git-svn-id: https://matlabulchifai.googlecode.com/svn/trunk@309 126f7…

…d6c-fee3-11dd-88c7-29a3b14d5316
chandanrekhi · Nov 13, 2009 · 88bfde4 · 88bfde4
1 parent fe37553
commit 88bfde4
Show file tree

Hide file tree

Showing 42 changed files with 3,140 additions and 275 deletions.
diff --git a/new/app/controllers/application_controller.rb b/new/app/controllers/application_controller.rb
@@ -4,6 +4,8 @@
 class ApplicationController < ActionController::Base
   helper :all # include all helpers, all the time
   protect_from_forgery # See ActionController::RequestForgeryProtection for details
+
+  include AuthenticatedSystem
 
   # Scrub sensitive parameters from your log
   # filter_parameter_logging :password

diff --git a/new/app/controllers/dashboard_controller.rb b/new/app/controllers/dashboard_controller.rb
@@ -0,0 +1,7 @@
+class DashboardController < ApplicationController
+  before_filter :login_required
+
+  def index
+  end
+
+end
diff --git a/new/app/controllers/sessions_controller.rb b/new/app/controllers/sessions_controller.rb
@@ -0,0 +1,43 @@
+# This controller handles the login/logout function of the site.  
+class SessionsController < ApplicationController
+  # Be sure to include AuthenticationSystem in Application Controller instead
+  include AuthenticatedSystem
+
+  # render new.rhtml
+  def new
+  end
+
+  def create
+    logout_keeping_session!
+    user = User.authenticate(params[:login], params[:password])
+    if user
+      # Protects against session fixation attacks, causes request forgery
+      # protection if user resubmits an earlier form using back
+      # button. Uncomment if you understand the tradeoffs.
+      # reset_session
+      self.current_user = user
+      new_cookie_flag = (params[:remember_me] == "1")
+      handle_remember_cookie! new_cookie_flag
+      redirect_back_or_default('/')
+      flash[:notice] = "Logged in successfully"
+    else
+      note_failed_signin
+      @login       = params[:login]
+      @remember_me = params[:remember_me]
+      render :action => 'new'
+    end
+  end
+
+  def destroy
+    logout_killing_session!
+    flash[:notice] = "You have been logged out."
+    redirect_back_or_default('/')
+  end
+
+protected
+  # Track failed login attempts
+  def note_failed_signin
+    flash[:error] = "Couldn't log you in as '#{params[:login]}'"
+    logger.warn "Failed login for '#{params[:login]}' from #{request.remote_ip} at #{Time.now.utc}"
+  end
+end
diff --git a/new/app/controllers/users_controller.rb b/new/app/controllers/users_controller.rb
@@ -0,0 +1,44 @@
+class UsersController < ApplicationController
+  # Be sure to include AuthenticationSystem in Application Controller instead
+  include AuthenticatedSystem
+
+
+  # render new.rhtml
+  def new
+    @user = User.new
+  end
+
+  def create
+    logout_keeping_session!
+    @user = User.new(params[:user])
+    user.activate!
+
+    success = @user && @user.save
+
+    if success && @user.errors.empty?
+      redirect_back_or_default('/')
+      flash[:notice] = "Thanks for signing up!  We're sending you an email with your activation code."
+    else
+      flash[:error]  = "We couldn't set up that account, sorry.  Please try again, or contact an admin (link is above)."
+      render :action => 'new'
+    end
+  end
+
+  def activate
+    logout_keeping_session!
+    user = User.find_by_activation_code(params[:activation_code]) unless params[:activation_code].blank?
+    case
+    when (!params[:activation_code].blank?) && user && !user.active?
+      user.activate!
+      flash[:notice] = "Signup complete! Please sign in to continue."
+      redirect_to '/login'
+    when params[:activation_code].blank?
+      flash[:error] = "The activation code was missing.  Please follow the URL from your email."
+      redirect_back_or_default('/')
+    else 
+      flash[:error]  = "We couldn't find a user with that activation code -- check your email? Or maybe you've already activated -- try signing in."
+      redirect_back_or_default('/')
+    end
+  end
+
+end
diff --git a/new/app/helpers/dashboard_helper.rb b/new/app/helpers/dashboard_helper.rb
@@ -0,0 +1,2 @@
+module DashboardHelper
+end
diff --git a/new/app/helpers/sessions_helper.rb b/new/app/helpers/sessions_helper.rb
@@ -0,0 +1,2 @@
+module SessionsHelper
+end
diff --git a/new/app/helpers/users_helper.rb b/new/app/helpers/users_helper.rb
@@ -0,0 +1,93 @@
+module UsersHelper
+
+  #
+  # Use this to wrap view elements that the user can't access.
+  # !! Note: this is an *interface*, not *security* feature !!
+  # You need to do all access control at the controller level.
+  #
+  # Example:
+  # <%= if_authorized?(:index,   User)  do link_to('List all users', users_path) end %> |
+  # <%= if_authorized?(:edit,    @user) do link_to('Edit this user', edit_user_path) end %> |
+  # <%= if_authorized?(:destroy, @user) do link_to 'Destroy', @user, :confirm => 'Are you sure?', :method => :delete end %> 
+  #
+  #
+  def if_authorized?(action, resource, &block)
+    if authorized?(action, resource)
+      yield action, resource
+    end
+  end
+
+  #
+  # Link to user's page ('users/1')
+  #
+  # By default, their login is used as link text and link title (tooltip)
+  #
+  # Takes options
+  # * :content_text => 'Content text in place of user.login', escaped with
+  #   the standard h() function.
+  # * :content_method => :user_instance_method_to_call_for_content_text
+  # * :title_method => :user_instance_method_to_call_for_title_attribute
+  # * as well as link_to()'s standard options
+  #
+  # Examples:
+  #   link_to_user @user
+  #   # => <a href="/users/3" title="barmy">barmy</a>
+  #
+  #   # if you've added a .name attribute:
+  #  content_tag :span, :class => :vcard do
+  #    (link_to_user user, :class => 'fn n', :title_method => :login, :content_method => :name) +
+  #          ': ' + (content_tag :span, user.email, :class => 'email')
+  #   end
+  #   # => <span class="vcard"><a href="/users/3" title="barmy" class="fn n">Cyril Fotheringay-Phipps</a>: <span class="email">barmy@blandings.com</span></span>
+  #
+  #   link_to_user @user, :content_text => 'Your user page'
+  #   # => <a href="/users/3" title="barmy" class="nickname">Your user page</a>
+  #
+  def link_to_user(user, options={})
+    raise "Invalid user" unless user
+    options.reverse_merge! :content_method => :login, :title_method => :login, :class => :nickname
+    content_text      = options.delete(:content_text)
+    content_text    ||= user.send(options.delete(:content_method))
+    options[:title] ||= user.send(options.delete(:title_method))
+    link_to h(content_text), user_path(user), options
+  end
+
+  #
+  # Link to login page using remote ip address as link content
+  #
+  # The :title (and thus, tooltip) is set to the IP address 
+  #
+  # Examples:
+  #   link_to_login_with_IP
+  #   # => <a href="/login" title="169.69.69.69">169.69.69.69</a>
+  #
+  #   link_to_login_with_IP :content_text => 'not signed in'
+  #   # => <a href="/login" title="169.69.69.69">not signed in</a>
+  #
+  def link_to_login_with_IP content_text=nil, options={}
+    ip_addr           = request.remote_ip
+    content_text    ||= ip_addr
+    options.reverse_merge! :title => ip_addr
+    if tag = options.delete(:tag)
+      content_tag tag, h(content_text), options
+    else
+      link_to h(content_text), login_path, options
+    end
+  end
+
+  #
+  # Link to the current user's page (using link_to_user) or to the login page
+  # (using link_to_login_with_IP).
+  #
+  def link_to_current_user(options={})
+    if current_user
+      link_to_user current_user, options
+    else
+      content_text = options.delete(:content_text) || 'not signed in'
+      # kill ignored options from link_to_user
+      [:content_method, :title_method].each{|opt| options.delete(opt)} 
+      link_to_login_with_IP content_text, options
+    end
+  end
+
+end
diff --git a/new/app/models/user.rb b/new/app/models/user.rb
@@ -0,0 +1,76 @@
+require 'digest/sha1'
+
+class User < ActiveRecord::Base
+  include Authentication
+  include Authentication::ByPassword
+  include Authentication::ByCookieToken
+
+  validates_presence_of     :login
+  validates_length_of       :login,    :within => 3..40
+  validates_uniqueness_of   :login
+  validates_format_of       :login,    :with => Authentication.login_regex, :message => Authentication.bad_login_message
+
+  validates_format_of       :name,     :with => Authentication.name_regex,  :message => Authentication.bad_name_message, :allow_nil => true
+  validates_length_of       :name,     :maximum => 100
+
+  validates_presence_of     :email
+  validates_length_of       :email,    :within => 6..100 #r@a.wk
+  validates_uniqueness_of   :email
+  validates_format_of       :email,    :with => Authentication.email_regex, :message => Authentication.bad_email_message
+
+  before_create :make_activation_code 
+
+  # HACK HACK HACK -- how to do attr_accessible from here?
+  # prevents a user from submitting a crafted form that bypasses activation
+  # anything else you want your user to change should be added here.
+  attr_accessible :login, :email, :name, :password, :password_confirmation
+
+
+  # Activates the user in the database.
+  def activate!
+    @activated = true
+    self.activated_at = Time.now.utc
+    self.activation_code = nil
+    save(false)
+  end
+
+  # Returns true if the user has just been activated.
+  def recently_activated?
+    @activated
+  end
+
+  def active?
+    # the existence of an activation code means they have not activated yet
+    activation_code.nil?
+  end
+
+  # Authenticates a user by their login name and unencrypted password.  Returns the user or nil.
+  #
+  # uff.  this is really an authorization, not authentication routine.  
+  # We really need a Dispatch Chain here or something.
+  # This will also let us return a human error message.
+  #
+  def self.authenticate(login, password)
+    return nil if login.blank? || password.blank?
+    u = find :first, :conditions => ['login = ? and activated_at IS NOT NULL', login] # need to get the salt
+    u && u.authenticated?(password) ? u : nil
+  end
+
+  def login=(value)
+    write_attribute :login, (value ? value.downcase : nil)
+  end
+
+  def email=(value)
+    write_attribute :email, (value ? value.downcase : nil)
+  end
+
+  protected
+
+
+    def make_activation_code
+
+      self.activation_code = self.class.make_token
+    end
+
+
+end
diff --git a/new/app/models/user_mailer.rb b/new/app/models/user_mailer.rb
@@ -0,0 +1,24 @@
+class UserMailer < ActionMailer::Base
+  def signup_notification(user)
+    setup_email(user)
+    @subject    += 'Please activate your new account'
+
+    @body[:url]  = "http://YOURSITE/activate/#{user.activation_code}"
+
+  end
+
+  def activation(user)
+    setup_email(user)
+    @subject    += 'Your account has been activated!'
+    @body[:url]  = "http://YOURSITE/"
+  end
+
+  protected
+    def setup_email(user)
+      @recipients  = "#{user.email}"
+      @from        = "ADMINEMAIL"
+      @subject     = "[YOURSITE] "
+      @sent_on     = Time.now
+      @body[:user] = user
+    end
+end
diff --git a/new/app/models/user_observer.rb b/new/app/models/user_observer.rb
@@ -0,0 +1,11 @@
+class UserObserver < ActiveRecord::Observer
+  def after_create(user)
+    UserMailer.deliver_signup_notification(user)
+  end
+
+  def after_save(user)
+
+    UserMailer.deliver_activation(user) if user.recently_activated?
+
+  end
+end
diff --git a/new/app/views/dashboard/index.html.erb b/new/app/views/dashboard/index.html.erb
@@ -0,0 +1,2 @@
+<h1>Welcome!</h1>
+Links: <%= link_to "Alerts", patient_alerts_path %> <%= link_to "Patients", patients_path %>
diff --git a/new/app/views/sessions/new.html.erb b/new/app/views/sessions/new.html.erb
@@ -0,0 +1,16 @@
+<h1>Log In</h1>
+
+<% form_tag session_path do -%>
+<p><%= label_tag 'login' %><br />
+<%= text_field_tag 'login', @login %></p>
+
+<p><%= label_tag 'password' %><br/>
+<%= password_field_tag 'password', nil %></p>
+
+<!-- Uncomment this if you want this functionality
+<p><%= label_tag 'remember_me', 'Remember me' %>
+<%= check_box_tag 'remember_me', '1', @remember_me %></p>
+-->
+
+<p><%= submit_tag 'Log in' %></p>
+<% end -%>
diff --git a/new/app/views/user_mailer/activation.erb b/new/app/views/user_mailer/activation.erb
@@ -0,0 +1,3 @@
+<%=h @user.login %>, your account has been activated.  Welcome aboard!
+
+  <%=h @url %>
diff --git a/new/app/views/user_mailer/signup_notification.erb b/new/app/views/user_mailer/signup_notification.erb
@@ -0,0 +1,8 @@
+Your account has been created.
+
+  Username: <%=h @user.login %>
+  Password: <%=h @user.password %>
+
+Visit this url to activate your account:
+
+  <%=h @url %>
diff --git a/new/app/views/users/_user_bar.html.erb b/new/app/views/users/_user_bar.html.erb
@@ -0,0 +1,8 @@
+<% if logged_in? -%>
+  <div id="user-bar-greeting">Logged in as <%= link_to_current_user :content_method => :login %></div>
+  <div id="user-bar-action"  >(<%= link_to "Log out", logout_path, { :title => "Log out" }    %>)</div>
+<% else -%>
+  <div id="user-bar-greeting"><%= link_to_login_with_IP 'Not logged in', :style => 'border: none;' %></div>
+  <div id="user-bar-action"  ><%= link_to "Log in",  login_path,  { :title => "Log in" } %> /
+                               <%= link_to "Sign up", signup_path, { :title => "Create an account" } %></div>
+<% end -%>
diff --git a/new/app/views/users/new.html.erb b/new/app/views/users/new.html.erb
@@ -0,0 +1,19 @@
+<h1>Sign up as a new user</h1>
+<% @user.password = @user.password_confirmation = nil %>
+
+<%= error_messages_for :user %>
+<% form_for :user, :url => users_path do |f| -%>
+<p><%= label_tag 'login' %><br/>
+<%= f.text_field :login %></p>
+
+<p><%= label_tag 'email' %><br/>
+<%= f.text_field :email %></p>
+
+<p><%= label_tag 'password' %><br/>
+<%= f.password_field :password %></p>
+
+<p><%= label_tag 'password_confirmation', 'Confirm Password' %><br/>
+<%= f.password_field :password_confirmation %></p>
+
+<p><%= submit_tag 'Sign up' %></p>
+<% end -%>