trabajo-afectivo/app/controllers/form_controller.rb

247 lines
7 KiB
Ruby
Raw Normal View History

2015-08-10 00:10:41 +00:00
# Copyright (C) 2012-2014 Zammad Foundation, http://zammad-foundation.org/
class FormController < ApplicationController
skip_before_action :verify_csrf_token
before_action :cors_preflight_check_execute
after_action :set_access_control_headers_execute
2015-08-10 00:10:41 +00:00
def configuration
2015-08-10 00:10:41 +00:00
return if !enabled?
return if !fingerprint_exists?
return if limit_reached?
2015-08-10 00:10:41 +00:00
api_path = Rails.configuration.api_path
http_type = Setting.get('http_type')
fqdn = Setting.get('fqdn')
endpoint = "#{http_type}://#{fqdn}#{api_path}/form_submit"
result = {
2015-08-10 00:10:41 +00:00
enabled: Setting.get('form_ticket_create'),
endpoint: endpoint,
token: token_gen(params[:fingerprint])
2015-08-10 00:10:41 +00:00
}
if params[:test] && current_user && current_user.permissions?('admin.channel_formular')
result[:enabled] = true
end
render json: result, status: :ok
2015-08-10 00:10:41 +00:00
end
def submit
return if !enabled?
return if !fingerprint_exists?
return if !token_valid?(params[:token], params[:fingerprint])
return if limit_reached?
2015-08-10 00:10:41 +00:00
# validate input
errors = {}
if params[:name].blank?
2015-08-10 00:10:41 +00:00
errors['name'] = 'required'
end
if params[:email].blank?
2015-08-10 00:10:41 +00:00
errors['email'] = 'required'
elsif params[:email] !~ /@/
2015-08-10 00:10:41 +00:00
errors['email'] = 'invalid'
2017-11-23 08:09:44 +00:00
elsif params[:email].match?(/(>|<|\||\!|"|§|'|\$|%|&|\(|\)|\?|\s|\.\.)/)
2015-08-10 12:08:06 +00:00
errors['email'] = 'invalid'
end
if params[:title].blank?
2015-08-10 08:56:55 +00:00
errors['title'] = 'required'
end
if params[:body].blank?
2015-08-10 00:10:41 +00:00
errors['body'] = 'required'
end
# realtime verify
if errors['email'].blank?
begin
address = ValidEmail2::Address.new(params[:email])
if !address || !address.valid? || !address.valid_mx?
errors['email'] = 'invalid'
end
rescue => e
message = e.to_s
Rails.logger.info "Can't verify email #{params[:email]}: #{message}"
# ignore 450, graylistings
if message !~ /450/
errors['email'] = message
end
end
end
if errors.present?
2015-08-10 00:10:41 +00:00
render json: {
errors: errors
}, status: :ok
return
end
name = params[:name].strip
email = params[:email].strip.downcase
customer = User.find_by(email: email)
if !customer
role_ids = Role.signup_role_ids
2015-08-10 00:10:41 +00:00
customer = User.create(
firstname: name,
lastname: '',
email: email,
active: true,
role_ids: role_ids,
2015-08-10 00:10:41 +00:00
updated_by_id: 1,
created_by_id: 1,
)
end
# set current user
UserInfo.current_user_id = customer.id
group = Group.find_by(id: Setting.get('form_ticket_create_group_id'))
if !group
group = Group.where(active: true).first
if !group
group = Group.first
end
end
2017-06-16 23:02:13 +00:00
ticket = Ticket.create!(
group_id: group.id,
2015-08-10 00:10:41 +00:00
customer_id: customer.id,
2015-08-10 08:56:55 +00:00
title: params[:title],
preferences: {
form: {
remote_ip: request.remote_ip,
fingerprint_md5: Digest::MD5.hexdigest(params[:fingerprint]),
}
}
2015-08-10 00:10:41 +00:00
)
2017-06-16 23:02:13 +00:00
article = Ticket::Article.create!(
2015-08-10 00:10:41 +00:00
ticket_id: ticket.id,
type_id: Ticket::Article::Type.find_by(name: 'web').id,
sender_id: Ticket::Article::Sender.find_by(name: 'Customer').id,
2015-08-10 00:10:41 +00:00
body: params[:body],
2015-08-10 08:56:55 +00:00
subject: params[:title],
2015-08-10 00:10:41 +00:00
internal: false,
)
2017-11-23 08:09:44 +00:00
params[:file]&.each do |file|
Store.add(
object: 'Ticket::Article',
o_id: article.id,
data: file.read,
filename: file.original_filename,
preferences: {
'Mime-Type' => file.content_type,
}
)
end
UserInfo.current_user_id = 1
result = {
ticket: {
id: ticket.id,
number: ticket.number
}
}
2015-08-10 00:10:41 +00:00
render json: result, status: :ok
end
private
def token_gen(fingerprint)
2017-08-13 15:18:54 +00:00
crypt = ActiveSupport::MessageEncryptor.new(Setting.get('application_secret')[0, 32])
fingerprint = "#{Base64.strict_encode64(Setting.get('fqdn'))}:#{Time.zone.now.to_i}:#{Base64.strict_encode64(fingerprint)}"
Base64.strict_encode64(crypt.encrypt_and_sign(fingerprint))
end
def token_valid?(token, fingerprint)
if token.blank?
Rails.logger.info 'No token for form!'
response_access_deny
return false
end
begin
2017-08-13 15:18:54 +00:00
crypt = ActiveSupport::MessageEncryptor.new(Setting.get('application_secret')[0, 32])
result = crypt.decrypt_and_verify(Base64.decode64(token))
rescue
Rails.logger.info 'Invalid token for form!'
response_access_deny
return false
end
if result.blank?
Rails.logger.info 'Invalid token for form!'
response_access_deny
return false
end
parts = result.split(/:/)
if parts.count != 3
Rails.logger.info "Invalid token for form (need to have 3 parts, only #{parts.count} found)!"
response_access_deny
return false
end
fqdn_local = Base64.decode64(parts[0])
if fqdn_local != Setting.get('fqdn')
Rails.logger.info "Invalid token for form (invalid fqdn found #{fqdn_local} != #{Setting.get('fqdn')})!"
response_access_deny
return false
end
fingerprint_local = Base64.decode64(parts[2])
if fingerprint_local != fingerprint
Rails.logger.info "Invalid token for form (invalid fingerprint found #{fingerprint_local} != #{fingerprint})!"
response_access_deny
return false
end
if parts[1].to_i < (Time.zone.now.to_i - 60 * 60 * 24)
Rails.logger.info 'Invalid token for form (token expired})!'
response_access_deny
return false
end
true
end
def limit_reached?
return false if !SearchIndexBackend.enabled?
form_limit_by_ip_per_hour = Setting.get('form_ticket_create_by_ip_per_hour') || 20
result = SearchIndexBackend.search("preferences.form.remote_ip:'#{request.remote_ip}' AND created_at:>now-1h", form_limit_by_ip_per_hour, 'Ticket')
if result.count >= form_limit_by_ip_per_hour.to_i
response_access_deny
return true
end
form_limit_by_ip_per_day = Setting.get('form_ticket_create_by_ip_per_day') || 240
result = SearchIndexBackend.search("preferences.form.remote_ip:'#{request.remote_ip}' AND created_at:>now-1d", form_limit_by_ip_per_day, 'Ticket')
if result.count >= form_limit_by_ip_per_day.to_i
response_access_deny
return true
end
form_limit_per_day = Setting.get('form_ticket_create_per_day') || 5000
result = SearchIndexBackend.search('preferences.form.remote_ip:* AND created_at:>now-1d', form_limit_per_day, 'Ticket')
if result.count >= form_limit_per_day.to_i
response_access_deny
return true
end
false
end
def fingerprint_exists?
return true if params[:fingerprint].present? && params[:fingerprint].length > 30
Rails.logger.info 'No fingerprint given!'
response_access_deny
false
end
2015-08-10 00:10:41 +00:00
def enabled?
return true if params[:test] && current_user && current_user.permissions?('admin.channel_formular')
return true if Setting.get('form_ticket_create') && Setting.get('customer_ticket_create')
2015-08-10 00:10:41 +00:00
response_access_deny
false
end
end