RubyGems - browsercms-artirix - Versions diffs - 4.0.0.rc1.art4 → 4.0.1.1 - Mend

browsercms-artirix 4.0.0.rc1.art4 → 4.0.1.1

Files changed (39) hide show

checksums.yaml +4 -4
data/app/controllers/cms/attachments_controller.rb +1 -1
data/app/controllers/cms/cas_sessions_controller.rb +13 -0
data/app/controllers/cms/sections_controller.rb +1 -1
data/app/controllers/cms/users_controller.rb +1 -1
data/app/helpers/cms/sites/authentication_helper.rb +1 -0
data/app/helpers/cms/sites/devise_shim_helper.rb +1 -1
data/app/models/cms/default_user.rb +6 -0
data/app/models/cms/external_user.rb +1 -1
data/app/models/cms/group.rb +7 -3
data/app/models/cms/guest_user.rb +2 -41
data/app/models/cms/permission.rb +4 -0
data/app/models/cms/persistent_user.rb +17 -110
data/app/models/cms/section.rb +10 -6
data/app/models/cms/user.rb +2 -2
data/app/models/cms/user_group_membership.rb +2 -2
data/app/portlets/login_portlet.rb +2 -2
data/config/routes.rb +33 -34
data/db/browsercms.seeds.rb +7 -4
data/doc/release_notes.md +3 -3
data/lib/browsercms.rb +2 -0
data/lib/cms/authentication/controller.rb +8 -5
data/lib/cms/authentication/test_password_strategy.rb +1 -1
data/lib/cms/behaviors.rb +15 -0
data/lib/cms/behaviors/attaching.rb +1 -1
data/lib/cms/behaviors/userstamping.rb +1 -1
data/lib/cms/behaviors/versioning.rb +3 -4
data/lib/cms/configuration.rb +108 -10
data/lib/cms/configuration/devise.rb +75 -4
data/lib/cms/engine.rb +55 -2
data/lib/cms/users_service.rb +26 -190
data/lib/cms/users_service/cms_login_user_controller_concern.rb +19 -0
data/lib/cms/users_service/cms_user_compatibility_module.rb +137 -0
data/lib/cms/users_service/guest_user_module.rb +42 -0
data/lib/cms/users_service/user_groups_by_codes_module.rb +13 -0
data/lib/cms/users_service/users_factory.rb +50 -0
data/lib/cms/version.rb +1 -1
data/lib/generators/browser_cms/demo_site/templates/demo.seeds.rb +1 -1
metadata +27 -6

data/db/browsercms.seeds.rb CHANGED Viewed

@@ -1,6 +1,6 @@
 require 'cms/data_loader'
-Cms::User.current = cmsadmin = Cms::User.new(login: "cmsadmin", first_name: "CMS", last_name:  "Administrator", email: "cmsadmin@example.com")
+cmsadmin = Cms::User.new(login: "cmsadmin", first_name: "CMS", last_name:  "Administrator", email: "cmsadmin@example.com")
 if %w[development test dev local].include?(Rails.env)
   pwd = cmsadmin.change_password('cmsadmin')
 else
@@ -8,7 +8,10 @@ else
 end
 cmsadmin.save
-Cms::UsersService.use_user cmsadmin.login
+default_cmsadmin = Cms::DefaultUser.new login: 'cmsadmin', full_name: 'CMS Administrator'
+default_cmsadmin.save!
+Cms::UsersService.use_user_by_login cmsadmin.login
 create_permission(:administrate, :name => "administrate", :full_name => "Administer CMS", :description => "Allows users to administer the CMS, including adding users and groups.")
 create_permission(:edit_content, :name => "edit_content", :full_name => "Edit Content", :description => "Allows users to Add, Edit and Delete both Pages and Blocks. Can Save (but not Publish) and Assign them as well.")
@@ -22,8 +25,8 @@ group_types(:cms_user).permissions<<permissions(:edit_content)
 group_types(:cms_user).permissions<<permissions(:publish_content)
 create_group(:guest, :name => 'Guest', :code => 'guest', :group_type => group_types(:guest_group_type))
-create_group(:content_admin, :name => 'Cms Administrators', :code => 'cms-admin', :group_type => group_types(:cms_user))
-create_group(:content_editor, :name => 'Content Editors', :code => 'content-editor', :group_type => group_types(:cms_user))
+create_group(:content_admin, :name => 'Cms Administrators', :code => Cms::UsersService::GROUP_CMS_ADMIN, :group_type => group_types(:cms_user))
+create_group(:content_editor, :name => 'Content Editors', :code => Cms::UsersService::GROUP_CONTENT_EDITOR, :group_type => group_types(:cms_user))
 cmsadmin.groups << groups(:content_admin)
 cmsadmin.groups << groups(:content_editor)

data/doc/release_notes.md CHANGED Viewed

@@ -186,7 +186,7 @@ Devise is now the standard authentication mechanism for BrowserCMS. This adds so
 Upgrading to 4.0 means all user passwords will need to be reset. This doesn't apply where external user databases are used (i.e. CAS) for authentication. Just user accounts stored in the CMS itself.
-This reset is a side effect of using a more secure password encryption algorithm (bcrypt). When users try to log in, they will have to request a password reset. This feature is provided on /cms/login as a standard feature. Users will need to provide an email, and a link for reseting their password will be sent to them. Alternatively, developers may choose to change passwords via the admin interface (or rails console) before turning over sites to the site maintainers.
+This reset is a side effect of using a more secure password encryption algorithm (bcrypt). When users try to log in, they will have to request a password reset. This feature is provided on /cms/users/login as a standard feature. Users will need to provide an email, and a link for reseting their password will be sent to them. Alternatively, developers may choose to change passwords via the admin interface (or rails console) before turning over sites to the site maintainers.
 ### Avoiding a reset
@@ -202,7 +202,7 @@ Note that preserving the old password data is just the first step. The new encry
 ### Forgot Password
-Users can reset their password via the admin UI. On /cms/login, a link to 'Forgot Password' is available. Users can enter an email and have the reset link mailed to them.
+Users can reset their password via the admin UI. On /cms/users/login, a link to 'Forgot Password' is available. Users can enter an email and have the reset link mailed to them.
 Configuration: For Forgot Password to work, need to ensure the following is present for mailer in BrowserCMS setups.
     * config.action_mailer.default_url_options = { :host => "yourhost" }
@@ -236,7 +236,7 @@ This implementation is intended to replace CAS based strategies used in BrowserC
 7. Password Reset - Users will need to reset their password after the upgrade. See Devise Integration/Avoiding a reset if this is concern.
 8. Forgot Password - Consider removing any existing ForgotPassword portlets and just use /forgot-password controller.  Creation is disabled by default.
 9. Reset Password Portlet - These have been removed as they were no longer necessary. Any remaining instances have been converted to 'DeprecatedPlaceholders'. Find and remove these portlets (and the page they were on) from your site.
-10. Login Portlet - Consider removing these and using the built in /login route. Creation is disabled by default.
+10. Login Portlet - Consider removing these and using the built in /users/login route. Creation is disabled by default.
 ### Migration Cleanup

data/lib/browsercms.rb CHANGED Viewed

@@ -4,6 +4,7 @@ require 'cms/configuration'
 require 'cms/version'
 require 'browsercms'
+require 'sass'
 require 'sass-rails'
 require 'compass-rails'
 require 'bootstrap-sass'
@@ -25,6 +26,7 @@ require 'actionpack/page_caching'
 require 'panoramic'
 require 'simple_form'
 require 'devise'
+require 'devise_cas_authenticatable'
 require 'cms/engine'
 require 'cms/extensions'

data/lib/cms/authentication/controller.rb CHANGED Viewed

@@ -25,6 +25,7 @@ module Cms
       def self.included(base)
         base.send :helper_method, :current_user, :logged_in? if base.respond_to? :helper_method
         base.extend ClassMethods
+        base.send :include, Cms::UsersService.controller_module
       end
@@ -58,9 +59,11 @@ module Cms
       # Returns the current user if logged in. If no user is logged in, returns the 'Guest' user which represents a
       # what a visitor can do without being logged in.
       def current_user
-        @current_user ||= begin
-          Cms::PersistentUser.current = current_cms_user || Cms::User.guest
-        end
+        @current_user ||= load_current_user
+      end
+      def load_current_user
+        Cms::UsersService.use_user(current_cms_user || Cms::User.guest)
       end
       # Redirect as appropriate when an access request fails.
@@ -101,8 +104,8 @@ module Cms
       # However, **all session state variables should be unset here**.
       def logout_keeping_session!
         # Kill server-side auth cookie
-        Cms::PersistentUser.current.forget_me if Cms::User.current.is_a? User
-        Cms::PersistentUser.current = false # not logged in, and don't do it for me
+        Cms::UsersService.current.try :forget_me if Cms::UsersService.current.is_a? User
+        Cms::UsersService.current = false # not logged in, and don't do it for me
         session[:user_id] = nil # keeps the session but kill our variable
         # explicitly kill any other session variables you set
       end

data/lib/cms/authentication/test_password_strategy.rb CHANGED Viewed

@@ -6,7 +6,7 @@ module Cms
       def authenticate!
         if(authentication_hash[:login] == password && password == EXPECTED_PASSWORD)
           user = Cms::ExternalUser.authenticate(authentication_hash[:login], 'Test Password', {first_name: "Test", last_name: "User"})
-          user.authorize('cms-admin', 'content-editor')
+          user.authorize(Cms::UsersService::GROUP_CMS_ADMIN, Cms::UsersService::GROUP_CONTENT_EDITOR)
           success!(user)
         else
           pass

data/lib/cms/behaviors.rb CHANGED Viewed

@@ -32,3 +32,18 @@ Dir["#{File.dirname(__FILE__)}/behaviors/*.rb"].each do |b|
   ActiveRecord::Base.send(:include, "Cms::Behaviors::#{File.basename(b, ".rb").camelize}".constantize)
 end
+module ARCompatibilityModule
+  # TODO: modification of changed_attributes is forbidden in later rails -> find alternative
+  def compatible_clear_changes_information
+    # for rails 4.2 compat
+    if respond_to?(:clear_changes_information) # rails 4.2
+      clear_changes_information
+    elsif respond_to?(:reset_changes) # rails 4.1
+      reset_changes
+    else
+      changed_attributes.clear # rails < 4.1
+    end
+  end
+end
+ActiveRecord::Base.send(:include, ARCompatibilityModule)

data/lib/cms/behaviors/attaching.rb CHANGED Viewed

@@ -85,7 +85,7 @@ module Cms
         end
         def validates_attachment_presence(name, options = {})
-          message = options[:message] || "Must provide at least one #{name}"
+          message = options.delete(:message) || "Must provide at least one #{name}"
           validate(options) do |record|
             return if record.deleted?
             unless record.attachments.any? { |a| a.attachment_name == name.to_s }

data/lib/cms/behaviors/userstamping.rb CHANGED Viewed

@@ -30,7 +30,7 @@ module Cms
       module InstanceMethods
         def set_userstamps
-          current_user = Cms::User.current ? Cms::User.current : nil
+          current_user = Cms::UsersService.current.presence
           if new_record?
             self.created_by = current_user
           end

data/lib/cms/behaviors/versioning.rb CHANGED Viewed

@@ -36,9 +36,7 @@ module Cms
         obj.after_as_of_version if obj.respond_to?(:after_as_of_version)
         # Last but not least, clear the changed attributes
-        if changed_attrs = obj.send(:changed_attributes)
-          changed_attrs.clear
-        end
+        obj.compatible_clear_changes_information
         obj
       end
@@ -233,7 +231,8 @@ module Cms
             self.version = 1
             # This should call ActiveRecord::Callbacks#create_or_update, which will correctly trigger the :save callback_chain
             saved_correctly = super
-            changed_attributes.clear
+            compatible_clear_changes_information
           else
             logger.debug { "#{self.class}#update" }
             # Because we are 'skipping' the normal ActiveRecord update here, we must manually call the save callback chain.

data/lib/cms/configuration.rb CHANGED Viewed

@@ -29,27 +29,125 @@ module Cms
     end
     # User Class
-    attr_writer :user_class_name
+    def user_key_field
+      Rails.application.config.cms.user_key_field
+    end
+    def user_name_field
+      Rails.application.config.cms.user_name_field
+    end
     def user_class_name
-      @user_class_name ||= 'Cms::User'
+      Rails.application.config.cms.user_class_name
     end
     def user_class
       user_class_name.to_s.constantize
     end
-    # User key
-    attr_writer :user_key_field
-    def user_key_field
-      @user_key_field ||= :login
+    def user_class_devise_options
+      Rails.application.config.cms.user_class_devise_options.dup.tap do |opts|
+        if devise_use_cas_only?
+          opts.delete :database_authenticatable
+          opts.delete :rememberable
+          opts.delete :recoverable
+          opts.unshift(:cas_authenticatable) unless opts.include? :cas_authenticatable
+        end
+      end
     end
-    # User name field
-    attr_writer :user_name_field
-    def user_name_field
-      @user_name_field ||= :full_name
+    def user_cas_extra_attributes_setter
+      Rails.application.config.cms.user_cas_extra_attributes_setter
+    end
+    # DEVISE AND CAS
+    def cas_base_url
+      Rails.application.config.cms.cas_base_url
+    end
+    def cas_destination_url
+      Rails.application.config.cms.cas_destination_url
+    end
+    def cas_follow_url
+      Rails.application.config.cms.cas_follow_url
+    end
+    def cas_logout_url_param
+      Rails.application.config.cms.cas_logout_url_param
+    end
+    def cas_login_url
+      Rails.application.config.cms.cas_login_url
+    end
+    def cas_logout_url
+      Rails.application.config.cms.cas_logout_url
+    end
+    def cas_validate_url
+      Rails.application.config.cms.cas_validate_url
+    end
+    def cas_destination_logout_param_name
+      Rails.application.config.cms.cas_destination_logout_param_name
     end
+    def cas_create_user
+      Rails.application.config.cms.cas_create_user
+    end
+    def cas_enable_single_sign_out
+      Rails.application.config.cms.cas_enable_single_sign_out
+    end
+    def cas_user_identifier
+      Rails.application.config.cms.cas_user_identifier
+    end
+    def user_class_devise_validatable?
+      Rails.application.config.cms.user_class_devise_validatable
+    end
+    def user_class_devise_recoverable?
+      Rails.application.config.cms.user_class_devise_recoverable
+    end
+    def routes_devise_for_options
+      opts = Rails.application.config.cms.routes_devise_for_options.dup
+      unless opts.key? :class_name
+        opts[:class_name] = user_class_name
+      end
+      opts[:skip] ||= []
+      # always skip sessions, we'll add them outside, as BCMS intended.
+      # opts[:skip] << :sessions unless opts[:skip].include? :sessions
+      unless devise_allow_registrations?
+        opts[:skip] << :registrations unless opts[:skip].include? :registrations
+      end
+      opts
+    end
+    def routes_devise_sessions_controller
+      key = devise_use_cas_only? ? :cas_sessions : :sessions
+      cnts = routes_devise_for_options[:controllers] || {}
+      controller_name = cnts[key] || "devise/#{key}"
+      # remove 'cms/' prefix
+      controller_name.gsub /^cms\//, ''
+    end
+    def devise_use_cas_only?
+      !!Rails.application.config.cms.devise_use_cas_only
+    end
+    def devise_allow_registrations?
+      !!Rails.application.config.cms.devise_allow_registrations
+    end
   end
   module Errors

data/lib/cms/configuration/devise.rb CHANGED Viewed

@@ -31,7 +31,7 @@ Devise.setup do |config|
   # session. If you need permissions, you should implement that in a before filter.
   # You can also supply a hash where the value is a boolean determining whether
   # or not authentication should be aborted when the value is not present.
-  config.authentication_keys = [ :login ]
+  config.authentication_keys = [:login]
   # Configure parameters from the request object used for authentication. Each entry
   # given should be a request method and it will automatically be passed to the
@@ -43,12 +43,12 @@ Devise.setup do |config|
   # Configure which authentication keys should be case-insensitive.
   # These keys will be downcased upon creating or modifying a user and when used
   # to authenticate or find a user. Default is :email.
-  config.case_insensitive_keys = [ :login ]
+  config.case_insensitive_keys = [:login]
   # Configure which authentication keys should have whitespace stripped.
   # These keys will have whitespace before and after removed upon creating or
   # modifying a user and when used to authenticate or find a user. Default is :email.
-  config.strip_whitespace_keys = [ :login ]
+  config.strip_whitespace_keys = [:login]
   # Tell if authentication through request.params is enabled. True by default.
   # It can be set to an array that will enable params authentication only for the
@@ -224,7 +224,7 @@ Devise.setup do |config|
   # config.navigational_formats = ['*/*', :html]
   # The default HTTP method used to sign out a resource. Default is :delete.
-  config.sign_out_via = :delete
+  config.sign_out_via = [:delete, :post, :get]
   # ==> OmniAuth
   # Add a new OmniAuth provider. Check the wiki for more information on setting
@@ -254,3 +254,74 @@ Devise.setup do |config|
   # so you need to do it manually. For the users scope, it would be:
   # config.omniauth_path_prefix = '/my_engine/users/auth'
 end
+# override DEVISE CAS
+module Devise
+  def self.cas_action_url(base_url, mapping, action)
+    cas_action_url_factory_class.new(base_url, mapping, action).call
+  end
+  def self.cas_action_url_factory_class
+    @cas_action_url_factory_class ||= CasActionUrlFactoryBase.prepare_class
+  end
+  class CasActionUrlFactoryBase
+    attr_reader :base_url, :mapping, :action
+    def self.prepare_class
+      Class.new(self) do
+        include Rails.application.routes.url_helpers
+        include Rails.application.routes.mounted_helpers if Rails.application.routes.try(:mounted_helpers)
+      end
+    end
+    def initialize(base_url, mapping, action)
+      @base_url = base_url
+      @mapping  = mapping
+      @action   = action
+    end
+    def call
+      uri = URI.parse(base_url).tap { |uri| uri.query = nil }
+      uri.path = load_base_path
+      uri.to_s
+    end
+    alias_method :build, :call
+    private
+    def load_base_path
+      load_routes_path || load_mapping_path
+    end
+    def load_routes_path
+      router_name = mapping.router_name || Devise.available_router_name
+      context = send(router_name)
+      route = "#{mapping.singular}_#{action}_path"
+      if context.respond_to? route
+        context.send route
+      else
+        nil
+      end
+    rescue NameError, NoMemoryError
+      nil
+    end
+    def load_mapping_path
+      path = mapping_fullpath || mapping_raw_path
+      path << "/" unless path =~ /\/$/
+      path << action
+      path
+    end
+    def mapping_fullpath
+      return nil unless mapping.respond_to?(:fullpath)
+      "#{ENV['RAILS_RELATIVE_URL_ROOT']}#{mapping.fullpath}"
+    end
+    def mapping_raw_path
+      "#{ENV['RAILS_RELATIVE_URL_ROOT']}#{mapping.raw_path}"
+    end
+  end
+end

data/lib/cms/engine.rb CHANGED Viewed

@@ -7,6 +7,59 @@ module Cms
     isolate_namespace Cms
     config.cms = ActiveSupport::OrderedOptions.new
+    # USER BASE defaults
+    config.cms.user_class_name = 'Cms::PersistentUser'
+    config.cms.user_key_field  = :login
+    config.cms.user_name_field = :full_name
+    # DEVISE and CAS
+    config.cms.user_class_devise_options = [
+      :database_authenticatable,
+      :rememberable,
+      :recoverable,
+      authentication_keys: [:login]
+    ]
+    config.cms.devise_use_cas_only        = false
+    config.cms.devise_allow_registrations = true
+    config.cms.routes_devise_for_options = {
+      skip:        [],
+      path:        :users,
+      path_names:  {
+        sign_in:  'login',
+        sign_out: 'logout'
+      },
+      router_name: :cms, # we repeat it in the mapping so devise_cas_authenticatable can work nicely
+      controllers: {
+        sessions:     'cms/sessions',
+        passwords:    'cms/passwords',
+        cas_sessions: 'cms/cas_sessions',
+      },
+      module:      :devise,
+      # class_name:  nil, # this one is set by Cms Config, using Cms.user_class_name if it's not set
+    }
+    # Override this with a callable object that will get the user and the extra attributes
+    # on a cas_extra_attributes.
+    config.cms.user_cas_extra_attributes_setter = ->(_user, _extra_attributes) { nil }
+    config.cms.user_class_devise_validatable = true
+    config.cms.user_class_devise_recoverable = true
+    config.cms.cas_base_url                      = "https://cas.myorganization.com"
+    config.cms.cas_destination_url               = nil
+    config.cms.cas_follow_url                    = nil
+    config.cms.cas_logout_url_param              = nil
+    config.cms.cas_login_url                     = nil
+    config.cms.cas_logout_url                    = nil
+    config.cms.cas_validate_url                  = nil
+    config.cms.cas_destination_logout_param_name = nil
+    config.cms.cas_create_user                   = false
+    config.cms.cas_enable_single_sign_out        = true
+    config.cms.cas_user_identifier               = nil
     config.cms.attachments = ActiveSupport::OrderedOptions.new
     # Allows additional menu items to be added to the 'Tools' menu on the Admin tab.
@@ -71,7 +124,7 @@ module Cms
       #    Keys are looked up based on Class.name.underscore
       # @example:
       #   config.cms.templates['cms/form'] = 'my-form-layout' # app/views/layouts/templates/my-form-layout
-      #   config.cms.templates['cms/sites/sessions_controller'] = 'subpage' # For /login
+      #   config.cms.templates['cms/sites/sessions_controller'] = 'subpage' # For /users/login
       #
       app.config.cms.templates = {}
@@ -98,7 +151,7 @@ module Cms
     end
     # Needed to ensure routes added to the main app by the Engine are available. (Since engine draws its routes after the main app)
-    # Borrrow from Spree as documenented here: https://github.com/rails/rails/issues/11895
+    # Borrow from Spree as documented here: https://github.com/rails/rails/issues/11895
     config.after_initialize do
       Rails.application.routes_reloader.reload!
     end