authengine 0.0.2

data/app/models/authorized_system.rb

@@ -0,0 +1,41 @@
+# AuthorizedSystem is 'include'd in ActionController by the authengine engine
+# see lib/authengine/engine.rb
+module AuthorizedSystem
+  # established for the session when the user logs in
+  # may be modified later if user's roles are modified
+  # or if session is downgraded
+  def current_role_ids=(ids)
+    session[:role].current_role_ids = ids
+  end
+
+  def current_role_ids
+    session[:role].current_role_ids
+  end
+
+  def action_permitted?(controller, action)
+    ActionRole.permits_access_for(controller, action, current_role_ids)
+  end
+
+  def permitted?(controller, action)
+    action_permitted?(controller, action) && logged_in?
+  end
+
+  # for each and every action, we check the configured permission
+  # for the role(s) assigned to the logged-in user
+  # The controller and action can be passed as parameters, to check whether or not to display a link/button
+  # or else the current request controller/action are used to check whether or not to display a page
+  def check_permissions(controller = request.parameters["controller"], action = request.parameters["action"])
+    permission = false
+    if !logged_in?
+      logger.info "access denied: not logged in"
+      access_denied
+    elsif permitted?(controller, action)
+      permission = true
+    else
+      logger.info "permission denied, #{controller}, #{action}"
+      permission_denied
+    end
+    permission
+  end
+
+end

data/app/models/controller.rb

@@ -0,0 +1,124 @@
+# the table is managed so as to make it mirror the file system
+# the only reason this is necessary is to be able to store in the
+# database a last_modified attribute for a file, in order to
+# know whether the actions table is up to date for this controller
+# or should be regenerated from the file contents
+# The class represents both filesystem objects and database objects
+# hmmm... is that really the best way to design it, shouldn't it be two classes?
+class Controller < ActiveRecord::Base
+  has_many :actions, :dependent=>:delete_all
+  CONTROLLERS_DIR = "#{Rails.root.to_s}/app/controllers"
+
+  cattr_accessor :controllers
+
+  # returns an array of strings, each one is a controller name
+  def self.all_controller_names
+    @@controllers ||= all_files.map { |file| file.camelize.gsub(".rb","") }
+  end
+
+  def self.all_files
+    application_files + engine_files
+  end
+
+  def self.engine_files
+    engine_controller_paths.inject([]) do |array, path|
+      # entries may be controller files, but if there are namespaced controllers
+      # then entries are directories
+      directories, files = Dir.new(path).entries.reject{|c|c.match(/^\./)}.partition{|c| File.directory?(File.new(File.join(path,c)))}
+      array += files
+      directories.each do |directory|
+        files = Dir.new(File.join(path,directory)).reject{|c|c.match(/^\./)}.entries.map{|file| File.join(directory,file)}
+        array += files
+      end
+      array
+    end
+  end
+
+  def self.engine_controller_paths
+    Rails::Engine.subclasses.collect { |engine|
+      engine.config.eager_load_paths.detect{|p| p=~/controller/}
+    }.flatten.compact
+  end
+
+  def self.application_files
+    Dir.new(CONTROLLERS_DIR).entries.reject{|c| c.match(/^\./)}.reject{|c| c == 'application_controller.rb'}
+  end
+
+  def self.all_modified_files
+    all_controller_names.select(&:modified?)
+  end
+
+  # a file is declared to be modified if it's either older or newer than the last_modified date
+  # this triggers re-parsing the actions in the file whether it's older or newer
+  # and so responds both to the file being edited and also the database being restored
+  # from an older version.
+  # Only by converting to string could I persuade two apparently equal DateTime objects to match!
+  def modified?
+    file_modification_time.to_s != last_modified.getutc.to_datetime.to_s
+  end
+
+  def file_modification_time
+    file.mtime.getutc.to_datetime
+  end
+
+  def file
+    all_paths = Controller.engine_controller_paths << CONTROLLERS_DIR
+    controller_path = all_paths.detect do |path|
+      full_path = File.join(path, "#{controller_name}_controller.rb")
+      File.exists?(full_path)
+    end
+    File.new(File.join(controller_path, "#{controller_name}_controller.rb"))
+  end
+
+  # updates the controllers table so that it contains a record for each controller file
+  # in the /app/controllers directory
+  def self.update_table
+    cc = Controller.all.inject({}){ |hash,controller| hash[controller.controller_name]=controller; hash } # from the database
+    all_controller_names.each do |f| # f is of the form "ItemsController"
+      cont = f.tableize.gsub!("_controllers","") # cont is of the form "items"
+      admin_name = Role.find_by_name("administrator") ? "administrator" : "admin"
+      if !cc.keys.include?(cont) # it's not in the db
+        new_controller = new(:controller_name=>f.underscore.gsub!("_controller", ""), :last_modified=>Date.today) # add controller to controllers table as there's not a record corresponding with the file
+        new_controller.actions << new_controller.action_list.map { |a| Action.new(:action_name=>a[1]) }# when a new controller is added, its actions must be added to the actions.file
+        new_controller.save
+      elsif cc[cont].modified? # file was modified since db was updated, so read the actions from the file, and add/delete as necessary
+        action_names = cc[cont].actions_from_file # action_names is of the form ["index", "new", "edit", "create", "update"]
+        Action.update_table_for(cc[cont],action_names)
+        # finally modify the last_modified date of the controller record to match the actual file
+        cc[cont].update_attribute(:last_modified,cc[cont].file_modification_time)
+      end
+    end
+    ActionRole.assign_developer_access
+    # delete any records in the controllers table for which there's no xx_controller.rb file... it must've been deleted
+    cc.each { |name,controller| controller.destroy if !all_controller_names.map{|cn| cn.tableize.gsub!("_controllers","")}.include?(name) }
+
+  end
+
+  def self.all_actions_from_files
+    all_controller_names.inject([]){ |ar,c| ar+=c.action_list; ar  }
+  end
+
+  def model_name
+    controller_name.gsub("Controller","").underscore
+  end
+
+  # the actions returned are those that were in the file when it was loaded
+  # this is reasonable only because the actions are changed by the developer
+  # and never get changed "on the fly". However this fact should be considered when testing!
+  def actions_from_file
+    # there's a workaround here for some strangeness that appeared in Rails 3
+    # where public_instance_methods returns some spurious methods with the format
+    # _one_time_conditions_valid_nnn?
+    controller.public_instance_methods(false).reject{|m| m.match(/one_time_conditions_valid/)}.map(&:to_s)
+  end
+
+  def controller
+    (controller_name+"_controller").classify.constantize
+  end
+
+  # returns an array of arrays, each contains the controller controller_name and action name
+  def action_list
+    actions_from_file.collect { |m| [model_name,m] }
+  end
+
+end

data/app/models/role.rb

@@ -0,0 +1,71 @@
+# Roles are hierarchically organized, so that the current role
+# for a session can be downgraded to a lower role.
+# The hierarchy gives meaning to "lower role".
+class Role < ActiveRecord::Base
+  has_many :user_roles
+  has_many :users, :through=>:user_roles
+
+  has_many :action_roles
+  has_many :actions, :through => :action_roles
+
+  belongs_to :parent, :class_name => 'Role'
+
+
+  validates_presence_of :name
+  validates_uniqueness_of :name
+
+  before_destroy do
+    if users.empty?
+      action_roles.clear
+    else
+      false # don't delete a role if there are users assigned
+    end
+  end
+
+  # takes either an array of roles or a single role object
+  def self.equal_or_lower_than(role)
+    roles = role.is_a?(Array) ? role : [role]
+    (lower_than(role) + roles).uniq
+  end
+
+  # takes either an array of roles or a single role object
+  def self.lower_than(role)
+    roles = role.is_a?(Array) ? role : [role]
+    collection = roles.inject([]) do |ar, r|
+      ar + with_ancestor(r)
+    end
+    (collection).uniq
+  end
+
+  # returns an array of roles that have the passed-in role as an
+  # ancestor
+  def self.with_ancestor(role)
+    all.select{|r| r.has_ancestor?(role)}
+  end
+
+  def has_ancestor?(role)
+    ancestors.include?(role)
+  end
+
+  def ancestors
+    node, nodes = self, []
+    nodes << node = node.parent while node.parent
+    nodes
+  end
+
+  def is_developer?
+    name == 'developer'
+  end
+
+  def self.developer
+    where('name = "developer"').first
+  end
+
+  def self.developer_id
+    developer && developer.id
+  end
+
+  def to_s
+    name
+  end
+end

data/app/models/session.rb

@@ -0,0 +1,3 @@
+class Session <ActiveRecord::Base
+  
+end

data/app/models/session_role.rb

@@ -0,0 +1,17 @@
+class SessionRole
+
+  attr_accessor :current_role_ids
+
+  def initialize
+    @current_role_ids = []
+  end
+
+  def add_roles(ids)
+    @current_role_ids += ids
+  end
+
+  def create(id)
+    @current_role_ids << id
+  end
+
+end

data/app/models/user.rb

@@ -0,0 +1,191 @@
+require 'digest/sha1'
+class User < ActiveRecord::Base
+  # Virtual attribute for the unencrypted password
+  attr_accessor :password
+
+# when user account is first created, only firstname, lastname and email are required
+  validates_presence_of     :firstName, :lastName, :email
+  validates_length_of       :email,    :within => 6..100
+  validates_uniqueness_of   :email, :case_sensitive=>false, :if=>Proc.new { |user| all_active=true; User.find_all_by_email(user.email).each { |u| all_active=false if u.status=='inactive' }; all_active }, :message=>'There is already an active user with that email address.'
+  #validates_format_of       :email, :with => EMAIL_REGEX
+
+# the next action on the user's record is account activation
+# at this time, login and password must be present and valid
+  validates_presence_of     :login,                      :on => :update
+  validates_presence_of     :password,                   :if => :password_required?, :on=>:update
+  validates_presence_of     :password_confirmation,      :if => :password_required?, :on=>:update
+  validates_length_of       :password, :within => 4..40, :if => :password_required?, :on=>:update
+  validates_confirmation_of :password,                   :if => :password_required?, :on=>:update
+  validates_length_of       :login,    :within => 3..40, :on => :update
+  validates_uniqueness_of   :login, :case_sensitive => false, :on => :update
+
+  has_many :user_roles, :dependent=>:delete_all
+  accepts_nested_attributes_for :user_roles
+  has_many :roles, :through=>:user_roles
+
+  has_many :useractions, :dependent=>:delete_all
+  has_many :actions, :through=>:useractions
+
+  before_save :encrypt_password
+  before_create :make_activation_code
+
+
+  # prevents a user from submitting a crafted form that bypasses activation
+  # anything else you want your user to change should be added here.
+  # If the ability to add users was extended, may wish to change the attr_accessible to make sure a user cannot assign
+  # themselves to a higher-privileged role
+  # TODO in this application, users are trusted, but see how this should be implemented if users are not trusted
+  attr_accessible :login, :email, :password, :password_confirmation, :firstName, :lastName, :user_roles_attributes
+
+  class PermissionsNotConfigured < StandardError
+    attr_reader :message
+    def initialize(controller,action)
+      @message = "Permissions not yet configured for #{controller}/#{action}"
+    end
+  end
+  class ActivationCodeNotFound < StandardError; end
+  class ArgumentError < StandardError; end
+  class AlreadyActivated < StandardError
+    attr_reader :user, :message;
+    def initialize(user, message=nil)
+      @message, @user = message, user
+    end
+  end
+
+  def first_last_name
+    firstName+' '+lastName
+  end
+
+
+  # Finds the user with the corresponding activation code, activates their account and returns the user.
+  #
+  # Raises:
+  #  +User::ActivationCodeNotFound+ if there is no user with the corresponding activation code
+  #  +User::AlreadyActivated+ if the user with the corresponding activation code has already activated their account
+  def self.find_and_activate!(activation_code)
+    raise ArgumentError if activation_code.nil?
+      user = find_by_activation_code(activation_code)
+    raise ActivationCodeNotFound if !user
+    raise AlreadyActivated.new(user) if user.active?
+      user.send(:activate!)
+      user
+  end
+
+  def self.find_with_activation_code(activation_code)
+    raise ArgumentError if activation_code.nil?
+      user = find_by_activation_code(activation_code)
+    raise ActivationCodeNotFound if !user
+    raise AlreadyActivated.new(user) if user.active?
+    user
+  end
+
+  def active?
+    # the presence of an activation date means they have activated
+    !activated_at.nil?
+  end
+
+  # Returns true if the user has just been activated.
+  def pending?
+    @activated
+  end
+
+  # Authenticates a user by their login name and unencrypted password.  Returns the user or nil.
+  def self.authenticate(login, password)
+    u = find :first, :conditions => ['login = ?', login]
+    u && u.authenticated?(password) ? u : nil
+  end
+
+  # Encrypts some data with the salt.
+  def self.encrypt(password, salt)
+    Digest::SHA1.hexdigest("--#{salt}--#{password}--")
+  end
+
+  # Encrypts the password with the user salt
+  def encrypt(password)
+    self.class.encrypt(password, salt)
+  end
+
+  def authenticated?(password)
+    crypted_password == encrypt(password)
+  end
+
+  def remember_token?
+    remember_token_expires_at && Time.now.utc < remember_token_expires_at
+  end
+
+  def forgot_password
+    @forgotten_password = true
+    self.make_password_reset_code
+  end
+
+  def reset_password
+    # First update the password_reset_code before setting the
+    # reset_password flag to avoid duplicate email notifications.
+    update_attribute(:password_reset_code, nil)
+    @reset_password = true
+  end
+
+  #used in user_observer
+  def recently_forgot_password?
+    @forgotten_password
+  end
+
+  def recently_reset_password?
+    @reset_password
+  end
+
+  def forget_me
+    self.remember_token_expires_at = nil
+    self.remember_token            = nil
+    save(:validate => false)
+  end
+
+  def has_role?(name)
+    self.roles.find_by_name(name) ? true : false
+  end
+
+  def self.create_by_sql(attributes)
+    user = User.new(attributes)
+    user.send('encrypt_password')
+    user.send('make_activation_code')
+    now = DateTime.now.to_formatted_s(:db)
+    query = <<-SQL
+    INSERT INTO users
+        (activated_at, activation_code, created_at, crypted_password, email, enabled, firstName, lastName, login, password_reset_code, remember_token, remember_token_expires_at, salt, status, type, updated_at)
+        VALUES
+        ( '#{now}','#{user.activation_code}','#{now}', '#{user.crypted_password}', NULL, 1, '#{user.firstName}', '#{user.lastName}', '#{user.login}', NULL, NULL, NULL, '#{user.salt}', NULL, NULL,'#{now}')
+    SQL
+    #can't use ActiveRecord#create here as it would trigger a notification email
+    ActiveRecord::Base.connection.insert_sql(query)
+  end
+
+protected
+
+  # before filter
+  def encrypt_password
+    return if password.blank?
+    self.salt = Digest::SHA1.hexdigest("--#{Time.now.to_s}--#{login}--") if salt.blank?
+    self.crypted_password = encrypt(password)
+  end
+
+  def password_required?
+    crypted_password.blank? || !password.blank?
+  end
+
+  def make_activation_code
+    self.activation_code = Digest::SHA1.hexdigest( Time.now.to_s.split(//).sort_by {rand}.join )
+  end
+
+  def make_password_reset_code
+    self.password_reset_code = Digest::SHA1.hexdigest( Time.now.to_s.split(//).sort_by {rand}.join )
+  end
+
+private
+
+  def activate!
+    @activated = true
+    self.update_attribute(:activated_at, Time.now.utc)
+    @activated = false
+  end
+
+end