config/environments/staging.rb db/migrate/20081023115224_baseapp.rb lib/role_requirement_system.rb lib/role_requirement_test_helper.rb script/spec vendor/plugins/aasm/.gitignore vendor/plugins/aasm/CHANGELOG vendor/plugins/aasm/MIT-LICENSE vendor/plugins/aasm/README.rdoc vendor/plugins/aasm/Rakefile vendor/plugins/aasm/TODO vendor/plugins/aasm/aasm.gemspec vendor/plugins/aasm/aasm.rb vendor/plugins/aasm/doc/jamis.rb vendor/plugins/aasm/lib/aasm.rb vendor/plugins/aasm/lib/event.rb vendor/plugins/aasm/lib/persistence.rb vendor/plugins/aasm/lib/persistence/active_record_persistence.rb vendor/plugins/aasm/lib/state.rb vendor/plugins/aasm/lib/state_machine.rb vendor/plugins/aasm/lib/state_transition.rb vendor/plugins/aasm/lib/version.rb vendor/plugins/aasm/spec/functional/conversation.rb vendor/plugins/aasm/spec/functional/conversation_spec.rb vendor/plugins/aasm/spec/spec_helper.rb vendor/plugins/aasm/spec/unit/aasm_spec.rb vendor/plugins/aasm/spec/unit/active_record_persistence_spec.rb vendor/plugins/aasm/spec/unit/event_spec.rb vendor/plugins/aasm/spec/unit/state_spec.rb vendor/plugins/aasm/spec/unit/state_transition_spec.rb vendor/plugins/open_id_authentication/CHANGELOG vendor/plugins/open_id_authentication/README vendor/plugins/open_id_authentication/Rakefile vendor/plugins/open_id_authentication/generators/open_id_authentication_tables/open_id_authentication_tables_generator.rb vendor/plugins/open_id_authentication/generators/open_id_authentication_tables/templates/migration.rb vendor/plugins/open_id_authentication/generators/upgrade_open_id_authentication_tables/templates/migration.rb vendor/plugins/open_id_authentication/generators/upgrade_open_id_authentication_tables/upgrade_open_id_authentication_tables_generator.rb vendor/plugins/open_id_authentication/init.rb vendor/plugins/open_id_authentication/lib/open_id_authentication.rb vendor/plugins/open_id_authentication/lib/open_id_authentication/association.rb vendor/plugins/open_id_authentication/lib/open_id_authentication/db_store.rb vendor/plugins/open_id_authentication/lib/open_id_authentication/mem_cache_store.rb vendor/plugins/open_id_authentication/lib/open_id_authentication/nonce.rb vendor/plugins/open_id_authentication/lib/open_id_authentication/request.rb vendor/plugins/open_id_authentication/lib/open_id_authentication/timeout_fixes.rb vendor/plugins/open_id_authentication/tasks/open_id_authentication_tasks.rake vendor/plugins/open_id_authentication/test/mem_cache_store_test.rb vendor/plugins/open_id_authentication/test/normalize_test.rb vendor/plugins/open_id_authentication/test/open_id_authentication_test.rb vendor/plugins/open_id_authentication/test/status_test.rb vendor/plugins/open_id_authentication/test/test_helper.rb vendor/plugins/restful_authentication/.gitignore vendor/plugins/restful_authentication/CHANGELOG vendor/plugins/restful_authentication/README vendor/plugins/restful_authentication/Rakefile vendor/plugins/restful_authentication/TODO vendor/plugins/restful_authentication/generators/authenticated/USAGE vendor/plugins/restful_authentication/generators/authenticated/authenticated_generator.rb vendor/plugins/restful_authentication/generators/authenticated/lib/insert_routes.rb vendor/plugins/restful_authentication/generators/authenticated/templates/_model_partial.html.erb vendor/plugins/restful_authentication/generators/authenticated/templates/activation.html.erb vendor/plugins/restful_authentication/generators/authenticated/templates/authenticated_system.rb vendor/plugins/restful_authentication/generators/authenticated/templates/authenticated_test_helper.rb vendor/plugins/restful_authentication/generators/authenticated/templates/controller.rb vendor/plugins/restful_authentication/generators/authenticated/templates/helper.rb vendor/plugins/restful_authentication/generators/authenticated/templates/login.html.erb vendor/plugins/restful_authentication/generators/authenticated/templates/mailer.rb vendor/plugins/restful_authentication/generators/authenticated/templates/migration.rb vendor/plugins/restful_authentication/generators/authenticated/templates/model.rb vendor/plugins/restful_authentication/generators/authenticated/templates/model_controller.rb vendor/plugins/restful_authentication/generators/authenticated/templates/model_helper.rb vendor/plugins/restful_authentication/generators/authenticated/templates/model_helper_spec.rb vendor/plugins/restful_authentication/generators/authenticated/templates/observer.rb vendor/plugins/restful_authentication/generators/authenticated/templates/signup.html.erb vendor/plugins/restful_authentication/generators/authenticated/templates/signup_notification.html.erb vendor/plugins/restful_authentication/generators/authenticated/templates/site_keys.rb vendor/plugins/restful_authentication/generators/authenticated/templates/spec/controllers/access_control_spec.rb vendor/plugins/restful_authentication/generators/authenticated/templates/spec/controllers/authenticated_system_spec.rb vendor/plugins/restful_authentication/generators/authenticated/templates/spec/controllers/sessions_controller_spec.rb vendor/plugins/restful_authentication/generators/authenticated/templates/spec/controllers/users_controller_spec.rb vendor/plugins/restful_authentication/generators/authenticated/templates/spec/fixtures/users.yml vendor/plugins/restful_authentication/generators/authenticated/templates/spec/helpers/users_helper_spec.rb vendor/plugins/restful_authentication/generators/authenticated/templates/spec/models/user_spec.rb vendor/plugins/restful_authentication/generators/authenticated/templates/stories/rest_auth_stories.rb vendor/plugins/restful_authentication/generators/authenticated/templates/stories/rest_auth_stories_helper.rb vendor/plugins/restful_authentication/generators/authenticated/templates/stories/steps/ra_navigation_steps.rb vendor/plugins/restful_authentication/generators/authenticated/templates/stories/steps/ra_resource_steps.rb vendor/plugins/restful_authentication/generators/authenticated/templates/stories/steps/ra_response_steps.rb vendor/plugins/restful_authentication/generators/authenticated/templates/stories/steps/user_steps.rb vendor/plugins/restful_authentication/generators/authenticated/templates/stories/users/accounts.story vendor/plugins/restful_authentication/generators/authenticated/templates/stories/users/sessions.story vendor/plugins/restful_authentication/generators/authenticated/templates/test/functional_test.rb vendor/plugins/restful_authentication/generators/authenticated/templates/test/mailer_test.rb vendor/plugins/restful_authentication/generators/authenticated/templates/test/model_functional_test.rb vendor/plugins/restful_authentication/generators/authenticated/templates/test/unit_test.rb vendor/plugins/restful_authentication/init.rb vendor/plugins/restful_authentication/install.rb vendor/plugins/restful_authentication/lib/authentication.rb vendor/plugins/restful_authentication/lib/authentication/by_cookie_token.rb vendor/plugins/restful_authentication/lib/authentication/by_password.rb vendor/plugins/restful_authentication/lib/authorization.rb vendor/plugins/restful_authentication/lib/authorization/aasm_roles.rb vendor/plugins/restful_authentication/lib/authorization/stateful_roles.rb vendor/plugins/restful_authentication/lib/trustification.rb vendor/plugins/restful_authentication/lib/trustification/email_validation.rb vendor/plugins/restful_authentication/notes/AccessControl.txt vendor/plugins/restful_authentication/notes/Authentication.txt vendor/plugins/restful_authentication/notes/Authorization.txt vendor/plugins/restful_authentication/notes/RailsPlugins.txt vendor/plugins/restful_authentication/notes/SecurityFramework.graffle vendor/plugins/restful_authentication/notes/SecurityFramework.png vendor/plugins/restful_authentication/notes/SecurityPatterns.txt vendor/plugins/restful_authentication/notes/Tradeoffs.txt vendor/plugins/restful_authentication/notes/Trustification.txt vendor/plugins/restful_authentication/tasks/auth.rake vendor/plugins/role_requirement/ChangeLog vendor/plugins/role_requirement/MIT-LICENSE vendor/plugins/role_requirement/README.textile vendor/plugins/role_requirement/generators/role_generator_helpers.rb vendor/plugins/role_requirement/generators/roles/roles_generator.rb vendor/plugins/role_requirement/generators/roles/templates/001_roles_migration.rb.erb vendor/plugins/role_requirement/generators/roles/templates/_user_functions.erb vendor/plugins/role_requirement/generators/roles/templates/hijacker.rb vendor/plugins/role_requirement/generators/roles/templates/role_model.rb.erb vendor/plugins/role_requirement/generators/roles/templates/role_requirement_system.rb.erb vendor/plugins/role_requirement/generators/roles/templates/role_requirement_test_helper.rb.erb vendor/plugins/role_requirement/generators/roles/templates/roles.yml vendor/plugins/role_requirement/generators/roles/templates/roles_users.yml vendor/plugins/role_requirement/generators/roles/templates/users_admin_fixture_with_roles.yml vendor/plugins/role_requirement/init.rb vendor/plugins/role_requirement/test/authenticated_system.rb vendor/plugins/role_requirement/test/controller_stub.rb vendor/plugins/role_requirement/test/functional/test_role_controller.rb vendor/plugins/role_requirement/test/test_helper.rb vendor/plugins/role_requirement/test/user_stub.rb @@ -2,9 +2,10 @@ # Likewise, all the methods added will be available for all controllers. class ApplicationController < ActionController::Base include AuthenticatedSystem - include RoleRequirement - + include RoleRequirementSystem + helper :all # include all helpers, all the time + filter_parameter_logging :password, :password_confirmation # Return the value for a given setting def s(identifier) app/controllers/application.rb @@ -1,32 +1,63 @@ # This controller handles the login/logout function of the site. class SessionsController < ApplicationController + skip_before_filter :verify_authenticity_token, :only => :create + layout 'login' - # render new.rhtml def new end def create - self.current_user = User.authenticate(params[:login], params[:password]) - if logged_in? - if params[:remember_me] == "1" - self.current_user.remember_me - cookies[:auth_token] = { :value => self.current_user.remember_token , :expires => self.current_user.remember_token_expires_at } - end - redirect_back_or_default('/') - flash[:notice] = "Welcome back to #{s(:site_name)}, #{self.current_user.login}!" + logout_keeping_session! + if using_open_id? + open_id_authentication else - # TODO: (base_app) Add feature to resend the activation email, which might be caught as SPAM - flash.now[:error] = "The login/password combination you provided is incorrect or your account has not yet been activated." - render :action => 'new' + password_authentication end end def destroy - self.current_user.forget_me if logged_in? - cookies.delete :auth_token - reset_session - flash[:notice] = "You have been logged out. Goodbye!" - redirect_back_or_default('/') + logout_killing_session! + flash[:notice] = "You have been logged out." + redirect_back_or_default(root_path) + end + + def open_id_authentication + authenticate_with_open_id do |result, identity_url| + if result.successful? && self.current_user = User.find_by_identity_url(identity_url) + successful_login + else + flash[:error] = result.message || "Sorry no user with that identity URL exists" + @rememer_me = params[:remember_me] + render :action => :new + end + end + end + + protected + + def password_authentication + user = User.authenticate(params[:login], params[:password]) + if user + self.current_user = user + successful_login + else + note_failed_signin + @login = params[:login] + @remember_me = params[:remember_me] + render :action => :new + end + end + + def successful_login + new_cookie_flag = (params[:remember_me] == "1") + handle_remember_cookie! new_cookie_flag + redirect_back_or_default(root_path) + flash[:notice] = "Logged in successfully" + end + + def note_failed_signin + flash[:error] = "Couldn't log you in as '#{params[:login]}'" + logger.warn "Failed login for '#{params[:login]}' from #{request.remote_ip} at #{Time.now.utc}" end end app/controllers/sessions_controller.rb @@ -1,14 +1,17 @@ class UsersController < ApplicationController + skip_before_filter :verify_authenticity_token, :only => :create + before_filter :find_user, :only => [:profile, :destroy, :edit_password, :update_password, :edit_email, :update_email ] - layout 'login' #, :except => [:edit_password, :update_password] + layout 'login' # render new.rhtml def new + @user = User.new end def troubleshooting @@ -21,10 +24,15 @@ class UsersController < ApplicationController render :layout => 'login' end - def forgot_login + def forgot_login if request.put? begin @user = User.find_by_email(params[:email], :conditions => ['NOT state = ?', 'deleted']) + + if ! @user.not_using_openid? + flash[:notice] = "You cannot help you, you're using OpenID!" + redirect_to :back + end rescue @user = nil end @@ -41,14 +49,19 @@ class UsersController < ApplicationController render :layout => 'login' end - def forgot_password + def forgot_password if request.put? @user = User.find_by_login_or_email(params[:email_or_login]) if @user.nil? flash.now[:error] = 'No account was found by that login or email address.' else - @user.forgot_password if @user.active? + if ! @user.not_using_openid? + flash[:notice] = "You cannot reset your password here. You are using OpenID!" + redirect_to :back + else + @user.forgot_password if @user.active? + end end else # Render forgot_password.html.erb @@ -57,7 +70,7 @@ class UsersController < ApplicationController render :layout => 'login' end - def reset_password + def reset_password begin @user = User.find_by_password_reset_code(params[:password_reset_code]) rescue @@ -72,31 +85,53 @@ class UsersController < ApplicationController end def create - cookies.delete :auth_token - @user = User.new(params[:user]) - raise ActiveRecord::RecordInvalid.new(@user) unless @user.valid? - @user.register! - - redirect_back_or_default('/') - flash[:notice] = "Thanks for signing up!<br />You will receive an email in a few minutes with further instructions on how to activate your account." - rescue ActiveRecord::RecordInvalid - render :action => 'new' + logout_keeping_session! + if using_open_id? + authenticate_with_open_id(params[:open_id_url], :return_to => open_id_create_url, + :required => [:nickname, :email]) do |result, identity_url, registration| + if result.successful? + create_new_user(:identity_url => identity_url, :login => registration['nickname'], :email => registration['email']) + else + failed_creation(result.message || "Sorry, something went wrong") + end + end + else + create_new_user(params[:user]) + end end def activate - self.current_user = params[:activation_code].blank? ? :false : User.find_by_activation_code(params[:activation_code]) - if logged_in? && !current_user.active? - current_user.activate! - flash[:notice] = "Your account is now ready.<br />Thanks for signing up!" + logout_keeping_session! + user = User.find_by_activation_code(params[:activation_code]) unless params[:activation_code].blank? + case + when (!params[:activation_code].blank?) && user && !user.active? + user.activate! + flash[:notice] = "Signup complete! Please sign in to continue." + redirect_to login_path + when params[:activation_code].blank? + flash[:error] = "The activation code was missing. Please follow the URL from your email." + redirect_back_or_default(root_path) + else + flash[:error] = "We couldn't find a user with that activation code -- check your email? Or maybe you've already activated -- try signing in." + redirect_back_or_default(root_path) end - redirect_back_or_default('/') end def edit_password + if ! @user.not_using_openid? + flash[:notice] = "You cannot update your password. You are using OpenID!" + redirect_to :back + end + # render edit_password.html.erb end def update_password + if ! @user.not_using_openid? + flash[:notice] = "You cannot update your password. You are using OpenID!" + redirect_to :back + end + if current_user == @user current_password, new_password, new_password_confirmation = params[:current_password], params[:new_password], params[:new_password_confirmation] @@ -127,10 +162,20 @@ class UsersController < ApplicationController end def edit_email + if ! @user.not_using_openid? + flash[:notice] = "You cannot update your email address. You are using OpenID!" + redirect_to :back + end + # render edit_email.html.erb end def update_email + if ! @user.not_using_openid? + flash[:notice] = "You cannot update your email address. You are using OpenID!" + redirect_to :back + end + if current_user == @user if @user.update_attributes(:email => params[:email]) flash[:notice] = "Your email address has been updated." @@ -151,4 +196,32 @@ class UsersController < ApplicationController @user = User.find(params[:id]) end + def create_new_user(attributes) + @user = User.new(attributes) + if @user && @user.valid? + if @user.not_using_openid? + @user.register! + else + @user.register_openid! + end + end + + if @user.errors.empty? + successful_creation(@user) + else + failed_creation + end + end + + def successful_creation(user) + redirect_back_or_default(root_path) + flash[:notice] = "Thanks for signing up!" + flash[:notice] << " We're sending you an email with your activation code." if @user.not_using_openid? + flash[:notice] << " You can now login with your OpenID." if ! @user.not_using_openid? + end + + def failed_creation(message = 'Sorry, there was an error creating your account') + flash[:error] = message + render :action => :new + end end app/controllers/users_controller.rb @@ -1,75 +1,64 @@ require 'digest/sha1' + class User < ActiveRecord::Base + include Authentication + include Authentication::ByPassword + include Authentication::ByCookieToken + include Authorization::AasmRoles + + # Validations + validates_presence_of :login, :if => :not_using_openid? + validates_length_of :login, :within => 3..40, :if => :not_using_openid? + validates_uniqueness_of :login, :case_sensitive => false, :if => :not_using_openid? + validates_format_of :login, :with => RE_LOGIN_OK, :message => MSG_LOGIN_BAD, :if => :not_using_openid? + validates_format_of :name, :with => RE_NAME_OK, :message => MSG_NAME_BAD, :allow_nil => true + validates_length_of :name, :maximum => 100 + validates_presence_of :email, :if => :not_using_openid? + validates_length_of :email, :within => 6..100, :if => :not_using_openid? + validates_uniqueness_of :email, :case_sensitive => false, :if => :not_using_openid? + validates_format_of :email, :with => RE_EMAIL_OK, :message => MSG_EMAIL_BAD, :if => :not_using_openid? + validates_uniqueness_of :identity_url, :unless => :not_using_openid? + validate :normalize_identity_url + # Relations has_and_belongs_to_many :roles has_one :profile - # has_role? simply needs to return true or false whether a user has a role or not. - # It may be a good idea to have "admin" roles return true always - def has_role?(role_in_question) - @_list ||= self.roles.collect(&:name) - return true if @_list.include?("admin") - (@_list.include?(role_in_question.to_s) ) - end - - # Virtual attribute for the unencrypted password - attr_accessor :password - - # Per page pagination - cattr_reader :per_page - @@per_page = 25 - - validates_presence_of :login, :email - validates_presence_of :password, :if => :password_required? - validates_presence_of :password_confirmation, :if => :password_required? - validates_length_of :password, :within => 4..40, :if => :password_required? - validates_confirmation_of :password, :if => :password_required? - validates_length_of :login, :within => 3..40 - validates_length_of :email, :within => 3..100 - validates_uniqueness_of :login, :email, :case_sensitive => false - before_save :encrypt_password - - after_create :create_environment + # Hooks + after_create :create_profile + # HACK HACK HACK -- how to do attr_accessible from here? # prevents a user from submitting a crafted form that bypasses activation # anything else you want your user to change should be added here. - attr_accessible :login, :email, :password, :password_confirmation - - acts_as_state_machine :initial => :pending - state :passive - state :pending, :enter => :make_activation_code - state :unactivated - state :active, :enter => :do_activate - state :suspended - state :deleted, :enter => :do_delete - - event :register do - transitions :from => :passive, :to => :pending, :guard => Proc.new {|u| !(u.crypted_password.blank? && u.password.blank?) } - end + attr_accessible :login, :email, :name, :password, :password_confirmation, :identity_url - event :activate do - transitions :from => :pending, :to => :active + # has_role? simply needs to return true or false whether a user has a role or not. + # It may be a good idea to have "admin" roles return true always + def has_role?(role) + list ||= self.roles.collect(&:name) + list.include?(role.to_s) || list.include?('admin') end - - event :send_activation do - transitions :from => :pending, :to => :unactivated + + # Authenticates a user by their login name and unencrypted password. Returns the user or nil. + def self.authenticate(login, password) + u = find_in_state :first, :active, :conditions => {:login => login} # need to get the salt + u && u.authenticated?(password) ? u : nil end - - event :suspend do - transitions :from => [:passive, :pending, :active, :unactivated], :to => :suspended + + def not_using_openid? + identity_url.blank? end - event :delete do - transitions :from => [:passive, :pending, :active, :unactivated, :suspended], :to => :deleted + def password_required? + new_record? ? not_using_openid? && (crypted_password.blank? || !password.blank?) : !password.blank? end - event :unsuspend do - transitions :from => :suspended, :to => :active, :guard => Proc.new {|u| !u.activated_at.blank? } - transitions :from => :suspended, :to => :pending, :guard => Proc.new {|u| u.activated_at.blank? && u.activation_code.blank? } - transitions :from => :suspended, :to => :unactivated, :guard => Proc.new {|u| u.activated_at.blank? && !u.activation_code.blank? } - transitions :from => :suspended, :to => :passive + def normalize_identity_url + self.identity_url = OpenIdAuthentication.normalize_url(identity_url) unless not_using_openid? + rescue + errors.add_to_base("Invalid OpenID URL") end - + # Creates a new password for the user, and notifies him with an email def reset_password! password = PasswordGenerator.random_pronouncable_password(3) @@ -80,99 +69,74 @@ class User < ActiveRecord::Base UserMailer.deliver_reset_password(self) end - - # Authenticates a user by their login name and unencrypted password. Returns the user or nil. - def self.authenticate(login, password) - u = find_in_state :first, :active, :conditions => {:login => login} # need to get the salt - u && u.authenticated?(password) ? u : nil + + def forgot_password + self.make_password_reset_code + save + UserMailer.deliver_forgot_password(self) end - - # Encrypts some data with the salt. - def self.encrypt(password, salt) - Digest::SHA1.hexdigest("--#{salt}--#{password}--") + + def self.find_by_login_or_email(login_or_email) + find(:first, :conditions => ['login = ? OR email = ?', login_or_email, login_or_email]) + rescue + nil end + +protected - # Encrypts the password with the user salt - def encrypt(password) - self.class.encrypt(password, salt) + def make_activation_code + self.deleted_at = nil + self.activation_code = self.class.make_token end - def authenticated?(password) - crypted_password == encrypt(password) + def make_password_reset_code + self.password_reset_code = self.class.make_token end - - def remember_token? - remember_token_expires_at && Time.now.utc < remember_token_expires_at + + def create_profile + # Give the user a profile + self.profile = Profile.create end + +# -------- - # These create and unset the fields required for remembering users between browser closes - def remember_me - remember_me_for 2.weeks - end + # Virtual attribute for the unencrypted password + # attr_accessor :password + + # Per page pagination + # TODO: Replace with searchgasm + # cattr_reader :per_page + # @@per_page = 25 - def remember_me_for(time) - remember_me_until time.from_now.utc - end - def remember_me_until(time) - self.remember_token_expires_at = time - self.remember_token = encrypt("#{email}--#{remember_token_expires_at}") - save(false) - end - def forget_me - self.remember_token_expires_at = nil - self.remember_token = nil - save(false) - end - def forgot_password - self.make_password_reset_code - save - UserMailer.deliver_forgot_password(self) - end + # Encrypts some data with the salt. + # def self.encrypt(password, salt) + # Digest::SHA1.hexdigest("--#{salt}--#{password}--") + # end + + - def self.find_by_login_or_email(login_or_email) - find(:first, :conditions => ['login = ? OR email = ?', login_or_email, login_or_email]) - rescue - nil - end + - protected # before filter - def encrypt_password - return if password.blank? - self.salt = Digest::SHA1.hexdigest("--#{Time.now.to_s}--#{login}--") if new_record? - self.crypted_password = encrypt(password) - end - - def password_required? - crypted_password.blank? || !password.blank? - end - - def make_activation_code - self.deleted_at = nil - self.activation_code = Digest::SHA1.hexdigest(Time.now.to_s.split(//).sort_by {rand}.join ) - end + # def encrypt_password + # return if password.blank? + # self.salt = Digest::SHA1.hexdigest("--#{Time.now.to_s}--#{login}--") if new_record? + # self.crypted_password = encrypt(password) + # end - def make_password_reset_code - self.password_reset_code = Digest::SHA1.hexdigest(Time.now.to_s.split(//).sort_by {rand}.join ) - end + - def do_delete - self.deleted_at = Time.now.utc - end - - def do_activate - self.activated_at = Time.now.utc - self.deleted_at = self.activation_code = nil - end + # def do_delete + # self.deleted_at = Time.now.utc + # end + # + # def do_activate + # self.activated_at = Time.now.utc + # self.deleted_at = self.activation_code = nil + # end - def create_environment - # Give the user a profile - self.profile = Profile.create - - # Give the defaul 'user' role - self.roles << Role.find_by_name('user') - end + end app/models/user.rb @@ -1,9 +1,9 @@ class UserObserver < ActiveRecord::Observer def after_create(user) - UserMailer.deliver_signup_notification(user) + UserMailer.deliver_signup_notification(user) if user.not_using_openid? end def after_save(user) - UserMailer.deliver_activation(user) if user.unactivated? + UserMailer.deliver_activation(user) if user.recently_activated? && user.not_using_openid? end end app/models/user_observer.rb @@ -1,11 +1,19 @@ <h3>Account details</h3> <table class="overview"> <%= cell "Login", h(@user.login) %> - + + <% if ! @user.not_using_openid? %> + <%= cell "OpenID URL", h(@user.identity_url) %> + <% end %> + <%= cell_separator %> - <%= cell "Email", "#{h(@user.email)} <small>#{link_to "change", edit_email_user_url(@user)}</small>" %> + <% change_email_text = @user.not_using_openid? ? " <small>#{link_to "change", edit_email_user_url(@user)}</small>" : "" %> + + <%= cell "Email", "#{h(@user.email)}#{change_email_text}" %> + <% if @user.not_using_openid? %> <%= cell "Password", "#{"*"*8} <small>#{link_to "change", edit_password_user_url(@user)}</small>" %> + <% end %> <%= cell_separator %> app/views/profiles/_account_details.html.erb @@ -1,15 +1,21 @@ <% content_for :sidebar do -%> <h2>My account</h2> +<div id="gravatar"> + <%= gravatar_for @user, :size => 100 %> +</div> + <ul> <li><%= link_to "Update my profile", edit_profile_url(current_user) %></li> <li><%= link_to "Update my avatar", edit_avatar_user_url(current_user) %></li> </ul> +<% if @user.not_using_openid? %> <ul> <li><%= link_to "Change my email address", edit_email_user_url(@user) %></li> <li><%= link_to "Change my password", edit_password_user_url(@user) %></li> </ul> +<% end %> <% unless admin? -%> <ul> app/views/profiles/_my_account.html.erb @@ -4,11 +4,7 @@ <% end -%> <p>The profile you requested does not exist.</p> -<% else -%> - <div style="float: right; margin: 10px"> - <%= gravatar_for @user %> - </div> - +<% else -%> <% content_for :header do -%> <% if current_user == @user -%> My Account app/views/profiles/show.html.erb @@ -9,15 +9,25 @@ <% end -%> <% form_tag session_path do -%> -<p><label for="login">Login</label><br/> -<%= text_field_tag 'login' %></p> + <fieldset> + <legend>Your Details</legend> + + <p><label for="login">Login</label><br/> + <%= text_field_tag 'login' %></p> -<p><label for="password">Password</label><br/> -<%= password_field_tag 'password' %></p> - -<p><label for="remember_me">Remember me:</label> -<%= check_box_tag 'remember_me' %></p> + <p><label for="password">Password</label><br/> + <%= password_field_tag 'password' %></p> + <p><label for="remember_me">Remember me:</label> + <%= check_box_tag 'remember_me' %></p> + </fieldset> + <fieldset> + <legend>Login with OpenID</legend> + + <p><label for="openid_url">OpenID URL</label><br/> + <%= text_field_tag 'openid_url' %></p> + </fieldset> + <ul> <li><%= link_to "Sign up for an account now", signup_url %></li> <li><%= link_to "Having trouble logging in?", user_troubleshooting_url %></li> app/views/sessions/new.rhtml @@ -1,3 +1,5 @@ +<% @user.password = @user.password_confirmation = nil %> + <% content_for :header do -%> Create a new <%= s(:site_name) %> account <% end -%> @@ -10,22 +12,29 @@ Create a new <%= s(:site_name) %> account Already have an account? <%= link_to("Login here", login_url)%> </p> -<%= error_messages_for :user %> <% form_for :user, :url => users_path do |f| -%> -<p><label for="login">Login</label><br/> -<%= f.text_field :login %></p> - -<p><label for="email">Email</label><br/> -<%= f.text_field :email %></p> - -<p><label for="password">Password</label><br/> -<%= f.password_field :password %></p> - -<p><label for="password_confirmation">Confirm Password</label><br/> -<%= f.password_field :password_confirmation %></p> - - -<div id="submitbutton"> - <p><%= submit_tag 'Sign up' %></p> -</div> -<% end -%> + <%= error_messages_for :user %> + <fieldset> + <legend>Your Details</legend> + <p><label for="login">Login</label><br/> + <%= f.text_field :login %></p> + + <p><label for="email">Email</label><br/> + <%= f.text_field :email %></p> + + <p><label for="password">Password</label><br/> + <%= f.password_field :password %></p> + + <p><label for="password_confirmation">Confirm Password</label><br/> + <%= f.password_field :password_confirmation %></p> + </fieldset> + <fieldset> + <legend>Signup with OpenID</legend> + <p><label for="openid_url">OpenID URL</label><br/> + <%= text_field_tag :openid_url, params[:openid_url] || params['openid.identity'] %></p> + </fieldset> + + <div id="submitbutton"> + <p><%= submit_tag 'Sign up' %></p> + </div> +<% end %> app/views/users/new.rhtml @@ -15,4 +15,8 @@ config.action_controller.perform_caching = false config.action_view.cache_template_extensions = false # Don't care if the mailer can't send -config.action_mailer.raise_delivery_errors = false \ No newline at end of file +config.action_mailer.raise_delivery_errors = false + +# Restful Authentication +REST_AUTH_SITE_KEY = '5a5e73a69a893311f859ccff1ffd0fa2d7ea25fd' +REST_AUTH_DIGEST_STRETCHES = 15 \ No newline at end of file config/environments/development.rb @@ -17,3 +17,7 @@ config.action_view.cache_template_loading = true # Disable delivery errors, bad email addresses will be ignored # config.action_mailer.raise_delivery_errors = false + +# Restful Authentication +REST_AUTH_SITE_KEY = '5a5e73a69a893311f859ccff1ffd0fa2d7ea25fd' +REST_AUTH_DIGEST_STRETCHES = 15 \ No newline at end of file config/environments/production.rb @@ -20,3 +20,7 @@ config.action_controller.allow_forgery_protection = false # The :test delivery method accumulates sent emails in the # ActionMailer::Base.deliveries array. config.action_mailer.delivery_method = :test + +# Restful Authentication +REST_AUTH_SITE_KEY = '5a5e73a69a893311f859ccff1ffd0fa2d7ea25fd' +REST_AUTH_DIGEST_STRETCHES = 15 \ No newline at end of file config/environments/test.rb @@ -1,13 +1,22 @@ # See how all your routes lay out with "rake routes" ActionController::Routing::Routes.draw do |map| - # Non RESTful routes for user management. + # RESTful rewrites + + map.signup '/signup', :controller => 'users', :action => 'new' + map.activate '/activate/:activation_code', :controller => 'users', :action => 'activate' + map.login '/login', :controller => 'sessions', :action => 'new' + map.logout '/logout', :controller => 'sessions', :action => 'destroy', :conditions => {:method => :delete} + map.user_troubleshooting '/users/troubleshooting', :controller => 'users', :action => 'troubleshooting' map.user_forgot_password '/users/forgot_password', :controller => 'users', :action => 'forgot_password' map.user_reset_password '/users/reset_password/:password_reset_code', :controller => 'users', :action => 'reset_password' map.user_forgot_login '/users/forgot_login', :controller => 'users', :action => 'forgot_login' map.user_clueless '/users/clueless', :controller => 'users', :action => 'clueless' + map.open_id_complete '/opensession', :controller => "sessions", :action => "create", :requirements => { :method => :get } + map.open_id_create '/opencreate', :controller => "users", :action => "create", :requirements => { :method => :get } + map.resources :users, :member => { :edit_password => :get, :update_password => :put, :edit_email => :get, @@ -16,13 +25,7 @@ ActionController::Routing::Routes.draw do |map| :update_avatar => :put } map.resource :session - - # Account shortcuts - map.signup '/signup', :controller => 'users', :action => 'new' - map.activate '/activate/:activation_code', :controller => 'users', :action => 'activate' - map.login '/login', :controller => 'sessions', :action => 'new' - map.logout '/logout', :controller => 'sessions', :action => 'destroy', :conditions => {:method => :delete} - + # Profiles map.resources :profiles config/routes.rb @@ -9,7 +9,22 @@ # # It's strongly recommended to check this file into your version control system. -ActiveRecord::Schema.define(:version => 20080101000005) do +ActiveRecord::Schema.define(:version => 20081023115224) do + + create_table "open_id_authentication_associations", :force => true do |t| + t.integer "issued" + t.integer "lifetime" + t.string "handle" + t.string "assoc_type" + t.binary "server_url" + t.binary "secret" + end + + create_table "open_id_authentication_nonces", :force => true do |t| + t.integer "timestamp", :null => false + t.string "server_url" + t.string "salt", :default => "", :null => false + end create_table "profiles", :force => true do |t| t.integer "user_id" @@ -29,9 +44,6 @@ ActiveRecord::Schema.define(:version => 20080101000005) do t.integer "user_id" end - add_index "roles_users", ["role_id"], :name => "index_roles_users_on_role_id" - add_index "roles_users", ["user_id"], :name => "index_roles_users_on_user_id" - create_table "settings", :force => true do |t| t.string "label" t.string "identifier" @@ -43,19 +55,23 @@ ActiveRecord::Schema.define(:version => 20080101000005) do end create_table "users", :force => true do |t| - t.string "login" - t.string "email" + t.string "login", :limit => 40 + t.string "identity_url" + t.string "name", :limit => 100, :default => "" + t.string "email", :limit => 100 t.string "crypted_password", :limit => 40 t.string "salt", :limit => 40 - t.datetime "created_at" - t.datetime "updated_at" - t.string "remember_token" - t.datetime "remember_token_expires_at" + t.string "remember_token", :limit => 40 t.string "activation_code", :limit => 40 + t.string "state", :default => "passive" + t.datetime "remember_token_expires_at" + t.string "password_reset_cod" t.datetime "activated_at" - t.string "state", :default => "passive" t.datetime "deleted_at" - t.string "password_reset_code" + t.datetime "created_at" + t.datetime "updated_at" end + add_index "users", ["login"], :name => "index_users_on_login", :unique => true + end db/schema.rb @@ -3,21 +3,21 @@ module AuthenticatedSystem # Returns true or false if the user is logged in. # Preloads @current_user with the user model if they're logged in. def logged_in? - current_user != :false + !!current_user end - - # Accesses the current user from the session. Set it to :false if login fails - # so that future calls do not hit the database. + + # Accesses the current user from the session. + # Future calls avoid the database because nil is not equal to false. def current_user - @current_user ||= (login_from_session || login_from_basic_auth || login_from_cookie || :false) + @current_user ||= (login_from_session || login_from_basic_auth || login_from_cookie) unless @current_user == false end - - # Store the given user in the session. + + # Store the given user id in the session. def current_user=(new_user) - session[:user] = (new_user.nil? || new_user.is_a?(Symbol)) ? nil : new_user.id - @current_user = new_user + session[:user_id] = new_user ? new_user.id : nil + @current_user = new_user || false end - + # Check if the user is authorized # # Override this method in your controllers if you want to restrict access @@ -30,7 +30,8 @@ module AuthenticatedSystem # def authorized? # current_user.login != "bob" # end - def authorized? + # + def authorized?(action=nil, resource=nil, *args) logged_in? end @@ -61,68 +62,126 @@ module AuthenticatedSystem # to access the requested action. For example, a popup window might # simply close itself. def access_denied - respond_to do |accepts| - accepts.html do + respond_to do |format| + format.html do store_location - redirect_to :controller => '/sessions', :action => 'new' + redirect_to new_session_path end - accepts.xml do - headers["Status"] = "Unauthorized" - headers["WWW-Authenticate"] = %(Basic realm="Web Password") - render :text => "Could't authenticate you", :status => '401 Unauthorized' + # format.any doesn't work in rails version < http://dev.rubyonrails.org/changeset/8987 + # you may want to change format.any to e.g. format.any(:js, :xml) + format.any do + request_http_basic_authentication 'Web Password' end end - false - end - + end + # Store the URI of the current request in the session. # # We can return to this location by calling #redirect_back_or_default. def store_location session[:return_to] = request.request_uri end - + # Redirect to the URI stored by the most recent store_location call or - # to the passed default. + # to the passed default. Set an appropriately modified + # after_filter :store_location, :only => [:index, :new, :show, :edit] + # for any controller you want to be bounce-backable. def redirect_back_or_default(default) redirect_to(session[:return_to] || default) session[:return_to] = nil end - + # Inclusion hook to make #current_user and #logged_in? # available as ActionView helper methods. def self.included(base) - base.send :helper_method, :current_user, :logged_in? + base.send :helper_method, :current_user, :logged_in?, :authorized? if base.respond_to? :helper_method end + # + # Login + # + # Called from #current_user. First attempt to login by the user id stored in the session. def login_from_session - self.current_user = User.find_by_id(session[:user]) if session[:user] + self.current_user = User.find_by_id(session[:user_id]) if session[:user_id] end # Called from #current_user. Now, attempt to login by basic authentication information. def login_from_basic_auth - username, passwd = get_auth_data - self.current_user = User.authenticate(username, passwd) if username && passwd + authenticate_with_http_basic do |login, password| + self.current_user = User.authenticate(login, password) + end end + + # + # Logout + # # Called from #current_user. Finaly, attempt to login by an expiring token in the cookie. - def login_from_cookie + # for the paranoid: we _should_ be storing user_token = hash(cookie_token, request IP) + def login_from_cookie user = cookies[:auth_token] && User.find_by_remember_token(cookies[:auth_token]) if user && user.remember_token? - user.remember_me - cookies[:auth_token] = { :value => user.remember_token, :expires => user.remember_token_expires_at } self.current_user = user + handle_remember_cookie! false # freshen cookie token (keeping date) + self.current_user end end - private - @@http_auth_headers = %w(Authorization HTTP_AUTHORIZATION X-HTTP_AUTHORIZATION X_HTTP_AUTHORIZATION REDIRECT_X_HTTP_AUTHORIZATION) + # This is ususally what you want; resetting the session willy-nilly wreaks + # havoc with forgery protection, and is only strictly necessary on login. + # However, **all session state variables should be unset here**. + def logout_keeping_session! + # Kill server-side auth cookie + @current_user.forget_me if @current_user.is_a? User + @current_user = false # not logged in, and don't do it for me + kill_remember_cookie! # Kill client-side auth cookie + session[:user_id] = nil # keeps the session but kill our variable + # explicitly kill any other session variables you set + end - # gets BASIC auth info - def get_auth_data - auth_key = @@http_auth_headers.detect { |h| request.env.has_key?(h) } - auth_data = request.env[auth_key].to_s.split unless auth_key.blank? - return auth_data && auth_data[0] == 'Basic' ? Base64.decode64(auth_data[1]).split(':')[0..1] : [nil, nil] + # The session should only be reset at the tail end of a form POST -- + # otherwise the request forgery protection fails. It's only really necessary + # when you cross quarantine (logged-out to logged-in). + def logout_killing_session! + logout_keeping_session! + reset_session end + + # + # Remember_me Tokens + # + # Cookies shouldn't be allowed to persist past their freshness date, + # and they should be changed at each login + + # Cookies shouldn't be allowed to persist past their freshness date, + # and they should be changed at each login + + def valid_remember_cookie? + return nil unless @current_user + (@current_user.remember_token?) && + (cookies[:auth_token] == @current_user.remember_token) + end + + # Refresh the cookie auth token if it exists, create it otherwise + def handle_remember_cookie! new_cookie_flag + return unless @current_user + case + when valid_remember_cookie? then @current_user.refresh_token # keeping same expiry date + when new_cookie_flag then @current_user.remember_me + else @current_user.forget_me + end + send_remember_cookie! + end + + def kill_remember_cookie! + cookies.delete :auth_token + end + + def send_remember_cookie! + cookies[:auth_token] = { + :value => @current_user.remember_token, + :expires => @current_user.remember_token_expires_at } + end + end lib/authenticated_system.rb @@ -1,10 +1,20 @@ module AuthenticatedTestHelper # Sets the current user in the session from the user fixtures. def login_as(user) - @request.session[:user] = user ? users(user).id : nil + @request.session[:user_id] = user ? users(user).id : nil end def authorize_as(user) - @request.env["HTTP_AUTHORIZATION"] = user ? "Basic #{Base64.encode64("#{users(user).login}:test")}" : nil + @request.env["HTTP_AUTHORIZATION"] = user ? ActionController::HttpAuthentication::Basic.encode_credentials(users(user).login, 'monkey') : nil end -end \ No newline at end of file + + # rspec + def mock_user + user = mock_model(User, :id => 1, + :login => 'user_name', + :name => 'U. Surname', + :to_xml => "User-in-XML", :to_json => "User-in-JSON", + :errors => []) + user + end +end lib/authenticated_test_helper.rb @@ -1,3 +1,10 @@ +# To use the Bootstrap Rake task for you own application create +# yaml files in db/bootstrap containing your data. +# +# E.g. to fill the 'users' table, create the yaml file db/bootstrap/users.yml +# +# Next, run 'rake db:bootstrap' to re-initialize your database. +# namespace :db do desc "Recreates the development database and loads the bootstrap fixtures from db/boostrap." task :bootstrap do |task_args| @@ -6,14 +13,7 @@ namespace :db do require 'rubygems' unless Object.const_defined?(:Gem) %w(environment db:drop db:create db:migrate db:bootstrap:load tmp:create).each { |t| Rake::Task[t].execute task_args} - - puts - puts '=' * 80 - puts - puts "You've been bootstrapped!" - puts - puts "Enjoy!" - puts + end namespace :bootstrap do lib/tasks/bootstrap.rake config/initializers/gravatar.rb db/bootstrap/roles.yml db/bootstrap/roles_users.yml db/bootstrap/settings.yml db/bootstrap/users.yml db/migrate/20080101000001_create_users.rb db/migrate/20080101000002_create_profiles.rb db/migrate/20080101000003_create_roles.rb db/migrate/20080101000004_add_user_reset_password_code.rb db/migrate/20080101000005_create_settings.rb f0871d848857e63a3606a4df88094af53ce410fc Ariejan de Vroom ariejan@ariejan.net http://github.com/ariejan/baseapp/commit/4f78db2bd290c00acdc2c98f130d6eb78adcfa04 4f78db2bd290c00acdc2c98f130d6eb78adcfa04 2008-10-23T03:43:20-07:00 2008-10-23T03:43:20-07:00 Enabled OpenID sign up and login and made minor changes to the view be872307b3bcb4c043586b4d6dbb22c13c9f075a Ariejan de Vroom ariejan@ariejan.net