Added admin session management.

app/assets/javascripts/app/controllers/session.js.coffee

@@ -0,0 +1,55 @@
+class Session extends App.ControllerContent
+  events:
+    'click [data-type="delete"]': 'destroy'
+
+  constructor: ->
+    super
+    # check authentication
+    return if !@authenticate()
+
+    @load()
+    @interval(
+      =>
+        @load
+      10000
+    )
+
+  # fetch data, render view
+  load: ->
+    App.Com.ajax(
+      id:    'sessions'
+      type:  'GET'
+      url:   'api/sessions'
+      success: (data) =>
+        @render(data)
+    )
+
+  render: (data) ->
+    App.Collection.load( type: 'User', data: data.users )
+
+    # fill users
+    for session in data.sessions
+      if session.data && session.data.user_id
+        session.data.user = App.User.find( session.data.user_id )
+
+    @html App.view('session')(
+      sessions: data.sessions
+    )
+
+    # show frontend times
+    @frontendTimeUpdate()
+
+  destroy: (e) ->
+    e.preventDefault()
+    sessionId = $( e.target ).data('session-id')
+    App.Com.ajax(
+      id:    'sessions/' + sessionId
+      type:  'DELETE'
+      url:   'api/sessions/' + sessionId
+      success: (data) =>
+        @load()
+    )
+
+
+App.Config.set( 'session', Session, 'Routes' )
+App.Config.set( 'session', { prio: 3700, parent: '#admin', name: 'Sessions', target: '#session', role: ['Admin'] }, 'NavBar' )

app/assets/javascripts/app/views/session.jst.eco

@@ -0,0 +1,28 @@
+<div class="page-header">
+  <h1><%- @T('Sessions') %><small></small></h1>
+</div>
+<table class="table table-striped table-hover">
+  <thead>
+    <tr>
+      <th class="span4"><%- @T('User') %></th>
+      <th class="span3"><%- @T('Browser') %></th>
+      <th class="span3"><%- @T('Location') %></th>
+      <th class="span1"><%- @T('Age') %></th>
+      <th class="span1"><%- @T('Update') %></th>
+      <th class="span1"></th>
+    </tr>
+  </thead>
+  <tbody>
+    <% for session in @sessions: %>
+    <tr>
+      <td><% if session.data.user: %><%= session.data.user.displayName() %><% end %></td>
+      <td><% if session.data.user_agent: %><%= session.data.user_agent %><% end %></td>
+      <td><% if session.data.geo: %><%= session.data.geo.country_code %> <%= session.data.geo.city %><% end %></td>
+      <td><span class="humanTimeFromNow" data-time="<%- session.created_at %>">?</span></td>
+      <td><span class="humanTimeFromNow" data-time="<%- session.updated_at %>">?</span></td>
+      <td><a href="#" data-session-id="<%- session.id %>" data-type="delete" class="icon-trash" title="<%- @T('Delete') %>"></a></td>
+    </tr>
+    <% end %>
+  </tbody>
+</table>
+

app/controllers/application_controller.rb

@@ -14,7 +14,7 @@ class ApplicationController < ActionController::Base
   :mode_show_rendeder,
   :model_index_render
 
-  before_filter :set_user
+  before_filter :set_user, :session_update
   before_filter :cors_preflight_check
 
   after_filter  :set_access_control_headers
@@ -73,9 +73,26 @@ class ApplicationController < ActionController::Base
     UserInfo.current_user_id = current_user.id
   end
 
+  # update session updated_at
+  def session_update
+    session[:ping] = Time.now.utc.iso8601
+
+    # check if remote ip need to be updated
+    if !session[:remote_id] || session[:remote_id] != request.remote_ip
+      session[:remote_id]  = request.remote_ip
+      session[:geo]        = Geoip.location( request.remote_ip )
+    end
+
+    # fill user agent
+    if !session[:user_agent]
+      session[:user_agent] = request.env['HTTP_USER_AGENT']
+    end
+  end
+
   def authentication_check_only
 
     puts 'authentication_check'
+    session[:request_type] = 1
     #puts params.inspect
     #puts session.inspect
     #puts cookies.inspect
@@ -83,6 +100,8 @@ class ApplicationController < ActionController::Base
     # check http basic auth
     authenticate_with_http_basic do |username, password|
       puts 'http basic auth check'
+      session[:request_type] = 2
+
       userdata = User.authenticate( username, password )
       message = ''
       if !userdata
@@ -113,6 +132,8 @@ class ApplicationController < ActionController::Base
         userdata = User.find( logon_session.data[:user_id] )
       end
 
+      session[:request_type] = 3
+
       # set logon session user to current user
       current_user_set(userdata)
       return {

app/controllers/sessions_controller.rb

@@ -148,4 +148,30 @@ class SessionsController < ApplicationController
     redirect_to '/#'
   end
 
+  def list
+    return if deny_if_not_role('Admin')
+    sessions = ActiveRecord::SessionStore::Session.order('created_at DESC').limit(10000)
+    users = {}
+    sessions_clean = []
+    sessions.each {|session|
+      next if !session.data['user_id']
+      sessions_clean.push session
+      if session.data['user_id']
+        if !users[ session.data['user_id'] ]
+          users[ session.data['user_id'] ] = User.user_data_full( session.data['user_id'] )
+        end
+      end
+    }
+    render :json => {
+      :sessions => sessions_clean,
+      :users    => users,
+    }
+  end
+
+  def delete
+    return if deny_if_not_role('Admin')
+    session = ActiveRecord::SessionStore::Session.find(params[:id])
+    session.destroy
+    render :json => {}
+  end
 end

app/models/observer/session.rb

@@ -0,0 +1,25 @@
+# Copyright (C) 2012-2013 Zammad Foundation, http://zammad-foundation.org/
+
+require 'history'
+
+class Observer::Session < ActiveRecord::Observer
+  observe 'active_record::_session_store::_session'
+
+  def before_create(record)
+    check(record)
+  end
+  def before_update(record)
+    check(record)
+  end
+
+  def check(record)
+    return if !record.data
+
+    # remember request type
+    if record.data['request_type']
+      record[:request_type] = record.data['request_type']
+      record.data.delete('request_type')
+    end
+  end
+
+end

config/application.rb

@@ -26,6 +26,7 @@ module Zammad
     # Activate observers that should always be running.
     # config.active_record.observers = :cacher, :garbage_collector, :forum_observer
     config.active_record.observers =
+      'observer::_session',
       'observer::_history',
       'observer::_ticket::_first_response',
       'observer::_ticket::_last_contact',

config/routes/auth.rb

@@ -2,16 +2,18 @@ module ExtraRoutes
   def add(map)
 
     # omniauth
-    map.match '/auth/:provider/callback', :to => 'sessions#create_omniauth'
+    map.match '/auth/:provider/callback', :to => 'sessions#create_omniauth',:via => [:post, :get, :puts, :delete]
 
     # sso
-    map.match '/auth/sso',                :to => 'sessions#create_sso'
+    map.match '/auth/sso',                :to => 'sessions#create_sso',     :via => [:post, :get]
 
     # sessions
-    map.match '/signin',                  :to => 'sessions#create'
+    map.match '/signin',                  :to => 'sessions#create',         :via => :post
-    map.match '/signshow',                :to => 'sessions#show'
+    map.match '/signshow',                :to => 'sessions#show',           :via => :get
-    map.match '/signout',                 :to => 'sessions#destroy'
+    map.match '/signout',                 :to => 'sessions#destroy',        :via => [:get, :delete]
 
+    map.match '/api/sessions',            :to => 'sessions#list',           :via => :get
+    map.match '/api/sessions/:id',        :to => 'sessions#delete',         :via => :delete
   end
   module_function :add
 end

db/migrate/20130726000001_update_session.rb

@@ -0,0 +1,9 @@
+class UpdateSession < ActiveRecord::Migration
+  def up
+    add_column :sessions, :request_type,      :integer, :null => true
+    add_index :sessions, :request_type
+  end
+  def down
+  end
+end
+

lib/geoip.rb

@@ -0,0 +1,26 @@
+require 'faraday'
+require 'cache'
+
+module Geoip
+  def self.location(address)
+
+    # check cache
+    cache_key = "geoip::#{address}"
+    cache = Cache.get( cache_key )
+    return cache if cache
+
+    # do lookup
+    host = "http://freegeoip.net"
+    url  = "/json/#{CGI::escape address}"
+    data = {}
+    begin
+      conn = Faraday.new( :url => host )
+      response = conn.get url
+      data = JSON.parse( response.body )
+      Cache.write( cache_key, data, { :expires_in => 90.days } )
+    rescue
+      Cache.write( cache_key, data, { :expires_in => 60.minutes } )
+    end
+    data
+  end
+end