@@ -8,8 +8,8 @@ authentication: * Account approval / disabling by admin * Rudimentary hooks for authorization and access control. -Several features were updated in May, 2008. -* "Stable newer version":http://github.com/technoweenie/restful-authentication/tree/master +Several features were updated in May, 2008. +* "Stable newer version":http://github.com/technoweenie/restful-authentication/tree/master * "'Classic' (backward-compatible) version":http://github.com/technoweenie/restful-authentication/tree/classic * "Experimental version":http://github.com/technoweenie/restful-authentication/tree/modular (Much more modular, needs testing & review) @@ -54,7 +54,7 @@ These best version of the release notes are in the notes/ directory in the "source code":http://github.com/technoweenie/restful-authentication/tree/master -- look there for the latest version. The wiki versions are taken (manually) from there. - + *************************************************************************** <a id="AWESOME"/> </a> @@ -62,14 +62,14 @@ h2. Exciting new features h3. Stories -There are now RSpec stories that allow expressive, enjoyable tests for the +There are now "Cucumber":http://wiki.github.com/aslakhellesoy/cucumber/home features that allow expressive, enjoyable tests for the authentication code. The flexible code for resource testing in stories was extended from "Ben Mabey's.":http://www.benmabey.com/2008/02/04/rspec-plain-text-stories-webrat-chunky-bacon/ h3. Modularize to match security design patterns: * Authentication (currently: password, browser cookie token, HTTP basic) -* Trust metric (email validation) +* Trust metric (email validation) * Authorization (stateful roles) * Leave a flexible framework that will play nicely with other access control / policy definition / trust metric plugins @@ -111,8 +111,8 @@ h2. Installation This is a basic restful authentication generator for rails, taken from acts as authenticated. Currently it requires Rails 1.2.6 or above. -**IMPORTANT FOR RAILS > 2.1 USERS** To avoid a @NameError@ exception ("lighthouse tracker ticket":http://rails_security.lighthouseapp.com/projects/15332-restful_authentication/tickets/2-not-a-valid-constant-name-errors#ticket-2-2), check out the code to have an _underscore_ and not _dash_ in its name: -* either use <code>git clone git://github.com/technoweenie/restful-authentication.git restful_authentication</code> +**IMPORTANT FOR RAILS > 2.1 USERS** To avoid a @NameError@ exception ("lighthouse tracker ticket":http://rails_security.lighthouseapp.com/projects/15332-restful_authentication/tickets/2-not-a-valid-constant-name-errors#ticket-2-2), check out the code to have an _underscore_ and not _dash_ in its name: +* either use <code>git clone git://github.com/technoweenie/restful-authentication.git restful_authentication</code> * or rename the plugin's directory to be <code>restful_authentication</code> after fetching it. To use the generator: @@ -140,19 +140,19 @@ To use the generator: activation code. (@--stateful@ implies @--include-activation@). Based on the idea at [[http://www.vaporbase.com/postings/stateful_authentication]]. Passing @--skip-migration@ will skip the user migration, and @--skip-routes@ will skip - resource generation -- both useful if you've already run this generator. + resource generation -- both useful if you've already run this generator. (Needs the "acts_as_state_machine plugin":http://elitists.textdriven.com/svn/plugins/acts_as_state_machine/, but new installs should probably run with @--aasm@ instead.) * --aasm: Works the same as stateful but uses the "updated aasm gem":http://github.com/rubyist/aasm/tree/master - + * --rspec: Generate RSpec tests and Stories in place of standard rails tests. This requires the "RSpec and Rspec-on-rails plugins":http://rspec.info/ (make sure you "./script/generate rspec" after installing RSpec.) The rspec and story suite are much more thorough than the rails tests, and changes are unlikely to be backported. - + * --old-passwords: Use the older password scheme (see [[#COMPATIBILITY]], above) * --skip-migration: Don't generate a migration file for this model @@ -169,30 +169,30 @@ alter to suit. There are additional security minutae in @notes/README-Tradeoffs@ * Add these familiar login URLs to your @config/routes.rb@ if you like: - <pre><code> - map.signup '/signup', :controller => 'users', :action => 'new' + <pre><code> + map.signup '/signup', :controller => 'users', :action => 'new' map.login '/login', :controller => 'session', :action => 'new' - map.logout '/logout', :controller => 'session', :action => 'destroy' + map.logout '/logout', :controller => 'session', :action => 'destroy' </code></pre> * With @--include-activation@, also add to your @config/routes.rb@: - <pre><code> - map.activate '/activate/:activation_code', :controller => 'users', :action => 'activate', :activation_code => nil - </code></pre> + <pre><code> + map.activate '/activate/:activation_code', :controller => 'users', :action => 'activate', :activation_code => nil + </code></pre> and add an observer to @config/environment.rb@: - - <pre><code> + + <pre><code> config.active_record.observers = :user_observer - </code></pre> + </code></pre> Pay attention, may be this is not an issue for everybody, but if you should have problems, that the sent activation_code does match with that in the database stored, reload your user object before sending its data through email something like: - <pre><code> + <pre><code> class UserObserver < ActiveRecord::Observer def after_create(user) user.reload @@ -207,16 +207,16 @@ alter to suit. There are additional security minutae in @notes/README-Tradeoffs@ * With @--stateful@, add an observer to config/environment.rb: - - <pre><code> + + <pre><code> config.active_record.observers = :user_observer </code></pre> - + and modify the users resource line to read - + map.resources :users, :member => { :suspend => :put, :unsuspend => :put, - :purge => :delete } + :purge => :delete } * If you use a public repository for your code (such as github, rubyforge, gitorious, etc.) make sure to NOT post your site_keys.rb (add a line like README.textile 2f7136a08fc6fb19fae7228074664e85f876e331 Bryan Ash bryan.a.ash@gmail.com http://github.com/technoweenie/restful-authentication/commit/dada879ae7b4ff77d5f5825056e7d1ba7601a033 dada879ae7b4ff77d5f5825056e7d1ba7601a033 2009-01-11T19:26:27-08:00 2009-01-11T19:26:27-08:00 Reference Cucumber instead of RSpec in README 9462ab3ed86cf2d2e641bbfc378a2313cd9543bd Bryan Ash bryan.a.ash@gmail.com