diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -1,14 +1,28 @@ class ApplicationController < ActionController::Base protect_from_forgery + before_filter :current_user + SINGLE_USER_MODE_CONF_KEY = 'system.single_user_mode' + MULTIPLE_IP_LOGIN_CONF_KEY = 'right.multiple_ip_login' + + #report and redirect for unauthorized activities + def unauthorized_redirect + flash[:notice] = 'You are not authorized to view the page you requested' + redirect_to :controller => 'main', :action => 'login' + end + + # Returns the current logged-in user (if any). + def current_user + return nil unless session[:user_id] + @current_user ||= User.find(session[:user_id]) + end def admin_authorization return false unless authenticate - user = User.find(session[:user_id], :include => ['roles']) + user = User.includes(:roles).find(session[:user_id]) unless user.admin? - flash[:notice] = 'You are not authorized to view the page you requested' - redirect_to :controller => 'main', :action => 'login' unless user.admin? + unauthorized_redirect return false end return true @@ -18,12 +32,23 @@ return false unless authenticate user = User.find(session[:user_id]) unless user.roles.detect { |role| allowed_roles.member?(role.name) } - flash[:notice] = 'You are not authorized to view the page you requested' - redirect_to :controller => 'main', :action => 'login' + unauthorized_redirect return false end end + def testcase_authorization + #admin always has privileged + puts "haha" + if @current_user.admin? + return true + end + + puts "hehe" + puts GraderConfiguration["right.view_testcase"] + unauthorized_redirect unless GraderConfiguration["right.view_testcase"] + end + protected def authenticate @@ -38,12 +63,17 @@ # check if run in single user mode if GraderConfiguration[SINGLE_USER_MODE_CONF_KEY] - user = User.find(session[:user_id]) + user = User.find_by_id(session[:user_id]) if user==nil or (not user.admin?) flash[:notice] = 'You cannot log in at this time' redirect_to :controller => 'main', :action => 'login' return false end + unless user.enabled? + flash[:notice] = 'Your account is disabled' + redirect_to :controller => 'main', :action => 'login' + return false + end return true end @@ -61,14 +91,32 @@ return true end + def authenticate_by_ip_address + #this assume that we have already authenticate normally + unless GraderConfiguration[MULTIPLE_IP_LOGIN_CONF_KEY] + user = User.find(session[:user_id]) + if (not user.admin? and user.last_ip and user.last_ip != request.remote_ip) + flash[:notice] = "You cannot use the system from #{request.remote_ip}. Your last ip is #{user.last_ip}" + redirect_to :controller => 'main', :action => 'login' + puts "CHEAT: user #{user.login} tried to login from '#{request.remote_ip}' while last ip is '#{user.last_ip}' at #{Time.zone.now}" + return false + end + unless user.last_ip + user.last_ip = request.remote_ip + user.save + end + end + return true + end + def authorization return false unless authenticate user = User.find(session[:user_id]) unless user.roles.detect { |role| - role.rights.detect{ |right| - right.controller == self.class.controller_name and - (right.action == 'all' or right.action == action_name) - } + role.rights.detect{ |right| + right.controller == self.class.controller_name and + (right.action == 'all' or right.action == action_name) + } } flash[:notice] = 'You are not authorized to view the page you requested' #request.env['HTTP_REFERER'] ? (redirect_to :back) : (redirect_to :controller => 'login')