Fork of halorgium/mephisto
Description: A mirror of the mephisto code-base
Homepage: http://mephistoblog.com/
Clone URL: git://github.com/technoweenie/mephisto.git
update acts_as_auth usage, add cookie logins

git-svn-id: http://svn.techno-weenie.net/projects/mephisto/trunk@1513 
567b1171-46fb-0310-a4c9-b4bef9110e78
technoweenie (author)
Sun Aug 06 13:28:49 -0700 2006
commit  0c0e12ec1874c6718f48006b24a7fc53bfc26061
tree    5859f44ffdbc444bd7cc8b7a213a0434d2bbc724
parent  dd0a35c3b5642b444c5e36aa4a235d5c238481b8
...
1
2
 
3
4
5
...
9
10
11
12
 
 
 
 
 
13
14
15
...
19
20
21
 
 
22
23
24
...
1
2
3
4
5
6
...
10
11
12
 
13
14
15
16
17
18
19
20
...
24
25
26
27
28
29
30
31
0
@@ -1,5 +1,6 @@
0
 class AccountController < ApplicationController
0
   include AuthenticatedSystem
0
+ before_filter :login_from_cookie
0
   layout 'simple'
0
 
0
   def index
0
@@ -9,7 +10,11 @@ class AccountController < ApplicationController
0
   def login
0
     return unless request.post?
0
     self.current_user = User.authenticate(params[:login], params[:password])
0
- if current_user
0
+ if logged_in?
0
+ if params[:remember_me] == "1"
0
+ self.current_user.remember_me
0
+ cookies[:auth_token] = { :value => self.current_user.remember_token , :expires => self.current_user.remember_token_expires_at }
0
+ end
0
       redirect_back_or_default(:controller => '/admin/overview', :action => 'index')
0
       flash[:notice] = "Logged in successfully"
0
     else
0
@@ -19,6 +24,8 @@ class AccountController < ApplicationController
0
 
0
   def logout
0
     self.current_user = nil
0
+ cookies.delete :auth_token
0
+ reset_session
0
     flash[:notice] = "You have been logged out."
0
     redirect_back_or_default(:controller => 'mephisto', :action => 'list', :sections => [])
0
   end
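Review bot: The logout action deletes the auth_token cookie and resets the session but never clears the stored token, so a copy of the cookie taken earlier would presumably still be accepted by login_from_cookie until remember_token_expires_at passes. Calling the model's new forget_me before the user is dropped would revoke it on the server side: `self.current_user.forget_me if logged_in?`, placed ahead of `self.current_user = nil`. In the login action the cookie hash could also carry `:secure => true` if the admin area is served over HTTPS, which this page does not show.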
...
1
2
 
3
4
5
...
1
2
3
4
5
6
0
@@ -1,5 +1,6 @@
0
 class Admin::BaseController < ApplicationController
0
   include AuthenticatedSystem
0
+ before_filter :login_from_cookie
0
   before_filter :login_required, :except => :feed
0
 
0
   def find_templates_and_resources
...
21
22
23
24
 
25
26
27
...
42
43
44
45
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
46
47
48
...
21
22
23
 
24
25
26
27
...
42
43
44
 
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
0
@@ -21,7 +21,7 @@ class UserAuth < ActiveRecord::Base
0
   # Authenticates a user by their login name and unencrypted password. Returns the user or nil.
0
   def self.authenticate(login, password)
0
     u = find_by_login(login) # need to get the salt
0
- u.save and return u if u && u.authenticated?(password)
0
+ u && u.authenticated?(password) ? u : nil
0
   end
0
 
0
   # Encrypts some data with the salt.
0
@@ -42,7 +42,24 @@ class UserAuth < ActiveRecord::Base
0
     crypted_password == encrypt(password)
0
   end
0
 
0
- protected
0
+ def remember_token?
0
+ remember_token_expires_at && Time.now.utc < remember_token_expires_at
0
+ end
0
+
0
+ # These create and unset the fields required for remembering users between browser closes
0
+ def remember_me
0
+ self.remember_token_expires_at = 2.weeks.from_now.utc
0
+ self.remember_token = encrypt("#{email}--#{remember_token_expires_at}")
0
+ save(false)
0
+ end
0
+
0
+ def forget_me
0
+ self.remember_token_expires_at = nil
0
+ self.remember_token = nil
0
+ save(false)
0
+ end
0
+
0
+ protected
0
     def encrypt_password
0
       return if password.blank?
0
       self.salt = Digest::SHA1.hexdigest("--#{Time.now.to_s}--#{login}--") if new_record?
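Review bot: remember_me builds the token as `encrypt("#{email}--#{remember_token_expires_at}")`, so it is a deterministic function of the salt, the e-mail address and a timestamp rather than a random value; encrypt's body is outside the hunk, and its comment only says it encrypts data with the salt. Because the token alone logs a user in through find_by_remember_token, it should be unguessable and independent of account data, for example `self.remember_token = SecureRandom.hex(20)` on a Ruby that ships SecureRandom. The column also holds the usable token in clear, so storing only a digest of it and looking up by that digest would limit what a read of the users table exposes. `save(false)` skips validations in both remember_me and forget_me and deserves a one-line comment saying why; the protected section continues past the end of the hunk.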
...
7
8
9
10
11
 
 
12
13
14
...
7
8
9
 
 
10
11
12
13
14
0
@@ -7,8 +7,8 @@
0
     <dd><%= password_field_tag 'password', {}, :class => 'big' %></dd>
0
     <dt></dt>
0
     <dd>
0
- <%= check_box_tag 'user', 'remember_me' %>
0
- <label for="user">Remember Me</label>
0
+ <%= check_box_tag 'remember_me' %>
0
+ <label for="remember_me">Remember Me</label>
0
     </dd>
0
   </dl>
0
   <p class="btns"><%= submit_tag 'Sign in' %></p>
...
2
3
4
5
 
6
7
8
...
132
133
134
135
136
137
138
139
140
141
142
143
144
145
 
 
 
 
 
 
 
 
 
 
 
 
 
146
147
148
...
2
3
4
 
5
6
7
8
...
132
133
134
 
 
 
 
 
 
 
 
 
 
 
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
0
@@ -2,7 +2,7 @@
0
 # migrations feature of ActiveRecord to incrementally modify your database, and
0
 # then regenerate this schema definition.
0
 
0
-ActiveRecord::Schema.define(:version => 37) do
0
+ActiveRecord::Schema.define(:version => 38) do
0
 
0
   create_table "assigned_sections", :force => true do |t|
0
     t.column "article_id", :integer
0
@@ -132,17 +132,19 @@ ActiveRecord::Schema.define(:version => 37) do
0
   end
0
 
0
   create_table "users", :force => true do |t|
0
- t.column "login", :string, :limit => 40
0
- t.column "email", :string, :limit => 100
0
- t.column "crypted_password", :string, :limit => 40
0
- t.column "salt", :string, :limit => 40
0
- t.column "activation_code", :string, :limit => 40
0
- t.column "activated_at", :datetime
0
- t.column "created_at", :datetime
0
- t.column "updated_at", :datetime
0
- t.column "filters", :text
0
- t.column "deleted_at", :datetime
0
- t.column "parse_macros", :boolean
0
+ t.column "login", :string, :limit => 40
0
+ t.column "email", :string, :limit => 100
0
+ t.column "crypted_password", :string, :limit => 40
0
+ t.column "salt", :string, :limit => 40
0
+ t.column "activation_code", :string, :limit => 40
0
+ t.column "activated_at", :datetime
0
+ t.column "created_at", :datetime
0
+ t.column "updated_at", :datetime
0
+ t.column "filters", :text
0
+ t.column "deleted_at", :datetime
0
+ t.column "parse_macros", :boolean
0
+ t.column "remember_token", :string
0
+ t.column "remember_token_expires_at", :datetime
0
   end
0
 
0
 end
...
1
2
3
4
5
 
 
 
6
7
8
9
10
11
12
13
14
15
16
17
18
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
 
 
 
 
 
 
 
 
 
 
35
36
37
38
39
40
41
42
43
44
45
46
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
 
 
 
 
 
 
 
 
 
 
 
 
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
144
145
...
1
2
 
 
 
3
4
5
6
 
 
 
 
 
 
 
 
 
 
 
 
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
26
27
28
29
30
31
32
33
34
35
36
 
 
 
 
 
 
 
 
 
 
 
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
60
61
62
63
64
65
66
67
68
69
70
71
72
73
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
0
@@ -1,144 +1,98 @@
0
 module AuthenticatedSystem
0
   protected
0
- def logged_in?
0
- current_user
0
- end
0
+ def logged_in?
0
+ (@current_user ||= session[:user] ? User.find_by_id(session[:user]) : :false).is_a?(User)
0
+ end
0
 
0
- # accesses the current user from the session.
0
- # overwrite this to set how the current user is retrieved from the session.
0
- # To store just the whole user model in the session:
0
- #
0
- # def current_user
0
- # session[:user]
0
- # end
0
- #
0
- def current_user
0
- @current_user ||= session[:user] ? User.find_by_id(session[:user]) : nil
0
- @current_user ||= cookies[:user] ? User.find(:first, :conditions => ['activation_code = ? and activated_at is null', cookies[:user]]) : nil
0
- end
0
+ def current_user
0
+ @current_user if logged_in?
0
+ end
0
+
0
+ def current_user=(new_user)
0
+ session[:user] = (new_user.nil? || new_user.is_a?(Symbol)) ? nil : new_user.id
0
+ @current_user = new_user
0
+ end
0
+
0
+ def authorized?
0
+ true
0
+ end
0
+
0
+ def login_required
0
+ username, passwd = get_auth_data
0
+ self.current_user ||= User.authenticate(username, passwd) || :false if username && passwd
0
+ logged_in? && authorized? ? true : access_denied
0
+ end
0
 
0
- # store the given user in the session. overwrite this to set how
0
- # users are stored in the session. To store the whole user model, do:
0
- #
0
- # def current_user=(new_user)
0
- # session[:user] = new_user
0
- # end
0
- #
0
- def current_user=(new_user)
0
- session[:user] = new_user.nil? ? nil : new_user.id
0
- cookies[:user] = {
0
- :value => new_user ? new_user.make_activation_code : '',
0
- :expires => new_user ? 2.weeks.from_now : 2.weeks.ago
0
- } unless new_user.nil?
0
- @current_user = new_user
0
- end
0
+ def access_denied
0
+ respond_to do |accepts|
0
+ accepts.html do
0
+ store_location
0
+ redirect_to :controller=>"/account", :action =>"login"
0
+ end
0
+ accepts.xml { access_denied_with_basic_auth }
0
+ end
0
+ false
0
+ end
0
 
0
- # overwrite this if you want to restrict access to only a few actions
0
- # or if you want to check if the user has the correct rights
0
- # example:
0
- #
0
- # # only allow nonbobs
0
- # def authorize?(user)
0
- # user.login != "bob"
0
- # end
0
- def authorized?(user)
0
- true
0
- end
0
+ # store current uri in the session.
0
+ # we can return to this location by calling return_location
0
+ def store_location
0
+ session[:return_to] = request.request_uri
0
+ end
0
+
0
+ # move to the last store_location call or to the passed default one
0
+ def redirect_back_or_default(default)
0
+ session[:return_to] ? redirect_to_url(session[:return_to]) : redirect_to(default)
0
+ session[:return_to] = nil
0
+ end
0
+
0
+ def basic_auth_required
0
+ unless session[:user] = User.authenticate(*get_auth_data)
0
+ access_denied_with_basic_auth
0
+ end
0
+ end
0
+
0
+ # adds ActionView helper methods
0
+ def self.included(base)
0
+ base.send :helper_method, :current_user, :logged_in?
0
+ end
0
 
0
- # overwrite this method if you only want to protect certain actions of the controller
0
- # example:
0
- #
0
- # # don't protect the login and the about method
0
- # def protect?(action)
0
- # if ['action', 'about'].include?(action)
0
- # return false
0
- # else
0
- # return true
0
- # end
0
- # end
0
- def protect?(action)
0
- true
0
- end
0
-
0
- # To require logins, use:
0
- #
0
- # before_filter :login_required # restrict all actions
0
- # before_filter :login_required, :only => [:edit, :update] # only restrict these actions
0
- #
0
- # To skip this in a subclassed controller:
0
- #
0
- # skip_before_filter :login_required
0
- #
0
- def login_required
0
- # skip login check if action is not protected
0
- return true unless protect?(action_name)
0
-
0
- # check if user is logged in and authorized
0
- return true if logged_in? and authorized?(current_user)
0
-
0
- # store current location so that we can
0
- # come back after the user logged in
0
- store_location
0
-
0
- # call overwriteable reaction to unauthorized access
0
- access_denied and return false
0
- end
0
-
0
- # overwrite if you want to have special behavior in case the user is not authorized
0
- # to access the current operation.
0
- # the default action is to redirect to the login screen
0
- # example use :
0
- # a popup window might just close itself for instance
0
- def access_denied
0
- redirect_to :controller=>"/account", :action =>"login"
0
- end
0
-
0
- # store current uri in the session.
0
- # we can return to this location by calling return_location
0
- def store_location
0
- session[:return_to] = request.request_uri
0
- end
0
-
0
- # move to the last store_location call or to the passed default one
0
- def redirect_back_or_default(default)
0
- session[:return_to] ? redirect_to_url(session[:return_to]) : redirect_to(default)
0
- session[:return_to] = nil
0
- end
0
-
0
- def basic_auth_required(realm='Web Password', error_message="Could't authenticate you")
0
- username, passwd = get_auth_data
0
- # check if authorized
0
- # try to get user
0
- unless session[:user] = User.authenticate(username, passwd)
0
- # the user does not exist or the password was wrong
0
- headers["Status"] = "Unauthorized"
0
- headers["WWW-Authenticate"] = "Basic realm=\"#{realm}\""
0
- render :text => error_message, :status => '401 Unauthorized'
0
- end
0
- end
0
-
0
- # adds ActionView helper methods
0
- def self.included(base)
0
- base.send :helper_method, :current_user, :logged_in?
0
- end
0
+ # When called with before_filter :login_from_cookie will check for an :auth_token
0
+ # cookie and log the user back in if apropriate
0
+ def login_from_cookie
0
+ return unless cookies[:auth_token] && !logged_in?
0
+ user = User.find_by_remember_token(cookies[:auth_token])
0
+ if user && user.remember_token?
0
+ user.remember_me
0
+ self.current_user = user
0
+ cookies[:auth_token] = { :value => self.current_user.remember_token , :expires => self.current_user.remember_token_expires_at }
0
+ flash[:notice] = "Logged in successfully"
0
+ end
0
+ end
0
 
0
   private
0
- # gets BASIC auth info
0
- def get_auth_data
0
- user, pass = '', ''
0
- # extract authorisation credentials
0
- if request.env.has_key? 'X-HTTP_AUTHORIZATION'
0
- # try to get it where mod_rewrite might have put it
0
- authdata = request.env['X-HTTP_AUTHORIZATION'].to_s.split
0
- elsif request.env.has_key? 'HTTP_AUTHORIZATION'
0
- # this is the regular location
0
- authdata = request.env['HTTP_AUTHORIZATION'].to_s.split
0
- end
0
-
0
- # at the moment we only support basic authentication
0
- if authdata and authdata[0] == 'Basic'
0
- user, pass = Base64.decode64(authdata[1]).split(':')[0..1]
0
- end
0
- return [user, pass]
0
- end
0
+ def access_denied_with_basic_auth
0
+ headers["Status"] = "Unauthorized"
0
+ headers["WWW-Authenticate"] = %(Basic realm="Web Password")
0
+ render :text => "Could't authenticate you", :status => '401 Unauthorized'
0
+ end
0
+
0
+ # gets BASIC auth info
0
+ def get_auth_data
0
+ user, pass = '', ''
0
+ # extract authorisation credentials
0
+ if request.env.has_key? 'X-HTTP_AUTHORIZATION'
0
+ # try to get it where mod_rewrite might have put it
0
+ authdata = request.env['X-HTTP_AUTHORIZATION'].to_s.split
0
+ elsif request.env.has_key? 'HTTP_AUTHORIZATION'
0
+ # this is the regular location
0
+ authdata = request.env['HTTP_AUTHORIZATION'].to_s.split
0
+ end
0
+
0
+ # at the moment we only support basic authentication
0
+ if authdata && authdata[0] == 'Basic'
0
+ user, pass = Base64.decode64(authdata[1]).split(':')[0..1]
0
+ end
0
+ return [user, pass]
0
+ end
0
 end
0
\ No newline at end of file
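Review bot: In get_auth_data, `Base64.decode64(authdata[1]).split(':')[0..1]` discards everything after a second colon, so a Basic-auth password that contains ':' can never match; `split(':', 2)` keeps the remainder as the password. A header of just `Basic` with no credentials leaves authdata[1] nil, which looks like it would raise inside decode64 instead of producing a 401, so a guard such as `authdata[1] &&` would help. The `'', ''` defaults also make the `if username && passwd` guard in login_required always true, since empty strings are truthy in Ruby, and User.authenticate('', '') then runs on every unauthenticated request; `unless username.blank? || passwd.blank?` states the intent.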
...
9
10
11
 
 
12
13
14
...
9
10
11
12
13
14
15
16
0
@@ -9,6 +9,8 @@ quentin:
0
   updated_at: <%= 5.days.ago.to_s :db %>
0
   filters: "--- \n- :textile_filter\n"
0
   parse_macros: true
0
+ remember_token: quentintoken
0
+ remember_token_expires_at: <%= 5.days.from_now %>
0
   # activated_at: <%= 5.days.ago.to_s :db %> # only if you're activating new signups
0
 arthur:
0
   id: 2
...
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
...
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
 
 
 
 
72
73
74
75
76
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
77
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
78
...
20
21
22
 
23
24
25
26
27
28
 
29
30
31
32
33
34
 
35
36
37
...
43
44
45
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
46
47
48
49
50
 
 
 
 
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
0
@@ -20,21 +20,18 @@ class AccountControllerTest < Test::Unit::TestCase
0
   def test_should_login_and_redirect
0
     post :login, :login => 'quentin', :password => 'quentin'
0
     assert session[:user]
0
- assert cookies['user']
0
     assert_redirected_to :controller => 'admin/overview', :action => 'index'
0
   end
0
 
0
   def test_should_fail_login_and_not_redirect
0
     post :login, :login => 'quentin', :password => 'bad password'
0
     assert_nil session[:user]
0
- assert_nil cookies['user']
0
     assert_response :success
0
   end
0
 
0
   def test_should_fail_login_for_disabled_user_and_not_redirect
0
     post :login, :login => 'aaron', :password => 'arthur'
0
     assert_nil session[:user]
0
- assert_nil cookies['user']
0
     assert_response :success
0
   end
0
 
0
@@ -46,33 +43,55 @@ class AccountControllerTest < Test::Unit::TestCase
0
     assert_response :redirect
0
   end
0
 
0
- # Uncomment if you're activating new user accounts
0
- #
0
- # def test_should_activate_user
0
- # assert_nil User.authenticate('arthur', 'arthur')
0
- # get :activate, :id => users(:arthur).activation_code
0
- # assert_equal users(:arthur), User.authenticate('arthur', 'arthur')
0
- # end
0
- #
0
- # def test_should_activate_user_and_send_activation_email
0
- # get :activate, :id => users(:arthur).activation_code
0
- # assert_equal 1, @emails.length
0
- # assert(@emails.first.subject =~ /Your account has been activated/)
0
- # assert(@emails.first.body =~ /#{assigns(:user).login}, your account has been activated/)
0
- # end
0
- #
0
- # def test_should_send_activation_email_after_signup
0
- # create_user
0
- # assert_equal 1, @emails.length
0
- # assert(@emails.first.subject =~ /Please activate your new account/)
0
- # assert(@emails.first.body =~ /Username: quire/)
0
- # assert(@emails.first.body =~ /Password: quire/)
0
- # assert(@emails.first.body =~ /account\/activate\/#{assigns(:user).activation_code}/)
0
- # end
0
+ def test_should_remember_me
0
+ post :login, :login => 'quentin', :password => 'quentin', :remember_me => "1"
0
+ assert_not_nil @response.cookies["auth_token"]
0
+ end
0
 
0
- protected
0
- def create_user(options = {})
0
- post :signup, :user => { :login => 'quire', :email => 'quire@example.com',
0
- :password => 'quire', :password_confirmation => 'quire' }.merge(options)
0
+ def test_should_not_remember_me
0
+ post :login, :login => 'quentin', :password => 'quentin', :remember_me => "0"
0
+ assert_nil cookies[:auth_token]
0
+ end
0
+
0
+ def test_should_delete_token_on_logout
0
+ login_as :quentin
0
+ get :logout
0
+ assert_equal @response.cookies["auth_token"], []
0
+ end
0
+
0
+ def test_should_login_with_cookie
0
+ users(:quentin).remember_me
0
+ @request.cookies["auth_token"] = cookie_for(:quentin)
0
+ get :index
0
+ assert @controller.send(:logged_in?)
0
   end
0
+
0
+ def test_should_fail_cookie_login
0
+ users(:quentin).remember_me
0
+ users(:quentin).update_attribute :remember_token_expires_at, 5.minutes.ago.utc
0
+ @request.cookies["auth_token"] = cookie_for(:quentin)
0
+ get :index
0
+ assert !@controller.send(:logged_in?)
0
+ end
0
+
0
+ def test_should_fail_cookie_login
0
+ users(:quentin).remember_me
0
+ @request.cookies["auth_token"] = auth_token('invalid_auth_token')
0
+ get :index
0
+ assert !@controller.send(:logged_in?)
0
+ end
0
+
0
+ protected
0
+ def auth_token(token)
0
+ CGI::Cookie.new('name' => 'auth_token', 'value' => token)
0
+ end
0
+
0
+ def cookie_for(user)
0
+ auth_token users(user).remember_token
0
+ end
0
+
0
+ def create_user(options = {})
0
+ post :signup, :user => { :login => 'quire', :email => 'quire@example.com',
0
+ :password => 'quire', :password_confirmation => 'quire' }.merge(options)
0
+ end
0
 end
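Review bot: Two tests are both named test_should_fail_cookie_login, and in Ruby the second definition replaces the first, so the expired-token case (the one that sets remember_token_expires_at to 5.minutes.ago.utc) never runs. Expiry enforcement in remember_token? is therefore untested even though the suite appears to cover it. Distinct names fix it, e.g. `def test_should_fail_expired_cookie_login` and `def test_should_fail_invalid_cookie_login`.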
...
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
...
73
74
75
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
76
77
78
...
87
88
89
90
 
91
92
93
94
95
 
 
96
97
98
99
100
101
102
103
104
105
106
107
108
109
 
 
 
 
 
 
 
 
 
 
110
111
112
...
149
150
151
152
153
154
155
...
166
167
168
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
169
170
...
29
30
31
 
 
 
 
 
 
 
 
 
 
32
33
34
...
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
...
115
116
117
 
118
119
 
 
 
 
120
121
122
123
 
 
 
 
 
 
 
 
 
 
 
 
124
125
126
127
128
129
130
131
132
133
134
135
136
...
173
174
175
 
176
177
178
...
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
0
@@ -29,16 +29,6 @@ class Test::Unit::TestCase
0
     @request.host = hostname
0
   end
0
 
0
- def assert_difference(object, method = nil, difference = 1)
0
- initial_value = object.send(method)
0
- yield
0
- assert_equal initial_value + difference, object.send(method), "#{object}##{method}"
0
- end
0
-
0
- def assert_no_difference(object, method, &block)
0
- assert_difference object, method, 0, &block
0
- end
0
-
0
   def assert_event_created(mode)
0
     assert_difference Event, :count do
0
       event = yield
0
@@ -73,6 +63,44 @@ class Test::Unit::TestCase
0
   # Sets the current user in the session from the user fixtures.
0
   def login_as(user)
0
     @request.session[:user] = user ? users(user).id : nil
0
+ if block_given?
0
+ yield
0
+ reset!
0
+ end
0
+ end
0
+
0
+ def content_type(type)
0
+ @request.env['Content-Type'] = type
0
+ end
0
+
0
+ def accept(accept)
0
+ @request.env["HTTP_ACCEPT"] = accept
0
+ end
0
+
0
+ def authorize_as(user)
0
+ if user
0
+ @request.env["HTTP_AUTHORIZATION"] = "Basic #{Base64.encode64("#{users(user).login}:test")}"
0
+ accept 'application/xml'
0
+ content_type 'application/xml'
0
+ else
0
+ @request.env["HTTP_AUTHORIZATION"] = nil
0
+ accept nil
0
+ content_type nil
0
+ end
0
+ if block_given?
0
+ yield
0
+ reset!
0
+ end
0
+ end
0
+
0
+ def assert_difference(object, method = nil, difference = 1)
0
+ initial_value = object.send(method)
0
+ yield
0
+ assert_equal initial_value + difference, object.send(method), "#{object}##{method}"
0
+ end
0
+
0
+ def assert_no_difference(object, method, &block)
0
+ assert_difference object, method, 0, &block
0
   end
0
 
0
   def login_with_cookie_as(user)
0
@@ -87,26 +115,22 @@ class Test::Unit::TestCase
0
 
0
   # Assert the block redirects to the login
0
   #
0
- # assert_requires_login(:bob) { get :edit, :id => 1 }
0
+ # assert_requires_login(:bob) { |c| c.get :edit, :id => 1 }
0
   #
0
- def assert_requires_login(user = nil, &block)
0
- login_as(user) if user
0
- block.call
0
- assert_redirected_to :controller => 'account', :action => 'login'
0
+ def assert_requires_login(login = nil)
0
+ yield HttpLoginProxy.new(self, login)
0
   end
0
 
0
- # Assert the block accepts the login
0
- #
0
- # assert_accepts_login(:bob) { get :edit, :id => 1 }
0
- #
0
- # Accepts anonymous logins:
0
- #
0
- # assert_accepts_login { get :list }
0
- #
0
- def assert_accepts_login(user = nil, &block)
0
- login_as(user) if user
0
- block.call
0
- assert_response :success
0
+ def assert_http_authentication_required(login = nil)
0
+ yield XmlLoginProxy.new(self, login)
0
+ end
0
+
0
+ def reset!(*instance_vars)
0
+ instance_vars = [:controller, :request, :response] unless instance_vars.any?
0
+ instance_vars.collect! { |v| "@#{v}".to_sym }
0
+ instance_vars.each do |var|
0
+ instance_variable_set(var, instance_variable_get(var).class.new)
0
+ end
0
   end
0
 
0
   def prepare_theme_fixtures
0
@@ -149,7 +173,6 @@ class ActionController::Integration::Session
0
   def login_as(login)
0
     post '/account/login', :login => login, :password => login
0
     assert request.session[:user]
0
- assert cookies['user']
0
     assert redirect?
0
   end
0
 
0
@@ -166,4 +189,52 @@ class ActionController::Integration::Session
0
     assert_redirected_to(url)
0
     follow_redirect!
0
   end
0
+end
0
+
0
+class BaseLoginProxy
0
+ attr_reader :controller
0
+ attr_reader :options
0
+ def initialize(controller, login)
0
+ @controller = controller
0
+ @login = login
0
+ end
0
+
0
+ private
0
+ def authenticated
0
+ raise NotImplementedError
0
+ end
0
+
0
+ def check
0
+ raise NotImplementedError
0
+ end
0
+
0
+ def method_missing(method, *args)
0
+ @controller.reset!
0
+ authenticate
0
+ @controller.send(method, *args)
0
+ check
0
+ end
0
+end
0
+
0
+class HttpLoginProxy < BaseLoginProxy
0
+ protected
0
+ def authenticate
0
+ @controller.login_as @login if @login
0
+ end
0
+
0
+ def check
0
+ @controller.assert_redirected_to :controller => 'sessions', :action => 'new'
0
+ end
0
+end
0
+
0
+class XmlLoginProxy < BaseLoginProxy
0
+ protected
0
+ def authenticate
0
+ @controller.accept 'application/xml'
0
+ @controller.authorize_as @login if @login
0
+ end
0
+
0
+ def check
0
+ @controller.assert_response 401
0
+ end
0
 end
0
\ No newline at end of file
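Review bot: HttpLoginProxy#check asserts a redirect to `:controller => 'sessions', :action => 'new'`, while access_denied in AuthenticatedSystem in this same commit redirects to the "/account" controller's login action, so assert_requires_login would fail against the code as committed; `@controller.assert_redirected_to :controller => 'account', :action => 'login'` matches the previous helper. BaseLoginProxy also stubs a method named `authenticated` while method_missing calls `authenticate`, so the NotImplementedError stub is never reached and a subclass that forgets to define authenticate would recurse through method_missing instead; renaming the stub to `authenticate` fixes that. `attr_reader :options` is declared but @options is never assigned in the visible code.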
