ae_users 0.6.0

data/app/controllers/permission_controller.rb

@@ -0,0 +1,172 @@
+class PermissionController < ApplicationController
+  unloadable
+  require_login
+  
+  def admin
+    @pclasses = logged_in_person.administrator_classes
+    @roles = Role.find :all
+  end
+  
+  require_class_permission "change_permissions", :class_param => "klass", :only => [:edit]
+  def edit
+    pclass = nil
+    AeUsers.permissioned_classes.each do |pc|
+      if pc.name == params[:klass]
+        pclass = pc
+        break
+      end
+    end
+    
+    if pclass.nil?
+      render :inline => "<h1>Invalid class name <%= h AeUsers.permissioned_classes %></h1>"
+    else
+      if params[:id]
+        @item = pclass.find(params[:id])
+      else
+        @item = pclass
+      end
+    end    
+  end
+  
+  def auto_complete_for_permission_grantee
+    if params[:q]
+      query = params[:q].strip.downcase
+      liketerm = "%#{query}%"
+      terms = query.split
+      
+      if params[:people] == "true"
+        sql = terms.collect do |t|
+          "((LOWER(firstname) like ?) OR (LOWER(lastname) like ?))"
+        end.join(" AND ")
+        doubleterms = []
+        terms.each do |t|
+          doubleterms.push("%#{t}%")
+          doubleterms.push("%#{t}%")
+        end
+        @grantees = Person.find(:all, :conditions => ([sql] + doubleterms))
+        @grantees += EmailAddress.find(:all,
+                                       :conditions => ["LOWER(address) like ?", liketerm]).collect do |ea|
+          ea.person
+        end
+      else
+        @grantees = []
+      end
+
+      if params[:roles] == "true"      
+        @grantees += Role.find(:all,
+                               :conditions => ["LOWER(name) like ?", liketerm])
+      end
+      
+      @grantees.uniq!
+    else
+      @grantees = []
+    end
+    
+    render :partial => "add_grantee"
+  end
+  
+  before_filter :check_grant_perms, :only => [:grant]
+  layout nil, :only => [:grant]
+  def grant
+    perm_params = {}
+    if params[:klass] == 'Person'
+      @grantee = Person.find(params[:id])
+      perm_params[:person_id] = @grantee.id
+    else
+      @grantee = Role.find(params[:id])
+      perm_params[:role_id] = @grantee.id
+    end
+       
+    @perm = Permission.create(perm_params.update(:permission => params[:perm], :permissioned => @permissioned))
+    @perm.destroy_caches
+  end
+  
+  before_filter :check_revoke_perms, :only => [:revoke]
+  def revoke
+    @perm.destroy_caches
+    @perm.destroy
+    render :nothing => true
+  end
+  
+  def create_role
+    @role = Role.create(params[:role])
+    redirect_to :action => 'edit_role', :id => @role.id
+    @role.grant(logged_in_person)
+  end
+  
+  before_filter :check_edit_role_perms, :only => [:edit_role, :delete_role]
+  before_filter :check_edit_role_member_perms, :only => [:add_role_member, :remove_role_member]
+  def edit_role
+  end
+  
+  def add_role_member
+    @person = Person.find(params[:id])
+    
+    @role.people.push @person
+    @role.save
+    if AeUsers.cache_permissions?
+      AeUsers.permission_cache.invalidate_all(@person)
+    end
+    
+    render :partial => "role_member", :locals => {:person => @person}
+  end
+  
+  def remove_role_member   
+    @role.people.delete(@role.people.find(params[:id]))
+    @role.save
+    if AeUsers.cache_permissions?
+      AeUsers.permission_cache.invalidate_all(@person)
+    end
+    
+    render :nothing => true
+  end
+  
+  def delete_role
+    if AeUsers.cache_permissions?
+      @role.people.each do |person|
+        AeUsers.permission_cache.invalidate_all(person)
+      end
+    end
+    @role.destroy
+    render :nothing => true
+  end
+  
+  private
+  def check_grant_perms
+    @permissioned = nil
+    if params[:item_klass] != 'Class'
+      pc = AeUsers.permissioned_class(params[:item_klass])
+      @permissioned = pc.find(params[:item_id])
+    end
+    check_metaperms
+  end
+  
+  def check_revoke_perms
+    @perm = Permission.find(params[:id])
+    @permissioned = @perm.permissioned
+    check_metaperms
+    if @person == @perm.grantee and @perm.permission == "change_permissions"
+      access_denied "Sorry, you can't revoke your own right to change permissions.  (You'd probably regret it anyway!)" +
+                    " If you're trying to transfer ownership to someone else, just give them all the permissions, and have them revoke yours."
+    end
+  end
+  
+  def check_metaperms
+    @person = logged_in_person
+    if not @person.permitted?(@permissioned, "change_permissions")
+      access_denied "Sorry, you are not allowed to change the permissions of that object."
+    end
+  end
+  
+  def check_edit_role_perms
+    @role ||= Role.find(params[:id])
+    if not @role.permitted?(logged_in_person, "edit")
+      access_denied "Sorry, you are not allowed to edit this role."
+    end
+  end
+  
+  def check_edit_role_member_perms
+    @role = Role.find(params[:role])
+    check_edit_role_perms
+  end
+end

data/app/helpers/account_helper.rb

@@ -0,0 +1,2 @@
+module AccountHelper
+end

data/app/helpers/auth_helper.rb

@@ -0,0 +1,5 @@
+module AuthHelper
+  def auth_stylesheet
+    "<link rel=\"stylesheet\" href=\"#{url_for :controller => 'auth', :action => 'index', :format => 'css'}\" />"
+  end
+end

data/app/helpers/permission_helper.rb

@@ -0,0 +1,2 @@
+module PermissionHelper
+end

data/app/models/account.rb

@@ -0,0 +1,50 @@
+require 'digest/md5'
+
+class Account < ActiveRecord::Base
+  establish_connection :users
+  belongs_to :person
+  
+  def self.find_by_email_address(address)
+    p = Person.find_by_email_address(address)
+    if not p.nil?
+      return p.account
+    end
+  end
+  
+  def password=(p)
+    if not p.nil?
+      write_attribute("password", Account.hash_password(p))
+    else
+      write_attribute("password", nil)
+    end
+  end
+  
+  def self.hash_password(p)
+    if p.nil?
+      return nil
+    else
+      return Digest::MD5.hexdigest(p)
+    end
+  end
+  
+  def check_password(p)
+    return self.password == Account.hash_password(p)
+  end
+  
+  def generate_password(address = nil, length = 6)
+    chars = ('a'..'z').to_a + ('A'..'Z').to_a + ('1'..'9').to_a - ['o', 'O', 'i', 'I']
+    genpwd = Array.new(length) { chars[rand(chars.size)] }.join
+    self.password= genpwd
+    save
+    AuthNotifier::deliver_generated_password(self, genpwd, address)
+    return genpwd
+  end
+  
+  def generate_activation(address=nil)
+    self.active = false
+    self.activation_key = Digest::MD5.hexdigest("#{password} #{Time.now.to_s}")
+    self.save
+    
+    AuthNotifier::deliver_account_activation(self, address)
+  end
+end

data/app/models/auth_notifier.rb

@@ -0,0 +1,34 @@
+class AuthNotifier < ActionMailer::Base 
+  def account_activation(account, address=nil)
+    if address.nil?
+      address = account.person.primary_email_address
+    elsif address.kind_of? EmailAddress
+      address = address.address
+    end
+    
+    @recipients = address
+    @from = "noreply@#{default_url_options[:host]}"
+    @subject = "Your account on #{default_url_options[:host]}"
+    
+    @body["name"] = account.person.name || "New User"
+    @body["account"] = account
+    @body["server_name"] = default_url_options[:host]
+  end
+  
+  def generated_password(account, password, address=nil)
+    if address.nil?
+      address = account.person.primary_email_address
+    elsif address.kind_of? EmailAddress
+      address = address.address
+    end
+    
+    @recipients = address
+    @from = "noreply@#{default_url_options[:host]}"
+    @subject = "Your password has been reset on #{default_url_options[:host]}"
+    
+    @body["name"] = account.person.name
+    @body["account"] = account
+    @body["server_name"] = default_url_options[:host]
+    @body["password"] = password
+  end
+end

data/app/models/auth_ticket.rb

@@ -0,0 +1,39 @@
+require 'digest/sha1'
+
+class AuthTicket < ActiveRecord::Base
+  belongs_to :person
+  validates_uniqueness_of :secret
+  
+  before_save do |record|
+    record.secret
+  end
+  
+  def self.find_ticket(secret)
+    AuthTicket.find(:first, :conditions => ["secret = ? and (expires_at is null or expires_at > current_timestamp())", secret])
+  end
+  
+  def generate_secret
+    secret = nil
+    while secret.nil?
+      hashseed = "#{id}_#{Time.new.to_i}_#{rand}"
+      secret = Digest::SHA1.hexdigest(hashseed)
+      if AuthTicket.find_by_secret(secret)
+        secret = nil
+      end
+    end
+    self.secret = secret
+    return secret
+  end
+  
+  def secret
+    if read_attribute(:secret).nil?
+      generate_secret
+    else
+      read_attribute(:secret)
+    end
+  end
+  
+  def expired?
+    expires_at and expires_at <= Time.new
+  end
+end

data/app/models/email_address.rb

@@ -0,0 +1,17 @@
+class EmailAddress < ActiveRecord::Base
+  establish_connection :users
+  belongs_to :person
+  validates_uniqueness_of :address
+  
+  def primary=(value)
+    if value and not person.nil?
+      person.email_addresses.each do |addr|
+        if addr != self
+          addr.primary = false
+          addr.save
+        end
+      end
+    end
+    write_attribute(:primary, value)
+  end
+end

data/app/models/login.rb

@@ -0,0 +1,23 @@
+class Login
+  attr_accessor :email, :password, :remember, :return_to, :have_password
+  
+  def initialize(args)
+    if not args.nil?
+      if args[:email]
+        self.email = args[:email]
+      end
+      if args[:password]
+        self.password = args[:password]
+      end
+      if args[:remember]
+        self.remember = args[:remember]
+      end
+      if args[:return_to]
+        self.return_to = args[:return_to]
+      end
+      if args[:have_password]
+        self.have_password = args[:have_password] == "true"
+      end
+    end
+  end
+end

data/app/models/open_id_identity.rb

@@ -0,0 +1,5 @@
+class OpenIdIdentity < ActiveRecord::Base
+  establish_connection :users
+  belongs_to :person
+  validates_uniqueness_of :identity_url
+end

data/app/models/permission.rb

@@ -0,0 +1,57 @@
+class Permission < ActiveRecord::Base
+  belongs_to :role
+  belongs_to :person
+  belongs_to :permissioned, :polymorphic => true
+  
+  def object
+    return permissioned
+  end
+  
+  def grantee
+    if not role.nil?
+      return role
+    else
+      return person
+    end
+  end
+  
+  def cache_conds
+    cond_sql = "permission_name = ?"
+    cond_objs = [permission]
+    if person
+      cond_sql += " and person_id = ?"
+      cond_objs += [person.id]
+    end
+    if permissioned
+      cond_sql += " and permissioned_type = ? and permissioned_id = ?"
+      cond_objs += [permissioned.class.name, permissioned.id]
+    end
+    return [cond_sql] + cond_objs
+  end
+
+  def destroy_caches_for_person(p)
+    if AeUsers.cache_permissions?
+      if permissioned and permission
+        AeUsers.permission_cache.invalidate(p, permissioned, permission)
+      else
+        AeUsers.permission_cache.invalidate_all(:person => p)
+      end
+    end
+  end
+  
+  def destroy_caches
+    if AeUsers.cache_permissions?
+      if person
+        destroy_caches_for_person(person)
+      elsif role
+        role.members.each do |person|
+          AeUsers.permission_cache.invalidate(person, permissioned, permission)
+        end
+      elsif permissioned and permission
+        AeUsers.permission_cache.invalidate_all(:permissioned => permissioned, :permission => permission)
+      else
+        AeUsers.permission_cache.invalidate_all
+      end
+    end
+  end
+end

data/app/models/person.rb

@@ -0,0 +1,156 @@
+class Person < ActiveRecord::Base
+  establish_connection :users
+  has_one :account
+  has_many :open_id_identities
+  has_and_belongs_to_many :roles
+  has_many :permissions, :dependent => :destroy, :include => :permissioned
+  has_many :email_addresses, :dependent => :destroy
+
+  def self.sreg_map  
+    {:fullname => Proc.new do |fullname|
+      if fullname =~ /^([^ ]+) +(.*)$/
+        {:firstname => $1, :lastname => $2}
+      else
+        {:firstname => fullname}
+      end
+    end, 
+    :dob => Proc.new do |dob|
+      if dob =~ /^([0-9]{4})-([0-9]{2})-([0-9]{2})$/
+        {:birthdate => Time.local($1, $2, $3)}
+      else
+        {}
+      end
+    end,
+    :gender => Proc.new do |gender|
+      if gender == 'M'
+        {:gender => 'male'}
+      elsif gender == 'F'
+        {:gender => 'female'}
+      else
+        {}
+      end
+    end,
+    :email => Proc.new do |email|
+      {:primary_email_address => email}
+    end
+    }
+  end
+  
+  def self.find_by_email_address(address)
+    ea = EmailAddress.find_by_address(address)
+    if not ea.nil?
+      return ea.person
+    end
+  end
+  
+  def primary_email_address
+    primary = email_addresses.find_by_primary true
+    if not primary
+      primary = email_addresses.find :first
+    end
+    if primary.nil?
+      return nil
+    else
+      return primary.address
+    end
+  end
+  
+  def primary_email_address=(address)
+    if primary_email_address != address
+      ea = email_addresses.find_or_create_by_address(address)
+      ea.primary = true
+      ea.save
+    end
+  end
+
+  def all_permissions
+    allperms = permissions
+    roles.each do |role|
+      allperms += role.permissions
+    end
+    return allperms
+  end
+  
+  def permitted?(obj, perm_name)
+    if AeUsers.cache_permissions?
+      if obj and obj.kind_of? ActiveRecord::Base
+        return AeUsers.permission_cache.permitted?(self, obj, perm_name)
+      else
+        return AeUsers.permission_cache.permitted?(self, nil, perm_name)
+      end
+    else
+      return uncached_permitted?(obj, perm_name)
+    end
+  end
+  
+  def uncached_permitted?(obj, perm_name)
+    result = false
+    all_permissions.each do |permission|
+      po = permission.permissioned
+      
+      if po.kind_of? ActiveRecord::Base
+        objmatch = (po.class.name == obj.class.name and po.id == obj.id)
+      else
+        objmatch = (po == obj)
+      end
+      
+      permmatch = (permission.permission == perm_name)
+      
+      result = ((po.nil? or objmatch) and
+        (permission.permission.nil? or permmatch))
+      
+      if result
+        break
+      end
+    end
+    logger.debug "Permission check result: #{result}"
+    return result
+  end
+  
+  def administrator_classes
+    AeUsers.permissioned_classes.select do |c|
+      permitted?(c, "change_permissions_#{c.name.tableize}")
+    end
+  end
+  
+  def administrator?
+    administrator_classes.length > 0
+  end
+  
+  def current_age
+    age_as_of Date.today
+  end
+  
+  def age_as_of(base = Date.today)
+    if not birthdate.nil?
+      base.year - birthdate.year - ((base.month * 100 + base.day >= birthdate.month * 100 + birthdate.day) ? 0 : 1)
+    end
+  end
+  
+  def app_profile
+    @app_profile ||= AeUsers.profile_class.find_by_person_id(id)
+    @app_profile
+  end
+  
+  def profile
+    app_profile
+  end
+  
+  def name
+    return "#{firstname} #{lastname}"
+#    n = firstname
+#    if nickname and nickname.length > 0
+#      n += " \"#{nickname}\""
+#    end
+#    n += " #{lastname}"
+#    return n
+  end
+  
+  if not AeUsers.profile_class.nil?
+    class_eval <<-END_CODE
+    def #{AeUsers.profile_class.name.tableize.singularize}
+      app_profile
+    end
+    END_CODE
+  end
+end