Feature #11755 » api-auth-switch-user.patch
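--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -66,15 +66,22 @@
 # RSS key authentication does not start a session
 User.find_by_rss_key(params[:key])
 elsif Setting.rest_api_enabled? && accept_api_auth?
+user = nil
 if (key = api_key_from_request)
 # Use API key
-User.find_by_api_key(key)
+user = User.find_by_api_key(key)
 else
 # HTTP Basic, either username/password or API key/random
 authenticate_with_http_basic do |username, password|
-User.try_to_login(username, password) || User.find_by_api_key(username)
+user = User.try_to_login(username, password) || User.find_by_api_key(username)
 end
 end
+# If authenticated user is 'admin', she may use the 'switch user' feature
+if (user && user.admin? && (su = api_switch_user_from_request))
+# Replace user even if 'su' auth fails, don't fallback on the original admin user
+user = User.find_by_login(su)
+end
+user
 end
 end
 
@@ -451,6 +458,15 @@
 end
 end
 
+# Returns the API 'switch user' feature value if present
+def api_switch_user_from_request
+if params[:su].present?
+params[:su].to_s
+elsif request.headers["X-Redmine-Switch-User"].present?
+request.headers["X-Redmine-Switch-User"].to_s
+end
+end
+
 # Renders a warning flash if obj has unsaved attachments
 def render_attachment_warning_if_needed(obj)
 flash[:warning] = l(:warning_attachments_not_saved, obj.unsaved_attachments.size) if obj.unsaved_attachments.present?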