authengine 0.0.2

data/app/controllers/authengine/useractions_controller.rb

@@ -0,0 +1,17 @@
+class Authengine::UseractionsController < ApplicationController
+  layout 'authengine/layouts/authengine'
+  
+  def show
+    eval("@useractions = Useraction#{params[:actionlog_id].to_i}.all.map{|u| u.becomes(Useraction)}")
+    @date = Useraction.date_of_index(params[:actionlog_id].to_i)
+    @sort_criteria = [ :created_at, :user_lastName ]
+  end
+  
+  def index
+    dates = (0..4).to_a.inject({}) do |hash,index|
+      hash.merge!( index => Useraction.date_of_index(index) )
+      hash
+    end
+    @dates = dates.invert
+  end
+end

data/app/controllers/authengine/users_controller.rb

@@ -0,0 +1,137 @@
+# Besides the ususal REST actions, this controller contains show_self,
+# edit_self and update_self actions.
+# This permits access to be explicitly controlled via the
+# check_permissions filter, distinguishing between actions on one's own
+# model vs. actions on other users' models.
+class Authengine::UsersController < ApplicationController
+  layout 'authengine/layouts/authengine'
+  #before_filter :not_logged_in_required, :only => [:new, :create]
+  #before_filter :login_required, :only => [:show, :edit, :update]
+  #before_filter :check_administrator_role, :only => [:index, :destroy, :enable]
+  #before_filter :user_or_current_user, :only => [:show, :edit, :update]
+
+  # activate is where a user with the correct activation code
+  # is redirected to, so they can enter passwords and login name
+  skip_before_filter :check_permissions, :only=>[:activate, :signup]
+
+  def index
+    @users = User.find(:all, :order=>"lastName, firstName")
+  end
+
+  def show
+    @user = User.find(params[:id])
+  end
+
+  def show_self
+    @user = current_user
+    render :template=>"users/show"
+  end
+
+  def new
+    @user = User.new
+    @user.user_roles.build
+    @roles = Role.all
+  end
+
+# users may only be created by the administrator from the index page
+  def create
+    cookies.delete :auth_token
+    @user = User.new(params[:user])
+    @user.save!
+    redirect_to authengine_users_path
+  rescue ActiveRecord::RecordInvalid
+    flash[:error] = "There was a problem creating the user account."
+    @roles=Role.all
+    render :action => 'new'
+  end
+
+  def edit # edit a user profile with id given
+    @user = User.find(params[:id])
+  end
+
+  def edit_self # edit profile of current user
+    @user = current_user
+    render :template => 'users/edit'
+  end
+
+# account was created by admin and now user is entering username/password
+  def activate
+    # TODO must remember to reset the session[:activation_code]
+    # looks as if setting current user (next line) was causing the user to be
+    # logged-in after activation
+    user = User.find_and_activate!(params[:activation_code])
+    if user.update_attributes(params[:user].slice(:login, :email, :password, :password_confirmation))
+      redirect_to root_path
+    else
+      flash[:warn] = user.errors.full_messages
+      redirect_to signup_authengine_user_path(user)
+    end
+  rescue User::ArgumentError
+    flash[:notice] = 'Activation code not found. Please ask the database administrator to create an account for you.'
+    redirect_to new_authengine_user_path
+  rescue User::ActivationCodeNotFound
+    flash[:notice] = 'Activation code not found. Please ask the database administrator to create an account for you.'
+    redirect_to new_authengine_user_path
+  rescue User::AlreadyActivated
+    flash[:notice] = 'Your account has already been activated. You can log in below.'
+    redirect_to login_path
+  end
+
+  def update_self
+    @user = User.find(current_user.id)
+    if @user.update_attributes(params[:user])
+      flash[:notice] = "Your profile has been updated"
+      redirect_to authengine_users_path
+    else
+      flash[:notice] = @user.errors.full_messages
+      render :action => 'edit'
+    end
+  end
+
+  def update
+    @user = User.find(params[:id])
+    if @user.update_attributes(params[:user])
+      flash[:notice] = "User updated"
+      redirect_to authengine_users_path
+    else
+      render :action => 'edit'
+    end
+  end
+
+  def destroy
+    @user = User.find(params[:id])
+    @user.destroy
+    redirect_to authengine_users_path
+  end
+
+  def disable
+    @user = User.find(params[:id])
+    unless @user.update_attribute(:enabled, false)
+      flash[:error] = "There was a problem disabling this user."
+    end
+    redirect_to authengine_users_path
+  end
+
+  def enable
+    @user = User.find(params[:id])
+    unless @user.update_attribute(:enabled, true)
+      flash[:error] = "There was a problem enabling this user."
+    end
+    redirect_to authengine_users_path
+  end
+
+  def signup
+    @user = User.find(params[:id])
+  end
+
+protected
+
+  def user_or_current_user
+    if current_user.has_role?('administrator')
+      @user = User.find(params[:id])
+    else
+      @user = current_user
+    end
+  end
+
+end

data/app/helpers/application_helper.rb

@@ -0,0 +1,2 @@
+## Look in lib/application_helper.rb
+## I can't figure out how to get it included unless I put it that directory

data/app/helpers/authengine/users_helper.rb

@@ -0,0 +1,11 @@
+module Authengine
+  module UsersHelper
+  #used in the edit template to create the correct link for saving
+  #this permits access control by having both "update self" action and 
+  #an update action with id passed in url
+    def requested_user_or_self
+      @user == current_user ? update_self_authengine_user_url(@user) : authengine_user_url(@user, :method => :put)
+    end
+
+  end
+end

data/app/helpers/roles_helper.rb

@@ -0,0 +1,2 @@
+module RolesHelper
+end

data/app/mailers/authengine/user_mailer.rb

@@ -0,0 +1,53 @@
+class Authengine::UserMailer < ActionMailer::Base
+  def signup_notification(user)
+    setup_email(user)
+    @subject    += 'Please activate your new account'  
+    @url = authengine_activate_url(:activation_code => user.activation_code)
+    mail( :to => @recipients,
+          :subject => @subject,
+          :date => @sent_on,
+          :from => @from
+        )
+  end
+
+  def activation(user)
+    setup_email(user)
+    @subject    += 'Your account has been activated!'
+    @url = login_url
+    mail( :to => @recipients,
+          :subject => @subject,
+          :date => @sent_on,
+          :from => @from
+        )
+  end
+
+  def forgot_password(user)
+    setup_email(user)
+    @subject    += 'You have requested to change your password'
+    @url  = "http://#{SITE_URL}/authengine/reset_password/#{user.password_reset_code}"
+  end
+
+  def reset_password(user)
+    setup_email(user)
+    @subject    += 'Your password has been reset.'
+  end
+
+  def message_to_admin(subject,body)
+    @admin = User.find_by_login('admin')
+    @recipients  = @admin.email
+    @from        = @admin.email
+    @subject     = "#{APPLICATION_NAME || "database"} - "
+    @sent_on     = Time.now
+    @subject    += subject
+    @body  = body
+  end
+
+protected
+  def setup_email(user)
+    @recipients  = "#{user.email}"
+    @from        = "#{APPLICATION_NAME || "database"} Administrator<#{ADMIN_EMAIL}>"
+    @subject     = "#{APPLICATION_NAME || "database"} - "
+    @sent_on     = Time.now
+    @user        = user
+  end
+end

data/app/models/action.rb

@@ -0,0 +1,54 @@
+class Action < ActiveRecord::Base
+  belongs_to :controller
+
+  has_many :action_roles, :dependent=>:delete_all
+  has_many :roles, :through => :action_roles
+
+  # useractions are created in order to log actions performed by users, for recording in the log files
+  has_many :useractions
+  has_many :users, :through=>:useractions
+
+  delegate :controller_name, :to=>:controller
+
+  def <=>(other)
+      sort_field <=> other.sort_field
+  end
+
+  def sort_field
+    [controller_name, action_name]
+  end
+
+  def self.list
+    all_actions = Hash.new
+    all(:include=>:controller).each{|a|
+      all_actions[a.controller_name] ||= Hash.new
+      all_actions[a.controller_name][a.action_name] = a.id
+      }
+    all_actions
+  end
+
+  def self.update_table_for(cont,action_names)
+    remove_deleted_actions(cont, action_names)
+    add_new_actions(cont, action_names)
+  end
+
+private
+  # passed-in a controller object and a list of action name strings parsed from the xx_controller.rb file
+  def self.remove_deleted_actions(cont, action_list)
+    # first see what actions are in the table but not in the action_list pulled from the passe-in controller file
+    controller_actions = cont.actions.map(&:action_name)
+    actions_to_delete = controller_actions.delete_if{|a_name| action_list.include?(a_name)}
+    # and delete them from the table
+    actions_to_delete.map! { |ad| find_by_controller_id_and_action_name(cont.id,ad).id }
+    destroy(actions_to_delete)
+  end
+
+  def self.add_new_actions(cont, action_list)
+    # then see what actions are in the action list pulled from the controllers, but not in the table
+    actions = cont.actions.map(&:action_name)
+    action_list.delete_if{ |al| actions.include?(al) }
+    # and add them to the table
+    action_list.each { |a| Action.create(:controller_id=>cont.id,:action_name=>a) } unless action_list.empty?
+  end
+
+end

data/app/models/action_role.rb

@@ -0,0 +1,29 @@
+class ActionRole < ActiveRecord::Base
+  belongs_to :role
+  belongs_to :action
+
+  # this is the key database lookup for checking permissions
+  # returns true if there is at least one of the passed-in role ids
+  # which explicitly permits (i.e. the role has action_role associations)
+  # the specified controller and action
+  def self.permits_access_for(controller, action, role_ids)
+    joins([:role, :action => :controller ]).
+      where("roles.id" => role_ids).
+            where("actions.action_name" => action).
+            where("controllers.controller_name" => controller).
+            exists?
+  end
+
+  def self.assign_developer_access
+    developer_id = Role.developer_id
+    Action.all.each do |a|
+      find_or_create_by_action_id_and_role_id(a.id, developer_id)
+    end if developer_id
+  end
+
+  def self.bootstrap_access_for(role)
+    Action.all.each do |a|
+      find_or_create_by_action_id_and_role_id(a.id, role.id)
+    end
+  end
+end

data/app/models/authenticated_system.rb

@@ -0,0 +1,179 @@
+# AuthenticatedSystem is 'include'd in ActionController by the authengine engine
+# see lib/authengine/engine.rb
+module AuthenticatedSystem
+protected
+  # Returns true or false if the user is logged in.
+  # Preloads @current_user with the user model if they're logged in.
+  def logged_in?
+    current_user != :false
+  end
+
+  # Accesses the current user from the session.  Set it to :false if login fails
+  # so that future calls do not hit the database.
+  def current_user
+    @current_user ||= (login_from_session || login_from_basic_auth || login_from_cookie || :false)
+  end
+
+  # Store the given user id in the session.
+  def current_user=(new_user)
+    session[:user_id] = (new_user.nil? || new_user.is_a?(Symbol)) ? nil : new_user.id
+    @current_user = new_user || :false
+  end
+
+  # Check if the user is authorized
+  #
+  # Override this method in your controllers if you want to restrict access
+  # to only a few actions or if you want to check if the user
+  # has the correct rights.
+  #
+  # Example:
+  #
+  #  # only allow nonbobs
+  #  def authorized?
+  #    current_user.login != "bob"
+  #  end
+  def authorized?
+    logged_in?
+  end
+
+  # Filter method to enforce a login requirement.
+  #
+  # To require logins for all actions, use this in your controllers:
+  #
+  #   before_filter :login_required
+  #
+  # To require logins for specific actions, use this in your controllers:
+  #
+  #   before_filter :login_required, :only => [ :edit, :update ]
+  #
+  # To skip this in a subclassed controller:
+  #
+  #   skip_before_filter :login_required
+  #
+  def login_required
+    authorized? || access_denied
+  end
+
+  def not_logged_in_required
+    !logged_in? || permission_denied
+  end
+
+  def check_role(role)
+    unless logged_in? && @current_user.has_role?(role)
+      if logged_in?
+        permission_denied
+      else
+        store_referer
+        access_denied
+      end
+    end
+  end
+
+  # Redirect as appropriate when an access request fails.
+  #
+  # The default action is to redirect to the login screen.
+  #
+  # Override this method in your controllers if you want to have special
+  # behavior in case the user is not authorized
+  # to access the requested action.  For example, a popup window might
+  # simply close itself.
+  def access_denied
+    respond_to do |format|
+      format.html do
+        store_location
+        flash.now[:error] = "You must be logged in to access this feature."
+        logger.info "in access_denied: redirect to session::new"
+        redirect_to :controller => 'authengine/sessions', :action => 'new'
+      end
+      format.xml do
+        request_http_basic_authentication 'Web Password'
+      end
+    end
+  end
+
+  def permission_denied
+    # users will be redirected properly if they tried to access a
+    # resource they didn't have permission for.
+    # Its designed to redirect back to the last page they were on,
+    # unless that page is on another site or has
+    # the same address as the resource they're trying to access.
+    flash[:error] = "You don't have permission to complete that action."
+    respond_to do |format|
+      format.html do
+        domain_name = SITE_URL
+        http_referer = request.env["HTTP_REFERER"]
+
+        referer_domain = http_referer.match(/(http:\/\/)?([^\/]*)/)[2] unless http_referer.nil?
+        store_location
+        store_referer
+
+        if http_referer.nil?
+          session[:refer_to] = nil
+          redirect_to root_path
+        elsif referer_domain != domain_name # came from another site, go to root path
+          session[:refer_to] = nil
+          redirect_to root_path
+        elsif http_referer.match(session[:return_to]) #requesting the same page again go to root path
+          redirect_to root_path
+        else # go back to previous page
+          redirect_to_referer_or_default(root_path)
+        end
+      end
+      format.xml do
+        headers["Status"]           = "Unauthorized"
+        headers["WWW-Authenticate"] = %(Basic realm="Web Password")
+        render :text => "You don't have permission to complete this action.", :status => '401 Unauthorized'
+      end
+    end
+  end
+
+  # Store the URI of the current request in the session.
+  # We can return to this location by calling #redirect_back_or_default.
+  def store_location
+    session[:return_to] = request.fullpath
+  end
+
+  def store_referer
+    session[:refer_to] = request.env["HTTP_REFERER"]
+  end
+
+  # Redirect to the URI stored by the most recent store_location call or
+  # to the passed default.
+  def redirect_back_or_default(default)
+    redirect_to(session[:return_to] || default)
+    session[:return_to] = nil
+  end
+
+  def redirect_to_referer_or_default(default)
+    redirect_to(session[:refer_to] || default)
+    session[:refer_to] = nil
+  end
+
+  # Inclusion hook to make #current_user and #logged_in?
+  # available as ActionView helper methods.
+  def self.included(base)
+    base.send :helper_method, :current_user, :logged_in? if base.respond_to? :helper_method
+  end
+
+  # Called from #current_user.  First attempt to login by the user id stored in the session.
+  def login_from_session
+    self.current_user = User.find(session[:user_id]) if session[:user_id]
+  end
+
+  # Called from #current_user.  Now, attempt to login by basic authentication information.
+  def login_from_basic_auth
+    authenticate_with_http_basic do |username, password|
+      self.current_user = User.authenticate(username, password)
+    end
+  end
+
+  # Called from #current_user.  Finaly, attempt to login by an expiring token in the cookie.
+  def login_from_cookie
+    user = cookies[:auth_token] && User.find_by_remember_token(cookies[:auth_token])
+    if user && user.remember_token?
+      user.remember_me
+      cookies[:auth_token] = { :value => user.remember_token, :expires => user.remember_token_expires_at }
+      self.current_user = user
+    end
+  end
+end