, so only the caller's linked third-party
  # accounts can be unlinked, never somebody else's.
  matches = Authorization.where(
    :user_id  => current_user.id,
    :provider => provider,
    :uid      => uid,
  )
  unless matches.first
    render :json => { :message => 'No record found!' }, :status => :unprocessable_entity
    return
  end
  matches.destroy_all
  render :json => { :message => 'ok' }, :status => :ok
end
=begin
Resource:
GET /api/v1/users/image/8d6cca1c6bdc226cf2ba131e264ca2c7
Response:
<IMAGE>
Test:
curl http://localhost/api/v1/users/image/8d6cca1c6bdc226cf2ba131e264ca2c7 -v -u #{login}:#{password}
=end
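def image
  # Avatars are addressed by content hash, so long client-side caching is
  # fine. The previous Cache-Control value ('cache, store, ...') used words
  # that are not Cache-Control directives; and since this action sits behind
  # authentication_check, the response is marked 'private' so that shared
  # caches never store it.
  response.headers['Expires'] = 1.year.from_now.httpdate
  response.headers['Cache-Control'] = 'private, max-age=31536000, must-revalidate'
  response.headers['Pragma'] = 'cache'
  # keep browsers from sniffing a different type out of the bytes
  response.headers['X-Content-Type-Options'] = 'nosniff'

  # raster image types that browsers render without executing anything
  allowed = %r{\Aimage/(png|x-png|jpe?g|pjpeg|gif|bmp|webp)\z}i

  file = Avatar.get_by_hash( params[:hash] )
  if file
    content_type = file.preferences['Content-Type'] || file.preferences['Mime-Type']
    # The stored type originates from the uploader's data URL (see avatar_new)
    # and the file is served inline under the application origin, so a
    # non-image type (text/html, image/svg+xml, ...) would be a stored-XSS
    # vector. Anything not on the allowlist falls through to the default image.
    if content_type.to_s =~ allowed
      send_data(
        file.content,
        :filename    => file.filename,
        :type        => content_type,
        :disposition => 'inline'
      )
      return
    end
  end

  # default avatar: a small embedded GIF
  image = 'R0lGODdhMAAwAOMAAMzMzJaWlr6+vqqqqqOjo8XFxbe3t7GxsZycnAAAAAAAAAAAAAAAAAAAAAAAAAAAACwAAAAAMAAwAAAEcxDISau9OOvNu/9gKI5kaZ5oqq5s675wLM90bd94ru98TwuAA+KQAQqJK8EAgBAgMEqmkzUgBIeSwWGZtR5XhSqAULACCoGCJGwlm1MGQrq9RqgB8fm4ZTUgDBIEcRR9fz6HiImKi4yNjo+QkZKTlJWWkBEAOw=='
  send_data(
    Base64.decode64(image),
    :filename    => 'image.gif',
    :type        => 'image/gif',
    :disposition => 'inline'
  )
end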
=begin
Resource:
POST /api/v1/users/avatar
Payload:
{
"avatar_full": "base64 url",
"avatar_resize": "base64 url"
}
Response:
{
:message => 'ok'
}
Test:
curl http://localhost/api/v1/users/avatar -v -u #{login}:#{password} -H "Content-Type: application/json" -X POST -d '{"avatar_full": "base64 url", "avatar_resize": "base64 url"}'
=end
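def avatar_new
  return if !valid_session_with_user

  file_full   = StaticAssets.data_url_attributes( params[:avatar_full] )
  file_resize = StaticAssets.data_url_attributes( params[:avatar_resize] )

  # Both data URLs are client-supplied, and the MIME type taken from them is
  # stored as-is and later served inline by `image`. An image/svg+xml or
  # text/html "avatar" would therefore be stored XSS under the application
  # origin (unless Avatar.add validates the type, which is not visible here),
  # so only raster image types are accepted. An unparsable data URL used to
  # raise on file_full[:content] and end up as a 500; it is a 422 now. No
  # size limit is enforced at this level — TODO confirm StaticAssets/Avatar.add do.
  allowed = %r{\Aimage/(png|x-png|jpe?g|pjpeg|gif|bmp|webp)\z}i
  [file_full, file_resize].each { |file|
    if !file || !file[:content] || file[:mime_type].to_s !~ allowed
      render :json => { :message => 'Invalid avatar image!' }, :status => :unprocessable_entity
      return
    end
  }

  avatar = Avatar.add(
    :object => 'User',
    :o_id   => current_user.id,
    :full   => {
      :content   => file_full[:content],
      :mime_type => file_full[:mime_type],
    },
    :resize => {
      :content   => file_resize[:content],
      :mime_type => file_resize[:mime_type],
    },
    :source    => 'upload ' + Time.now.to_s,
    :deletable => true,
  )

  # point the user record at the new avatar
  current_user.update_attributes( :image => avatar.store_hash )
  render :json => { :avatar => avatar }, :status => :ok
end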
def avatar_set_default
  return if !valid_session_with_user

  avatar_id = params[:id]
  if !avatar_id
    render :json => { :message => 'No id of avatar!' }, :status => :unprocessable_entity
    return
  end

  # Scoped to current_user.id, so only the caller's own avatars can be
  # chosen; rejecting a foreign or unknown id is left to Avatar.set_default
  # (a nil from there would raise on store_hash).
  chosen = Avatar.set_default( 'User', current_user.id, avatar_id )
  current_user.update_attributes( :image => chosen.store_hash )
  render :json => {}, :status => :ok
end
def avatar_destroy
  return if !valid_session_with_user

  avatar_id = params[:id]
  if !avatar_id
    render :json => { :message => 'No id of avatar!' }, :status => :unprocessable_entity
    return
  end

  # remove_one is scoped to the caller's own avatars. Whether it rejects a
  # foreign id, and what get_default returns once no avatar is left, is
  # decided in Avatar (a nil there would raise on store_hash).
  Avatar.remove_one( 'User', current_user.id, avatar_id )
  fallback = Avatar.get_default( 'User', current_user.id )
  current_user.update_attributes( :image => fallback.store_hash )
  render :json => {}, :status => :ok
end
def avatar_list
  return if !valid_session_with_user
  # only the caller's own avatars are listed
  avatars = Avatar.list( 'User', current_user.id )
  render :json => { :avatars => avatars }, :status => :ok
end
private

# True for Admin or Agent. Anybody else gets the access-denied response
# rendered here and a false return, so callers can simply `return` on it.
def permission_check_by_role
  return true if is_role('Admin') || is_role('Agent')
  response_access_deny
  false
end
# Admin/Agent may touch any record; a Customer only the record whose id
# (params[:id], compared as an integer) equals his own. Everything else gets
# the access-denied response rendered here and a false return.
def permission_check
  return true if is_role('Admin') || is_role('Agent')
  return true if is_role('Customer') && params[:id].to_i == current_user.id
  response_access_deny
  false
end
end