Description:
change to encrypted cookies

r853:da84d756f1f9 - - 2 files changed: 8 inserted, 6 deleted

@@ -1,159 +1,161
1 1 require 'ipaddr'
2 2 require "securerandom"
3 3
4 4 class ApplicationController < ActionController::Base
5 5 protect_from_forgery
6 6
7 7 before_action :current_user
8 8 before_action :nav_announcement
9 9 before_action :unique_visitor_id
10 10
11 11 SINGLE_USER_MODE_CONF_KEY = 'system.single_user_mode'
12 12 MULTIPLE_IP_LOGIN_CONF_KEY = 'right.multiple_ip_login'
13 13 WHITELIST_IGNORE_CONF_KEY = 'right.whitelist_ignore'
14 14 WHITELIST_IP_CONF_KEY = 'right.whitelist_ip'
15 15
16 16 #report and redirect for unauthorized activities
17 17 def unauthorized_redirect(notice = 'You are not authorized to view the page you requested')
18 18 flash[:notice] = notice
19 19 redirect_to login_main_path
20 20 end
21 21
22 22 # Returns the current logged-in user (if any).
23 23 def current_user
24 24 return nil unless session[:user_id]
25 25 @current_user ||= User.find(session[:user_id])
26 26 end
27 27
28 28 def nav_announcement
29 29 @nav_announcement = Announcement.where(on_nav_bar: true)
30 30 end
31 31
32 32 def admin_authorization
33 33 return false unless check_valid_login
34 34 user = User.includes(:roles).find(session[:user_id])
35 35 unless user.admin?
36 36 unauthorized_redirect
37 37 return false
38 38 end
39 39 return true
40 40 end
41 41
42 42 def authorization_by_roles(allowed_roles)
43 43 return false unless check_valid_login
44 44 unless @current_user.roles.detect { |role| allowed_roles.member?(role.name) }
45 45 unauthorized_redirect
46 46 return false
47 47 end
48 48 end
49 49
50 50 def testcase_authorization
51 51 #admin always has privileged
52 52 if @current_user.admin?
53 53 return true
54 54 end
55 55
56 56 unauthorized_redirect unless GraderConfiguration["right.view_testcase"]
57 57 end
58 58
59 59 def unique_visitor_id
60 - unless cookies[:uuid]
60 + unless cookies.encrypted[:uuid]
61 61 value = SecureRandom.uuid
62 - cookies[:uuid] = { value: value, expires: 20.year }
62 + cookies.encrypted[:uuid] = { value: value, expires: 20.year }
63 63 end
64 + puts "encrypt " + cookies.encrypted[:uuid]
65 + puts cookies[:uuid]
64 66 end
65 67
66 68 protected
67 69
68 70 #redirect to root (and also force logout)
69 71 #if the user is not logged_in or the system is in "ADMIN ONLY" mode
70 72 def check_valid_login
71 73 #check if logged in
72 74 unless session[:user_id]
73 75 if GraderConfiguration[SINGLE_USER_MODE_CONF_KEY]
74 76 unauthorized_redirect('You need to login but you cannot log in at this time')
75 77 else
76 78 unauthorized_redirect('You need to login')
77 79 end
78 80 return false
79 81 end
80 82
81 83 # check if run in single user mode
82 84 if GraderConfiguration[SINGLE_USER_MODE_CONF_KEY]
83 85 if @current_user==nil || (!@current_user.admin?)
84 86 unauthorized_redirect('You cannot log in at this time')
85 87 return false
86 88 end
87 89 end
88 90
89 91 # check if the user is enabled
90 92 unless @current_user.enabled? || @current_user.admin?
91 93 unauthorized_redirect 'Your account is disabled'
92 94 return false
93 95 end
94 96
95 97 # check if user ip is allowed
96 98 unless @current_user.admin? || GraderConfiguration[WHITELIST_IGNORE_CONF_KEY]
97 99 unless is_request_ip_allowed?
98 100 unauthorized_redirect 'Your IP is not allowed to login at this time.'
99 101 return false
100 102 end
101 103 end
102 104
103 105 if GraderConfiguration.multicontests?
104 106 return true if @current_user.admin?
105 107 begin
106 108 if @current_user.contest_stat(true).forced_logout
107 109 flash[:notice] = 'You have been automatically logged out.'
108 110 redirect_to :controller => 'main', :action => 'index'
109 111 end
110 112 rescue
111 113 end
112 114 end
113 115 return true
114 116 end
115 117
116 118 #redirect to root (and also force logout)
117 119 #if the user use different ip from the previous connection
118 120 # only applicable when MULTIPLE_IP_LOGIN options is false only
119 121 def authenticate_by_ip_address
120 122 #this assume that we have already authenticate normally
121 123 unless GraderConfiguration[MULTIPLE_IP_LOGIN_CONF_KEY]
122 124 user = User.find(session[:user_id])
123 125 if (!user.admin? && user.last_ip && user.last_ip != request.remote_ip)
124 126 flash[:notice] = "You cannot use the system from #{request.remote_ip}. Your last ip is #{user.last_ip}"
125 127 redirect_to :controller => 'main', :action => 'login'
126 128 return false
127 129 end
128 130 unless user.last_ip
129 131 user.last_ip = request.remote_ip
130 132 user.save
131 133 end
132 134 end
133 135 return true
134 136 end
135 137
136 138 def authorization
137 139 return false unless check_valid_login
138 140 user = User.find(session[:user_id])
139 141 unless user.roles.detect { |role|
140 142 role.rights.detect{ |right|
141 143 right.controller == self.class.controller_name and
142 144 (right.action == 'all' || right.action == action_name)
143 145 }
144 146 }
145 147 flash[:notice] = 'You are not authorized to view the page you requested'
146 148 #request.env['HTTP_REFERER'] ? (redirect_to :back) : (redirect_to :controller => 'login')
147 149 redirect_to :controller => 'main', :action => 'login'
148 150 return false
149 151 end
150 152 end
151 153
152 154 def verify_time_limit
153 155 return true if session[:user_id]==nil
154 156 user = User.find(session[:user_id], :include => :site)
155 157 return true if user==nil || user.site == nil
156 158 if user.contest_finished?
157 159 flash[:notice] = 'Error: the contest you are participating is over.'
158 160 redirect_to :back
159 161 return false
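Review bot: The two `puts` lines added at the end of `unique_visitor_id` (new lines 64–65) read as leftover debugging: the method runs on every request through `before_action :unique_visitor_id`, so each visitor's uuid is written to the process's stdout, and the second line now prints the opaque encrypted cookie string rather than the uuid. `"encrypt " + cookies.encrypted[:uuid]` would also raise TypeError if the decrypted value were ever nil. Both lines should be removed; if a trace is wanted, a `Rails.logger.debug` call that records only whether the cookie is present avoids logging the identifier. Note that visitors still carrying the pre-change plaintext `uuid` cookie will presumably fail decryption and be reissued a new value, which changes the identity recorded for them in `LoginController#login`.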
@@ -1,99 +1,99
1 1 class LoginController < ApplicationController
2 2
3 3 @@authenticators = []
4 4
5 5 def index
6 6 # show login screen
7 7 reset_session
8 8 redirect_to :controller => 'main', :action => 'login'
9 9 end
10 10
11 11 def login
12 12 user = get_authenticated_user(params[:login], params[:password])
13 13 unless user
14 14 flash[:notice] = 'Wrong password'
15 15 redirect_to :controller => 'main', :action => 'login'
16 16 return
17 17 end
18 18
19 19 if (!GraderConfiguration['right.bypass_agreement']) and (!params[:accept_agree]) and !user.admin?
20 20 flash[:notice] = 'You must accept the agreement before logging in'
21 21 redirect_to :controller => 'main', :action => 'login'
22 22 return
23 23 end
24 24
25 25 #store uuid when login
26 26 if user.last_ip.nil?
27 - user.last_ip = cookies[:uuid]
27 + user.last_ip = cookies.encrypted[:uuid]
28 28 else
29 - if user.last_ip != cookies[:uuid]
30 - user.last_ip =cookies[:uuid]
29 + if user.last_ip != cookies.encrypted[:uuid]
30 + user.last_ip =cookies.encrypted[:uuid]
31 31 #log different login
32 32 end
33 33 end
34 34
35 35 #process logging in
36 36 session[:user_id] = user.id
37 37 session[:admin] = user.admin?
38 38
39 39 # clear forced logout flag for multicontests contest change
40 40 if GraderConfiguration.multicontests?
41 41 contest_stat = user.contest_stat
42 42 if contest_stat.respond_to? :forced_logout
43 43 if contest_stat.forced_logout
44 44 contest_stat.forced_logout = false
45 45 contest_stat.save
46 46 end
47 47 end
48 48 end
49 49
50 50 #save login information
51 - Login.create(user_id: user.id, ip_address: cookies[:uuid])
51 + Login.create(user_id: user.id, ip_address: cookies.encrypted[:uuid])
52 52
53 53 redirect_to :controller => 'main', :action => 'list'
54 54 end
55 55
56 56 def site_login
57 57 begin
58 58 site = Site.find(params[:login][:site_id])
59 59 rescue ActiveRecord::RecordNotFound
60 60 site = nil
61 61 end
62 62 if site==nil
63 63 flash[:notice] = 'Wrong site'
64 64 redirect_to :controller => 'main', :action => 'login' and return
65 65 end
66 66 if (site.password) and (site.password == params[:login][:password])
67 67 session[:site_id] = site.id
68 68 redirect_to :controller => 'site', :action => 'index'
69 69 else
70 70 flash[:notice] = 'Wrong site password'
71 71 redirect_to :controller => 'site', :action => 'login'
72 72 end
73 73 end
74 74
75 75 def logout
76 76 redirect_to root_path
77 77 end
78 78
79 79 def self.add_authenticator(authenticator)
80 80 @@authenticators << authenticator
81 81 end
82 82
83 83 protected
84 84
85 85 def get_authenticated_user(login, password)
86 86 if @@authenticators.empty?
87 87 return User.authenticate(login, password)
88 88 else
89 89 user = User.authenticate(login, password)
90 90 @@authenticators.each do |authenticator|
91 91 if not user
92 92 user = authenticator.authenticate(login, password)
93 93 end
94 94 end
95 95 return user
96 96 end
97 97 end
98 98
99 99 end
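Review bot: `login` assigns `user.last_ip` from `cookies.encrypted[:uuid]` (new lines 27 and 30) but nothing in the action calls `user.save`, so the assignment is discarded when the request ends; the `#log different login` branch is also still empty. If the intent is to persist the visitor id, add `user.save` after the `if/else`, but note that `ApplicationController#authenticate_by_ip_address` compares `last_ip` against `request.remote_ip`, so a uuid stored in that column will make that check reject every non-admin user once it is persisted. The encrypted jar stops a client from forging the uuid, yet a client can still clear the cookie and receive a fresh one from `unique_visitor_id`, so `Login.create(..., ip_address: cookies.encrypted[:uuid])` (new line 51) records a client-resettable identifier in a field named as an address; either store `request.remote_ip` there or rename the column so the audit data is not misread.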