implemented login redirection system

README

@@ -23,6 +23,7 @@ CURRENT FEATURES
 	- Roles and permissions
 	- Administrative user controller
 		- Set roles, activate, enable / disable users  
+	- Login, permission, and access denied redirection system
 	- Member list and public profiles for logged in users
 	- Activation, with option to resend activation code
 	- Beta invitation system 
@@ -42,8 +43,8 @@ CURRENT FEATURES
 		- custom-err-msg, permalink_fu, uberkit, will_paginate
 	- Debug Plugins 
 		- exception_logger, rails-footnotes, query_analyzer, query_stats, rows_logger
-	- Development Plugins
-		- auto_migrations
+	- Development and Performance Plugins
+		- auto_migrations, pseudo_cursors
 	- Testing 
 		- rspec, rspec_rails
 	- Gems
@@ -56,7 +57,6 @@ KNOWN ISSUES
 TODO
 	- Fix known issues
 	- Full rSpec test suite
-	- Better access and permission denied redirects
 	- Make the ActivationsController "activate" action restful
 	- Integrate user interface plugins / dry form builders
 	- Move query stats and rows logger to footnotes plugin
@@ -76,6 +76,8 @@ Open_id_authentication by David Heinemeier Hansson is released under the MIT Lic
 	- http://github.com/activefx/open_id_authentication/tree/master (modified for restful_authentication_tutorial)
 Permalink_fu by Rick Olson is released under the MIT License
 	- http://github.com/technoweenie/permalink_fu/tree/master
+Pseudo_cursors by Brian Durand is released under the MIT License
+	- http://github.com/sml/pseudo_cursors/tree/master
 Query_analyzer by Bob Silva is released under the MIT License
 	- http://svn.nfectio.us/plugins/query_analyzer
 Query_stats by Dan Manges is released under the MIT License
@@ -128,6 +130,7 @@ Yahoo User Interface 3 CSS:
 	- http://developer.yahoo.com/yui/3/cssbase/
 Rails Security:
 	- http://www.slideshare.net/heikowebers/advanced-ruby-on-rails-security/
+	- http://guides.rails.info/securing_rails_applications/security.html
 Additional Resources:
 	- http://delicious.com/activefx/restful_authentication
 	- http://delicious.com/activefx/openid

app/controllers/members_controller.rb

@@ -1,5 +1,5 @@
 class MembersController < ApplicationController
-  before_filter :login_required
+	before_filter :login_required
 
   def index
 		@users = User.member_list(params[:page])

app/controllers/sessions_controller.rb

@@ -57,7 +57,11 @@ def open_id_authentication(identity_url_params)
     authenticate_with_open_id(identity_url_params, 
         :optional => [ :nickname, :email, :fullname],
 				:invitation_token => params[:invitation_token],
-				:remember_me => params[:remember_me]) do |result, identity_url, registration|
+				:remember_me => params[:remember_me],
+				:requested => session[:return_to],
+				:refered_from => session[:refered_from]) do |result, identity_url, registration|
+			session[:return_to] = params[:requested]
+			session[:refered_from] = params[:refered_from]
       case result.status
       when :missing
         failed_login("Sorry, the OpenID server couldn't be found.", identity_url, true)
@@ -67,7 +71,7 @@ def open_id_authentication(identity_url_params)
         failed_login("OpenID verification was canceled.", identity_url, true)
       when :failed
         failed_login("Sorry, the OpenID verification failed.", identity_url, true)
-      when :successful
+      when :successful 
 				OpenidUser.find_with_identity_url(identity_url) do |account, user, message, item_msg, item_path|
 					if account	
 						(successful_login(user) and return) if user
@@ -111,7 +115,16 @@ def successful_login(user)
     # Protects against session fixation attacks, causes request forgery
     # protection if user resubmits an earlier form using back
     # button. Uncomment if you understand the tradeoffs.
-    # reset_session
+		#
+		# reset_session has been uncommented in the restful_authentication_tutorial app,
+		# which is not the default setting of the restful_authentication plugin
+		# guides.rails.info/securing_rails_applications/security.html#_session_fixation_countermeasures
+		#
+		refered_from = session[:refered_from]
+		return_to = session[:return_to]
+    reset_session
+		session[:refered_from] = refered_from 
+		session[:return_to] = return_to
     self.current_user = user
     new_cookie_flag = (params[:remember_me] == "1")
     handle_remember_cookie! new_cookie_flag

app/models/site_user.rb

@@ -7,8 +7,8 @@ def self.authenticate(login, password, &block)
 		yield nil, "Username and password cannot be blank.", nil, nil and
 			return if (login.blank? || password.blank?)
 		u = find :first, :conditions => ['login = ?', login], :include => :roles
-		yield nil, "Could not log you in as '#{login}', your username or password is incorrect.", nil, nil and
-			return unless (u && u.authenticated?(password))
+		yield nil, "Could not log you in as '#{CGI.escapeHTML(login)}', your username or password is incorrect.", nil, 
+			nil and return unless (u && u.authenticated?(password))
 		case
 		when !u.active?
 			yield nil, "Your account has not been activated, please check your email or %s.", "request a new activation 				code", "resend_activation_path"

db/schema.rb

@@ -27,6 +27,7 @@
     t.string   "email"
     t.string   "token"
     t.datetime "sent_at"
+    t.datetime "used_at"
     t.datetime "created_at"
     t.datetime "updated_at"
   end

lib/authenticated_system.rb

@@ -90,6 +90,7 @@ def access_denied
     # We can return to this location by calling #redirect_back_or_default.
     def store_location
       session[:return_to] = request.request_uri
+			session[:refered_from] = request.env["HTTP_REFERER"]
     end
 
     # Redirect to the URI stored by the most recent store_location call or
@@ -98,7 +99,7 @@ def store_location
     # for any controller you want to be bounce-backable.
     def redirect_back_or_default(default)
       redirect_to(session[:return_to] || default)
-      session[:return_to] = nil
+			session[:return_to] = nil
     end
 
     # Inclusion hook to make #current_user and #logged_in?

lib/authentication/user_abstraction.rb

@@ -71,7 +71,7 @@ def find_with_activation_code(activation_code = nil, &block) #yield error, messa
 					yield :notice, "Your account has already been activated. You can log in below", "login_path"
 				when u
 					u.activate!
-					path = ((u.user_type == "SiteUser") ? "login_path" : "login_with_openid_path")
+					path = ((u.user_type == "OpenidUser") ? "login_with_openid_path" : "login_path")
 					yield :notice, "Signup complete! Please sign in to continue.", path
 				end
 			end
@@ -192,7 +192,7 @@ def site_in_beta?
 			end
 
 			def emails_match?
-				return false if self.invitation.nil?
+				return false unless invitation
 				self.email == self.invitation.email
 			end
 

lib/role_requirement_system.rb

@@ -115,8 +115,36 @@ def access_denied
         #return false
 				respond_to do |format|
 					format.html do 
-						flash[:error] = "You don't have permission to complete this action."
-	          redirect_to root_path
+						flash[:error] = "You don't have permission to complete this action."		
+						domain = "http://#{APP_CONFIG['settings']['domain']}"				
+						case
+						# Checks to see if the call to access_denied is the result of a failed redirect after logging 
+						# in normally (HTTP_REFERER includes one of the paths) or with OpenID (HTTP_REFERER is nil)
+						when (session[:refered_from] && request.env['HTTP_REFERER'] && 
+							(request.env['HTTP_REFERER'].include?("#{APP_CONFIG['settings']['domain']}/session/new" || 
+							"#{APP_CONFIG['settings']['domain']}/login"))), (request.env['HTTP_REFERER'].nil? && 
+							session[:refered_from]) 
+								referer = session[:refered_from]
+						else
+								referer = request.env['HTTP_REFERER']
+						end							
+						case 
+						# Makes sure the referer is a page on your website
+						when (referer[0...(domain.length)] != domain)
+							redirect_to root_path
+						else
+							# Make sure the current_user has permission to access the referer path
+							path = referer[(domain.length)..(referer.length)]
+							route = ActionController::Routing::Routes.recognize_path(path, {:method => :get})
+							if url_options_authenticate?(:controller => route[:controller], :action => route[:action], 
+								:params => route[:id]) && (route[:controller] != "four_oh_fours")
+								redirect_to(referer)
+							else
+								redirect_to root_path
+							end
+						end
+						session[:refered_from] = nil
+						session[:return_to] = nil
 					end
 	        format.any do
 	          headers["Status"]           = "Unauthorized"
@@ -131,13 +159,14 @@ def access_denied
 
     def check_roles       
       return access_denied unless self.class.user_authorized_for?(current_user, params, binding)
-
+      session[:refered_from] = nil
+			session[:return_to] = nil
       true
     end
 
   protected
     # receives a :controller, :action, and :params.  Finds the given controller and runs user_authorized_for? on it.
-    # This can be called in your views, and is for advanced users only.  If you are using :if / :unless eval expressions, 
+    # This can be called in your views, and is for advanced users only.  If you are usredirect_to root_pathing :if / :unless eval expressions, 
     #   then this may or may not work (eval strings use the current binding to execute, not the binding of the target 
     #   controller)
     def url_options_authenticate?(params = {})