Class: SessionsController

Inherits:
ApplicationController
  • Object
Defined in:
app/controllers/sessions_controller.rb


Instance Method Details

#change_user ⇒ Object



# File 'app/controllers/sessions_controller.rb', line 103

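def change_user
  # Switch the session to another user while under sudo.
  #
  # Only an admin, or a session already carrying the admin_under_sudo
  # marker (set by a previous pass through this branch), may reach the
  # else branch.  The original guard read
  # `!session[:admin_under_sudo] = 1`, which Ruby parses as
  # `!(session[:admin_under_sudo] = 1)`: it assigned the marker to every
  # non-admin session and always evaluated to false, so "Access denied!"
  # was unreachable and any caller could take over any username.
  # NOTE(review): params[:username] is stored without checking that it
  # names an existing user.
  if !admin_logged_in? && session[:admin_under_sudo] != 1
    flash[:notice] = "Access denied!"
    redirect_to root_url
  elsif !sudo_enabled
    flash[:notice] = "SUDO Feature disabled"
    redirect_to root_url
  else
    # Again, we have to be really careful with the next 2 lines!
    session[:username] = params[:username]
    session[:admin_under_sudo] = 1
    redirect_to root_url
  end
end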

#destroy ⇒ Object

DELETE account_url



# File 'app/controllers/sessions_controller.rb', line 77

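def destroy
  # Clear the local login, drop the sudo grant, then log out of CAS.
  #
  # :admin_under_sudo is what change_user, sudo and show trust as the
  # "admin is impersonating" marker.  Only :username was cleared before,
  # so the marker could survive a logout and still be honoured if the
  # same session later received a fresh login via #new.
  session[:username] = nil
  session[:admin_under_sudo] = nil
  CASClient::Frameworks::Rails::Filter.logout(self)
end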

#edit ⇒ Object

GET edit_account_url



# File 'app/controllers/sessions_controller.rb', line 66

def edit
  # TODO: secure and make proper, use update
  # NOTE(review): User.current is assigned straight from params[:username]
  # with no authentication step in this action — the caller picks the user.
  username = params[:username]
  return if username.nil?

  if (User.current = User.find_by_username(username))
    flash[:notice] = ["Welcome", User.current.first].join(', ')
  else
    flash[:notice] = ["Sorry - login error! Please see the webmaster... TODO"]
    redirect_to "/"
  end
end

#new ⇒ Object

GET new_account_url



# File 'app/controllers/sessions_controller.rb', line 7

def new
  # CAS has already forced authentication before this action runs, so
  # session[:cas_user] is what we map onto a local account.
  if logged_in?
    # Already logged in: leave the session untouched.
    flash[:notice] = "You are already logged in!"
    return redirect_to(root_path)
  end

  user = find_user_by_username(session[:cas_user])
  if user.nil?
    # Unknown so far: let authenticates_rpi.rb create the account, then retry.
    new_user_action(session[:cas_user])
    user = find_user_by_username(session[:cas_user])
  end

  if user.nil?
    # Still unknown; TODO: decide what to do in this case.
    flash[:notice] = "Sorry, your login does not appear to be valid."
    return redirect_to(root_path)
  end

  # Known account: record the login under the configured username field.
  session[:username] = user.send(username_field)
  flash[:notice] = "Logged in successfully - #{current_user_display_name}"

  # :page_before_login may have been set before the bounce to session/new
  # so the user lands back on the page they originally asked for.
  return_to = session[:page_before_login]
  if return_to
    redirect_to return_to
    session[:page_before_login] = nil
  else
    redirect_to root_path
  end
end

#show ⇒ Object



# File 'app/controllers/sessions_controller.rb', line 118

def show
  # Debug output is only offered when ?debug is present and the viewer is
  # an admin, either directly or via the admin_under_sudo session marker.
  debug_requested = params[:debug]
  @show_debug = debug_requested && (admin_logged_in? || session[:admin_under_sudo])
end

#sudo ⇒ Object

These methods let you pretend to be someone else. Security critical, so modify with caution!



# File 'app/controllers/sessions_controller.rb', line 85

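def sudo
  # Present the list of users an admin may impersonate.
  #
  # Note: we add the session parameter admin_under_sudo. This should
  # NEVER be accessed outside of this controller, as doing that or
  # accessing the actual session username variable directly would
  # defeat the purpose of encapsulating the login as it really would be.
  #
  # The original guard read `!session[:admin_under_sudo] = 1`, which Ruby
  # parses as `!(session[:admin_under_sudo] = 1)`: it set the marker on
  # every non-admin session and always evaluated to false, so the
  # "Access denied!" branch could never run.  Deny unless the caller is an
  # admin or is already marked as an admin under sudo.
  if !admin_logged_in? && session[:admin_under_sudo] != 1
    flash[:notice] = "Access denied!"
    redirect_to root_url
  elsif !sudo_enabled
    flash[:notice] = "SUDO Feature disabled"
    redirect_to root_url
  else
    @users = user_class.find(:all)
    @username_field = username_field
    # Fall back to the username when no full-name field is configured.
    @name_field = fullname_field || username_field
  end
end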