authpwn_rails 0.5.6 → 0.6.0

data/VERSION

@@ -1 +1 @@
-0.5.6
+0.6.0

data/authpwn_rails.gemspec

@@ -5,11 +5,11 @@
 
 Gem::Specification.new do |s|
   s.name = %q{authpwn_rails}
-  s.version = "0.5.6"
+  s.version = "0.6.0"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Victor Costan"]
-  s.date = %q{2010-11-18}
+  s.date = %q{2010-11-25}
   s.description = %q{Works with Facebook.}
   s.email = %q{victor@costan.us}
   s.extra_rdoc_files = [
@@ -34,6 +34,7 @@ Gem::Specification.new do |s|
     "lib/authpwn_rails/generators/templates/002_create_facebook_tokens.rb",
     "lib/authpwn_rails/generators/templates/facebook_token.rb",
     "lib/authpwn_rails/generators/templates/facebook_tokens.yml",
+    "lib/authpwn_rails/generators/templates/session/forbidden.html.erb",
     "lib/authpwn_rails/generators/templates/session/home.html.erb",
     "lib/authpwn_rails/generators/templates/session/new.html.erb",
     "lib/authpwn_rails/generators/templates/session/welcome.html.erb",

data/lib/authpwn_rails/generators/session_generator.rb

@@ -8,6 +8,8 @@ class SessionGenerator < Rails::Generators::Base
   def create_session
     copy_file 'session_controller.rb',
               File.join('app', 'controllers', 'session_controller.rb')    
+    copy_file File.join('session', 'forbidden.html.erb'),
+              File.join('app', 'views', 'session', 'forbidden.html.erb')
     copy_file File.join('session', 'home.html.erb'),
               File.join('app', 'views', 'session', 'home.html.erb')
     copy_file File.join('session', 'new.html.erb'),

data/lib/authpwn_rails/generators/templates/session/forbidden.html.erb

@@ -0,0 +1,20 @@
+<p>
+  This view gets displayed when the user tries to access something forbidden.
+</p>
+
+<% if current_user %>
+<p>
+  You should inform the user that they are logged in as 
+  <%= current_user.email %> and suggest them to
+  <%= link_to 'Log out', session_path, :method => :destroy %> and log in as a
+  different user.  
+</p>
+<% else %>
+<p>
+  The user will only see this if JavaScript is disabled. Ask them to
+  <%= link_to 'Log in', new_session_path %>.
+</p>
+<script type="text/javascript">
+window.location = "<%= new_session_path %>";
+</script>
+<% end %>

data/lib/authpwn_rails/generators/templates/session/new.html.erb

@@ -4,6 +4,13 @@
 <p class="notice"><%= flash[:notice] %></p>
 <% end %>
 
+<% if @redirect_url %>
+<p>
+  We need you to log in before we can show you the page that you are trying to
+  view.
+</p>
+<% end %>
+
 <%= form_for User.new, :url => session_path do |f| %>
   <div class="field">
     <%= f.label :email, 'Email Address' %><br />
@@ -17,5 +24,9 @@
   
   <div class="actions">
     <%= f.submit 'Log in' %>
+    
+    <% if @redirect_url %>
+    <%= hidden_field_tag :redirect_url, @redirect_url %>
+    <% end %>
   </div>
 <% end %>

data/lib/authpwn_rails/session.rb

@@ -54,7 +54,24 @@ module ControllerInstanceMethods
     user = user_param && User.find_by_param(user_param)
     self.current_user = user if user
   end
-  private :authenticate_using_session  
+  private :authenticate_using_session
+  
+  # Inform the user that their request is forbidden.
+  #
+  # If a user is logged on, this renders the session/forbidden view with a HTTP
+  # 403 code.
+  # 
+  # If no user is logged in, the user is redirected to session/new, and the
+  # current request's URL is saved in flash[:auth_redirect_url].
+  def bounce_user(redirect_url = request.url)
+    @redirect_url = redirect_url
+    if current_user
+      render 'session/forbidden', :status => :forbidden
+    else
+      flash[:auth_redirect_url] = redirect_url
+      render 'session/forbidden', :status => :forbidden
+    end
+  end
 end
 
 # Included in controllers that call authenticates_using_session.
@@ -62,6 +79,7 @@ module SessionControllerInstanceMethods
   # GET /session/new
   def new
     @user = User.new
+    @redirect_url = flash[:auth_redirect_url]
     redirect_to session_url if current_user
   end
 
@@ -80,15 +98,18 @@ module SessionControllerInstanceMethods
   # POST /session
   def create
     @user = User.new params[:user]
+    @redirect_url = params[:redirect_url] || session_url
     self.current_user =
         User.find_by_email_and_password @user.email, @user.password
         
     respond_to do |format|
       if current_user
-        format.html { redirect_to session_url }
+        format.html { redirect_to @redirect_url }
       else
         format.html do
-          redirect_to new_session_url, :notice => 'Invalid e-mail or password'
+          redirect_to new_session_url, :flash => {
+            :notice => 'Invalid e-mail or password',
+            :auth_redirect_url => @redirect_url }
         end
       end
     end

data/test/cookie_controller_test.rb

@@ -11,6 +11,10 @@ class CookieController < ApplicationController
       render :text => "No user"
     end
   end
+  
+  def bouncer
+    bounce_user
+  end
 end
 
 class CookieControllerTest < ActionController::TestCase
@@ -38,4 +42,20 @@ class CookieControllerTest < ActionController::TestCase
     assert_response :success
     assert_nil assigns(:current_user)
   end
+  
+  test "valid user_id bounced" do
+    set_session_current_user @user
+    get :bouncer
+    assert_response :forbidden
+    assert_template 'session/forbidden'
+  end
+  
+  test "no user_id bounced" do
+    get :bouncer
+    assert_response :forbidden
+    assert_template 'session/forbidden'
+    assert_equal bouncer_cookie_url, flash[:auth_redirect_url]
+    
+    assert_select 'script', %r/.*window.location.*#{new_session_path}.*/
+  end
 end

data/test/helpers/routes.rb

@@ -3,7 +3,9 @@ class ActionController::TestCase
   def setup_routes
     @routes = ActionController::Routing::RouteSet.new
     @routes.draw do
-      resource :cookie, :controller => 'cookie'
+      resource :cookie, :controller => 'cookie' do
+        collection { get :bouncer }
+      end
       resource :facebook, :controller => 'facebook'
       # NOTE: this route should be kept in sync with the session template.
       resource :session, :controller => 'session'

data/test/session_controller_api_test.rb

@@ -46,7 +46,17 @@ class SessionControllerApiTest < ActionController::TestCase
       assert_select 'input#user_password'
       assert_select 'input[type=submit]'
     end
-  end     
+  end
+  
+  test "new renders redirect_url when present in flash" do
+    url = 'http://authpwn.redirect.url'    
+    get :new, {}, {}, { :auth_redirect_url => url }
+    assert_template :new
+    assert_equal url, assigns(:redirect_url), 'redirect_url should be set'
+    assert_select 'form' do
+      assert_select "input[name=redirect_url][value=#{url}]"
+    end
+  end
   
   test "create logs in with good account details" do
     post :create, :user => { :email => @user.email, :password => 'password' }
@@ -55,6 +65,13 @@ class SessionControllerApiTest < ActionController::TestCase
     assert_equal @user, session_current_user, 'session'
   end
   
+  test "create redirects properly with good account details" do
+    url = 'http://authpwn.redirect.url'
+    post :create, :user => { :email => @user.email, :password => 'password' },
+                  :redirect_url => url
+    assert_redirected_to url
+  end
+  
   test "create does not log in with bad password" do
     post :create, :user => { :email => @user.email, :password => 'fail' }
     assert_redirected_to new_session_url
@@ -63,6 +80,15 @@ class SessionControllerApiTest < ActionController::TestCase
     assert_not_nil flash[:notice]
   end
 
+  test "create maintains redirect_url for bad logins" do
+    url = 'http://authpwn.redirect.url'
+    post :create, :user => { :email => @user.email, :password => 'fail' },
+                  :redirect_url => url
+    assert_redirected_to new_session_url
+    assert_not_nil flash[:notice]
+    assert_equal url, flash[:auth_redirect_url]
+  end
+
   test "create does not log in with bad e-mail" do
     post :create, :user => { :email => 'nobody@gmail.com', :password => 'no' }
     assert_redirected_to new_session_url

metadata

@@ -5,9 +5,9 @@ version: !ruby/object:Gem::Version
   prerelease: false
   segments: 
   - 0
-  - 5
   - 6
-  version: 0.5.6
+  - 0
+  version: 0.6.0
 platform: ruby
 authors: 
 - Victor Costan
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2010-11-18 00:00:00 -05:00
+date: 2010-11-25 00:00:00 -05:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
@@ -93,6 +93,7 @@ files:
 - lib/authpwn_rails/generators/templates/002_create_facebook_tokens.rb
 - lib/authpwn_rails/generators/templates/facebook_token.rb
 - lib/authpwn_rails/generators/templates/facebook_tokens.yml
+- lib/authpwn_rails/generators/templates/session/forbidden.html.erb
 - lib/authpwn_rails/generators/templates/session/home.html.erb
 - lib/authpwn_rails/generators/templates/session/new.html.erb
 - lib/authpwn_rails/generators/templates/session/welcome.html.erb