| Description: | Rails authentication with email & password. |
-
Sign out should use redirect_back_or
0 comments Created 5 months ago by dancroak
features
Need test & implementation.
Comments
-
user changes his email, a confirmation email should be sent
0 comments Created 5 months ago by dancroak
features
From Mustafa Ekim via the mailing list.
Comments
-
Use a config file instead of HOST and DO_NOT_REPLY constants
0 comments Created 5 months ago by samg
I find it odd having to define constants in environment files as part of the config. I've updated my fork (samg/clearance) to use a config/clearance.yml file instead of HOST and DO_NOT_REPLY constants. This seems more in keeping with rails conventions, and more maintainable since it centralizes the engine's config.
All tests and features pass, and I've updated README.textile, and the generator README to reflect this configuration method.
(sorry for the pull request. missed that in the readme)
Comments
-
Do not allow unconfirmed users to clear the token
0 comments Created 5 months ago by mike-burns
features
User#clear_token should raise unless email_confirmed?.
Comments
-
Just like the title says, Clearance routes are loaded before the app routes if ActiveSupport::Inflector.inflections is called. Issue occurs even if the block passed to #inflections is empty.
Clearly this is a problem in ActiveSupport or ActionPack (or both), but I'm stretching my knowledge of Rails internals, so maybe someone else can dig around and see what's what.
I'm running Rails 2.3.2 and Clearance 0.6.7.
Steps to reproduce:
- Create a fresh Rails 2.3.2 app
- Install Clearance like normal (add gem dependency to environment.rb, unpack to vendor/gems, script/generate clearance)
- rake db:migrate
- Open config/initializers/inflections.rb and change it to the following:

      # Be sure to restart your server when you modify this file.

      # Add new inflection rules using the following format
      # (all these examples are active by default):
      ActiveSupport::Inflector.inflections do |inflect|
      #   inflect.plural /^(ox)$/i, '\1en'
      #   inflect.singular /^(ox)en/i, '\1'
      #   inflect.irregular 'person', 'people'
      #   inflect.uncountable %w( fish sheep )
      end

- Add a route to config/routes.rb
- rake routes ... the route added in step 5 will be at the bottom.
Chris
Comments
Okay, looks like the problem is with the Clearance RouteSet hack. The router uses alias_method_chain around ActiveSupport::Inflector.inflections to reload the routes anytime #inflections is called, and I'm guessing when the reload occurs the routes are loaded in the default order. I haven't yet figured out where/why that happens though.
I'll continue to investigate.
Chris
This patch seems to fix the issue for me:
--- a/lib/clearance/extensions/routes.rb +++ b/lib/clearance/extensions/routes.rb @@ -2,9 +2,10 @@ class ActionController::Routing::RouteSet def load_routes_with_clearance! lib_path = File.dirname(__FILE__) clearance_routes = File.join(lib_path, *%w[.. .. .. config clearance_routes.rb]) - unless configuration_files.include?(clearance_routes) - add_configuration_file(clearance_routes) - end + + configuration_files.delete(clearance_routes) + add_configuration_file(clearance_routes) + load_routes_without_clearance! end
I still haven't figured out where this happens, but the order in which configuration_files is iterated over changes when reload! is called. This patch deletes the clearance_routes.rb file and adds it to the configuration_files array each time load_routes! is called, ensuring it's always at the end.
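Review bot: nothing near `configuration_files.delete(clearance_routes)` says why the file is removed and re-added on every call to load_routes_with_clearance!, and the change carries no test. Add a comment that clearance_routes.rb has to stay the last entry in configuration_files so the application's routes are loaded first, plus a test that triggers a route reload and asserts the file is still last. The fix also assumes add_configuration_file appends to the end of the list, which these lines do not show.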
A hack so closely tied to Rails internals should really have some tests. I tried to write one for this issue but wasn't able to get it working. Maybe someone with more Router experience can tackle that?
Chris
@yaychris
I ran into the same problem you cite. I have an inflection the app cannot live without. I implemented your patch and the system now works. Thank you for posting your solution.
I ask the Clearance people to implement this patch in the future. Thanks.
I also saw this issue in a particularly nasty interaction between Clearance and ActiveMerchant (which adds a couple Inflections under the covers).
rsanheim!!!! oh my god, your comment is exactly what is happening to me right now. It's driving me nuts. I'm going to try that patch. I'll update too.
I tried this patch and it didn't work with AM and Clearance. try again in the morning.
update: this issue happened to me because I left the AM information outside of the after_initialize method. if you are having weird redirection issues, check your after_initialize methods and that you don't have code outside of it, that should be inside.
-
Hi,
I needed to have HTTP authentication on current project using Clearance, and discovered Clearance does not provide it. I implemented it as following patch:
Does adding a feature like this make sense to you?
(Note: I've tried to implement it directly to Clearance, but have not found an obvious way where to put the tests. I could not persuade AccountsControllerTest to have access to User or Factory(:email_confirmed_user) etc and had to give up.)
Comments
joergbattermann
Tue Sep 01 06:28:16 -0700 2009
Yep agreed. Clearance is awesome, but no http auth is a showstopper for most of my customers' projects. +1
Can Rack::Auth be used instead of altering Clearance?
http://rack.rubyforge.org/doc/Rack/Auth/Basic.html
http://www.sinatrarb.com/faq.html#auth
https://sinatra.lighthouseapp.com/projects/9779/tickets/16-patch-http-authentication
If not, why?
Hello Dan,
I think the main reason here is convenience. When it's built-in, we get HTTP-Auth for non-HTML requests automatically, quite transparently, and stupidly easy.
To use Rack::Auth::Basic middleware for this in Rails, one has to do (and please correct me if I'm mistaken!!):
- Add the middleware somewhere in the stack
- Intercept calls to non-HTML requests, do the ::User.authenticate(login, password) authentication,
- somehow (?) set the @_current_user variable to be available for controllers
Again, correct me if I'm wrong. I haven't tried it, I am just thinking aloud.
Of course, I completely understand the need to keep Clearance lean. I just think the lack of HTTP-Auth for non-HTML requests is something which puts unnecessary burden on the library users -- and more so, if they're beginners etc.
(Now, Sinatra is obviously another story. You expect to operate much closer to the metal.)
Karel
-
password_confirmation validation never fires
2 comments Created 3 months ago by mkrisher
looks like password_confirmation validation is not fired when a password is present because of the password_required if conditional:

    validates_presence_of :password, :if => :password_required?
    validates_confirmation_of :password, :if => :password_required?

should rather validate if password is not blank, versus password_required right?
Unit test example:

    def test_password_confirmation_is_never_checked
      unimportant = { :email => "someone@somewhere.com", :email_confirmed => true }
      @user = User.new(
        unimportant.merge(:password => 'password',
                          :password_confirmation => 'not_password'))
      assert @user.valid?
    end

Comments
dutchrapley
Sat Aug 08 12:31:55 -0700 2009
you're asserting that @user is valid

    assert @user.valid?

but your test fails b/c the user is not valid since 'password' is not equal to 'notpassword'
i believe your test is doing its job
shouldn't the test assert that @user is not valid?

    assert !@user.valid?

sorry, that is a bad test example. The point being that you may want to check that a password field and a confirmed password match, regardless of if the password is a required field, for example when updating a password and encrypted_password already exists.
-
Named routes not used in redirect and link_to
0 comments Created 2 months ago by tonkapark
For clearance 0.7.0:
In app/views/sessions/new.html.erb and lib/clearance/authentication.rb the old routes are still used. For aesthetics they should be changed to new named routes, sign_in_url and sign_up_path
Suggested changes in my fork
http://github.com/tonkapark/clearance/commit/21955077256a197751af6a6c5af89a55eb3ac334
Comments
-
make sure all methods in Clearance::Authentication are not callable
0 comments Created 2 months ago by dancroak
Figure out how to write this test. Look at how Rails tests hide_action.
Comments
-
Add skip_before_filter :authenticate on the appropriate clearance controllers
1 comment Created about 1 month ago by matthewford
So I don't have to override them when I add before_filter :authenticate in my application controller.
Comments
matthewford
Thu Sep 17 05:01:14 -0700 2009
-
Ping pong sessions for one user and multiple machines
1 comment Created about 1 month ago by rmm5t
Please pull this branch.
http://github.com/rmm5t/clearance/commits/fixing_ping_pong_sessions
This is in reference to the recent clearance google groups thread:
http://groups.google.com/group/thoughtbot-clearance/browse_thread/thread/d071ae84573e40ff
This includes:
- Deprecated User#remember_me! for User#reset_remember_token!
- Removed User#initialize_confirmation_token from before_save; added #generate_confirmation_token to before_create
- Reset the remember_token on sign out instead of sign in
This also includes the "global sign out" feature. I stuck it in there simply because there was already a controller test that expected the sign out to reset the remember_token; it just wasn't testing it correctly before. Plus I'm partial to the feature. If it's a problem, it's easy to change. Just remove the call to reset_remember_token! in Clearance::Authentication::InstanceMethods#signout.
Comments
+1 on pulling in this patch. We're experiencing the same problems with session ping pong.
Specifically, when we have a staging server set up for a project, we often have a single standard user account that developers and the client may be using at the same time, testing out features. This produces the highly-unexpected behavior of being logged out between page requests.
-
It can be done in two ways:
1) Create the corresponding haml templates from the erbs and basically accept an additional command-line argument from the user when generating views. So, for generating haml templates the command would become:

    script/generate clearance_views haml

This would basically copy the files over from templates/haml/formtastic to the appropriate location in the application.
2) Generate the haml templates from the corresponding erb templates on the fly by employing nifty html2haml.
Well, I have already implemented the first one as it is quite easy but my proclivity is towards the second one. I would like to take Dan's opinion on this one.
Comments
-
User can log in as another user if passwords are the same
3 comments Created about 1 month ago by toastyapps
To recreate, simply create two users with the same password and log both users in on the same day with the remember me option selected. Because the remember_me token is only encrypt("--#{Time.now.utc}--#{password}--") and neither of these values are unique the tokens will clash.
We actually had this problem occur on one of our servers....
Comments
toastyapps
Thu Oct 08 14:25:44 -0700 2009
A suggested fix would be to do something like this instead

    encrypt("--#{Time.now.utc}--#{email}--#{password}--")

as email should be unique

Users would have to login at the same second, not day… But yeah, this looks like a security issue. I suggest hashing the timestamp, email and salt—password is not a good choice since it's non-unique.
toastyapps
Fri Oct 09 06:33:31 -0700 2009
It seems like part of our problem was we had done this in our initializers

    Time::DATE_FORMATS[:default] = '%m/%d/%Y'

but still like you mentioned timestamp, email, and salt would all be better in terms of security. -
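The collision reported in this issue, reproduced as an added example (not code from Clearance or from the thread). `encrypt` here is a stand-in SHA-1 digest, the users and timestamps are constructed, and `random_token` is a hardened alternative that goes beyond the fixes proposed above.

```ruby
require "digest/sha1"
require "securerandom"

# Assumption: stand-in for the model's encrypt helper (plain SHA-1 hex digest).
def encrypt(string)
  Digest::SHA1.hexdigest(string)
end

# Token recipe quoted in the report. `format` mimics how the timestamp is
# rendered when it is interpolated into the string.
def reported_token(user, format)
  encrypt("--#{user[:at].strftime(format)}--#{user[:password]}--")
end

# Variant proposed in the first comment: mix in the unique email.
def email_token(user, format)
  encrypt("--#{user[:at].strftime(format)}--#{user[:email]}--#{user[:password]}--")
end

# Hardened alternative (not from the thread): 256 random bits, so the token
# does not depend on the clock, the password, or any other user-supplied value.
def random_token
  SecureRandom.hex(32)
end

def collision?(a, b, format, recipe = :reported_token)
  send(recipe, a, format) == send(recipe, b, format)
end

SECOND_FORMAT = "%Y-%m-%d %H:%M:%S UTC" # one-second resolution
DATE_FORMAT   = "%m/%d/%Y"              # the initializer override from the thread

# Constructed sample users: same password, different sign-in times.
ALICE = { email: "alice@example.com", password: "hunter2", at: Time.utc(2009, 10, 8, 9, 15, 0) }
BOB   = { email: "bob@example.com",   password: "hunter2", at: Time.utc(2009, 10, 8, 17, 40, 12) }
CAROL = { email: "carol@example.com", password: "hunter2", at: Time.utc(2009, 10, 8, 9, 15, 0) }

if __FILE__ == $PROGRAM_NAME
  puts "date-only, same day:      #{collision?(ALICE, BOB, DATE_FORMAT)}"     # true
  puts "per-second, hours apart:  #{collision?(ALICE, BOB, SECOND_FORMAT)}"   # false
  puts "per-second, same second:  #{collision?(ALICE, CAROL, SECOND_FORMAT)}" # true
  puts "email mixed in, same day: #{collision?(ALICE, BOB, DATE_FORMAT, :email_token)}" # false
  puts "random tokens differ:     #{random_token != random_token}"            # true
end
```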
Well i officially don't know why this isn't working, even after the wiki update for the wonky route that was screwing me up before....

    class SessionsController < Clearance::SessionsController
      # ssl_required :new

      private

      def url_after_create
        some_wicked_path
      end
    end

and in the routes i have

    map.session 'session', :controller => 'sessions', :action => 'create'

I'm not sure why this isn't working. i thought this is all i had to do after i read the wiki entry under usage. One day when i was messing around with the Clearance_routes.rb file, it started to work, because i changed clearance_routes to routes and got rid of the extensions/routes.rb file... Just to see what would happen.
So i was excited when i saw this functionality work, but in a new 0.7.0 version of clearance gem, it doesn't work for me. thoughts?
Comments
What version of Rails are you on?
Your config/routes.rb should also be:

    map.resource :session, :controller => 'sessions', :only => [:new, :create, :destroy]

-
hi another issue i'd like to report, can i put clearance controllers into https://?
i tried simply adding

    class SessionsController < Clearance::SessionsController
      ssl_required :new
    end

into the controller but no dice. i didn't want to hack the gem yet either. wondering if it's possible?
Comments











