blob: 7760c372be435ed71ab3fe587c809dd76dc97ff2 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
|
# controllers/admin.rb:
# All admin controllers are dervied from this.
#
# Copyright (c) 2009 UK Citizens Online Democracy. All rights reserved.
# Email: hello@mysociety.org; WWW: http://www.mysociety.org/
require 'fileutils'
class AdminController < ApplicationController
layout "admin"
before_filter :authenticate
# action to take if expecting an authenticity token and one isn't received
def handle_unverified_request
raise(ActionController::InvalidAuthenticityToken)
end
# Always give full stack trace for admin interface
def show_rails_exceptions?
true
end
# Expire cached attachment files for a request
def expire_for_request(info_request)
# Clear out cached entries, by removing files from disk (the built in
# Rails fragment cache made doing this and other things too hard)
info_request.foi_fragment_cache_directories.each{ |dir| FileUtils.rm_rf(dir) }
# Remove any download zips
FileUtils.rm_rf(info_request.download_zip_dir)
# Remove the database caches of body / attachment text (the attachment text
# one is after privacy rules are applied)
info_request.clear_in_database_caches!
# also force a search reindexing (so changed text reflected in search)
info_request.reindex_request_events
# and remove from varnish
info_request.purge_in_cache
end
# Expire cached attachment files for a user
def expire_requests_for_user(user)
for info_request in user.info_requests
expire_for_request(info_request)
end
end
# For administration interface, return display name of authenticated user
def admin_current_user
if AlaveteliConfiguration::skip_admin_auth
admin_http_auth_user
else
session[:admin_name]
end
end
# If we're skipping Alaveteli admin authentication, assume that the environment
# will give us an authenticated user name
def admin_http_auth_user
# This needs special magic in mongrel: http://www.ruby-forum.com/topic/83067
# Hence the second clause which reads X-Forwarded-User header if available.
# See the rewrite rules in conf/httpd.conf which set X-Forwarded-User
if request.env["REMOTE_USER"]
return request.env["REMOTE_USER"]
elsif request.env["HTTP_X_FORWARDED_USER"]
return request.env["HTTP_X_FORWARDED_USER"]
else
return "*unknown*";
end
end
def authenticate
if AlaveteliConfiguration::skip_admin_auth
session[:using_admin] = 1
return
else
if session[:using_admin].nil? || session[:admin_name].nil?
if params[:emergency].nil? || AlaveteliConfiguration::disable_emergency_user
if authenticated?(
:web => _("To log into the administrative interface"),
:email => _("Then you can log into the administrative interface"),
:email_subject => _("Log into the admin interface"),
:user_name => "a superuser")
if !@user.nil? && @user.admin_level == "super"
session[:using_admin] = 1
session[:admin_name] = @user.url_name
else
session[:using_admin] = nil
session[:user_id] = nil
session[:admin_name] = nil
self.authenticate
end
end
else
authenticate_or_request_with_http_basic do |user_name, password|
if user_name == AlaveteliConfiguration::admin_username && password == AlaveteliConfiguration::admin_password
session[:using_admin] = 1
session[:admin_name] = user_name
else
request_http_basic_authentication
end
end
end
end
end
end
end
|
