amrita2 1.9.6 → 2.0.0

data/sample/login_engine/lib/login_engine/authenticated_system.rb

@@ -0,0 +1,113 @@
+module LoginEngine
+  module AuthenticatedSystem
+    
+    protected
+
+    # overwrite this if you want to restrict access to only a few actions
+    # or if you want to check if the user has the correct rights  
+    # example:
+    #
+    #  # only allow nonbobs
+    #  def authorize?(user)
+    #    user.login != "bob"
+    #  end
+    def authorize?(user)
+       true
+    end
+  
+    # overwrite this method if you only want to protect certain actions of the controller
+    # example:
+    # 
+    #  # don't protect the login and the about method
+    #  def protect?(action)
+    #    if ['action', 'about'].include?(action)
+    #       return false
+    #    else
+    #       return true
+    #    end
+    #  end
+    def protect?(action)
+      true
+    end
+   
+    # login_required filter. add 
+    #
+    #   before_filter :login_required
+    #
+    # if the controller should be under any rights management. 
+    # for finer access control you can overwrite
+    #   
+    #   def authorize?(user)
+    # 
+    def login_required
+      if not protect?(action_name)
+        return true  
+      end
+
+      if user? and authorize?(session[:user])
+        return true
+      end
+
+      # store current location so that we can 
+      # come back after the user logged in
+      store_location
+  
+      # call overwriteable reaction to unauthorized access
+      access_denied
+    end
+
+    # overwrite if you want to have special behavior in case the user is not authorized
+    # to access the current operation. 
+    # the default action is to redirect to the login screen
+    # example use :
+    # a popup window might just close itself for instance
+    def access_denied
+      redirect_to :controller => "/user", :action => "login"
+    end  
+  
+    # store current uri in  the session.
+    # we can return to this location by calling return_location
+    def store_location
+      session['return-to'] = request.request_uri
+    end
+
+    # move to the last store_location call or to the passed default one
+    def redirect_to_stored_or_default(default=nil)
+      if session['return-to'].nil?
+        redirect_to default
+      else
+        redirect_to_url session['return-to']
+        session['return-to'] = nil
+      end
+    end
+
+    def redirect_back_or_default(default=nil)
+      if request.env["HTTP_REFERER"].nil?
+        redirect_to default
+      else
+        redirect_to(request.env["HTTP_REFERER"]) # same as redirect_to :back
+      end
+    end
+
+    def user?
+      # First, is the user already authenticated?
+      return true if not session[:user].nil?
+
+      # If not, is the user being authenticated by a token?
+      id = params[:user_id]
+      key = params[:key]
+      if id and key
+        session[:user] = User.authenticate_by_token(id, key)
+        return true if not session[:user].nil?
+      end
+
+      # Everything failed
+      return false
+    end
+  
+    # Returns the current user from the session, if any exists
+    def current_user
+      session[:user]
+    end
+  end
+end  

data/sample/login_engine/lib/login_engine/authenticated_user.rb

@@ -0,0 +1,155 @@
+require 'digest/sha1'
+
+# this model expects a certain database layout and its based on the name/login pattern. 
+
+module LoginEngine
+  module AuthenticatedUser
+
+    def self.included(base)
+      base.class_eval do
+
+        # use the table name given
+        set_table_name LoginEngine.config(:user_table)
+
+        attr_accessor :new_password
+      
+        validates_presence_of :login
+        validates_length_of :login, :within => 3..40
+        validates_uniqueness_of :login
+        validates_uniqueness_of :email
+        validates_format_of :email, :with => /^[^@]+@.+$/
+
+        validates_presence_of :password, :if => :validate_password?
+        validates_confirmation_of :password, :if => :validate_password?
+        validates_length_of :password, { :minimum => 5, :if => :validate_password? }
+        validates_length_of :password, { :maximum => 40, :if => :validate_password? }
+  
+        protected 
+      
+        attr_accessor :password, :password_confirmation
+      
+        after_save :falsify_new_password
+        after_validation :crypt_password
+
+      end
+      base.extend(ClassMethods)
+    end
+
+    module ClassMethods
+    
+      def authenticate(login, pass)
+        u = find(:first, :conditions => ["login = ? AND verified = 1 AND deleted = 0", login])
+        return nil if u.nil?
+        find(:first, :conditions => ["login = ? AND salted_password = ? AND verified = 1", login, AuthenticatedUser.salted_password(u.salt, AuthenticatedUser.hashed(pass))])
+      end
+
+      def authenticate_by_token(id, token)
+        # Allow logins for deleted accounts, but only via this method (and
+        # not the regular authenticate call)
+        u = find(:first, :conditions => ["#{User.primary_key} = ? AND security_token = ?", id, token])
+        return nil if u.nil? or u.token_expired?
+        return nil if false == u.update_expiry
+        u
+      end
+      
+    end
+  
+
+    protected
+    
+      def self.hashed(str)
+        # check if a salt has been set...
+        if LoginEngine.config(:salt) == nil
+          raise "You must define a :salt value in the configuration for the LoginEngine module."
+        end
+  
+        return Digest::SHA1.hexdigest("#{LoginEngine.config(:salt)}--#{str}--}")[0..39]
+      end
+    
+      def self.salted_password(salt, hashed_password)
+        hashed(salt + hashed_password)
+      end
+    
+    public
+  
+    # hmmm, how does this interact with the developer's own User model initialize?
+    # We would have to *insist* that the User.initialize method called 'super'
+    #
+    def initialize(attributes = nil)
+      super
+      @new_password = false
+    end
+
+    def token_expired?
+      self.security_token and self.token_expiry and (Time.now > self.token_expiry)
+    end
+
+    def update_expiry
+      write_attribute('token_expiry', [self.token_expiry, Time.at(Time.now.to_i + 600 * 1000)].min)
+      write_attribute('authenticated_by_token', true)
+      write_attribute("verified", 1)
+      update_without_callbacks
+    end
+
+    def generate_security_token(hours = nil)
+      if not hours.nil? or self.security_token.nil? or self.token_expiry.nil? or 
+          (Time.now.to_i + token_lifetime / 2) >= self.token_expiry.to_i
+        return new_security_token(hours)
+      else
+        return self.security_token
+      end
+    end
+
+    def set_delete_after
+      hours = LoginEngine.config(:delayed_delete_days) * 24
+      write_attribute('deleted', 1)
+      write_attribute('delete_after', Time.at(Time.now.to_i + hours * 60 * 60))
+
+      # Generate and return a token here, so that it expires at
+      # the same time that the account deletion takes effect.
+      return generate_security_token(hours)
+    end
+
+    def change_password(pass, confirm = nil)
+      self.password = pass
+      self.password_confirmation = confirm.nil? ? pass : confirm
+      @new_password = true
+    end
+    
+    protected
+
+    def validate_password?
+      @new_password
+    end
+
+
+    def crypt_password
+      if @new_password
+        write_attribute("salt", AuthenticatedUser.hashed("salt-#{Time.now}"))
+        write_attribute("salted_password", AuthenticatedUser.salted_password(salt, AuthenticatedUser.hashed(@password)))
+      end
+    end
+
+    def falsify_new_password
+      @new_password = false
+      true
+    end
+
+    def new_security_token(hours = nil)
+      write_attribute('security_token', AuthenticatedUser.hashed(self.salted_password + Time.now.to_i.to_s + rand.to_s))
+      write_attribute('token_expiry', Time.at(Time.now.to_i + token_lifetime(hours)))
+      update_without_callbacks
+      return self.security_token
+    end
+
+    def token_lifetime(hours = nil)
+      if hours.nil?
+        LoginEngine.config(:security_token_life_hours) * 60 * 60
+      else
+        hours * 60 * 60
+      end
+    end
+
+  end
+end
+  

data/sample/login_engine/lib/login_engine.rb

@@ -0,0 +1,62 @@
+require 'login_engine/authenticated_user'
+require 'login_engine/authenticated_system'
+
+module LoginEngine
+ include AuthenticatedSystem # re-include the helper module
+
+  #--
+  # Define the configuration values. config sets the value of the
+  # constant ONLY if it has not already been set, i.e. by the user in
+  # environment.rb
+  #++
+
+  # Source address for user emails
+  config :email_from, 'webmaster@your.company'
+
+  # Destination email for system errors
+  config :admin_email, 'webmaster@your.company'
+
+  # Sent in emails to users
+  config :app_url, 'http://localhost:3000/'
+
+  # Sent in emails to users
+  config :app_name, 'TestApp'
+
+  # Email charset
+  config :mail_charset, 'utf-8'
+
+  # Security token lifetime in hours
+  config :security_token_life_hours, 24
+
+  # Two column form input
+  config :two_column_input, true
+
+  # Add all changeable user fields to this array.
+  # They will then be able to be edited from the edit action. You
+  # should NOT include the email field in this array.
+  config :changeable_fields, [ 'firstname', 'lastname' ]
+
+  # Set to true to allow delayed deletes (i.e., delete of record
+  # doesn't happen immediately after user selects delete account,
+  # but rather after some expiration of time to allow this action
+  # to be reverted).
+  config :delayed_delete, false
+
+  # Default is one week
+  config :delayed_delete_days, 7
+  
+  # the table to store user information in
+  if ActiveRecord::Base.pluralize_table_names
+    config :user_table, "users"
+  else
+    config :user_table, "user"
+  end
+
+  # controls whether or not email is used
+  config :use_email_notification, true
+
+  # Controls whether accounts must be confirmed after signing up
+  # ONLY if this and use_email_notification are both true
+  config :confirm_account, true
+
+end

data/sample/login_engine/public/dispatch.rb

@@ -0,0 +1,10 @@
+#!/usr/local/bin/ruby
+
+require File.dirname(__FILE__) + "/../config/environment" unless defined?(RAILS_ROOT)
+
+# If you're using RubyGems and mod_ruby, this require should be changed to an absolute path one, like:
+# "/usr/local/lib/ruby/gems/1.8/gems/rails-0.8.0/lib/dispatcher" -- otherwise performance is severely impaired
+require "dispatcher"
+
+ADDITIONAL_LOAD_PATHS.reverse.each { |dir| $:.unshift(dir) if File.directory?(dir) } if defined?(Apache::RubyRun)
+Dispatcher.dispatch

data/sample/login_engine/test/functional/amrita2_test.rb

@@ -0,0 +1,267 @@
+
+require File.dirname(__FILE__) + '/../test_helper'
+require 'user_controller'
+require 'amrita2/testsupport'
+
+
+# Re-raise errors caught by the controller.
+class UserController; def rescue_action(e) raise e end; end
+
+class UserControllerTestWithAmrita2 < Test::Unit::TestCase
+  include Amrita2::TestSupport
+  fixtures :users
+
+  def setup
+    LoginEngine::CONFIG[:salt] = "test-salt"
+
+    @controller = UserController.new
+    @request, @response = ActionController::TestRequest.new, ActionController::TestResponse.new
+    @request.host = "localhost"
+  end
+
+  def test_invalid_login
+    post :login, :user => { :login => "bob", :password => "wrong_password" }
+    assert_response :success
+
+    assert_nil session[:user]
+    assert_template "login"
+    #puts @response.body
+    assert_equal_as_xml @response.body, <<EOF
+<html>
+  <head>
+    <title>MyApp</title>
+    <link href='/stylesheets/login_engine.css' media='screen' rel='Stylesheet' type='text/css' />
+  </head>
+<body>
+<div id='warning'>Login unsuccessful</div>
+<div title="UserController login" class="form">
+  <h3>Please Login</h3>
+  <div class="form-padding">
+    <form action="/user/login" method="post">
+      <table>
+        <tr class="two_columns">
+          <td class="prompt"><label>Login ID:</label></td>
+          <td class="value"><input id="user_login" name="user[login]" size="30" type="text" value="bob"/></td>
+        </tr>
+        <tr class="two_columns">
+          <td class="prompt"><label>Password:</label></td>
+          <td class="value"><input id="user_password" name="user[password]" size="30" type="password" value=""/></td>
+        </tr>
+      </table>
+      <div class="button-bar">
+        <input name="commit" type="submit" value="Login" />
+        <a href="/user/signup">Register for an account</a> |
+        <a href="/user/forgot_password">Forgot my password</a>
+      </div>
+    </form>
+  </div>
+</div>
+</body>
+</html>
+EOF
+  end
+
+  def test_invalid_login_ja
+    post :login, :user => { :login => "bob", :password => "wrong_password" }, :lang=>'ja'
+    assert_response :success
+
+    assert_nil session[:user]
+    assert_template "login"
+    assert_equal_as_xml @response.body, <<EOF
+<html>
+  <head>
+    <title>MyApp</title>
+    <link href='/stylesheets/login_engine.css' media='screen' rel='Stylesheet' type='text/css' />
+  </head>
+<body>
+<div id='warning'>ログイン失敗</div>
+<div title="UserController login" class="form">
+  <h3>ログインしてください</h3>
+  <div class="form-padding">
+    <form action="/user/login" method="post">
+      <table>
+        <tr class="two_columns">
+          <td class="prompt"><label>ログインID</label></td>
+          <td class="value"><input id="user_login" name="user[login]" size="30" type="text" value="bob"/></td>
+        </tr>
+        <tr class="two_columns">
+          <td class="prompt"><label>パスワード</label></td>
+          <td class="value"><input id="user_password" name="user[password]" size="30" type="password" value=""/></td>
+        </tr>
+      </table>
+      <div class="button-bar">
+        <input name="commit" type="submit" value="ログイン" />
+        <a href="/user/signup">新規登録する</a> |
+        <a href="/user/forgot_password">パスワードを忘れた時はこちら</a>
+      </div>
+    </form>
+  </div>
+</div>
+</body>
+</html>
+EOF
+  end
+
+  def test_signup_bad_password
+    LoginEngine::CONFIG[:use_email_notification] = true
+    ActionMailer::Base.deliveries = []
+
+    @request.session['return-to'] = "/bogus/location"
+    post :signup, :user => { :login => "newbob", :password => "bad", :password_confirmation => "bad", :email => "newbob@test.com" }
+    assert_nil session[:user]
+    #assert_invalid_column_on_record "user", "password"
+    assert assigns["user"].errors.invalid?("password")
+
+    assert_response :success
+    assert_equal 0, ActionMailer::Base.deliveries.size
+
+    #puts @response.body
+    assert_equal_as_xml @response.body, <<EOF
+<html>
+<head>
+  <title>MyApp</title>
+  <link href='/stylesheets/login_engine.css' media='screen' rel='Stylesheet' type='text/css' />
+</head>
+<body>
+
+<div title="UserController signup" class="form">
+  <h3>Signup</h3>
+
+  <div class="errorExplanation" id="errorExplanation"><h2>1 error prohibited this user from being saved</h2><p>There was a problem with the following field:</p><ul><li>Password is too short (minimum is 5 characters)</li></ul></div>
+
+  <div class="form-padding">
+    <form action="/user/signup" method="post">
+      <div class="user_edit">
+  <table>
+            <tr class="two_columns">
+          <td class="prompt"><label>First Name:</label></td>
+          <td class="value"><input id="user_firstname" name="user[firstname]" size="30" type="text" /></td>
+        </tr>
+
+            <tr class="two_columns">
+          <td class="prompt"><label>Last Name:</label></td>
+          <td class="value"><input id="user_lastname" name="user[lastname]" size="30" type="text" /></td>
+        </tr>
+
+            <tr class="two_columns">
+          <td class="prompt"><label>Login ID:</label></td>
+          <td class="value"><input id="user_login" name="user[login]" size="30" type="text" value="newbob" /></td>
+        </tr>
+            <tr class="two_columns">
+          <td class="prompt"><label>Email:</label></td>
+          <td class="value"><input id="user_email" name="user[email]" size="30" type="text" value="newbob@test.com" /></td>
+        </tr>
+
+
+  </table>
+</div>
+<br/>
+      <div class="user_password">
+  <table>
+            <tr class="two_columns">
+          <td class="prompt"><label>Password:</label></td>
+          <td class="value"><div class="fieldWithErrors"><input id="user_password" name="user[password]" size="30" type="password" value="" /></div></td>
+        </tr>
+
+            <tr class="two_columns">
+          <td class="prompt"><label>Password Confirmation:</label></td>
+          <td class="value"><input id="user_password_confirmation" name="user[password_confirmation]" size="30" type="password" value="" /></td>
+        </tr>
+
+
+  </table>
+</div>
+
+      <div class="button-bar">
+        <input name="commit" type="submit" value="Signup" />
+        <a href="/user/login">Cancel</a>
+      </div>
+    </form>
+  </div>
+</div>
+</body>
+</html>
+EOF
+  end
+
+  def test_edit
+    post :login, :user => { :login => "bob", :password => "atest" }
+    assert(@response.has_session_object?(:user))
+
+    get :edit
+    assert_response :success
+
+    #puts @response.body
+    assert_equal_as_xml @response.body, <<EOF
+
+<html>
+<head>
+  <title>MyApp</title>
+  <link href='/stylesheets/login_engine.css' media='screen' rel='Stylesheet' type='text/css' />
+</head>
+<body>
+
+
+     <div id="notice">Login successful</div>
+
+<div title="UserController edit" class="form">
+  <h3>Edit user</h3>
+
+
+
+    <form action="/user/edit" method="post">
+
+
+<div class = "user_edit"><table><tr class = "two_columns"><td class = "prompt">              <label> First Name: </label>
+</td>          <td class = "value">  <input id="user_firstname" name="user[firstname]" size="30" type="text" />       </td>
+</tr><tr class = "two_columns"><td class = "prompt">              <label> Last Name:  </label>
+</td>          <td class = "value">  <input id="user_lastname" name="user[lastname]" size="30" type="text" />        </td>
+</tr><tr class = "two_columns"><td class = "prompt">              <label> Login ID:   </label>
+</td>          <td class = "value">  <input id="user_login" name="user[login]" size="30" type="text" value="bob" />           </td>
+</tr><tr class = "two_columns"><td class = "prompt">              <label> Email:      </label>
+</td>          <td class = "value">  <input id="user_email" name="user[email]" size="30" type="text" value="bob@test.com" />
+       </td>
+</tr></table>
+<input name="submit" type="submit" value="Change Settings" />
+</div>
+    </form>
+    <br/>
+    <form action="/user/change_password" method="post">
+      <input id="back_to" name="back_to" type="hidden" value="edit" />
+
+
+
+
+<div class = "user_password"><table><tr class = "two_columns"><td class = "prompt">              <label> Password:
+</label>
+</td>          <td class = "value">  <input id="user_password" name="user[password]" size="30" type="password" value="" />
+        </td>
+</tr><tr class = "two_columns"><td class = "prompt">              <label> Password Confirmation: </label>
+</td>          <td class = "value">  <input id="user_password_confirmation" name="user[password_confirmation]" size="30" type="password" value="" /> </td>
+</tr></table>
+<input name="submit" type="submit" value="Change password" />
+
+</div>
+    </form>
+
+    <form action="/user/delete" method="post">
+      <div class="user_delete">
+        <input id="user_form" name="user[form]" type="hidden" value="delete" />
+        <input name="submit" type="submit" value="Delete Account" />
+      </div>
+    </form>
+  </div>
+</div>
+</body>
+</html>
+
+EOF
+    post :edit, :user => { "firstname" => "Bob", "form" => "edit" }
+    assert_equal @response.session[:user].firstname, "Bob"
+
+    post :edit, :user => { "firstname" => "", "form" => "edit" }
+    assert_equal @response.session[:user].firstname, ""
+
+    get :logout
+  end
+end