application_controller.rb
5.96 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
require 'noosfero/multi_tenancy'
class ApplicationController < ActionController::Base
  protect_from_forgery
  before_filter :detect_stuff_by_domain
  before_filter :init_noosfero_plugins
  before_filter :allow_cross_domain_access
  include AuthenticatedSystem
  before_filter :require_login_for_environment, :if => :private_environment?
  before_filter :verify_members_whitelist, :if => [:private_environment?, :user]
  before_filter :redirect_to_current_user
  before_filter :set_session_theme
  # FIXME: only include necessary methods
  include ApplicationHelper
  # concerns
  include PermissionCheck
  include CustomDesign
  include NeedsProfile
  # implementations
  include FindByContents
  include Noosfero::Plugin::HotSpot
  include SearchTermHelper
  def set_session_theme
    if params[:theme]
      session[:theme] = environment.theme_ids.include?(params[:theme]) ? params[:theme] : nil
    end
  end
  def require_login_for_environment
    login_required
  end
  def verify_members_whitelist
    render_access_denied unless user.is_admin? || environment.in_whitelist?(user)
  end
  after_filter :set_csrf_cookie
  def set_csrf_cookie
    cookies['_noosfero_.XSRF-TOKEN'] = form_authenticity_token if protect_against_forgery? && logged_in?
  end
  def allow_cross_domain_access
    origin = request.headers['Origin']
    return if origin.blank?
    if environment.access_control_allow_origin.include? origin
      response.headers["Access-Control-Allow-Origin"] = origin
      unless environment.access_control_allow_methods.blank?
        response.headers["Access-Control-Allow-Methods"] = environment.access_control_allow_methods
      end
      response.headers["Access-Control-Allow-Credentials"] = 'true'
    elsif environment.restrict_to_access_control_origins
      render_access_denied _('Origin not in allowed.')
    end
  end
  layout :get_layout
  def get_layout
    return false if request.format == :js or request.xhr?
    theme_layout = theme_option(:layout)
    if theme_layout
      (theme_view_file('layouts/'+theme_layout) || theme_layout).to_s
    else
     'application'
    end
  end
  def log_processing
    super
    return unless Rails.env == 'production'
    if logger && logger.info?
      logger.info("  HTTP Referer: #{request.referer}")
      logger.info("  User Agent: #{request.user_agent}")
      logger.info("  Accept-Language: #{request.headers['HTTP_ACCEPT_LANGUAGE']}")
    end
  end
  helper :document
  helper :language
  before_filter :set_locale
  def set_locale
    FastGettext.available_locales = environment.available_locales
    FastGettext.default_locale = environment.default_locale || 'en'
    FastGettext.locale = (params[:lang] || session[:lang] || environment.default_locale || request.env['HTTP_ACCEPT_LANGUAGE'] || 'en')
    I18n.locale = FastGettext.locale.to_s.gsub '_', '-'
    I18n.default_locale = FastGettext.default_locale.to_s.gsub '_', '-'
    if params[:lang]
      session[:lang] = params[:lang]
    end
  end
  attr_reader :environment
  # declares that the given <tt>actions</tt> cannot be accessed by other HTTP
  # method besides POST.
  def self.post_only(actions, redirect = { :action => 'index'})
    before_filter(:only => actions) do |controller|
      if !controller.request.post?
        controller.redirect_to redirect
      end
    end
  end
  helper_method :current_person, :current_person
  protected
  def accept_only_post
    return render_not_found if !request.post?
  end
  def verified_request?
    super || form_authenticity_token == request.headers['X-XSRF-TOKEN']
  end
  def boxes_editor?
    false
  end
  def content_editor?
    false
  end
  def user
    current_user.person if logged_in?
  end
  alias :current_person :user
  # TODO: move this logic somewhere else (Domain class?)
  def detect_stuff_by_domain
    # Sets text domain based on request host for custom internationalization
    FastGettext.text_domain = Domain.custom_locale(request.host)
    @domain = Domain.by_name(request.host)
    if @domain.nil?
      @environment = Environment.default
      # Avoid crashes on test and development setups
      if @environment.nil? && !Rails.env.production?
        @environment = Environment.new
        @environment.name = "Noosfero"
        @environment.is_default = true
      end
    else
      @environment = @domain.environment
      @profile = @domain.profile
      # Check if the requested profile belongs to another domain
      if @profile && !params[:profile].blank? && params[:profile] != @profile.identifier
        @profile = @environment.profiles.find_by(identifier: params[:profile])
        redirect_to url_for(params.merge host: @profile.default_hostname)
      end
    end
  end
  # FIXME this filter just loads @plugins to children controllers and helpers
  def init_noosfero_plugins
    plugins
  end
  def render_not_found(path = nil)
    @no_design_blocks = true
    @path ||= request.path
    # force html template even if the browser asked for a image
    render template: 'shared/not_found', status: 404, layout: get_layout, formats: [:html]
  end
  alias :render_404 :render_not_found
  def render_access_denied(message = nil, title = nil)
    @no_design_blocks = true
    @message = message
    @title = title
    # force html template even if the browser asked for a image
    render template: 'shared/access_denied', status: 403, formats: [:html]
  end
  def load_category
    unless params[:category_path].blank?
      path = params[:category_path]
      @category = environment.categories.find_by(path: path)
      if @category.nil?
        render_not_found(path)
      end
    end
  end
  def find_suggestions(query, context, asset, options={})
    plugins.dispatch_first(:find_suggestions, query, context, asset, options)
  end
  def private_environment?
    @environment.enabled?(:restrict_to_members)
  end
  def redirect_to_current_user
    if params[:profile] == '~'
      if logged_in?
        redirect_to url_for(params.merge profile: user.identifier)
      else
        render_not_found
      end
    end
  end
end