Adds methods to User model to handle tokens.

git-svn-id: http://svn.redmine.org/redmine/trunk@16474 e93f8b46-1217-0410-a6f0-8f06a7374b81
2025-11-02 11:25:55 +01:00 · 2017-04-04 17:15:07 +00:00
parent 5c7aaa4d1e
commit b9ee00a8c8
3 changed files with 20 additions and 5 deletions
--- a/app/controllers/account_controller.rb
+++ b/app/controllers/account_controller.rb
@@ -280,13 +280,13 @@ class AccountController < ApplicationController
  end

  def set_autologin_cookie(user)
-    token = Token.create(:user => user, :action => 'autologin')
+    token = user.generate_autologin_token
    secure = Redmine::Configuration['autologin_cookie_secure']
    if secure.nil?
      secure = request.ssl?
    end
    cookie_options = {
-      :value => token.value,
+      :value => token,
      :expires => 1.year.from_now,
      :path => (Redmine::Configuration['autologin_cookie_path'] || RedmineApp::Application.config.relative_url_root || '/'),
      :secure => secure,
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -168,9 +168,10 @@ class ApplicationController < ActionController::Base
  # Logs out current user
  def logout_user
    if User.current.logged?
-      cookies.delete(autologin_cookie_name)
-      Token.where(["user_id = ? AND action = ?", User.current.id, 'autologin']).delete_all
-      Token.where(["user_id = ? AND action = ? AND value = ?", User.current.id, 'session', session[:tk]]).delete_all
+      if autologin = cookies.delete(autologin_cookie_name)
+        User.current.delete_autologin_token(autologin)
+      end
+      User.current.delete_session_token(session[:tk])
      self.logged_user = nil
    end
  end
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -417,6 +417,20 @@ class User < Principal
    token.value
  end

+  def delete_session_token(value)
+    Token.where(:user_id => id, :action => 'session', :value => value).delete_all
+  end
+
+  # Generates a new autologin token and returns its value
+  def generate_autologin_token
+    token = Token.create!(:user_id => id, :action => 'autologin')
+    token.value
+  end
+
+  def delete_autologin_token(value)
+    Token.where(:user_id => id, :action => 'autologin', :value => value).delete_all
+  end
+  
  # Returns true if token is a valid session token for the user whose id is user_id
  def self.verify_session_token(user_id, token)
    return false if user_id.blank? || token.blank?