RubyGems - devise_masquerade - Versions diffs - 1.0.0 → 1.3.2 - Mend

devise_masquerade 1.0.0 → 1.3.2

Files changed (49) hide show

checksums.yaml +4 -4
data/.github/FUNDING.yml +1 -0
data/.github/workflows/brakeman-analysis.yml +44 -0
data/.github/workflows/rubocop-analysis.yml +39 -0
data/.ruby-version +1 -1
data/.travis.yml +1 -0
data/Gemfile +4 -2
data/Gemfile.lock +31 -18
data/README.md +21 -1
data/app/controllers/devise/masquerades_controller.rb +66 -24
data/devise_masquerade.gemspec +1 -1
data/features/back.feature +0 -1
data/features/multiple_masquerading_models.feature +17 -0
data/features/step_definitions/auth_steps.rb +1 -0
data/features/step_definitions/back_steps.rb +18 -3
data/features/step_definitions/url_helpers_steps.rb +11 -0
data/features/url_helpers.feature +14 -0
data/lib/devise_masquerade.rb +5 -5
data/lib/devise_masquerade/controllers/helpers.rb +27 -6
data/lib/devise_masquerade/controllers/url_helpers.rb +14 -2
data/lib/devise_masquerade/models/masqueradable.rb +2 -27
data/lib/devise_masquerade/rails.rb +5 -7
data/lib/devise_masquerade/routes.rb +3 -2
data/lib/devise_masquerade/version.rb +1 -1
data/spec/controllers/admin/dashboard_controller_spec.rb +3 -4
data/spec/controllers/dashboard_controller_spec.rb +3 -5
data/spec/controllers/devise/masquerades_controller_spec.rb +60 -39
data/spec/controllers/masquerades_tests_controller_spec.rb +41 -0
data/spec/dummy/app/controllers/admin/dashboard_controller.rb +0 -1
data/spec/dummy/app/controllers/application_controller.rb +2 -0
data/spec/dummy/app/controllers/dashboard_controller.rb +4 -1
data/spec/dummy/app/controllers/masquerades_tests_controller.rb +7 -0
data/spec/dummy/app/controllers/students_controller.rb +8 -0
data/spec/dummy/app/models/student.rb +3 -0
data/spec/dummy/app/views/admin/dashboard/index.html.erb +0 -2
data/spec/dummy/app/views/dashboard/extra_params.html.erb +7 -0
data/spec/dummy/app/views/dashboard/index.html.erb +0 -2
data/spec/dummy/app/views/layouts/application.html.erb +8 -2
data/spec/dummy/app/views/students/_student.html.erb +6 -0
data/spec/dummy/app/views/students/index.html.erb +1 -0
data/spec/dummy/app/views/users/_user.html.erb +1 -1
data/spec/dummy/config/routes.rb +9 -5
data/spec/dummy/db/migrate/20191022100000_create_students.rb +14 -0
data/spec/dummy/db/schema.rb +10 -1
data/spec/models/user_spec.rb +3 -30
data/spec/support/factories.rb +8 -4
metadata +34 -13
data/spec/controllers/masquerades_controller_spec.rb +0 -42
data/spec/dummy/app/controllers/masquerades_controller.rb +0 -5

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 53c11df20b59df74e7a1c60c2c895c4174583cfa8211a5922d2eafe4c5b92855
-  data.tar.gz: 8e39886ffd23cf8dcbe841da11802ffd3db437ba94ed8a38962a82cd29a8e475
+  metadata.gz: 7b817222d25ead9ef77e2075ab3d2f86693659fea00373b9cd998c8dfc81becb
+  data.tar.gz: 7d95e96a4ed3f3c6addcb54fcab39fe0df54d6eeaf513e0d363035b61d1da46e
 SHA512:
-  metadata.gz: '0528ff0b74a4008536b5cbaa404d16483bc3a6fe399f00899d3297d2a8dac95bedb945c5b65c920b47c3721799e02d82644cca2152145db19b7026e3a1674e32'
-  data.tar.gz: 47123c4f6eccfc61ff5171ece7db757cd05bf7fa87f32731d4b4bfe13d1cfe542d3f8a28c251bcd6bb4a6e4de95a7d070b3fb7fee4d2aebdbbd0dfd646d9f039
+  metadata.gz: dcec6dae97ed366a03553c6762f4d042a256aed0765aec2fe39c64ea93ecf1f4593eb60e7d57555fc399b0f4ae818f6883e80b11974b0a88c17bdfb18831cc0d
+  data.tar.gz: 6814d659d4cb22cb9b88aacd55d0ca3a54c208248919b389174cb220d4bf856682fe6cfd3ce287ec03bdc9554baec3e3556d7b44c92139138daaf3467b44b682

data/.github/FUNDING.yml ADDED Viewed

	@@ -0,0 +1 @@
1	+ patreon: oivoodoo

data/.github/workflows/brakeman-analysis.yml ADDED Viewed

@@ -0,0 +1,44 @@
+# This workflow integrates Brakeman with GitHub's Code Scanning feature
+# Brakeman is a static analysis security vulnerability scanner for Ruby on Rails applications
+name: Brakeman Scan
+# This section configures the trigger for the workflow. Feel free to customize depending on your convention
+on:
+  push:
+    branches: [ "master", "main" ]
+  pull_request:
+    branches: [ "master", "main" ]
+jobs:
+  brakeman-scan:
+    name: Brakeman Scan
+    runs-on: ubuntu-latest
+    steps:
+    # Checkout the repository to the GitHub Actions runner
+    - name: Checkout
+      uses: actions/checkout@v2
+    # Customize the ruby version depending on your needs
+    - name: Setup Ruby
+      uses: actions/setup-ruby@v1
+      with:
+        ruby-version: '2.7'
+    - name: Setup Brakeman
+      env:
+        BRAKEMAN_VERSION: '4.10' # SARIF support is provided in Brakeman version 4.10+
+      run: |
+        gem install brakeman --version $BRAKEMAN_VERSION
+    # Execute Brakeman CLI and generate a SARIF output with the security issues identified during the analysis
+    - name: Scan
+      continue-on-error: true
+      run: |
+        brakeman -f sarif -o output.sarif.json .
+    # Upload the SARIF file generated in the previous step
+    - name: Upload SARIF
+      uses: github/codeql-action/upload-sarif@v1
+      with:
+        sarif_file: output.sarif.json

data/.github/workflows/rubocop-analysis.yml ADDED Viewed

@@ -0,0 +1,39 @@
+name: "Rubocop"
+on: push
+jobs:
+  rubocop:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v2
+    # If running on a self-hosted runner, check it meets the requirements
+    # listed at https://github.com/ruby/setup-ruby#using-self-hosted-runners
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: 2.6
+    # This step is not necessary if you add the gem to your Gemfile
+    - name: Install Code Scanning integration
+      run: bundle add code-scanning-rubocop --version 0.3.0 --skip-install
+    - name: Install dependencies
+      run: bundle install
+    - name: Rubocop run
+      run: |
+        bash -c "
+          bundle exec rubocop --require code_scanning --format CodeScanning::SarifFormatter -o rubocop.sarif
+          [[ $? -ne 2 ]]
+        "
+    - name: Upload Sarif output
+      uses: github/codeql-action/upload-sarif@v1
+      with:
+        sarif_file: rubocop.sarif

data/.ruby-version CHANGED Viewed

	@@ -1 +1 @@
1	- 2.6.0
1	+ 2.7.2

data/.travis.yml CHANGED Viewed

@@ -2,6 +2,7 @@ language: ruby
 rvm:
   - 2.5.1
   - 2.6.0
+  - 2.7.2
 gemfile:
   - Gemfile
 script: time ./script/travis.sh

data/Gemfile CHANGED Viewed

@@ -15,11 +15,11 @@ group :test do
   gem 'pry-byebug'
   gem 'guard'
-  gem 'guard-rspec'
+  gem 'guard-rspec', '~> 4.7'
   gem 'guard-bundler'
   gem 'guard-cucumber'
-  gem 'rspec'
+  gem 'rspec', github: 'rspec/rspec'
   gem 'rspec-core', github: 'rspec/rspec-core'
   gem 'rspec-expectations', github: 'rspec/rspec-expectations'
   gem 'rspec-mocks', github: 'rspec/rspec-mocks'
@@ -36,4 +36,6 @@ group :test do
   gem 'selenium-webdriver'
   gem 'chromedriver-helper'
   gem 'launchy'
+  gem "nokogiri", ">= 1.10.8"
 end

data/Gemfile.lock CHANGED Viewed

@@ -40,13 +40,22 @@ GIT
   specs:
     rspec-support (3.10.0.pre)
+GIT
+  remote: https://github.com/rspec/rspec.git
+  revision: e1c2c6bd78c849d7956431331f32ba5092951dab
+  specs:
+    rspec (3.10.0.pre)
+      rspec-core (= 3.10.0.pre)
+      rspec-expectations (= 3.10.0.pre)
+      rspec-mocks (= 3.10.0.pre)
 PATH
   remote: .
   specs:
-    devise_masquerade (1.0.0)
+    devise_masquerade (1.3.2)
       devise (>= 4.7.0)
+      globalid (>= 0.3.6)
       railties (>= 5.2.0)
-      zeitwerk (>= 2.2.0)
 GEM
   remote: https://rubygems.org/
@@ -89,7 +98,7 @@ GEM
     archive-zip (0.12.0)
       io-like (~> 0.3.0)
     backports (3.15.0)
-    bcrypt (3.1.13)
+    bcrypt (3.1.16)
     bson (1.12.5)
     bson_ext (1.12.5)
       bson (~> 1.12.5)
@@ -133,7 +142,7 @@ GEM
     cucumber-tag_expressions (1.1.1)
     cucumber-wire (0.0.1)
     database_cleaner (1.0.1)
-    devise (4.7.1)
+    devise (4.7.3)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 4.1.0)
@@ -169,8 +178,10 @@ GEM
       cucumber (>= 1.3.0)
       guard-compat (~> 1.0)
       nenv (~> 0.1)
-    guard-rspec (1.2.2)
-      guard (>= 1.1)
+    guard-rspec (4.7.3)
+      guard (~> 2.1)
+      guard-compat (~> 1.1)
+      rspec (>= 2.99.0, < 4.0)
     i18n (1.7.0)
       concurrent-ruby (~> 1.0)
     io-like (0.3.0)
@@ -179,7 +190,7 @@ GEM
     listen (3.2.0)
       rb-fsevent (~> 0.10, >= 0.10.3)
       rb-inotify (~> 0.9, >= 0.9.10)
-    loofah (2.3.0)
+    loofah (2.3.1)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
     lumberjack (1.0.13)
@@ -190,13 +201,14 @@ GEM
       mime-types-data (~> 3.2015)
     mime-types-data (3.2019.1009)
     mini_mime (1.0.2)
-    mini_portile2 (2.4.0)
+    mini_portile2 (2.5.0)
     minitest (5.12.2)
     multi_json (1.14.1)
     multi_test (0.1.2)
     nenv (0.3.0)
-    nokogiri (1.10.4)
-      mini_portile2 (~> 2.4.0)
+    nokogiri (1.11.1)
+      mini_portile2 (~> 2.5.0)
+      racc (~> 1.4)
     notiffany (0.1.3)
       nenv (~> 0.1)
       shellany (~> 0.0)
@@ -209,7 +221,8 @@ GEM
       byebug (~> 11.0)
       pry (~> 0.10)
     public_suffix (4.0.1)
-    rack (2.0.7)
+    racc (1.5.2)
+    rack (2.2.3)
     rack-test (1.1.0)
       rack (>= 1.0, < 3)
     rails-dom-testing (2.0.3)
@@ -228,10 +241,9 @@ GEM
     rb-inotify (0.10.0)
       ffi (~> 1.0)
     regexp_parser (1.6.0)
-    responders (3.0.0)
+    responders (3.0.1)
       actionpack (>= 5.0)
       railties (>= 5.0)
-    rspec (1.3.2)
     rubyzip (2.0.0)
     selenium-webdriver (3.142.6)
       childprocess (>= 0.5, < 4.0)
@@ -250,8 +262,8 @@ GEM
     thread_safe (0.3.6)
     tzinfo (1.2.5)
       thread_safe (~> 0.1)
-    warden (1.2.8)
-      rack (>= 2.0.6)
+    warden (1.2.9)
+      rack (>= 2.0.9)
     xpath (3.2.0)
       nokogiri (~> 1.8)
     zeitwerk (2.2.0)
@@ -274,12 +286,13 @@ DEPENDENCIES
   guard
   guard-bundler
   guard-cucumber
-  guard-rspec
+  guard-rspec (~> 4.7)
   launchy
+  nokogiri (>= 1.10.8)
   pry
   pry-byebug
   rb-fsevent
-  rspec
+  rspec!
   rspec-core!
   rspec-expectations!
   rspec-mocks!
@@ -291,4 +304,4 @@ DEPENDENCIES
   test-unit
 BUNDLED WITH
-   2.0.2
+   2.1.4

data/README.md CHANGED Viewed

@@ -33,18 +33,30 @@ In the view you can use url helper for defining link:
     = link_to "Login As", masquerade_path(user)
+`masquerade_path` would create specific `/masquerade` path with query params `masquerade`(key) and `masqueraded_resource_class` to know
+which model to choose to search and sign in by masquerade key.
 In the model you'll need to add the parameter :masqueradable to the existing comma separated values in the devise method:
 ```ruby
     devise :invitable, :confirmable, :database_authenticatable, :registerable, :masqueradable
 ```
-Add into your application_controller.rb:
+Add into your `application_controller.rb` if you want to have custom way on sign in by using masquerade token otherwise you can still
+use only `masquerade_path` in your view to generate temporary token and link to make `Login As`:
 ```ruby
     before_action :masquerade_user!
 ```
+or
+```ruby
+    before_action :masquerade!
+```
+`masquerade!` is generic way in case if you want to support multiple models on masquerade.
 Instead of user you can use your resource name admin, student or another names.
 If you want to back to the owner of masquerade action user you could use
@@ -167,6 +179,14 @@ in `routes.rb`:
 And check http://localhost:3000/, use for login user1@example.com and
 'password'
+## Troubleshooting
+Are you working in development mode and wondering why masquerade attempts result in a [Receiving "You are already signed in" flash[:error]](https://github.com/oivoodoo/devise_masquerade/issues/58) message? `Filter chain halted as :require_no_authentication rendered or redirected` showing up in your logfile? Chances are that you need to enable caching:
+    rails dev:cache
+This is a one-time operation, so you can set it and forget it. Should you ever need to disable caching in development, you can re-run the command as required.
 ## Test project
     make test

data/app/controllers/devise/masquerades_controller.rb CHANGED Viewed

@@ -1,5 +1,13 @@
 class Devise::MasqueradesController < DeviseController
-  prepend_before_action :authenticate_scope!, :masquerade_authorize!
+  Devise.mappings.each do |name, _|
+    class_eval <<-METHODS, __FILE__, __LINE__ + 1
+      skip_before_action :masquerade_#{name}!, raise: false
+    METHODS
+  end
+  skip_before_action :masquerade!, raise: false
+  prepend_before_action :authenticate_scope!, only: :show
+  prepend_before_action :masquerade_authorize!
   before_action :save_masquerade_owner_session, only: :show
@@ -8,13 +16,16 @@ class Devise::MasqueradesController < DeviseController
   def show
     self.resource = find_resource
+    if resource.class != masquerading_resource_class
+      sign_out(send("current_#{masquerading_resource_name}"))
+    end
     unless resource
       flash[:error] = "#{masqueraded_resource_class} not found."
       redirect_to(new_user_session_path) and return
     end
-    resource.masquerade!
-    request.env["devise.skip_trackable"] = "1"
+    request.env['devise.skip_trackable'] = '1'
     masquerade_sign_in(resource)
@@ -22,15 +33,13 @@ class Devise::MasqueradesController < DeviseController
   end
   def back
-    user_id = session[session_key]
-    resource = if user_id.present?
-      masquerading_resource_class.to_adapter.find_first(:id => user_id)
-    else
-      send(:"current_#{masquerading_resource_name}")
+    unless send("#{masqueraded_resource_name}_signed_in?")
+      head(401) and return
     end
-    if masquerading_resource_class != masqueraded_resource_class
+    self.resource = find_owner_resource
+    if resource.class != masqueraded_resource_class
       sign_out(send("current_#{masqueraded_resource_name}"))
     end
@@ -51,7 +60,11 @@ class Devise::MasqueradesController < DeviseController
   end
   def find_resource
-    masqueraded_resource_class.to_adapter.find_first(id: params[:id])
+    GlobalID::Locator.locate_signed params[Devise.masquerade_param], for: 'masquerade'
+  end
+  def find_owner_resource
+    GlobalID::Locator.locate_signed(Rails.cache.read(session_key), for: 'masquerade')
   end
   def go_back(user, path:)
@@ -65,7 +78,17 @@ class Devise::MasqueradesController < DeviseController
   private
   def masqueraded_resource_class
-    Devise.masqueraded_resource_class || resource_class
+    @masqueraded_resource_class ||= begin
+      unless params[:masqueraded_resource_class].blank?
+        params[:masqueraded_resource_class].constantize
+      else
+        unless session[session_key_masqueraded_resource_class].blank?
+          session[session_key_masquerading_resource_class].constantize
+        else
+          Devise.masqueraded_resource_class || resource_class
+        end
+      end
+    end
   end
   def masqueraded_resource_name
@@ -73,7 +96,17 @@ class Devise::MasqueradesController < DeviseController
   end
   def masquerading_resource_class
-    Devise.masquerading_resource_class || resource_class
+    @masquerading_resource_class ||= begin
+      unless params[:masquerading_resource_class].blank?
+        params[:masquerading_resource_class].constantize
+      else
+        unless session[session_key_masquerading_resource_class].blank?
+          session[session_key_masquerading_resource_class].constantize
+        else
+          Devise.masquerading_resource_class || resource_class
+        end
+      end
+    end
   end
   def masquerading_resource_name
@@ -89,15 +122,7 @@ class Devise::MasqueradesController < DeviseController
   end
   def after_masquerade_full_path_for(resource)
-    if after_masquerade_path_for(resource) =~ /\?/
-      "#{after_masquerade_path_for(resource)}&#{after_masquerade_param_for(resource)}"
-    else
-      "#{after_masquerade_path_for(resource)}?#{after_masquerade_param_for(resource)}"
-    end
-  end
-  def after_masquerade_param_for(resource)
-    "#{Devise.masquerade_param}=#{resource.masquerade_key}"
+    after_masquerade_path_for(resource)
   end
   def after_back_masquerade_path_for(resource)
@@ -105,16 +130,33 @@ class Devise::MasqueradesController < DeviseController
   end
   def save_masquerade_owner_session
+    resource_gid = send("current_#{masquerading_resource_name}").to_sgid(
+      expires_in: Devise.masquerade_expires_in, for: 'masquerade')
+    # skip sharing owner id via session
+    Rails.cache.write(session_key, resource_gid, expires_in: Devise.masquerade_expires_in)
     unless session.key?(session_key)
-      session[session_key] = send("current_#{masquerading_resource_name}").id
+      session[session_key_masquerading_resource_class] = masquerading_resource_class.name
+      session[session_key_masqueraded_resource_class] = masqueraded_resource_class.name
     end
   end
   def cleanup_masquerade_owner_session
-    session.delete(session_key)
+    Rails.cache.delete(session_key)
+    session.delete(session_key_masqueraded_resource_class)
+    session.delete(session_key_masquerading_resource_class)
   end
   def session_key
     "devise_masquerade_#{masqueraded_resource_name}".to_sym
   end
+  def session_key_masqueraded_resource_class
+    "devise_masquerade_masqueraded_resource_class"
+  end
+  def session_key_masquerading_resource_class
+    "devise_masquerade_masquerading_resource_class"
+  end
 end