devise_masquerade 0.6.5 → 2.1.0

data/app/controllers/devise/masquerades_controller.rb

@@ -1,67 +1,62 @@
-class Devise::MasqueradesController < DeviseController
-  if respond_to?(:prepend_before_action)
-    prepend_before_action :authenticate_scope!, :masquerade_authorize!
-  else
-    prepend_before_filter :authenticate_scope!, :masquerade_authorize!
-  end
+require 'securerandom'
 
-  if respond_to?(:before_action)
-    before_action :save_masquerade_owner_session, :only => :show
-  else
-    before_filter :save_masquerade_owner_session, :only => :show
+class Devise::MasqueradesController < DeviseController
+  Devise.mappings.each do |name, _|
+    class_eval <<-METHODS, __FILE__, __LINE__ + 1
+      skip_before_action :masquerade_#{name}!, raise: false
+    METHODS
   end
+  skip_before_action :masquerade!, raise: false
 
-  if respond_to?(:after_action)
-    after_action :cleanup_masquerade_owner_session, :only => :back
-  else
-    after_filter :cleanup_masquerade_owner_session, :only => :back
-  end
+  prepend_before_action :authenticate_scope!, only: :show
+  prepend_before_action :masquerade_authorize!
 
   def show
-    self.resource = find_resource
+    if send("#{masqueraded_resource_name}_masquerade?")
+      resource = masquerading_current_user
 
-    unless self.resource
-      flash[:error] = "#{masqueraded_resource_class} not found."
-      redirect_to(new_user_session_path) and return
-    end
+      go_back(resource, path: after_masquerade_full_path_for(resource))
+    else
+      masqueradable_resource = find_masqueradable_resource
 
-    self.resource.masquerade!
-    request.env["devise.skip_trackable"] = "1"
+      save_masquerade_owner_session(masqueradable_resource)
 
-    masquerade_sign_in(self.resource)
+      resource = masqueradable_resource
+      sign_out(masquerading_current_user)
 
-    if Devise.masquerade_routes_back && Rails::VERSION::MAJOR == 5
-      redirect_back(fallback_location: after_masquerade_full_path_for(resource))
-    elsif Devise.masquerade_routes_back && request.env['HTTP_REFERER'].present?
-      redirect_to :back
-    else
-      redirect_to(after_masquerade_full_path_for(resource))
+      unless resource
+        flash[:error] = "#{masqueraded_resource_class} not found."
+        redirect_to(send("new_#{masqueraded_resource_name}_session_path")) and return
+      end
+
+      request.env['devise.skip_trackable'] = '1'
+
+      masquerade_sign_in(resource)
+
+      go_back(resource, path: after_masquerade_full_path_for(resource))
     end
   end
 
   def back
-    user_id = session[session_key]
+    unless send("#{masqueraded_resource_name}_masquerade?")
+      resource = send("current_#{masqueraded_resource_name}")
+      go_back(resource, path: after_back_masquerade_path_for(resource))
+    else
+      masqueradable_resource = send("current_#{masqueraded_resource_name}")
 
-    owner_user = if user_id.present?
-                   masquerading_resource_class.to_adapter.find_first(:id => user_id)
-                 else
-                   send(:"current_#{masquerading_resource_name}")
-                 end
+      unless send("#{masqueraded_resource_name}_signed_in?")
+        head(401) and return
+      end
 
-    if masquerading_resource_class != masqueraded_resource_class
+      resource = find_owner_resource(masqueradable_resource)
       sign_out(send("current_#{masqueraded_resource_name}"))
-    end
 
-    masquerade_sign_in(owner_user)
-    request.env["devise.skip_trackable"] = nil
+      sign_in(resource)
+      request.env['devise.skip_trackable'] = nil
 
-    if Devise.masquerade_routes_back && Rails::VERSION::MAJOR == 5
-      # If using the masquerade_routes_back and Rails 5
-      redirect_back(fallback_location: after_back_masquerade_path_for(owner_user))
-    elsif Devise.masquerade_routes_back && request.env['HTTP_REFERER'].present?
-      redirect_to :back
-    else
-      redirect_to after_back_masquerade_path_for(owner_user)
+      go_back(resource, path: after_back_masquerade_path_for(resource))
+
+      cleanup_masquerade_owner_session(masqueradable_resource)
     end
   end
 
@@ -75,22 +70,54 @@ class Devise::MasqueradesController < DeviseController
     true
   end
 
-  def find_resource
-    masqueraded_resource_class.to_adapter.find_first(:id => params[:id])
+  def find_masqueradable_resource
+    GlobalID::Locator.locate_signed(params[Devise.masquerade_param], for: 'masquerade')
   end
 
-  private
+  def find_owner_resource(masqueradable_resource)
+    skey = session_key(masqueradable_resource, masquerading_guid)
+
+    if Devise.masquerade_storage_method_session?
+      resource_id = session[skey]
 
-  def masqueraded_resource_class
-    Devise.masqueraded_resource_class || resource_class
+      masquerading_resource_class.find(resource_id)
+    else
+      data = Rails.cache.read(skey)
+
+      GlobalID::Locator.locate_signed(data, for: 'masquerade')
+    end
+  end
+
+  def go_back(user, path:)
+    if Devise.masquerade_routes_back
+      redirect_back(fallback_location: path)
+    else
+      redirect_to path
+    end
   end
 
+  private
+
   def masqueraded_resource_name
     Devise.masqueraded_resource_name || masqueraded_resource_class.model_name.param_key
   end
 
   def masquerading_resource_class
-    Devise.masquerading_resource_class || resource_class
+    @masquerading_resource_class ||= begin
+      unless params[:masquerading_resource_class].blank?
+        params[:masquerading_resource_class].constantize
+      else
+        unless session[session_key_masquerading_resource_class].blank?
+          session[session_key_masquerading_resource_class].constantize
+        else
+          if Devise.masquerading_resource_class_name.present?
+            Devise.masquerading_resource_class_name.constantize
+          else
+            Devise.masquerading_resource_class || resource_class
+          end
+        end
+      end
+    end
   end
 
   def masquerading_resource_name
@@ -98,40 +125,62 @@ class Devise::MasqueradesController < DeviseController
   end
 
   def authenticate_scope!
-    send(:"authenticate_#{masquerading_resource_name}!", :force => true)
+    send(:"authenticate_#{masquerading_resource_name}!", force: true)
   end
 
   def after_masquerade_path_for(resource)
-    "/"
+    '/'
   end
 
   def after_masquerade_full_path_for(resource)
-    if after_masquerade_path_for(resource) =~ /\?/
-      "#{after_masquerade_path_for(resource)}&#{after_masquerade_param_for(resource)}"
-    else
-      "#{after_masquerade_path_for(resource)}?#{after_masquerade_param_for(resource)}"
-    end
-  end
-
-  def after_masquerade_param_for(resource)
-    "#{Devise.masquerade_param}=#{resource.masquerade_key}"
+    after_masquerade_path_for(resource)
   end
 
   def after_back_masquerade_path_for(resource)
     '/'
   end
 
-  def save_masquerade_owner_session
-    unless session.key?(session_key)
-      session[session_key] = send("current_#{masquerading_resource_name}").id
+  def save_masquerade_owner_session(masqueradable_resource)
+    guid = SecureRandom.uuid
+
+    skey = session_key(masqueradable_resource, guid)
+
+    resource_obj = send("current_#{masquerading_resource_name}")
+
+    if Devise.masquerade_storage_method_session?
+      session[skey] = resource_obj.id
+    else
+      # skip sharing owner id via session
+      Rails.cache.write(skey, resource_obj.to_sgid(for: 'masquerade'))
+
+      session[skey] = true
     end
+
+    session[session_key_masquerading_resource_class] = masquerading_resource_class.name
+    session[session_key_masqueraded_resource_class] = masqueraded_resource_class.name
+    session[session_key_masquerading_resource_guid] = guid
   end
 
-  def cleanup_masquerade_owner_session
-    session.delete(session_key)
+  def cleanup_masquerade_owner_session(masqueradable_resource)
+    skey = session_key(masqueradable_resource, masquerading_guid)
+
+    Rails.cache.delete(skey) if Devise.masquerade_storage_method_cache?
+
+    session.delete(session_key_masqueraded_resource_class)
+    session.delete(session_key_masquerading_resource_class)
+    session.delete(session_key_masquerading_resource_guid)
   end
 
-  def session_key
-    "devise_masquerade_#{masqueraded_resource_name}".to_sym
+  def session_key(masqueradable_resource, guid)
+    "devise_masquerade_#{masqueraded_resource_name}_#{masqueradable_resource.id}_#{guid}".to_sym
+  end
+
+  def masquerading_current_user
+    send("current_#{masquerading_resource_name}")
+  end
+
+  def masquerading_guid
+    session[session_key_masquerading_resource_guid]
   end
 end
+

data/devise_masquerade.gemspec

@@ -11,7 +11,7 @@ Gem::Specification.new do |gem|
   gem.email         = ['alex.korsak@gmail.com']
   gem.description   = 'devise masquerade library'
   gem.summary       = 'use for login as functionallity on your admin users pages'
-  gem.homepage      = 'http://github.com/oivoodoo/devise_masquerade/'
+  gem.homepage      = 'http://github.com/oivoodoo/devise_masquerade'
 
   gem.files         = `git ls-files`.split($/)
   gem.executables   = gem.files.grep(%r{^bin/}).map { |f| File.basename(f) }
@@ -20,8 +20,9 @@ Gem::Specification.new do |gem|
 
   gem.license = 'MIT'
 
-  gem.add_development_dependency('bundler', '>= 1.1.0')
+  gem.add_development_dependency('bundler', '>= 2.0.0')
 
-  gem.add_runtime_dependency('railties', '>= 3.0')
-  gem.add_runtime_dependency('devise', '>= 2.1.0')
+  gem.add_runtime_dependency('railties', '>= 5.2.0')
+  gem.add_runtime_dependency('devise', '>= 4.7.0')
+  gem.add_runtime_dependency('globalid', '>= 0.3.6')
 end

data/features/back.feature

@@ -3,14 +3,28 @@ Feature: Use back button for returning to the owner of the masquerade action.
   As an masquerade user
   I want to be able to press a simple button on the page
 
-  Scenario: Use back button
+  Scenario: Use back button with cache
     Given I logged in
+    And devise masquerade configured to use cache
     And I have a user for masquerade
 
     When I am on the users page
     And I login as one user
       Then I should be login as this user
+      And I should be masqueraded by owner user
 
     When I press back masquerade button
       Then I should be login as owner user
 
+  Scenario: Use back button with session
+    Given I logged in
+    And devise masquerade configured to use session
+    And I have a user for masquerade
+
+    When I am on the users page
+    And I login as one user
+      Then I should be login as this user
+      And I should be masqueraded by owner user
+
+    When I press back masquerade button
+      Then I should be login as owner user

data/features/expires_masquerade.feature

@@ -0,0 +1,36 @@
+Feature: Use back button for returning to the owner despite on expiration time.
+  In order to back to the owner user
+  As an masquerade user
+  I want to be able to press a simple button on the page
+
+  Scenario: Use back button with cache
+    Given I logged in
+    And devise masquerade configured to use cache
+    And I have a user for masquerade
+
+    When I have devise masquerade expiration time in 1 second
+
+    When I am on the users page
+    And I login as one user
+      Then I should be login as this user
+      And I should be masqueraded by owner user
+      And I waited for 2 seconds
+
+    When I press back masquerade button
+      Then I should be login as owner user
+
+  Scenario: Use back button with session
+    Given I logged in
+    And devise masquerade configured to use session
+    And I have a user for masquerade
+
+    When I have devise masquerade expiration time in 1 second
+
+    When I am on the users page
+    And I login as one user
+      Then I should be login as this user
+      And I should be masqueraded by owner user
+      And I waited for 2 seconds
+
+    When I press back masquerade button
+      Then I should be login as owner user

data/features/multiple_masquerading_models.feature

@@ -0,0 +1,17 @@
+Feature: Use various models for masquerading
+  In order to use various models for masquerading
+  As an masquerade user
+  I want to be able to press press masquerade as link for different models
+
+  Scenario: Use masquerade button on student and user models
+    Given I logged in
+    And I have a user for masquerade
+    And I have a student for masquerade
+
+    When I am on the users page
+    And I login as one user
+      Then I should be login as this user
+
+    When I am on the students page
+    And I login as one student
+      Then I should be login as this student

data/features/step_definitions/auth_steps.rb

@@ -8,3 +8,11 @@ Given /^I logged in$/ do
 
   click_on 'Log in'
 end
+
+Given("devise masquerade configured to use cache") do
+  Devise.masquerade_storage_method = :cache
+end
+
+Given("devise masquerade configured to use session") do
+  Devise.masquerade_storage_method = :session
+end

data/features/step_definitions/back_steps.rb

@@ -1,5 +1,5 @@
 Given /^I have a user for masquerade$/ do
-  @mask = create(:user)
+  @user_mask = create(:user)
 end
 
 When /^I am on the users page$/ do
@@ -7,11 +7,15 @@ When /^I am on the users page$/ do
 end
 
 When /^I login as one user$/ do
-  click_on "Login as"
+  find('.login_as').click
 end
 
 Then /^I should be login as this user$/ do
-  find('.current_user').should have_content(@mask.email)
+  find('.current_user').should have_content(@user_mask.email)
+end
+
+Then /^I should be masqueraded by owner user$/ do
+  find('.owner_user').should have_content(@user.email)
 end
 
 When /^I press back masquerade button$/ do
@@ -22,3 +26,18 @@ Then /^I should be login as owner user$/ do
   find('.current_user').should have_content(@user.email)
 end
 
+Given /^I have a student for masquerade$/ do
+  @student_mask = create(:student)
+end
+
+When /^I am on the students page$/ do
+  visit '/students'
+end
+
+When /^I login as one student$/ do
+  find('.login_as').click
+end
+
+Then /^I should be login as this student$/ do
+  find('.current_student').should have_content(@student_mask.email)
+end

data/features/step_definitions/expires_steps.rb

@@ -0,0 +1,9 @@
+When("I have devise masquerade expiration time in {int} second") do |seconds|
+  Devise.masquerade_expires_in = seconds.second
+end
+
+Then("I waited for {int} seconds") do |seconds|
+  sleep(seconds)
+
+  Devise.masquerade_expires_in = 5.minutes
+end

data/features/step_definitions/url_helpers_steps.rb

@@ -0,0 +1,11 @@
+Then("I should see maquerade url") do
+  page.html.should include('href="/users/masquerade?masquerade=')
+end
+
+When("I am on the users page with extra params") do
+  visit '/extra_params'
+end
+
+Then("I should see maquerade url with extra params") do
+  page.html.should include('href="/users/masquerade?key1=value1&masquerade=')
+end

data/features/support/env.rb

@@ -1,5 +1,5 @@
 require 'cucumber/rails'
-require 'factory_girl'
+require 'factory_bot'
 require 'database_cleaner'
 require 'cucumber/rspec/doubles'
 
@@ -9,9 +9,11 @@ ENV["RAILS_ENV"] = "test"
 
 Capybara.default_selector = :css
 
-ActionController::Base.allow_rescue = false
+ActiveSupport.on_load(:action_controller) do
+  self.allow_rescue = false
+end
 
-World(FactoryGirl::Syntax::Methods)
+World(FactoryBot::Syntax::Methods)
 
 begin
   DatabaseCleaner.strategy = :transaction
@@ -20,7 +22,24 @@ rescue NameError
 end
 
 Cucumber::Rails::Database.javascript_strategy = :truncation
-Capybara.javascript_driver = :webkit
+
+Capybara.register_driver :chrome do |app|
+  Capybara::Selenium::Driver.new(app, browser: :chrome)
+end
+
+Capybara.register_driver :headless_chrome do |app|
+  caps = Selenium::WebDriver::Remote::Capabilities.chrome(loggingPrefs: { browser: 'ALL' })
+  opts = Selenium::WebDriver::Chrome::Options.new
+
+  chrome_args = %w[--headless --window-size=1920,1080 --no-sandbox --disable-dev-shm-usage]
+  chrome_args.each { |arg| opts.add_argument(arg) }
+  Capybara::Selenium::Driver.new(app, browser: :chrome, options: opts, desired_capabilities: caps)
+end
+
+Capybara.configure do |config|
+  # change this to :chrome to observe tests in a real browser
+  config.javascript_driver = :headless_chrome
+end
 
 Before do
   allow_any_instance_of(DeviseController).to receive(:devise_mapping) { Devise.mappings[:user] }

data/features/url_helpers.feature

@@ -0,0 +1,14 @@
+Feature: Use masquerade path to generate routes on page
+  In order to have the way to render masquerade path
+  As an user
+  I want to be able to see the url and use it
+
+  Scenario: Use masquerade path helper
+    Given I logged in
+    And I have a user for masquerade
+
+    When I am on the users page
+      Then I should see maquerade url
+
+    When I am on the users page with extra params
+      Then I should see maquerade url with extra params

data/lib/devise_masquerade/controllers/helpers.rb

@@ -6,49 +6,130 @@ module DeviseMasquerade
         class_name = mapping.class_name
 
         class_eval <<-METHODS, __FILE__, __LINE__ + 1
+          def masquerade!
+            return if params["#{Devise.masquerade_param}"].blank?
+
+            klass = unless params[:masqueraded_resource_class].blank?
+              params[:masqueraded_resource_class].constantize
+            else
+              if Devise.masqueraded_resource_class_name.present?
+                Devise.masqueraded_resource_class_name.constantize
+              elsif Devise.masqueraded_resource_class
+                Devise.masqueraded_resource_class
+              elsif defined?(User)
+                User
+              end
+            end
+            return unless klass
+
+            resource = GlobalID::Locator.locate_signed params[Devise.masquerade_param], for: 'masquerade'
+
+            if resource
+              masquerade_sign_in(resource)
+            end
+          end
+
           def masquerade_#{name}!
             return if params["#{Devise.masquerade_param}"].blank?
 
-            #{name} = ::#{class_name}.find_by_masquerade_key(params["#{Devise.masquerade_param}"])
+            resource = GlobalID::Locator.locate_signed params[Devise.masquerade_param], for: 'masquerade'
 
-            if #{name}
-              masquerade_sign_in(#{name})
+            if resource
+              masquerade_sign_in(resource)
             end
           end
 
           def #{name}_masquerade?
-            session[:"devise_masquerade_#{name}"].present?
+            return false if current_#{name}.blank?
+            return false if session[#{name}_helper_session_key].blank?
+
+            if Devise.masquerade_storage_method_session?
+              session[#{name}_helper_session_key].present?
+            else
+              ::Rails.cache.exist?(#{name}_helper_session_key).present?
+            end
           end
 
           def #{name}_masquerade_owner
-            return nil unless send(:#{name}_masquerade?)
-            ::#{class_name}.to_adapter.find_first(:id => session[:"devise_masquerade_#{name}"])
+            return unless send(:#{name}_masquerade?)
+
+            if Devise.masquerade_storage_method_session?
+              resource_id = session[#{name}_helper_session_key]
+
+              masqueraded_resource_class.find(resource_id)
+            else
+              sgid = ::Rails.cache.read(#{name}_helper_session_key)
+
+              GlobalID::Locator.locate_signed(sgid, for: 'masquerade')
+            end
           end
 
           private
 
+          def #{name}_helper_session_key
+            ["devise_masquerade_#{name}", current_#{name}.id, #{name}_helper_masquerading_resource_guid].join("_")
+          end
+
+          def #{name}_helper_masquerading_resource_guid
+            session["devise_masquerade_masquerading_resource_guid"].to_s
+          end
+
           def masquerade_sign_in(resource)
             if Devise.masquerade_bypass_warden_callback
               if respond_to?(:bypass_sign_in)
                 bypass_sign_in(resource)
               else
-                sign_in(resource, :bypass => true)
+                sign_in(resource, bypass: true)
               end
             else
               sign_in(resource)
             end
           end
+
+          def masqueraded_resource_class
+            @masqueraded_resource_class ||= begin
+              unless params[:masqueraded_resource_class].blank?
+                params[:masqueraded_resource_class].constantize
+              else
+                unless session[session_key_masqueraded_resource_class].blank?
+                  session[session_key_masquerading_resource_class].constantize
+                else
+                  if Devise.masqueraded_resource_class_name.present?
+                    Devise.masqueraded_resource_class_name.constantize
+                  else
+                    Devise.masqueraded_resource_class || resource_class
+                  end
+                end
+              end
+            end
+          end
+
+          def session_key_masqueraded_resource_class
+            "devise_masquerade_masqueraded_resource_class"
+          end
+
+          def session_key_masquerading_resource_class
+            "devise_masquerade_masquerading_resource_class"
+          end
+
+          def session_key_masquerading_resource_guid
+            "devise_masquerade_masquerading_resource_guid"
+          end
+
         METHODS
 
         ActiveSupport.on_load(:action_controller) do
           if respond_to?(:helper_method)
             helper_method "#{name}_masquerade?"
             helper_method "#{name}_masquerade_owner"
+
+            helper_method :masqueraded_resource_class
+            helper_method :session_key_masqueraded_resource_class
+            helper_method :session_key_masquerading_resource_class
+            helper_method :session_key_masquerading_resource_guid
           end
         end
       end
     end
   end
 end
-
-ActionController::Base.send(:include, DeviseMasquerade::Controllers::Helpers)

data/lib/devise_masquerade/controllers/url_helpers.rb

@@ -1,16 +1,30 @@
+require 'securerandom'
+
 module DeviseMasquerade
   module Controllers
+
     module UrlHelpers
       def masquerade_path(resource, *args)
         scope = Devise::Mapping.find_scope!(resource)
-        send("#{scope}_masquerade_path", resource, *args)
+
+        opts = args.shift || {}
+        opts[:masqueraded_resource_class] = resource.class.name
+
+        opts[Devise.masquerade_param] = resource.masquerade_key
+
+        send("#{scope}_masquerade_index_path", opts, *args)
       end
 
       def back_masquerade_path(resource, *args)
         scope = Devise::Mapping.find_scope!(resource)
-        send("back_#{scope}_masquerade_index_path", *args)
+
+        opts = args.first || {}
+        opts[:masqueraded_resource_class] = resource.class.name
+
+        send("back_#{scope}_masquerade_index_path", opts, *args)
       end
     end
+
   end
 end