apispree_auth 0.0.0

data/LICENSE

@@ -0,0 +1,26 @@
+Copyright (c) 2007-2010, Rails Dog LLC and other contributors
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification,
+are permitted provided that the following conditions are met:
+
+    * Redistributions of source code must retain the above copyright notice,
+      this list of conditions and the following disclaimer.
+    * Redistributions in binary form must reproduce the above copyright notice,
+      this list of conditions and the following disclaimer in the documentation
+      and/or other materials provided with the distribution.
+    * Neither the name Spree nor the names of its contributors may be used to
+      endorse or promote products derived from this software without specific
+      prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
+CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

data/README.md

@@ -0,0 +1,36 @@
+Overview
+--------
+
+This gem provides the so-called "core" functionality of Spree and is a requirement for any Spree application or
+store.  The basic data models as well as product catalog and admin functionality are all provided by this gem.
+
+
+Security Warning
+----------------
+
+*This gem provides absolutely no authentication and authorization.  You are strongly encouraged to install
+and use the spree-auth gem in addition to spree-core in order to restrict access to orders and other admin
+functionality.*
+
+
+Running Tests
+-------------
+
+You need to do a quick one-time creation of a test application and then you can use it to run the tests.
+
+    rake test_app
+
+Then run the rspec tests
+
+    rake spec
+
+Then run the cucumber tests
+
+    bundle exec cucumber
+
+Misc
+----
+
+authentication by token example
+
+    http://localhost:3000/?auth_token=oWBSN16k6dWx46TtSGcp

data/app/controllers/admin_controller_decorator.rb

@@ -0,0 +1,7 @@
+Admin::BaseController.class_eval do
+  before_filter :authorize_admin
+
+  def authorize_admin
+    authorize! :admin, Object
+  end
+end

data/app/controllers/admin_orders_controller_decorator.rb

@@ -0,0 +1,15 @@
+Admin::OrdersController.class_eval do
+  before_filter :check_authorization
+
+  private
+
+  def check_authorization
+    load_order
+    session[:access_token] ||= params[:token]
+
+    resource = @order || Order
+    action = params[:action].to_sym
+
+    authorize! action, resource, session[:access_token]
+  end
+end

data/app/controllers/admin_resource_controller_decorator.rb

@@ -0,0 +1,3 @@
+Admin::ResourceController.class_eval do
+  authorize_resource
+end

data/app/controllers/checkout_controller_decorator.rb

@@ -0,0 +1,42 @@
+CheckoutController.class_eval do
+  before_filter :check_authorization
+  before_filter :check_registration, :except => [:registration, :update_registration]
+
+  helper :users
+
+  def registration
+    @user = User.new
+  end
+
+  def update_registration
+    # hack - temporarily change the state to something other than cart so we can validate the order email address
+    current_order.state = "address"
+    if current_order.update_attributes(params[:order])
+      redirect_to checkout_path
+    else
+      @user = User.new
+      render 'registration'
+    end
+  end
+
+  private
+  def check_authorization
+    authorize!(:edit, current_order, session[:access_token])
+  end
+
+  # Introduces a registration step whenever the +registration_step+ preference is true.
+  def check_registration
+    return unless Spree::Auth::Config[:registration_step]
+    return if current_user or current_order.email
+    store_location
+    redirect_to checkout_registration_path
+  end
+
+  # Overrides the equivalent method defined in spree_core.  This variation of the method will ensure that users
+  # are redirected to the tokenized order url unless authenticated as a registered user.
+  def completion_route
+    return order_path(@order) if current_user
+    token_order_path(@order, @order.token)
+  end
+
+end

data/app/controllers/orders_controller_decorator.rb

@@ -0,0 +1,17 @@
+OrdersController.class_eval do
+  before_filter :check_authorization
+
+  private
+
+  def check_authorization
+    session[:access_token] ||= params[:token]
+    order = current_order || Order.find_by_number(params[:id])
+
+    if order
+      authorize! :edit, order, session[:access_token]
+    else
+      authorize! :create, Order
+    end
+  end
+
+end

data/app/controllers/resource_controller_decorator.rb

@@ -0,0 +1,25 @@
+# This overrides the before method provided by resource_controller so that the current_user is authorized
+# for each action before proceding.
+module ResourceController
+  module Helpers
+    module Internal
+      protected
+      # Calls the before block for the action, if one is present.
+      def before(action)
+
+        resource = case action
+        when :index, :new, :create
+          model
+        else object
+        end
+
+        if resource.respond_to? :token
+          authorize! action, resource, session[:access_token]
+        else
+          authorize! action, resource
+        end
+        invoke_callbacks *self.class.send(action).before
+      end
+    end
+  end
+end

data/app/controllers/spree/base_controller_decorator.rb

@@ -0,0 +1,49 @@
+Spree::BaseController.class_eval do
+
+  before_filter :set_current_user
+
+  # graceful error handling for cancan authorization exceptions
+  rescue_from CanCan::AccessDenied do |exception|
+    return unauthorized
+  end
+
+  private
+
+  # Redirect as appropriate when an access request fails.  The default action is to redirect to the login screen.
+  # Override this method in your controllers if you want to have special behavior in case the user is not authorized
+  # to access the requested action.  For example, a popup window might simply close itself.
+  def unauthorized
+    respond_to do |format|
+      format.html do
+        if current_user
+          flash.now[:error] = I18n.t(:authorization_failure)
+          render 'shared/unauthorized', :layout => 'spree_application'
+        else
+          flash[:error] = I18n.t(:authorization_failure)
+          store_location
+          redirect_to login_path and return
+        end
+      end
+      format.xml do
+        request_http_basic_authentication 'Web Password'
+      end
+      format.json do
+        render :text => "Not Authorized \n", :status => 401
+      end
+    end
+  end
+
+  def store_location
+    # disallow return to login, logout, signup pages
+    disallowed_urls = [signup_url, login_url, destroy_user_session_path]
+    disallowed_urls.map!{|url| url[/\/\w+$/]}
+    unless disallowed_urls.include?(request.fullpath)
+      session["user_return_to"] = request.fullpath
+    end
+  end
+
+  def set_current_user
+    User.current = current_user
+  end
+
+end

data/app/controllers/user_passwords_controller.rb

@@ -0,0 +1,20 @@
+class UserPasswordsController < Devise::PasswordsController
+  include SpreeBase
+  helper :users, 'spree/base'
+
+  def new
+    super
+  end
+
+  def create
+    super
+  end
+
+  def edit
+    super
+  end
+
+  def update
+    super
+  end
+end

data/app/controllers/user_registrations_controller.rb

@@ -0,0 +1,64 @@
+class UserRegistrationsController < Devise::RegistrationsController
+  include SpreeBase
+  helper :users, 'spree/base'
+
+  ssl_required
+  after_filter :associate_user, :only => :create
+  before_filter :check_permissions, :only => [:edit, :update]
+  skip_before_filter :require_no_authentication
+
+  # GET /resource/sign_up
+  def new
+    super
+  end
+
+  # POST /resource/sign_up
+  def create
+    @user = build_resource(params[:user])
+    logger.debug(@user)
+    if resource.save
+      set_flash_message(:notice, :signed_up)
+      sign_in_and_redirect(:user, @user)
+    else
+      clean_up_passwords(resource)
+      render_with_scope(:new)
+    end
+  end
+
+  # GET /resource/edit
+  def edit
+    super
+  end
+
+  # PUT /resource
+  def update
+    super
+  end
+
+  # DELETE /resource
+  def destroy
+    super
+  end
+
+  # GET /resource/cancel
+  # Forces the session data which is usually expired after sign
+  # in to be expired now. This is useful if the user wants to
+  # cancel oauth signing in/up in the middle of the process,
+  # removing all OAuth session data.
+  def cancel
+    super
+  end
+
+  protected
+
+  def check_permissions
+    authorize!(:create, resource)
+  end
+
+  def associate_user
+    return unless current_user and current_order
+    current_order.associate_user!(current_user)
+    session[:guest_token] = nil
+  end
+
+end

data/app/controllers/user_sessions_controller.rb

@@ -0,0 +1,81 @@
+class UserSessionsController < Devise::SessionsController
+  include SpreeBase
+  helper :users, 'spree/base'
+
+  include Spree::CurrentOrder
+
+  after_filter :associate_user, :only => :create
+
+  ssl_required :new, :create, :destroy, :update
+  ssl_allowed :login_bar
+
+  # GET /resource/sign_in
+  def new
+    super
+  end
+  def create
+    authenticate_user!
+
+    if user_signed_in?
+      api_key = current_user.generate_api_key!
+      user_response = Hash.new
+      user_response[:user] = Hash.new
+      user_response[:user][:email]=current_user.email
+      user_response[:user][:authentication_token]=current_user.authentication_token
+      user_response[:user][:sign_in_count]=current_user.sign_in_count
+      respond_to do |format|
+        format.html {
+          flash.notice = t(:logged_in_succesfully)
+          redirect_back_or_default(products_path)
+        }
+        format.json {
+          render :json => user_response.to_json
+        }
+      end
+    else
+      flash.now[:error] = t('devise.failure.invalid')
+      render :new
+    end
+  end
+  #~ def create
+    #~ authenticate_user!
+
+    #~ if user_signed_in?
+      #~ respond_to do |format|
+        #~ format.html {
+          #~ flash[:notice] = I18n.t("logged_in_succesfully")
+          #~ redirect_back_or_default(products_path)
+        #~ }
+        #~ format.js {
+          #~ user = resource.record
+          #~ render :json => {:ship_address => user.ship_address, :bill_address => user.bill_address}.to_json
+        #~ }
+      #~ end
+    #~ else
+      #~ flash[:error] = I18n.t("devise.failure.invalid")
+      #~ render :new
+    #~ end
+  #~ end
+
+  def destroy
+    session.clear
+    super
+  end
+
+  def nav_bar
+    render :partial => "shared/nav_bar"
+  end
+
+  private
+
+  def associate_user
+    return unless current_user and current_order
+    current_order.associate_user!(current_user)
+    session[:guest_token] = nil
+  end
+
+  def accurate_title
+    I18n.t(:log_in)
+  end
+
+end

data/app/controllers/users_controller.rb

@@ -0,0 +1,54 @@
+class UsersController < Spree::BaseController
+  prepend_before_filter :load_object, :only => [:show, :edit, :update]
+  prepend_before_filter :authorize_actions, :only => :new
+
+  def show
+    @orders = @user.orders.complete
+  end
+
+  def create
+    @user = User.new(params[:user])
+    if @user.save
+
+      if current_order
+        current_order.associate_user!(@user)
+        session[:guest_token] = nil
+      end
+
+      redirect_back_or_default(root_url)
+    else
+      render 'new'
+    end
+
+  end
+
+  def update
+    if @user.update_attributes(params[:user])
+      if params[:user][:password].present?
+        # this logic needed b/c devise wants to log us out after password changes
+        user = User.reset_password_by_token(params[:user])
+        sign_in(@user, :event => :authentication, :bypass => !Spree::Auth::Config[:signout_after_password_change])
+      end
+      flash.notice = I18n.t("account_updated")
+      redirect_to account_url
+    else
+      render 'edit'
+    end
+
+  end
+
+  private
+    def load_object
+      @user ||= current_user
+      authorize! params[:action].to_sym, @user
+    end
+
+    def authorize_actions
+      authorize! params[:action].to_sym, User
+    end
+
+    def accurate_title
+      I18n.t(:account)
+    end
+
+end