
implemented login redirection system

1 parent 0288231 commit 4c65ce444508b01225f28c2716000981e166a281 activefx committed Sep 16, 2008
9 README
@@ -23,6 +23,7 @@ CURRENT FEATURES
- Roles and permissions
- Administrative user controller
- Set roles, activate, enable / disable users
+ - Login, permission, and access denied redirection system
- Member list and public profiles for logged in users
- Activation, with option to resend activation code
- Beta invitation system
@@ -42,8 +43,8 @@ CURRENT FEATURES
- custom-err-msg, permalink_fu, uberkit, will_paginate
- Debug Plugins
- exception_logger, rails-footnotes, query_analyzer, query_stats, rows_logger
- - Development Plugins
- - auto_migrations
+ - Development and Performance Plugins
+ - auto_migrations, pseudo_cursors
- Testing
- rspec, rspec_rails
- Gems
@@ -56,7 +57,6 @@ KNOWN ISSUES
TODO
- Fix known issues
- Full rSpec test suite
- - Better access and permission denied redirects
- Make the ActivationsController "activate" action restful
- Integrate user interface plugins / dry form builders
- Move query stats and rows logger to footnotes plugin
@@ -76,6 +76,8 @@ Open_id_authentication by David Heinemeier Hansson is released under the MIT Lic
- http://github.com/activefx/open_id_authentication/tree/master (modified for restful_authentication_tutorial)
Permalink_fu by Rick Olson is released under the MIT License
- http://github.com/technoweenie/permalink_fu/tree/master
+Pseudo_cursors by Brian Durand is released under the MIT License
+ - http://github.com/sml/pseudo_cursors/tree/master
Query_analyzer by Bob Silva is released under the MIT License
- http://svn.nfectio.us/plugins/query_analyzer
Query_stats by Dan Manges is released under the MIT License
@@ -128,6 +130,7 @@ Yahoo User Interface 3 CSS:
- http://developer.yahoo.com/yui/3/cssbase/
Rails Security:
- http://www.slideshare.net/heikowebers/advanced-ruby-on-rails-security/
+ - http://guides.rails.info/securing_rails_applications/security.html
Additional Resources:
- http://delicious.com/activefx/restful_authentication
- http://delicious.com/activefx/openid
2 app/controllers/members_controller.rb
@@ -1,5 +1,5 @@
class MembersController < ApplicationController
- before_filter :login_required
+ before_filter :login_required
def index
@users = User.member_list(params[:page])
19 app/controllers/sessions_controller.rb
@@ -57,7 +57,11 @@ def open_id_authentication(identity_url_params)
authenticate_with_open_id(identity_url_params,
:optional => [ :nickname, :email, :fullname],
:invitation_token => params[:invitation_token],
- :remember_me => params[:remember_me]) do |result, identity_url, registration|
+ :remember_me => params[:remember_me],
+ :requested => session[:return_to],
+ :refered_from => session[:refered_from]) do |result, identity_url, registration|
+ session[:return_to] = params[:requested]
+ session[:refered_from] = params[:refered_from]
case result.status
when :missing
failed_login("Sorry, the OpenID server couldn't be found.", identity_url, true)
@@ -67,7 +71,7 @@ def open_id_authentication(identity_url_params)
failed_login("OpenID verification was canceled.", identity_url, true)
when :failed
failed_login("Sorry, the OpenID verification failed.", identity_url, true)
- when :successful
+ when :successful
OpenidUser.find_with_identity_url(identity_url) do |account, user, message, item_msg, item_path|
if account
(successful_login(user) and return) if user
@@ -111,7 +115,16 @@ def successful_login(user)
# Protects against session fixation attacks, causes request forgery
# protection if user resubmits an earlier form using back
# button. Uncomment if you understand the tradeoffs.
- # reset_session
+ #
+ # reset_session has been uncommented in the restful_authentication_tutorial app,
+ # which is not the default setting of the restful_authentication plugin
+ # guides.rails.info/securing_rails_applications/security.html#_session_fixation_countermeasures
+ #
+ refered_from = session[:refered_from]
+ return_to = session[:return_to]
+ reset_session
+ session[:refered_from] = refered_from
+ session[:return_to] = return_to
self.current_user = user
new_cookie_flag = (params[:remember_me] == "1")
handle_remember_cookie! new_cookie_flag
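Review bot: In the first hunk, `session[:return_to] = params[:requested]` and `session[:refered_from] = params[:refered_from]` store values taken straight from the OpenID return URL, before `result.status` is examined, and those values are later fed to `redirect_to` by redirect_back_or_default and access_denied. Since anyone can put an absolute URL into that query string, only a site-relative path should be accepted, e.g. `session[:return_to] = params[:requested] if params[:requested].to_s =~ %r{\A/(?!/)}` and the same guard for `refered_from`. The carry-over of the two keys across `reset_session` in the last hunk is fine, but the comment above it still says "Uncomment if you understand the tradeoffs" while the call is now live; it should say that the session is reset on every login and that only these two keys survive. open_id_authentication and successful_login both start outside their hunks.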
4 app/models/site_user.rb
@@ -7,8 +7,8 @@ def self.authenticate(login, password, &block)
yield nil, "Username and password cannot be blank.", nil, nil and
return if (login.blank? || password.blank?)
u = find :first, :conditions => ['login = ?', login], :include => :roles
- yield nil, "Could not log you in as '#{login}', your username or password is incorrect.", nil, nil and
- return unless (u && u.authenticated?(password))
+ yield nil, "Could not log you in as '#{CGI.escapeHTML(login)}', your username or password is incorrect.", nil,
+ nil and return unless (u && u.authenticated?(password))
case
when !u.active?
yield nil, "Your account has not been activated, please check your email or %s.", "request a new activation code", "resend_activation_path"
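Review bot: HTML-escaping `login` with `CGI.escapeHTML` inside the model ties this message to HTML output, and only this one message gets it. If the view already escapes the flash (via `h`) the login will render double-escaped; if it does not, the other yielded messages remain unescaped, so the safer place for the escaping is the view. Either way a comment on the `yield` such as `# login is echoed back to the user; escape where it is rendered` would make the intent clear. self.authenticate starts outside the hunk.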
1 db/schema.rb
@@ -27,6 +27,7 @@
t.string "email"
t.string "token"
t.datetime "sent_at"
+ t.datetime "used_at"
t.datetime "created_at"
t.datetime "updated_at"
end
3 lib/authenticated_system.rb
@@ -90,6 +90,7 @@ def access_denied
# We can return to this location by calling #redirect_back_or_default.
def store_location
session[:return_to] = request.request_uri
+ session[:refered_from] = request.env["HTTP_REFERER"]
end
# Redirect to the URI stored by the most recent store_location call or
@@ -98,7 +99,7 @@ def store_location
# for any controller you want to be bounce-backable.
def redirect_back_or_default(default)
redirect_to(session[:return_to] || default)
- session[:return_to] = nil
+ session[:return_to] = nil
end
# Inclusion hook to make #current_user and #logged_in?
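Review bot: `session[:refered_from] = request.env["HTTP_REFERER"]` stores a client-supplied header verbatim, and it may be nil, cross-site, or carry a query string; the consumers that later pass it to `redirect_to` have to check it themselves, which this method's comment should say. Suggested wording above store_location: `# Also records the Referer header so access_denied can send the user back; the value is client-supplied and must be verified to point at this site before it is used in a redirect.`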
4 lib/authentication/user_abstraction.rb
@@ -71,7 +71,7 @@ def find_with_activation_code(activation_code = nil, &block) #yield error, messa
yield :notice, "Your account has already been activated. You can log in below", "login_path"
when u
u.activate!
- path = ((u.user_type == "SiteUser") ? "login_path" : "login_with_openid_path")
+ path = ((u.user_type == "OpenidUser") ? "login_with_openid_path" : "login_path")
yield :notice, "Signup complete! Please sign in to continue.", path
end
end
@@ -192,7 +192,7 @@ def site_in_beta?
end
def emails_match?
- return false if self.invitation.nil?
+ return false unless invitation
self.email == self.invitation.email
end
37 lib/role_requirement_system.rb
@@ -115,8 +115,36 @@ def access_denied
#return false
respond_to do |format|
format.html do
- flash[:error] = "You don't have permission to complete this action."
- redirect_to root_path
+ flash[:error] = "You don't have permission to complete this action."
+ domain = "http://#{APP_CONFIG['settings']['domain']}"
+ case
+ # Checks to see if the call to access_denied is the result of a failed redirect after logging
+ # in normally (HTTP_REFERER includes one of the paths) or with OpenID (HTTP_REFERER is nil)
+ when (session[:refered_from] && request.env['HTTP_REFERER'] &&
+ (request.env['HTTP_REFERER'].include?("#{APP_CONFIG['settings']['domain']}/session/new" ||
+ "#{APP_CONFIG['settings']['domain']}/login"))), (request.env['HTTP_REFERER'].nil? &&
+ session[:refered_from])
+ referer = session[:refered_from]
+ else
+ referer = request.env['HTTP_REFERER']
+ end
+ case
+ # Makes sure the referer is a page on your website
+ when (referer[0...(domain.length)] != domain)
+ redirect_to root_path
+ else
+ # Make sure the current_user has permission to access the referer path
+ path = referer[(domain.length)..(referer.length)]
+ route = ActionController::Routing::Routes.recognize_path(path, {:method => :get})
+ if url_options_authenticate?(:controller => route[:controller], :action => route[:action],
+ :params => route[:id]) && (route[:controller] != "four_oh_fours")
+ redirect_to(referer)
+ else
+ redirect_to root_path
+ end
+ end
+ session[:refered_from] = nil
+ session[:return_to] = nil
end
format.any do
headers["Status"] = "Unauthorized"
@@ -131,13 +159,14 @@ def access_denied
def check_roles
return access_denied unless self.class.user_authorized_for?(current_user, params, binding)
-
+ session[:refered_from] = nil
+ session[:return_to] = nil
true
end
protected
# receives a :controller, :action, and :params. Finds the given controller and runs user_authorized_for? on it.
- # This can be called in your views, and is for advanced users only. If you are using :if / :unless eval expressions,
+ # This can be called in your views, and is for advanced users only. If you are usredirect_to root_pathing :if / :unless eval expressions,
# then this may or may not work (eval strings use the current binding to execute, not the binding of the target
# controller)
def url_options_authenticate?(params = {})
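Review bot: The login-page test at `include?("…/session/new" || "…/login")` only ever checks the first string, because `||` between two literals returns the first, so a referer pointing at `/login` is never treated as a login page. `referer` is nil when both the header and session[:refered_from] are unset, so the slice in the second `case` raises NoMethodError, and the bare prefix comparison also accepts any host whose name merely starts with the configured domain. `recognize_path` raises `ActionController::RoutingError` for an unrouted path and the slice keeps any query string, so an access-denied response can turn into a 500 instead of a redirect. The comment at `usredirect_to root_pathing` has `redirect_to root_path` pasted into the word `using`. access_denied starts outside the hunk; the rewrite below replaces the two `case` blocks up to the session clearing.

```ruby
flash[:error] = "You don't have permission to complete this action."
domain = "http://#{APP_CONFIG['settings']['domain']}"
login_pages = ["#{domain}/session/new", "#{domain}/login"]
header_referer = request.env['HTTP_REFERER']
# Use the referer captured before login when the header is missing or points back at a login page
referer = if session[:refered_from] && (header_referer.nil? || login_pages.any? { |page| header_referer.include?(page) })
  session[:refered_from]
else
  header_referer
end
# Same-site means the configured origin exactly, or the origin followed by a path separator
same_site = referer && (referer == domain || referer[0, domain.length + 1] == "#{domain}/")
if same_site
  path = referer[domain.length..-1].split('?').first.to_s
  path = '/' if path.empty?
  begin
    route = ActionController::Routing::Routes.recognize_path(path, {:method => :get})
    # … unchanged: url_options_authenticate? check and redirect_to(referer) / root_path …
  rescue ActionController::RoutingError
    redirect_to root_path
  end
else
  redirect_to root_path
end
# … unchanged: clearing session[:refered_from] and session[:return_to] …
```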
2 vendor/plugins/open_id_authentication
@@ -1 +1 @@
-Subproject commit df3411fa5f08c97899ef6dcd9b82b9f2f4832d7b
+Subproject commit 7e5bf94ae495b72a2a3d4437cacc0f3edb4f8fde
