1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
|
# == Schema Information
# Schema version: 56
#
# Table name: users
#
# id :integer not null, primary key
# email :string(255) not null
# name :string(255) not null
# hashed_password :string(255) not null
# salt :string(255) not null
# created_at :datetime not null
# updated_at :datetime not null
# email_confirmed :boolean default(false), not null
# url_name :text not null
# last_daily_track_email :datetime default(Sat Jan 01 00:00:00 UTC 2000)
#
# models/user.rb:
# Model of people who use the site to file requests, make comments etc.
#
# Copyright (c) 2007 UK Citizens Online Democracy. All rights reserved.
# Email: francis@mysociety.org; WWW: http://www.mysociety.org/
#
# $Id: user.rb,v 1.57 2008-07-08 09:41:04 francis Exp $
require 'digest/sha1'
class User < ActiveRecord::Base
validates_presence_of :email, :message => "^Please enter your email address"
validates_presence_of :name, :message => "^Please enter your name"
validates_presence_of :url_name
validates_presence_of :hashed_password, :message => "^Please enter a password"
has_many :info_requests, :order => 'created_at desc'
has_many :user_info_request_sent_alerts
has_many :post_redirects
has_many :track_things, :foreign_key => 'tracking_user_id', :order => 'created_at desc'
attr_accessor :password_confirmation
validates_confirmation_of :password, :message =>"^Please enter the same password twice"
acts_as_xapian :texts => [ :name ],
:values => [ [ :created_at, 0, "created_at", :date ] ],
:terms => [ [ :variety, 'V', "variety" ] ]
def variety
"user"
end
def validate
errors.add(:email, "doesn't look like a valid address") unless MySociety::Validate.is_valid_email(self.email)
if MySociety::Validate.is_valid_email(self.name)
errors.add(:name, "^Please enter your name, not your email address, in the name field.")
end
end
# Don't display any leading/trailing spaces
def name
name = read_attribute(:name)
if not name.nil?
name.strip!
end
name
end
# Return user given login email, password and other form parameters (e.g. name)
#
# The specific_user_login parameter says that login as a particular user is
# expected, so no parallel registration form is being displayed.
def self.authenticate_from_form(params, specific_user_login = false)
if specific_user_login
auth_fail_message = "Either the email or password was not recognised, please try again."
else
auth_fail_message = "Either the email or password was not recognised, please try again. Or create a new account using the form on the right."
end
user = self.find_user_by_email(params[:email])
if user
# There is user with email, check password
expected_password = encrypted_password(params[:password], user.salt)
if user.hashed_password != expected_password
user.errors.add_to_base(auth_fail_message)
end
else
# No user of same email, make one (that we don't save in the database)
# for the forms code to use.
user = User.new(params)
# deliberately same message as above so as not to leak whether registered
user.errors.add_to_base(auth_fail_message)
end
user
end
# Case-insensitively find a user from their email
def self.find_user_by_email(email)
return self.find(:first, :conditions => [ 'email ilike ?', email ] ) # using ilike for case insensitive
end
# When name is changed, also change the url name
def name=(name)
write_attribute(:name, name)
self.update_url_name
end
def update_url_name
url_name = MySociety::Format.simplify_url_part(self.name, 32)
# For user with same name as others, add on arbitary numeric identifier
unique_url_name = url_name
suffix_num = 2 # as there's already one without numeric suffix
while not User.find_by_url_name(unique_url_name, :conditions => self.id.nil? ? nil : ["id <> ?", self.id] ).nil?
unique_url_name = url_name + "_" + suffix_num.to_s
suffix_num = suffix_num + 1
end
write_attribute(:url_name, unique_url_name)
end
# Virtual password attribute, which stores the hashed password, rather than plain text.
def password
@password
end
def password=(pwd)
@password = pwd
if pwd.blank?
self.hashed_password = nil
return
end
create_new_salt
self.hashed_password = User.encrypted_password(self.password, self.salt)
end
# For use in to/from in email messages
def name_and_email
return self.name + " <" + self.email + ">"
end
# The "internal admin" is a special user for internal use.
def User.internal_admin_user
contact_email = MySociety::Config.get("CONTACT_EMAIL", 'contact@localhost')
u = User.find_by_email(contact_email)
if u.nil?
password = PostRedirect.generate_random_token
u = User.new(
:name => 'Internal admin user',
:email => contact_email,
:password => password,
:password_confirmation => password
)
u.save!
end
return u
end
private
def self.encrypted_password(password, salt)
string_to_hash = password + salt # XXX need to add a secret here too?
Digest::SHA1.hexdigest(string_to_hash)
end
def create_new_salt
self.salt = self.object_id.to_s + rand.to_s
end
end
|
