Redmine

/.project

/.loadpath

/.powrc

/.rvmrc

/config/additional_environment.rb

/config/configuration.yml

/config/database.yml

/config/email.yml

/config/initializers/session_store.rb

/config/initializers/secret_token.rb

/coverage

/db/*.db

/db/*.sqlite3

/db/schema.rb

/files/*

/lib/redmine/scm/adapters/mercurial/redminehelper.pyc

/lib/redmine/scm/adapters/mercurial/redminehelper.pyo

/log/*.log*

/log/mongrel_debug

/plugins/*

!/plugins/README

/public/dispatch.*

/public/plugin_assets/*

/public/themes/*

!/public/themes/alternate

!/public/themes/classic

!/public/themes/README

/tmp/*

/tmp/cache/*

/tmp/pdf/*

/tmp/sessions/*

/tmp/sockets/*

/tmp/test/*

/tmp/thumbnails/*

/vendor/cache

/vendor/rails

*.rbc

/.bundle

/Gemfile.lock

/Gemfile.local

syntax: glob

.project

.loadpath

.powrc

.rvmrc

config/additional_environment.rb

config/configuration.yml

config/database.yml

config/email.yml

config/initializers/session_store.rb

config/initializers/secret_token.rb

coverage

db/*.db

db/*.sqlite3

db/schema.rb

files/*

lib/redmine/scm/adapters/mercurial/redminehelper.pyc

lib/redmine/scm/adapters/mercurial/redminehelper.pyo

log/*.log*

log/mongrel_debug

public/dispatch.*

public/plugin_assets/*

tmp/*

tmp/cache/*

tmp/pdf/*

tmp/sessions/*

tmp/sockets/*

tmp/test/*

tmp/thumbnails/*

vendor/cache

vendor/rails

*.rbc

.svn/

.git/

.bundle

Gemfile.lock

Gemfile.local

**Do not send a pull requst to this github repository**.

For more detail, please see [official website] wiki [Contribute].

[official website]: http://www.redmine.org

[Contribute]: http://www.redmine.org/projects/redmine/wiki/Contribute

source 'https://rubygems.org'

gem "rails", "3.2.22.2"

gem "rack-cache", "1.2" if RUBY_VERSION < "1.9.3"

gem "jquery-rails", "~> 3.1.4"

gem "coderay", "~> 1.1.0"

gem "fastercsv", "~> 1.5.0", :platforms => [:mri_18, :mingw_18, :jruby]

gem "builder", ">= 3.0.4"

gem "request_store", "1.0.5"

gem "mime-types"

gem "rbpdf", "~> 1.18.7"

gem "i18n", "~> 0.6.11"

# rake 11 require ruby 1.9.3 or higher

if RUBY_VERSION < "1.9.3"

  gem "rake", "~> 10.4.2"

end

# Optional gem for LDAP authentication

group :ldap do

  gem "net-ldap", "~> 0.3.1"

end

# Optional gem for OpenID authentication

group :openid do

  gem "ruby-openid", "~> 2.3.0", :require => "openid"

  gem "rack-openid"

end

platforms :mri, :mingw do

  # Optional gem for exporting the gantt to a PNG file, not supported with jruby

  group :rmagick do

    # RMagick 2 supports ruby 1.9

    # RMagick 1 would be fine for ruby 1.8 but Bundler does not support

    # different requirements for the same gem on different platforms

    gem "rmagick", (RUBY_VERSION < "1.9" ? "2.13.3" : "~> 2.13.4")

  end

  # Optional Markdown support, not for JRuby

  group :markdown do

    gem "redcarpet", (RUBY_VERSION < "1.9" ? "~> 2.3.0" : "~> 3.3.2")

  end

end

platforms :jruby do

  # jruby-openssl is bundled with JRuby 1.7.0

  gem "jruby-openssl" if Object.const_defined?(:JRUBY_VERSION) && JRUBY_VERSION < '1.7.0'

  gem "activerecord-jdbc-adapter", "~> 1.3.2"

end

# Include database gems for the adapters found in the database

# configuration file

require 'erb'

require 'yaml'

database_file = File.join(File.dirname(__FILE__), "config/database.yml")

if File.exist?(database_file)

  database_config = YAML::load(ERB.new(IO.read(database_file)).result)

  adapters = database_config.values.map {|c| c['adapter']}.compact.uniq

  if adapters.any?

    adapters.each do |adapter|

      case adapter

      when 'mysql2'

        gem "mysql2", "~> 0.3.11", :platforms => [:mri, :mingw]

        gem "activerecord-jdbcmysql-adapter", :platforms => :jruby

      when 'mysql'

        gem "mysql", "~> 2.8.1", :platforms => [:mri, :mingw]

        gem "activerecord-jdbcmysql-adapter", :platforms => :jruby

      when /postgresql/

        gem "pg", "~> 0.17.1", :platforms => [:mri, :mingw]

        gem "activerecord-jdbcpostgresql-adapter", :platforms => :jruby

      when /sqlite3/

        gem "sqlite3", :platforms => [:mri, :mingw]

        gem "jdbc-sqlite3", ">= 3.8.10.1", :platforms => :jruby

        gem "activerecord-jdbcsqlite3-adapter", :platforms => :jruby

      when /sqlserver/

        gem "tiny_tds", "~> 0.6.2", :platforms => [:mri, :mingw]

        gem "activerecord-sqlserver-adapter", :platforms => [:mri, :mingw]

      else

        warn("Unknown database adapter `#{adapter}` found in config/database.yml, use Gemfile.local to load your own database gems")

      end

    end

  else

    warn("No adapter found in config/database.yml, please configure it first")

  end

else

  warn("Please configure your config/database.yml first")

end

group :development do

  gem "rdoc", ">= 2.4.2"

  gem "yard"

end

group :test do

  gem "minitest"

  gem "test-unit", "~> 3.0"

  gem "shoulda", "~> 3.3.2"

  gem "shoulda-matchers", "1.4.1"

  gem "mocha", "~> 1.0.0", :require => 'mocha/api'

  if RUBY_VERSION >= '1.9.3'

    gem "capybara"

    # Request at least nokogiri 1.6.7.2 because of security advisories

    gem "nokogiri", ">= 1.6.7.2"

    gem "selenium-webdriver"

  end

end

local_gemfile = File.join(File.dirname(__FILE__), "Gemfile.local")

if File.exists?(local_gemfile)

  puts "Loading Gemfile.local ..." if $DEBUG # `ruby -d` or `bundle -v`

  instance_eval File.read(local_gemfile)

end

# Load plugins' Gemfiles

Dir.glob File.expand_path("../plugins/*/{Gemfile,PluginGemfile}", __FILE__) do |file|

  puts "Loading #{file} ..." if $DEBUG # `ruby -d` or `bundle -v`

  #TODO: switch to "eval_gemfile file" when bundler >= 1.2.0 will be required (rails 4)

  instance_eval File.read(file), file

end

= Redmine

Redmine is a flexible project management web application written using Ruby on Rails framework.

More details can be found in the doc directory or on the official website http://www.redmine.org

#!/usr/bin/env rake

# Add your own tasks in files placed in lib/tasks ending in .rake,

# for example lib/tasks/capistrano.rake, and they will automatically be available to Rake.

require File.expand_path('../config/application', __FILE__)

RedmineApp::Application.load_tasks

# Redmine - project management software

# Copyright (C) 2006-2016  Jean-Philippe Lang

#

# This program is free software; you can redistribute it and/or

# modify it under the terms of the GNU General Public License

# as published by the Free Software Foundation; either version 2

# of the License, or (at your option) any later version.

#

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

# GNU General Public License for more details.

#

# You should have received a copy of the GNU General Public License

# along with this program; if not, write to the Free Software

# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.

class AccountController < ApplicationController

  helper :custom_fields

  include CustomFieldsHelper

  # prevents login action to be filtered by check_if_login_required application scope filter

  skip_before_filter :check_if_login_required, :check_password_change

  # Overrides ApplicationController#verify_authenticity_token to disable

  # token verification on openid callbacks

  def verify_authenticity_token

    unless using_open_id?

      super

    end

  end

  # Login request and validation

  def login

    if request.get?

      if User.current.logged?

        redirect_back_or_default home_url, :referer => true

      end

    else

      authenticate_user

    end

  rescue AuthSourceException => e

    logger.error "An error occured when authenticating #{params[:username]}: #{e.message}"

    render_error :message => e.message

  end

  # Log out current user and redirect to welcome page

  def logout

    if User.current.anonymous?

      redirect_to home_url

    elsif request.post?

      logout_user

      redirect_to home_url

    end

    # display the logout form

  end

  # Lets user choose a new password

  def lost_password

    (redirect_to(home_url); return) unless Setting.lost_password?

    if params[:token]

      @token = Token.find_token("recovery", params[:token].to_s)

      if @token.nil? || @token.expired?

        redirect_to home_url

        return

      end

      @user = @token.user

      unless @user && @user.active?

        redirect_to home_url

        return

      end

      if request.post?

        @user.password, @user.password_confirmation = params[:new_password], params[:new_password_confirmation]

        if @user.save

          @token.destroy

          flash[:notice] = l(:notice_account_password_updated)

          redirect_to signin_path

          return

        end

      end

      render :template => "account/password_recovery"

      return

    else

      if request.post?

        user = User.find_by_mail(params[:mail].to_s)

        # user not found

        unless user

          flash.now[:error] = l(:notice_account_unknown_email)

          return

        end

        unless user.active?

          handle_inactive_user(user, lost_password_path)

          return

        end

        # user cannot change its password

        unless user.change_password_allowed?

          flash.now[:error] = l(:notice_can_t_change_password)

          return

        end

        # create a new token for password recovery

        token = Token.new(:user => user, :action => "recovery")

        if token.save

          Mailer.lost_password(token).deliver

          flash[:notice] = l(:notice_account_lost_email_sent)

          redirect_to signin_path

          return

        end

      end

    end

  end

  # User self-registration

  def register

    (redirect_to(home_url); return) unless Setting.self_registration? || session[:auth_source_registration]

    if request.get?

      session[:auth_source_registration] = nil

      @user = User.new(:language => current_language.to_s)

    else

      user_params = params[:user] || {}

      @user = User.new

      @user.safe_attributes = user_params

      @user.admin = false

      @user.register

      if session[:auth_source_registration]

        @user.activate

        @user.login = session[:auth_source_registration][:login]

        @user.auth_source_id = session[:auth_source_registration][:auth_source_id]

        if @user.save

          session[:auth_source_registration] = nil

          self.logged_user = @user

          flash[:notice] = l(:notice_account_activated)

          redirect_to my_account_path

        end

      else

        @user.login = params[:user][:login]

        unless user_params[:identity_url].present? && user_params[:password].blank? && user_params[:password_confirmation].blank?

          @user.password, @user.password_confirmation = user_params[:password], user_params[:password_confirmation]

        end

        case Setting.self_registration

        when '1'

          register_by_email_activation(@user)

        when '3'

          register_automatically(@user)

        else

          register_manually_by_administrator(@user)

        end

      end

    end

  end

  # Token based account activation

  def activate

    (redirect_to(home_url); return) unless Setting.self_registration? && params[:token].present?

    token = Token.find_token('register', params[:token].to_s)

    (redirect_to(home_url); return) unless token and !token.expired?

    user = token.user

    (redirect_to(home_url); return) unless user.registered?

    user.activate

    if user.save

      token.destroy

      flash[:notice] = l(:notice_account_activated)

    end

    redirect_to signin_path

  end

  # Sends a new account activation email

  def activation_email

    if session[:registered_user_id] && Setting.self_registration == '1'

      user_id = session.delete(:registered_user_id).to_i

      user = User.find_by_id(user_id)

      if user && user.registered?

        register_by_email_activation(user)

        return

      end

    end

    redirect_to(home_url)

  end

  private

  def authenticate_user

    if Setting.openid? && using_open_id?

      open_id_authenticate(params[:openid_url])

    else

      password_authentication

    end

  end

  def password_authentication

    user = User.try_to_login(params[:username], params[:password], false)

    if user.nil?

      invalid_credentials

    elsif user.new_record?

      onthefly_creation_failed(user, {:login => user.login, :auth_source_id => user.auth_source_id })

    else

      # Valid user

      if user.active?

        successful_authentication(user)

      else

        handle_inactive_user(user)

      end

    end

  end

  def open_id_authenticate(openid_url)

    back_url = signin_url(:autologin => params[:autologin])

    authenticate_with_open_id(

          openid_url, :required => [:nickname, :fullname, :email],

          :return_to => back_url, :method => :post

    ) do |result, identity_url, registration|

      if result.successful?

        user = User.find_or_initialize_by_identity_url(identity_url)

        if user.new_record?

          # Self-registration off

          (redirect_to(home_url); return) unless Setting.self_registration?

          # Create on the fly

          user.login = registration['nickname'] unless registration['nickname'].nil?

          user.mail = registration['email'] unless registration['email'].nil?

          user.firstname, user.lastname = registration['fullname'].split(' ') unless registration['fullname'].nil?

          user.random_password

          user.register

          case Setting.self_registration

          when '1'

            register_by_email_activation(user) do

              onthefly_creation_failed(user)

            end

          when '3'

            register_automatically(user) do

              onthefly_creation_failed(user)

            end

          else

            register_manually_by_administrator(user) do

              onthefly_creation_failed(user)

            end

          end

        else

          # Existing record

          if user.active?

            successful_authentication(user)

          else

            handle_inactive_user(user)

          end

        end

      end

    end

  end

  def successful_authentication(user)

    logger.info "Successful authentication for '#{user.login}' from #{request.remote_ip} at #{Time.now.utc}"

    # Valid user

    self.logged_user = user

    # generate a key and set cookie if autologin

    if params[:autologin] && Setting.autologin?

      set_autologin_cookie(user)

    end

    call_hook(:controller_account_success_authentication_after, {:user => user })

    redirect_back_or_default my_page_path

  end

  def set_autologin_cookie(user)

    token = Token.create(:user => user, :action => 'autologin')

    cookie_options = {

      :value => token.value,

      :expires => 1.year.from_now,

      :path => (Redmine::Configuration['autologin_cookie_path'] || '/'),

      :secure => (Redmine::Configuration['autologin_cookie_secure'] ? true : false),

      :httponly => true

    }

    cookies[autologin_cookie_name] = cookie_options

  end

  # Onthefly creation failed, display the registration form to fill/fix attributes

  def onthefly_creation_failed(user, auth_source_options = { })

    @user = user

    session[:auth_source_registration] = auth_source_options unless auth_source_options.empty?

    render :action => 'register'

  end

  def invalid_credentials

    logger.warn "Failed login for '#{params[:username]}' from #{request.remote_ip} at #{Time.now.utc}"

    flash.now[:error] = l(:notice_account_invalid_creditentials)

  end

  # Register a user for email activation.

  #

  # Pass a block for behavior when a user fails to save

  def register_by_email_activation(user, &block)

    token = Token.new(:user => user, :action => "register")

    if user.save and token.save

      Mailer.register(token).deliver

      flash[:notice] = l(:notice_account_register_done, :email => ERB::Util.h(user.mail))

      redirect_to signin_path

    else

      yield if block_given?

    end

  end

  # Automatically register a user

  #

  # Pass a block for behavior when a user fails to save

  def register_automatically(user, &block)

    # Automatic activation

    user.activate

    user.last_login_on = Time.now

    if user.save

      self.logged_user = user

      flash[:notice] = l(:notice_account_activated)

      redirect_to my_account_path

    else

      yield if block_given?

    end

  end

  # Manual activation by the administrator

  #

  # Pass a block for behavior when a user fails to save

  def register_manually_by_administrator(user, &block)

    if user.save

      # Sends an email to the administrators

      Mailer.account_activation_request(user).deliver

      account_pending(user)

    else

      yield if block_given?

    end

  end

  def handle_inactive_user(user, redirect_path=signin_path)

    if user.registered?

      account_pending(user, redirect_path)

    else

      account_locked(user, redirect_path)

    end

  end

  def account_pending(user, redirect_path=signin_path)

    if Setting.self_registration == '1'

      flash[:error] = l(:notice_account_not_activated_yet, :url => activation_email_path)

      session[:registered_user_id] = user.id

    else

      flash[:error] = l(:notice_account_pending)

    end

    redirect_to redirect_path

  end

  def account_locked(user, redirect_path=signin_path)

    flash[:error] = l(:notice_account_locked)

    redirect_to redirect_path

  end

end

# Redmine - project management software

# Copyright (C) 2006-2016  Jean-Philippe Lang

#

# This program is free software; you can redistribute it and/or

# modify it under the terms of the GNU General Public License

# as published by the Free Software Foundation; either version 2

# of the License, or (at your option) any later version.

#

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

# GNU General Public License for more details.

#

# You should have received a copy of the GNU General Public License

# along with this program; if not, write to the Free Software

# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.

class ActivitiesController < ApplicationController

  menu_item :activity

  before_filter :find_optional_project

  accept_rss_auth :index

  def index

    @days = Setting.activity_days_default.to_i

    if params[:from]

      begin; @date_to = params[:from].to_date + 1; rescue; end

    end

    @date_to ||= Date.today + 1

    @date_from = @date_to - @days

    @with_subprojects = params[:with_subprojects].nil? ? Setting.display_subprojects_issues? : (params[:with_subprojects] == '1')

    @author = (params[:user_id].blank? ? nil : User.active.find(params[:user_id]))

    @activity = Redmine::Activity::Fetcher.new(User.current, :project => @project,

                                                             :with_subprojects => @with_subprojects,

                                                             :author => @author)

    @activity.scope_select {|t| !params["show_#{t}"].nil?}

    @activity.scope = (@author.nil? ? :default : :all) if @activity.scope.empty?

    events = @activity.events(@date_from, @date_to)

    if events.empty? || stale?(:etag => [@activity.scope, @date_to, @date_from, @with_subprojects, @author, events.first, events.size, User.current, current_language])

      respond_to do |format|

        format.html {

          @events_by_day = events.group_by {|event| User.current.time_to_date(event.event_datetime)}

          render :layout => false if request.xhr?

        }

        format.atom {

          title = l(:label_activity)

          if @author

            title = @author.name

          elsif @activity.scope.size == 1

            title = l("label_#{@activity.scope.first.singularize}_plural")

          end

          render_feed(events, :title => "#{@project || Setting.app_title}: #{title}")

        }

      end

    end

  rescue ActiveRecord::RecordNotFound

    render_404

  end

  private

  # TODO: refactor, duplicated in projects_controller

  def find_optional_project

    return true unless params[:id]

    @project = Project.find(params[:id])

    authorize

  rescue ActiveRecord::RecordNotFound

    render_404

  end

end

# Redmine - project management software

# Copyright (C) 2006-2016  Jean-Philippe Lang

#

# This program is free software; you can redistribute it and/or

# modify it under the terms of the GNU General Public License

# as published by the Free Software Foundation; either version 2

# of the License, or (at your option) any later version.

#

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

# GNU General Public License for more details.

#

# You should have received a copy of the GNU General Public License

# along with this program; if not, write to the Free Software

# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.

class AdminController < ApplicationController

  layout 'admin'

  menu_item :projects, :only => :projects

  menu_item :plugins, :only => :plugins

  menu_item :info, :only => :info

  before_filter :require_admin

  helper :sort

  include SortHelper

  def index

    @no_configuration_data = Redmine::DefaultData::Loader::no_data?

  end

  def projects

    @status = params[:status] || 1

    scope = Project.status(@status).order('lft')

    scope = scope.like(params[:name]) if params[:name].present?

    @projects = scope.all

    render :action => "projects", :layout => false if request.xhr?

  end

  def plugins

    @plugins = Redmine::Plugin.all

  end

  # Loads the default configuration

  # (roles, trackers, statuses, workflow, enumerations)

  def default_configuration

    if request.post?

      begin

        Redmine::DefaultData::Loader::load(params[:lang])

        flash[:notice] = l(:notice_default_data_loaded)

      rescue Exception => e

        flash[:error] = l(:error_can_t_load_default_data, ERB::Util.h(e.message))

      end

    end

    redirect_to admin_path

  end

  def test_email

    raise_delivery_errors = ActionMailer::Base.raise_delivery_errors

    # Force ActionMailer to raise delivery errors so we can catch it

    ActionMailer::Base.raise_delivery_errors = true

    begin

      @test = Mailer.test_email(User.current).deliver

      flash[:notice] = l(:notice_email_sent, ERB::Util.h(User.current.mail))

    rescue Exception => e

      flash[:error] = l(:notice_email_error, ERB::Util.h(Redmine::CodesetUtil.replace_invalid_utf8(e.message.dup)))

    end

    ActionMailer::Base.raise_delivery_errors = raise_delivery_errors

    redirect_to settings_path(:tab => 'notifications')

  end

  def info

    @db_adapter_name = ActiveRecord::Base.connection.adapter_name

    @checklist = [

      [:text_default_administrator_account_changed, User.default_admin_account_changed?],

      [:text_file_repository_writable, File.writable?(Attachment.storage_path)],

      ["#{l :text_plugin_assets_writable} (./public/plugin_assets)",   File.writable?(Redmine::Plugin.public_directory)],

      [:text_rmagick_available,        Object.const_defined?(:Magick)],

      [:text_convert_available,        Redmine::Thumbnail.convert_available?]

    ]

  end

end

# Redmine - project management software

# Copyright (C) 2006-2016  Jean-Philippe Lang

#

# This program is free software; you can redistribute it and/or

# modify it under the terms of the GNU General Public License

# as published by the Free Software Foundation; either version 2

# of the License, or (at your option) any later version.

#

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

# GNU General Public License for more details.

#

# You should have received a copy of the GNU General Public License

# along with this program; if not, write to the Free Software

# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.

require 'uri'

require 'cgi'

class Unauthorized < Exception; end

class ApplicationController < ActionController::Base

  include Redmine::I18n

  include Redmine::Pagination

  include RoutesHelper

  helper :routes

  class_attribute :accept_api_auth_actions

  class_attribute :accept_rss_auth_actions

  class_attribute :model_object

  layout 'base'

  protect_from_forgery

  def verify_authenticity_token

    unless api_request?

      super

    end

  end

  def handle_unverified_request

    unless api_request?

      super

      cookies.delete(autologin_cookie_name)

      self.logged_user = nil

      set_localization

      render_error :status => 422, :message => "Invalid form authenticity token."

    end

  end

  before_filter :session_expiration, :user_setup, :force_logout_if_password_changed, :check_if_login_required, :check_password_change, :set_localization

  rescue_from ::Unauthorized, :with => :deny_access

  rescue_from ::ActionView::MissingTemplate, :with => :missing_template

  include Redmine::Search::Controller

  include Redmine::MenuManager::MenuController

  helper Redmine::MenuManager::MenuHelper

  def session_expiration

    if session[:user_id]

      if session_expired? && !try_to_autologin

        set_localization(User.active.find_by_id(session[:user_id]))

        self.logged_user = nil

        flash[:error] = l(:error_session_expired)

        require_login

      else

        session[:atime] = Time.now.utc.to_i

      end

    end

  end

  def session_expired?

    if Setting.session_lifetime?

      unless session[:ctime] && (Time.now.utc.to_i - session[:ctime].to_i <= Setting.session_lifetime.to_i * 60)

        return true

      end

    end

    if Setting.session_timeout?

      unless session[:atime] && (Time.now.utc.to_i - session[:atime].to_i <= Setting.session_timeout.to_i * 60)

        return true

      end

    end

    false

  end

  def start_user_session(user)

    session[:user_id] = user.id

    session[:ctime] = Time.now.utc.to_i

    session[:atime] = Time.now.utc.to_i

    if user.must_change_password?

      session[:pwd] = '1'

    end

  end

  def user_setup

    # Check the settings cache for each request

    Setting.check_cache

    # Find the current user

    User.current = find_current_user

    logger.info("  Current user: " + (User.current.logged? ? "#{User.current.login} (id=#{User.current.id})" : "anonymous")) if logger

  end

  # Returns the current user or nil if no user is logged in

  # and starts a session if needed

  def find_current_user

    user = nil

    unless api_request?

      if session[:user_id]

        # existing session

        user = (User.active.find(session[:user_id]) rescue nil)

      elsif autologin_user = try_to_autologin

        user = autologin_user

      elsif params[:format] == 'atom' && params[:key] && request.get? && accept_rss_auth?

        # RSS key authentication does not start a session

        user = User.find_by_rss_key(params[:key])

      end

    end

    if user.nil? && Setting.rest_api_enabled? && accept_api_auth?

      if (key = api_key_from_request)

        # Use API key

        user = User.find_by_api_key(key)

      elsif request.authorization.to_s =~ /\ABasic /i

        # HTTP Basic, either username/password or API key/random

        authenticate_with_http_basic do |username, password|

          user = User.try_to_login(username, password) || User.find_by_api_key(username)

        end

        if user && user.must_change_password?

          render_error :message => 'You must change your password', :status => 403

          return

        end

      end

      # Switch user if requested by an admin user

      if user && user.admin? && (username = api_switch_user_from_request)

        su = User.find_by_login(username)

        if su && su.active?

          logger.info("  User switched by: #{user.login} (id=#{user.id})") if logger

          user = su

        else

          render_error :message => 'Invalid X-Redmine-Switch-User header', :status => 412

        end

      end

    end

    user

  end

  def force_logout_if_password_changed

    passwd_changed_on = User.current.passwd_changed_on || Time.at(0)

    # Make sure we force logout only for web browser sessions, not API calls

    # if the password was changed after the session creation.

    if session[:user_id] && passwd_changed_on.utc.to_i > session[:ctime].to_i

      reset_session

      set_localization

      flash[:error] = l(:error_session_expired)

      redirect_to signin_url

    end

  end

  def autologin_cookie_name

    Redmine::Configuration['autologin_cookie_name'].presence || 'autologin'

  end

  def try_to_autologin

    if cookies[autologin_cookie_name] && Setting.autologin?

      # auto-login feature starts a new session

      user = User.try_to_autologin(cookies[autologin_cookie_name])

      if user

        reset_session

        start_user_session(user)

      end

      user

    end

  end

  # Sets the logged in user

  def logged_user=(user)

    reset_session

    if user && user.is_a?(User)

      User.current = user

      start_user_session(user)

    else

      User.current = User.anonymous

    end

  end

  # Logs out current user

  def logout_user

    if User.current.logged?

      cookies.delete(autologin_cookie_name)

      Token.delete_all(["user_id = ? AND action = ?", User.current.id, 'autologin'])

      self.logged_user = nil

    end

  end

  # check if login is globally required to access the application

  def check_if_login_required

    # no check needed if user is already logged in

    return true if User.current.logged?

    require_login if Setting.login_required?

  end

  def check_password_change

    if session[:pwd]

      if User.current.must_change_password?

        redirect_to my_password_path

      else

        session.delete(:pwd)

      end

    end

  end

  def set_localization(user=User.current)

    lang = nil

    if user && user.logged?

      lang = find_language(user.language)

    end

    if lang.nil? && !Setting.force_default_language_for_anonymous? && request.env['HTTP_ACCEPT_LANGUAGE']

      accept_lang = parse_qvalues(request.env['HTTP_ACCEPT_LANGUAGE']).first

      if !accept_lang.blank?

        accept_lang = accept_lang.downcase

        lang = find_language(accept_lang) || find_language(accept_lang.split('-').first)

      end

    end

    lang ||= Setting.default_language

    set_language_if_valid(lang)

  end

  def require_login

    if !User.current.logged?

      # Extract only the basic url parameters on non-GET requests

      if request.get?

        url = url_for(params)

      else

        url = url_for(:controller => params[:controller], :action => params[:action], :id => params[:id], :project_id => params[:project_id])

      end

      respond_to do |format|

        format.html {

          if request.xhr?

            head :unauthorized

          else

            redirect_to :controller => "account", :action => "login", :back_url => url

          end

        }

        format.atom { redirect_to :controller => "account", :action => "login", :back_url => url }

        format.xml  { head :unauthorized, 'WWW-Authenticate' => 'Basic realm="Redmine API"' }

        format.js   { head :unauthorized, 'WWW-Authenticate' => 'Basic realm="Redmine API"' }

        format.json { head :unauthorized, 'WWW-Authenticate' => 'Basic realm="Redmine API"' }

      end

      return false

    end

    true

  end

  def require_admin

    return unless require_login

    if !User.current.admin?

      render_403

      return false

    end

    true

  end

  def deny_access

    User.current.logged? ? render_403 : require_login

  end

  # Authorize the user for the requested action

  def authorize(ctrl = params[:controller], action = params[:action], global = false)

    allowed = User.current.allowed_to?({:controller => ctrl, :action => action}, @project || @projects, :global => global)

    if allowed

      true

    else

      if @project && @project.archived?

        render_403 :message => :notice_not_authorized_archived_project

      else

        deny_access

      end

    end

  end

  # Authorize the user for the requested action outside a project

  def authorize_global(ctrl = params[:controller], action = params[:action], global = true)

    authorize(ctrl, action, global)

  end

  # Find project of id params[:id]

  def find_project

    @project = Project.find(params[:id])

  rescue ActiveRecord::RecordNotFound

    render_404

  end

  # Find project of id params[:project_id]

  def find_project_by_project_id

    @project = Project.find(params[:project_id])

  rescue ActiveRecord::RecordNotFound

    render_404

  end

  # Find a project based on params[:project_id]

  # TODO: some subclasses override this, see about merging their logic

  def find_optional_project

    @project = Project.find(params[:project_id]) unless params[:project_id].blank?

    allowed = User.current.allowed_to?({:controller => params[:controller], :action => params[:action]}, @project, :global => true)

    allowed ? true : deny_access

  rescue ActiveRecord::RecordNotFound

    render_404

  end

  # Finds and sets @project based on @object.project

  def find_project_from_association

    render_404 unless @object.present?

    @project = @object.project

  end

  def find_model_object

    model = self.class.model_object

    if model

      @object = model.find(params[:id])

      self.instance_variable_set('@' + controller_name.singularize, @object) if @object

    end

  rescue ActiveRecord::RecordNotFound

    render_404

  end

  def self.model_object(model)

    self.model_object = model

  end

  # Find the issue whose id is the :id parameter

  # Raises a Unauthorized exception if the issue is not visible

  def find_issue

    # Issue.visible.find(...) can not be used to redirect user to the login form

    # if the issue actually exists but requires authentication

    @issue = Issue.find(params[:id])

    raise Unauthorized unless @issue.visible?

    @project = @issue.project

  rescue ActiveRecord::RecordNotFound

    render_404

  end

  # Find issues with a single :id param or :ids array param

  # Raises a Unauthorized exception if one of the issues is not visible

  def find_issues

    @issues = Issue.where(:id => (params[:id] || params[:ids])).preload(:project, :status, :tracker, :priority, :author, :assigned_to, :relations_to).to_a

    raise ActiveRecord::RecordNotFound if @issues.empty?

    raise Unauthorized unless @issues.all?(&:visible?)

    @projects = @issues.collect(&:project).compact.uniq

    @project = @projects.first if @projects.size == 1

  rescue ActiveRecord::RecordNotFound

    render_404

  end

  def find_attachments

    if (attachments = params[:attachments]).present?

      att = attachments.values.collect do |attachment|

        Attachment.find_by_token( attachment[:token] ) if attachment[:token].present?

      end

      att.compact!

    end

    @attachments = att || []

  end

  # make sure that the user is a member of the project (or admin) if project is private

  # used as a before_filter for actions that do not require any particular permission on the project

  def check_project_privacy

    if @project && [email protected]?

      if @project.visible?

        true

      else

        deny_access

      end

    else

      @project = nil

      render_404

      false

    end

  end

  def back_url

    url = params[:back_url]

    if url.nil? && referer = request.env['HTTP_REFERER']

      url = CGI.unescape(referer.to_s)

    end

    url

  end

  def redirect_back_or_default(default, options={})

    back_url = params[:back_url].to_s

    if back_url.present? && valid_url = validate_back_url(back_url)

      redirect_to(valid_url)

      return

    elsif options[:referer]

      redirect_to_referer_or default

      return

    end

    redirect_to default

    false

  end

  # Returns a validated URL string if back_url is a valid url for redirection,

  # otherwise false

  def validate_back_url(back_url)

    if CGI.unescape(back_url).include?('..')

      return false

    end

    begin

      uri = URI.parse(back_url)

    rescue URI::InvalidURIError

      return false

    end

    [:scheme, :host, :port].each do |component|

      if uri.send(component).present? && uri.send(component) != request.send(component)

        return false

      end

      uri.send(:"#{component}=", nil)

    end

    # Always ignore basic user:password in the URL

    uri.userinfo = nil

    path = uri.to_s

    # Ensure that the remaining URL starts with a slash, followed by a

    # non-slash character or the end

    if path !~ %r{\A/([^/]|\z)}

      return false

    end

    if path.match(%r{/(login|account/register)})

      return false

    end

    if relative_url_root.present? && !path.starts_with?(relative_url_root)

      return false

    end

    return path

  end

  private :validate_back_url

  def valid_back_url?(back_url)

    !!validate_back_url(back_url)

  end

  private :valid_back_url?

  # Redirects to the request referer if present, redirects to args or call block otherwise.

  def redirect_to_referer_or(*args, &block)

    redirect_to :back

  rescue ::ActionController::RedirectBackError

    if args.any?

      redirect_to *args

    elsif block_given?

      block.call

    else

      raise "#redirect_to_referer_or takes arguments or a block"

    end

  end

  def render_403(options={})

    @project = nil

    render_error({:message => :notice_not_authorized, :status => 403}.merge(options))

    return false

  end

  def render_404(options={})

    render_error({:message => :notice_file_not_found, :status => 404}.merge(options))

    return false

  end

  # Renders an error response

  def render_error(arg)

    arg = {:message => arg} unless arg.is_a?(Hash)

    @message = arg[:message]

    @message = l(@message) if @message.is_a?(Symbol)

    @status = arg[:status] || 500

    respond_to do |format|

      format.html {

        render :template => 'common/error', :layout => use_layout, :status => @status

      }

      format.any { head @status }

    end

  end

  # Handler for ActionView::MissingTemplate exception

  def missing_template

    logger.warn "Missing template, responding with 404"

    @project = nil

    render_404

  end

  # Filter for actions that provide an API response

  # but have no HTML representation for non admin users

  def require_admin_or_api_request

    return true if api_request?

    if User.current.admin?

      true

    elsif User.current.logged?

      render_error(:status => 406)

    else

      deny_access

    end

  end

  # Picks which layout to use based on the request

  #

  # @return [boolean, string] name of the layout to use or false for no layout

  def use_layout

    request.xhr? ? false : 'base'

  end

  def render_feed(items, options={})

    @items = items || []

    @items.sort! {|x,y| y.event_datetime <=> x.event_datetime }

    @items = @items.slice(0, Setting.feeds_limit.to_i)

    @title = options[:title] || Setting.app_title

    render :template => "common/feed", :formats => [:atom], :layout => false,

           :content_type => 'application/atom+xml'

  end

  def self.accept_rss_auth(*actions)

    if actions.any?

      self.accept_rss_auth_actions = actions

    else

      self.accept_rss_auth_actions || []

    end

  end

  def accept_rss_auth?(action=action_name)

    self.class.accept_rss_auth.include?(action.to_sym)

  end

  def self.accept_api_auth(*actions)

    if actions.any?

      self.accept_api_auth_actions = actions

    else

      self.accept_api_auth_actions || []

    end

  end

  def accept_api_auth?(action=action_name)

    self.class.accept_api_auth.include?(action.to_sym)

  end

  # Returns the number of objects that should be displayed

  # on the paginated list

  def per_page_option

    per_page = nil

    if params[:per_page] && Setting.per_page_options_array.include?(params[:per_page].to_s.to_i)

      per_page = params[:per_page].to_s.to_i

      session[:per_page] = per_page

    elsif session[:per_page]

      per_page = session[:per_page]

    else

      per_page = Setting.per_page_options_array.first || 25

    end

    per_page

  end

  # Returns offset and limit used to retrieve objects

  # for an API response based on offset, limit and page parameters

  def api_offset_and_limit(options=params)

    if options[:offset].present?

      offset = options[:offset].to_i

      if offset < 0

        offset = 0

      end

    end

    limit = options[:limit].to_i

    if limit < 1

      limit = 25

    elsif limit > 100

      limit = 100

    end

    if offset.nil? && options[:page].present?

      offset = (options[:page].to_i - 1) * limit

      offset = 0 if offset < 0

    end

    offset ||= 0

    [offset, limit]

  end

  # qvalues http header parser

  # code taken from webrick

  def parse_qvalues(value)

    tmp = []

    if value

      parts = value.split(/,\s*/)

      parts.each {|part|

        if m = %r{^([^\s,]+?)(?:;\s*q=(\d+(?:\.\d+)?))?$}.match(part)

          val = m[1]

          q = (m[2] or 1).to_f

          tmp.push([val, q])

        end

      }

      tmp = tmp.sort_by{|val, q| -q}

      tmp.collect!{|val, q| val}

    end

    return tmp

  rescue

    nil

  end

  # Returns a string that can be used as filename value in Content-Disposition header

  def filename_for_content_disposition(name)

    request.env['HTTP_USER_AGENT'] =~ %r{(MSIE|Trident|Edge)} ? ERB::Util.url_encode(name) : name

  end

  def api_request?

    %w(xml json).include? params[:format]

  end

  # Returns the API key present in the request

  def api_key_from_request

    if params[:key].present?

      params[:key].to_s

    elsif request.headers["X-Redmine-API-Key"].present?

      request.headers["X-Redmine-API-Key"].to_s

    end

  end

  # Returns the API 'switch user' value if present

  def api_switch_user_from_request

    request.headers["X-Redmine-Switch-User"].to_s.presence

  end

  # Renders a warning flash if obj has unsaved attachments

  def render_attachment_warning_if_needed(obj)

    flash[:warning] = l(:warning_attachments_not_saved, obj.unsaved_attachments.size) if obj.unsaved_attachments.present?

  end

  # Rescues an invalid query statement. Just in case...

  def query_statement_invalid(exception)

    logger.error "Query::StatementInvalid: #{exception.message}" if logger

    session.delete(:query)

    sort_clear if respond_to?(:sort_clear)

    render_error "An error occurred while executing the query and has been logged. Please report this error to your Redmine administrator."

  end

  # Renders a 200 response for successfull updates or deletions via the API

  def render_api_ok

    render_api_head :ok

  end

  # Renders a head API response

  def render_api_head(status)

    # #head would return a response body with one space

    render :text => '', :status => status, :layout => nil

  end

  # Renders API response on validation failure

  # for an object or an array of objects

  def render_validation_errors(objects)

    messages = Array.wrap(objects).map {|object| object.errors.full_messages}.flatten

    render_api_errors(messages)

  end

  def render_api_errors(*messages)

    @error_messages = messages.flatten

    render :template => 'common/error_messages.api', :status => :unprocessable_entity, :layout => nil

  end

  # Overrides #_include_layout? so that #render with no arguments

  # doesn't use the layout for api requests

  def _include_layout?(*args)

    api_request? ? false : super

  end

end