card 1.16.12 → 1.16.13

data/mod/05_standard/set/all/comment.rb

@@ -1,16 +1,22 @@
-event :add_comment, after: :approve, on: :save, when: proc {|c| c.comment } do
+event :add_comment, after: :approve, on: :save, when: proc { |c| c.comment } do
+  cleaned_comment =
+    comment.split(/\n/).map do |line|
+      "<p>#{line.strip.empty? ? '&nbsp;' : line}</p>"
+    end * "\n"
+
+  signature =
+    if Auth.signed_in?
+      "[[#{Auth.current.name}]]"
+    else
+      Env.session[:comment_author] = comment_author if Env.session
+      "#{ comment_author } (Not signed in)"
+    end
+
   self.content = %{
-    #{ content }
-    #{ '<hr>' unless content.blank? }
-    #{ comment.split(/\n/).map {|line| "<p>#{line.strip.empty? ? '&nbsp;' : line}</p>"} * "\n" }
-    <div class="w-comment-author">--#{
-      if Auth.signed_in?
-        "[[#{Auth.current.name}]]"
-      else
-        Env.session[:comment_author] = comment_author if Env.session
-        "#{ comment_author } (Not signed in)"
-      end
-    }.....#{Time.now}</div>
+    #{content}
+    #{'<hr>' unless content.blank?}
+    #{cleaned_comment}
+    <div class="w-comment-author">--#{signature}.....#{Time.now}</div>
   }
 end
 

data/mod/05_standard/set/all/error.rb

@@ -1,4 +1,8 @@
-
+def copy_errors card
+  card.errors.each do |att, msg|
+    errors.add att, msg
+  end
+end
 
 format do
   view :closed_missing, perms: :none, closed: true do |args|

data/mod/05_standard/set/right/account.rb

@@ -12,36 +12,19 @@ def blocked?;  status == 'blocked' end
 def built_in?; status == 'system'  end
 def pending?;  status == 'pending' end
 
-def authenticate_by_token val
+def validate_token! test_token
   tcard = token_card
-  error = token_error(tcard, val)
-  if error == :none
-    Auth.as_bot { tcard.delete! }
-    left.id
-  else
-    error
-  end
-end
-
-def token_error tcard, val
-  case
-  when !tcard
-    :token_not_found
-  when token != val
-    :incorrect_token
-  when tcard.updated_at <= Card.config.token_expiry.ago
-    # < means "before"
-    :token_expired
-  when !left || !left.accountable?
-    :illegal_account
-  else
-    :none
-  end
+  tcard.validate! test_token
+  copy_errors tcard
+  errors.empty?
 end
 
 format do
   view :verify_url do
-    card_url "update/#{card.cardname.left_name.url_key}?token=#{card.token}"
+    signup_name = card.cardname.left_name
+    card_url "update/#{signup_name.url_key}" \
+             "?token=#{card.token}" \
+             '&live_token=true'
   end
 
   view :verify_days do
@@ -49,8 +32,9 @@ format do
   end
 
   view :reset_password_url do
-    card_url "update/#{card.cardname.url_key}?" \
-             "reset_token=#{card.token_card.refresh(true).content}"
+    card_url "update/#{card.cardname.url_key}" \
+             "?token=#{card.token_card.refresh(true).content}" \
+             '&live_token=true&event=reset_password'
   end
 
   view :reset_password_days do
@@ -76,20 +60,16 @@ format :html do
   end
 end
 
-
 event :validate_accountability, on: :create, before: :approve do
-  unless left and left.accountable?
-    errors.add :content, "not allowed on this card"
+  unless left && left.accountable?
+    errors.add :content, 'not allowed on this card'
   end
 end
 
 event :require_email, on: :create, after: :approve do
-  unless subfield(:email)
-    errors.add :email, 'required'
-  end
+  errors.add :email, 'required' unless subfield(:email)
 end
 
-
 event :set_default_salt, on: :create, before: :process_subcards do
   salt = Digest::SHA1.hexdigest "--#{Time.now.to_s}--"
   Env[:salt] = salt # HACK!!! need viable mechanism to get this to password
@@ -97,35 +77,34 @@ event :set_default_salt, on: :create, before: :process_subcards do
 end
 
 event :set_default_status, on: :create, before: :process_subcards do
-  default_status = ( Auth.needs_setup? ? 'active' : 'pending' )
+  default_status = Auth.needs_setup? ? 'active' : 'pending'
   add_subfield :status, content: default_status
 end
 
 def confirm_ok?
-  Card.new( type_id: Card.default_accounted_type_id ).ok? :create
+  Card.new(type_id: Card.default_accounted_type_id).ok? :create
 end
 
-event :generate_confirmation_token, :on=>:create, :before=>:process_subcards, :when=>proc{ |c| c.confirm_ok? } do
+event :generate_confirmation_token,
+      on: :create, before: :process_subcards,
+      when: proc { |c| c.confirm_ok? } do
   add_subfield :token, content: generate_token
 end
 
-event :reset_password, on: :update, before: :approve, when: proc{ |c| c.has_reset_token? } do
-  case ( result = authenticate_by_token @env_token )
-  when Integer
-    Auth.signin result
+event :reset_password, on: :update, before: :approve, when:
+    proc { |c| c.reset_password? } do
+  if validate_token! @env_token
+    token_card.used!
+    Auth.signin left_id
     success << edit_password_success_args
-    abort :success
-  when :token_expired
-    send_reset_password_token
-    success << {
-      id: '_self',
-      view: 'message',
-      message: "Sorry, this token has expired. Please check your email for a new password reset link."
-    }
-    abort :success
   else
-    abort :failure, "error resetting password: #{result}" # bad token or account
+    error_msg = errors.first.last
+    send_reset_password_token
+    msg = "Sorry, #{error_msg}. " \
+          'Please check your email for a new password reset link.'
+    success << { id: '_self', view: 'message', message: msg }
   end
+  abort :success
 end
 
 def edit_password_success_args
@@ -136,8 +115,9 @@ def edit_password_success_args
   }
 end
 
-def has_reset_token?
-  @env_token = Env.params[:reset_token]
+def reset_password?
+  @env_token = Env.params[:token]
+  @env_token && Env.params[:event] == 'reset_password'
 end
 
 event :reset_token do
@@ -146,55 +126,52 @@ event :reset_token do
   end
 end
 
-
 event :send_welcome_email do
-  if ((welcome = Card['welcome email']) && welcome.type_code == :email_template)
-    welcome.deliver(context: left, to: self.email)
+  welcome = Card['welcome email']
+  if welcome && welcome.type_code == :email_template
+    welcome.deliver context: left, to: email
   end
 end
 
-event :send_account_verification_email, on: :create, after: :extend, when: proc{ |c| c.token.present? } do
-  Card[:verification_email].deliver( context: self, to: self.email )
+event :send_account_verification_email, on: :create, after: :extend, when:
+    proc { |c| c.token.present? } do
+  Card[:verification_email].deliver context: self, to: email
 end
 
 event :send_reset_password_token do
   Auth.as_bot do
     token_card.update_attributes! content: generate_token
   end
-  Card[:password_reset_email].deliver( context: self, to: self.email )
+  Card[:password_reset_email].deliver context: self, to: email
 end
 
 def ok_to_read
   is_own_account? ? true : super
 end
 
-
 def changes_visible? act
   act.relevant_actions_for(act.card).each do |action|
     return true if action.card.ok? :read
   end
-  return false
+  false
 end
 
 def send_change_notice act, followed_set, follow_option
-  if changes_visible?(act)
-    Auth.as(left.id) do
-      Card[:follower_notification_email].deliver(
-        context:       act.card,
-        to:            email,
-        follower:      left.name,
-        followed_set:  followed_set,
-        follow_option: follow_option
-      )
-    end
+  return unless changes_visible?(act)
+  Auth.as(left.id) do
+    Card[:follower_notification_email].deliver(
+      context:       act.card,
+      to:            email,
+      follower:      left.name,
+      followed_set:  followed_set,
+      follow_option: follow_option
+    )
   end
 end
 
-
 format :email do
   view :mail do |args|
     args[:to] ||= card.email
     super args
   end
 end
-

data/mod/05_standard/set/right/token.rb

@@ -1,5 +1,52 @@
 include All::Permissions::Accounts
 
-view :raw do |args|
-  "Private data"
+DURATIONS = 'second|minute|hour|day|week|month|year'
+
+card_accessor :expiration
+
+view :raw do
+  'Private data'
+end
+
+def validate! token
+  error =
+    case
+    when !real?           then [:token_not_found, 'no token found']
+    when expired?         then [:token_expired, 'expired token']
+    when content != token then [:incorrect_token, 'token mismatch']
+    end
+  errors.add *error if error
+end
+
+def expired?
+  !permanent? && updated_at <= term.ago
+end
+
+def permanent?
+  term == 'permanent'
+end
+
+def used!
+  Auth.as_bot { delete! } unless permanent?
+end
+
+def term
+  @term ||=
+    if expiration.present?
+      term_from_string expiration
+    else
+      Card.config.token_expiry
+    end
+end
+
+def term_from_string string
+  string.strip!
+  return 'permanent' if string == 'none'
+  re_match = /^(\d+)[\.\s]*(#{DURATIONS})s?$/.match(string)
+  number, unit = re_match.captures if re_match
+  if unit
+    number.to_i.send unit
+  else
+    raise Card::Oops, "illegal expiration value (eg '2 days')"
+  end
 end

data/mod/05_standard/set/self/signin.rb

@@ -87,14 +87,14 @@ event :signin, before: :approve, on: :update do
 
   abort :failure, 'bad signin args' unless email && pword
 
-  if (signin_id = Auth.authenticate(email, pword))
-    Auth.signin signin_id
+  if (account = Auth.authenticate(email, pword))
+    Auth.signin account.left_id
   else
-    accted = Auth[email.strip.downcase]
+    account = Auth[email.strip.downcase]
     error_msg =
       case
-      when accted.nil?             then 'Unrecognized email.'
-      when !accted.account.active? then 'Sorry, that account is not active.'
+      when account.nil?     then 'Unrecognized email.'
+      when !account.active? then 'Sorry, that account is not active.'
       else 'Wrong password'
       end
     errors.add :signin, error_msg
@@ -112,15 +112,17 @@ event :send_reset_password_token,
   email = subfield :email
   email &&= email.content
 
-  if (accted = Auth[email.strip.downcase]) && accted.account.active?
-    accted.account.send_reset_password_token
-    abort :success
-  else
-    if accted
-      errors.add :account, 'not active'
+  account = Auth[email.strip.downcase]
+  if account
+    if account.active?
+      account.send_reset_password_token
+      abort :success
     else
-      errors.add :email, 'not recognized'
+      errors.add :account, 'not active'
+      abort :failure
     end
+  else
+    errors.add :email, 'not recognized'
     abort :failure
   end
 end

data/mod/05_standard/set/type/signup.rb

@@ -101,25 +101,21 @@ end
 
 event :activate_by_token, before: :approve, on: :update,
                           when: proc { |c| c.has_token? } do
-  result = if account
-             account.authenticate_by_token(@env_token)
-           else
-             "no account associated with #{name}"
-           end
-
-  case result
-  when Integer
-    abort :failure, 'no field manipulation mid-activation' if subcards.present?
-    # necessary because the rest of the action is performed as Wagn Bot
+  abort :failure, 'no field manipulation mid-activation' if subcards.present?
+  # necessary because this performs actions as Wagn Bot
+  abort :failure, "no account associated with #{name}" if !account
+
+  account.validate_token! @env_token
+
+  if account.errors.empty?
+    account.token_card.used!
     activate_account
     Auth.signin id
-    Auth.as_bot
-    Env.params[:success] = ''
-  when :token_expired
+    Auth.as_bot # use admin permissions for rest of action
+    success << ''
+  else
     resend_activation_token
     abort :success
-  else
-    abort :failure, "signup activation error: #{result}" # bad token or account
   end
 end
 
@@ -128,6 +124,7 @@ def has_token?
 end
 
 event :activate_account do
+  # FIXME: -- sends email before account is fully activated
   add_subfield :account
   subfield(:account).add_subfield :status, content: 'active'
   self.type_id = Card.default_accounted_type_id
@@ -152,12 +149,11 @@ end
 event :resend_activation_token do
   account.reset_token
   account.send_account_verification_email
-  Env.params[:success] = {
-    id: '_self',
-    view: 'message',
-    message: 'Sorry, this token has expired. ' \
-             ' Please check your email for a new password reset link.'
-  }
+  message = 'Please check your email for a new password reset link.'
+  if account.errors.any?
+    message = "Sorry, #{account.errors.first.last}. #{message}"
+  end
+  success << { id: '_self', view: 'message', message: message }
 end
 
 def signed_in_as_me_without_password?

data/mod/05_standard/spec/set/all/account_spec.rb

@@ -78,7 +78,7 @@ describe Card::Set::All::Account do
       c = Card['Joe New']
       u = Card::Auth[ 'joe@new.com' ]
 
-      expect(c).to eq(u)
+      expect(c.account).to eq(u)
       expect(c.type_id).to eq(Card::UserID)
 =begin
       email = ActionMailer::Base.deliveries.last

data/mod/05_standard/spec/set/right/account_spec.rb

@@ -1,31 +1,45 @@
 # -*- encoding : utf-8 -*-
 
 describe Card::Set::Right::Account do
-
   describe '#create' do
-    context "valid user" do
-      #note - much of this is tested in account_request_spec
+    context 'valid user' do
+      # note - much of this is tested in account_request_spec
       before do
         Card::Auth.as_bot do
-          @user_card = Card.create! name: 'TmpUser', type_id: Card::UserID, '+*account'=>{
-            '+*email'=>'tmpuser@wagn.org', '+*password'=>'tmp_pass'
-          }
+          @user_card = Card.create!(
+            name: 'TmpUser',
+            type_id: Card::UserID,
+            '+*account' => {
+              '+*email' => 'tmpuser@wagn.org', '+*password' => 'tmp_pass'
+            }
+          )
         end
-
       end
 
       it 'should create an authenticable password' do
-        expect(Card::Auth.password_authenticated?( @user_card.account, 'tmp_pass')).to be_truthy
+        validity = Card::Auth.password_valid? @user_card.account, 'tmp_pass'
+        expect(validity).to be_truthy
       end
     end
 
     it "should check accountability of 'accounted' card" do
-      @unaccountable = Card.create name: 'BasicUnaccountable', '+*account'=>{ '+*email'=>'tmpuser@wagn.org', '+*password'=>'tmp_pass' }
-      expect(@unaccountable.errors['+*account'].first).to eq('not allowed on this card')
-    end
-
-    it "should require email" do
-      @no_email = Card.create name: 'TmpUser', type_id: Card::UserID, '+*account'=>{ '+*password'=>'tmp_pass' }
+      @unaccountable = Card.create(
+        name: 'BasicUnaccountable',
+        '+*account' => {
+          '+*email' => 'tmpuser@wagn.org',
+          '+*password' => 'tmp_pass'
+        }
+      )
+      error_msg = @unaccountable.errors['+*account'].first
+      expect(error_msg).to eq('not allowed on this card')
+    end
+
+    it 'should require email' do
+      @no_email = Card.create(
+        name: 'TmpUser',
+        type_id: Card::UserID,
+        '+*account' => { '+*password' => 'tmp_pass' }
+      )
       expect(@no_email.errors['+*account'].first).to match(/email required/)
     end
   end
@@ -33,78 +47,82 @@ describe Card::Set::Right::Account do
   describe '#send_account_verification_email' do
     before do
       @email = 'joe@user.com'
-      @account = Card::Auth[@email].account
+      @account = Card::Auth[@email]
       Mail::TestMailer.deliveries.clear
       @account.send_account_verification_email
       @mail = Mail::TestMailer.deliveries.last
     end
 
     it 'has correct address' do
-      expect( @mail.to ).to eq([@email])
+      expect(@mail.to).to eq([@email])
     end
 
     it 'contains deck title' do
-      expect( @mail.parts[0].body.raw_source ).to match(Card.setting( :title ))
+      expect(@mail.parts[0].body.raw_source).to match(Card.setting(:title))
     end
 
     it 'contains link to verify account' do
-      expect( @mail.parts[0].body.raw_source ).to include("/update/#{@account.left.cardname.url_key}?token=#{@account.token}")
+      url = "/update/#{@account.left.cardname.url_key}?token=#{@account.token}"
+      expect(@mail.parts[0].body.raw_source).to include(url)
     end
 
     it 'contains expiry days' do
-      expect(@mail.parts[0].body.raw_source).to include("valid for #{Card.config.token_expiry / 1.day } days")
+      msg = "valid for #{Card.config.token_expiry / 1.day} days"
+      expect(@mail.parts[0].body.raw_source).to include(msg)
     end
   end
 
   describe '#send_reset_password_token' do
     before do
       @email = 'joe@user.com'
-      @account = Card::Auth[@email].account
+      @account = Card::Auth[@email]
       Mail::TestMailer.deliveries = []
       @account.send_reset_password_token
       @mail = Mail::TestMailer.deliveries.last
     end
 
     it 'contains deck title' do
-      expect( @mail.parts[0].body.raw_source ).to match(Card.setting( :title ))
+      expect(@mail.parts[0].body.raw_source).to match(Card.setting(:title))
     end
 
     it 'contains password resset link' do
-      expect( @mail.parts[0].body.raw_source ).to include("/update/#{@account.cardname.url_key}?reset_token=#{@account.token_card.refresh(true).content}")
+      token = @account.token_card.refresh(true).content
+      url = "/update/#{@account.cardname.url_key}?token=#{token}"
+      expect(@mail.parts[0].body.raw_source).to include(url)
     end
 
     it 'contains expiry days' do
-      expect(@mail.parts[0].body.raw_source).to include("valid for #{Card.config.token_expiry / 1.day } days")
+      url = "valid for #{Card.config.token_expiry / 1.day} days"
+      expect(@mail.parts[0].body.raw_source).to include(url)
     end
   end
 
-
-
-
   describe '#update_attributes' do
     before :each do
-      @user_card = Card::Auth[ 'joe@user.com' ]
+      @account = Card::Auth['joe@user.com']
     end
 
     it 'should reset password' do
-      @user_card.account.password_card.update_attributes!(content: 'new password')
-      assert_equal @user_card.id, Card::Auth.authenticate('joe@user.com', 'new password')
+      @account.password_card.update_attributes!(content: 'new password')
+      authenticated = Card::Auth.authenticate 'joe@user.com', 'new password'
+      assert_equal @account, authenticated
     end
 
     it 'should not rehash password when updating email' do
-      @user_card.account.email_card.update_attributes!(content: 'joe2@user.com')
-      assert_equal @user_card.id, Card::Auth.authenticate('joe2@user.com', 'joe_pass')
+      @account.email_card.update_attributes! content: 'joe2@user.com'
+      authenticated = Card::Auth.authenticate 'joe2@user.com', 'joe_pass'
+      assert_equal @account, authenticated
     end
   end
 
-
   describe '#reset_password' do
     before :each do
       @email = 'joe@user.com'
-      @account = Card::Auth[@email].account
+      @account = Card::Auth[@email]
       @account.send_reset_password_token
       @token = @account.token
-      Card::Env.params[:reset_token] = @token
+      Card::Env.params[:token] = @token
+      Card::Env.params[:event] = 'reset_password'
       Card::Auth.current_id = Card::AnonymousID
     end
 
@@ -112,44 +130,51 @@ describe Card::Set::Right::Account do
       expect(Card::Auth.current_id).to eq(Card::AnonymousID)
       expect(@account.save).to eq(true)
       expect(Card::Auth.current_id).to eq(@account.left_id)
-      @account = @account.refresh force=true
+      @account = @account.refresh true
       expect(@account.fetch(trait: :token)).to be_nil
-      expect(@account.save).to be_falsey
     end
 
     it 'should not work if token is expired' do
-      @account.token_card.update_column :updated_at, 3.days.ago.strftime("%F %T")
+      @account.token_card.update_column :updated_at,
+                                        3.days.ago.strftime('%F %T')
       @account.token_card.expire
-
       result = @account.save
-      expect(result).to eq(true)                 # successfully completes save
-      expect(@account.token).not_to eq(@token)   # token gets updated
-      expect(@account.success.message).to match(/expired/) # user notified of expired token
+
+      expect(result).to eq(true)
+      # successfully completes save
+
+      expect(@account.token).not_to eq(@token)
+      # token gets updated
+
+      expect(@account.success.message).to match(/expired/)
+      # user notified of expired token
     end
 
     it 'should not work if token is wrong' do
-      Card::Env.params[:reset_token] = @token + 'xxx'
+      Card::Env.params[:token] = @token + 'xxx'
+      Card::Env.params[:event] = 'reset_password'
       @account.save
-      expect(@account.errors[:abort].first).to match(/incorrect_token/)
+      expect(@account.errors[:incorrect_token].first).to match(/mismatch/)
     end
-
   end
 
-
   describe '#send_change_notice' do
     it 'send multipart email' do
       skip
-#      pending
+      #      pending
     end
 
     context 'denied access' do
       it 'excludes protected subcards' do
         skip
-        Card.create(name: "A+B+*self+*read", type: 'Pointer', content: "[[u1]]")
-        u2 = Card.fetch 'u2+*following', new: {type: 'Pointer'}
-        u2.add_item "A"
-        a = Card.fetch "A"
-        a.update_attributes( content: "new content", subcards: {'+B'=>{content: 'hidden content'}})
+        Card.create(name: 'A+B+*self+*read', type: 'Pointer', content: '[[u1]]')
+
+        u2 = Card.fetch 'u2+*following', new: { type: 'Pointer' }
+        u2.add_item 'A'
+
+        a = Card.fetch 'A'
+        a.update_attributes(content: 'new content',
+                            subcards: { '+B' => { content: 'hidden content' } })
       end
 
       it 'sends no email if changes not visible' do
@@ -158,4 +183,3 @@ describe Card::Set::Right::Account do
     end
   end
 end
-