Skip to content

Commit 0fdd757

Browse files
Merge remote-tracking branch 'origin/release/7.1' into dev
2 parents 7b96ae8 + 8eb77bd commit 0fdd757

4 files changed

Lines changed: 99 additions & 8 deletions

File tree

app/controllers/application_controller.rb

Lines changed: 2 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -42,6 +42,7 @@ class ApplicationController < ActionController::Base
4242
include I18n
4343
include Redmine::I18n
4444
include HookHelper
45+
include ::OpenProject::Authentication::SessionExpiry
4546

4647
layout 'base'
4748

@@ -675,13 +676,7 @@ def stop_if_feeds_disabled
675676
private
676677

677678
def session_expired?
678-
!api_request? && current_user.logged? &&
679-
(session_ttl_enabled? && (session[:updated_at].nil? ||
680-
(session[:updated_at] + Setting.session_ttl.to_i.minutes) < Time.now))
681-
end
682-
683-
def session_ttl_enabled?
684-
Setting.session_ttl_enabled? && Setting.session_ttl.to_i >= 5
679+
!api_request? && current_user.logged? && session_ttl_expired?
685680
end
686681

687682
def permitted_params
Lines changed: 20 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,20 @@
1+
module OpenProject
2+
module Authentication
3+
module SessionExpiry
4+
def session_ttl_enabled?
5+
Setting.session_ttl_enabled? && Setting.session_ttl.to_i >= 5
6+
end
7+
8+
def session_ttl_minutes
9+
Setting.session_ttl.to_i.minutes
10+
end
11+
12+
def session_ttl_expired?
13+
# Only when the TTL setting exists
14+
return false unless session_ttl_enabled?
15+
16+
session[:updated_at].nil? || (session[:updated_at] + session_ttl_minutes) < Time.now
17+
end
18+
end
19+
end
20+
end

lib/open_project/authentication/strategies/warden/session.rb

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,3 +1,5 @@
1+
require 'open_project/authentication/session_expiry'
2+
13
module OpenProject
24
module Authentication
35
module Strategies
@@ -7,8 +9,10 @@ module Warden
79
# not been unified in terms of Warden strategies and is only locally
810
# applied to the API v3.
911
class Session < ::Warden::Strategies::Base
12+
include ::OpenProject::Authentication::SessionExpiry
13+
1014
def valid?
11-
session
15+
session && !session_ttl_expired?
1216
end
1317

1418
def authenticate!
Lines changed: 72 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,72 @@
1+
#-- copyright
2+
# OpenProject is a project management system.
3+
# Copyright (C) 2012-2017 the OpenProject Foundation (OPF)
4+
#
5+
# This program is free software; you can redistribute it and/or
6+
# modify it under the terms of the GNU General Public License version 3.
7+
#
8+
# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
9+
# Copyright (C) 2006-2017 Jean-Philippe Lang
10+
# Copyright (C) 2010-2013 the ChiliProject Team
11+
#
12+
# This program is free software; you can redistribute it and/or
13+
# modify it under the terms of the GNU General Public License
14+
# as published by the Free Software Foundation; either version 2
15+
# of the License, or (at your option) any later version.
16+
#
17+
# This program is distributed in the hope that it will be useful,
18+
# but WITHOUT ANY WARRANTY; without even the implied warranty of
19+
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20+
# GNU General Public License for more details.
21+
#
22+
# You should have received a copy of the GNU General Public License
23+
# along with this program; if not, write to the Free Software
24+
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
25+
#
26+
# See doc/COPYRIGHT.rdoc for more details.
27+
#++
28+
29+
require 'spec_helper'
30+
31+
describe 'Session TTL',
32+
with_settings: {session_ttl_enabled?: true, session_ttl: '10'},
33+
type: :feature do
34+
let!(:user) {FactoryGirl.create :admin}
35+
let!(:work_package) {FactoryGirl.create :work_package}
36+
37+
before do
38+
login_with(user.login, user.password)
39+
end
40+
41+
def expire!
42+
page.set_rack_session(updated_at: Time.now - 1.hour)
43+
end
44+
45+
describe 'outdated TTL on Rails request' do
46+
it 'expires on the next Rails request' do
47+
visit '/my/account'
48+
expect(page).to have_selector('.form--field-container', text: user.login)
49+
50+
# Expire the session
51+
expire!
52+
53+
visit '/'
54+
expect(page).to have_selector('.action-login')
55+
end
56+
end
57+
58+
describe 'outdated TTL on API request' do
59+
it 'expires on the next APIv3 request' do
60+
visit "/api/v3/work_packages/#{work_package.id}"
61+
62+
body = JSON.parse(page.body)
63+
expect(body['id']).to eq(work_package.id)
64+
65+
# Expire the session
66+
expire!
67+
visit "/api/v3/work_packages/#{work_package.id}"
68+
69+
expect(page.body).to eq('unauthorized')
70+
end
71+
end
72+
end

0 commit comments

Comments
 (0)