Much work.
This commit is contained in:
Dan Milne
@@ -1,16 +1,4 @@
|
||||
# frozen_string_literal: true
|
||||
|
||||
class Current < ActiveSupport::CurrentAttributes
|
||||
attribute :baffle_host
|
||||
attribute :baffle_internal_host
|
||||
attribute :project
|
||||
attribute :ip
|
||||
|
||||
def baffle_host
|
||||
@baffle_host || ENV.fetch("BAFFLE_HOST", "localhost:3000")
|
||||
end
|
||||
|
||||
def baffle_internal_host
|
||||
@baffle_internal_host || ENV.fetch("BAFFLE_INTERNAL_HOST", nil)
|
||||
end
|
||||
attribute :session
|
||||
delegate :user, to: :session, allow_nil: true
|
||||
end
|
||||
|
||||
3
app/models/session.rb
Normal file
3
app/models/session.rb
Normal file
@@ -0,0 +1,3 @@
|
||||
class Session < ApplicationRecord
|
||||
belongs_to :user
|
||||
end
|
||||
64
app/models/user.rb
Normal file
64
app/models/user.rb
Normal file
@@ -0,0 +1,64 @@
|
||||
class User < ApplicationRecord
|
||||
has_secure_password
|
||||
has_many :sessions, dependent: :destroy
|
||||
|
||||
normalizes :email_address, with: ->(e) { e.strip.downcase }
|
||||
|
||||
enum :role, { admin: 0, user: 1, viewer: 2 }, default: :user
|
||||
|
||||
validates :email_address, presence: true, uniqueness: true, format: { with: URI::MailTo::EMAIL_REGEXP }
|
||||
validates :role, presence: true
|
||||
|
||||
before_validation :set_first_user_as_admin, on: :create
|
||||
|
||||
def self.from_oidc(auth_hash)
|
||||
# Extract user info from OIDC auth hash
|
||||
email = auth_hash.dig('info', 'email')
|
||||
return nil unless email
|
||||
|
||||
user = find_or_initialize_by(email_address: email)
|
||||
|
||||
# Map OIDC groups to role
|
||||
if auth_hash.dig('extra', 'raw_info', 'groups')
|
||||
user.role = map_oidc_groups_to_role(auth_hash.dig('extra', 'raw_info', 'groups'))
|
||||
end
|
||||
|
||||
# Don't override password for OIDC users
|
||||
user.save!(validate: false) if user.new_record?
|
||||
user
|
||||
end
|
||||
|
||||
def admin?
|
||||
role == 'admin'
|
||||
end
|
||||
|
||||
def viewer?
|
||||
role == 'viewer'
|
||||
end
|
||||
|
||||
private
|
||||
|
||||
def set_first_user_as_admin
|
||||
return if User.any?
|
||||
self.role = 'admin'
|
||||
end
|
||||
|
||||
def self.map_oidc_groups_to_role(groups)
|
||||
groups = Array(groups)
|
||||
|
||||
# Check admin groups first
|
||||
admin_groups = ENV['OIDC_ADMIN_GROUPS']&.split(',')&.map(&:strip)
|
||||
return 'admin' if admin_groups && (admin_groups & groups).any?
|
||||
|
||||
# Check user groups
|
||||
user_groups = ENV['OIDC_USER_GROUPS']&.split(',')&.map(&:strip)
|
||||
return 'user' if user_groups && (user_groups & groups).any?
|
||||
|
||||
# Check viewer groups
|
||||
viewer_groups = ENV['OIDC_VIEWER_GROUPS']&.split(',')&.map(&:strip)
|
||||
return 'viewer' if viewer_groups && (viewer_groups & groups).any?
|
||||
|
||||
# Default to user if no group matches
|
||||
'user'
|
||||
end
|
||||
end
|
||||
Reference in New Issue
Block a user