api-auth-switch-user.patch

Vincent Caron, 2012-09-01 15:33

Download (1.74 KB)

View differences:

app/controllers/application_controller.rb (working copy)
66 66
      # RSS key authentication does not start a session
67 67
      User.find_by_rss_key(params[:key])
68 68
    elsif Setting.rest_api_enabled? && accept_api_auth?
69
      user = nil
69 70
      if (key = api_key_from_request)
70 71
        # Use API key
71
        User.find_by_api_key(key)
72
        user = User.find_by_api_key(key)
72 73
      else
73 74
        # HTTP Basic, either username/password or API key/random
74 75
        authenticate_with_http_basic do |username, password|
75
          User.try_to_login(username, password) || User.find_by_api_key(username)
76
          user = User.try_to_login(username, password) || User.find_by_api_key(username)
76 77
        end
77 78
      end
79
      # If authenticated user is 'admin', she may use the 'switch user' feature
80
      if (user && user.admin? &&  (su = api_switch_user_from_request))
81
        # Replace user even if 'su' auth fails, don't fallback on the original admin user
82
        user = User.find_by_login(su)
83
      end
84
      user
78 85
    end
79 86
  end
80 87

  
......
451 458
    end
452 459
  end
453 460

  
461
  # Returns the API 'switch user' feature value if present
462
  def api_switch_user_from_request
463
    if params[:su].present?
464
      params[:su].to_s
465
    elsif request.headers["X-Redmine-Switch-User"].present?
466
      request.headers["X-Redmine-Switch-User"].to_s
467
    end
468
  end
469

  
454 470
  # Renders a warning flash if obj has unsaved attachments
455 471
  def render_attachment_warning_if_needed(obj)
456 472
    flash[:warning] = l(:warning_attachments_not_saved, obj.unsaved_attachments.size) if obj.unsaved_attachments.present?