fat_free_crm 0.12.1 → 0.12.2

checksums.yaml

@@ -1,15 +1,15 @@
 ---
 !binary "U0hBMQ==":
   metadata.gz: !binary |-
-    ZWNmOGI2ODA3NzM3ZWY1ZDZlZjE5ZDE5YjhmNTU2YmQ3MmQzZDljZQ==
+    ODc2YTUzOGEyMTQyYjM2YjU5NjBhZWIxZjdlYzM3YmU0ZDA2MmRiOA==
   data.tar.gz: !binary |-
-    ODQyMGQ0NDFlNDBkMTU2OWVmYzY1ODMzMmJkYTY3ZjVjOTY0MTQxNQ==
+    Y2Q5ZGRmY2YxZTYzNzBkYjJhMmJkODliODYxZDQwOTZkYWI1ZmYzOA==
 SHA512:
   metadata.gz: !binary |-
-    NmFhNTU0YmVkZTBhNjkwZWQ3ZTYxODAyOGVkOGQ3Zjc3MzdmNmVkMDRlNGYx
-    MjljM2UxZDk4ZjY4MWMwNzBjZDk1YWMyODVmYjk2OGE1ODA3NDgwMDA2ZTcy
-    ODEyNTI5MGZjZDY5YjZmNDZlNzY4MmM0YmFhNDRkMjAyMGM2OTE=
+    Zjc1M2JhOGYyNWJhODdlNDVkM2Y1YmU4Yjg2MzlmZmNhNTY4MzUzN2I1NmNk
+    NDBiNTcyZjNlY2Y3NTBlODM1OThhMTYyZmNkZjIyYTA4ZmIwYzI4OTFiNmYx
+    NjIwODkzYjQ1ZGQwNDFlMDFlZmJkMDg0Zjk0MTJhNzY3ZjY0NzI=
   data.tar.gz: !binary |-
-    ZDllMDRjYmIyZjI5YTJhNWE3MmY0ZmRmNzA0N2FiYTY0M2ZiMmRhNjg1ODE4
-    YmM4ODQyY2VjMjAyMGE1YzkxYWVkYzVmZjJkMjU5YjVjNjUzZDQ0MDc4OWEx
-    M2ZlMjMzMTJkNmEzODQ0ZjA4ZjA4NmI1Y2U3MTJhNWE4ODAwNjg=
+    ZTk3Zjc2MmFmZjU3OGQzNWM1ZTUxOWIyNWRjN2I0Y2ZlZTM5ODA4YWZiZGQ1
+    YjEwMzBmYzQ2MWExYTBjMWY2OTEzZTVmYjIwZDQ0MDMwZTkwYjcxMTk3NzJl
+    MjQ0NWUxYmZhZDQ4ZTEwNzU4ZWM0OTYzOWZmMDMyMzRlMTdjNzc=

data/app/controllers/application_controller.rb

@@ -145,7 +145,7 @@ private
 
   #----------------------------------------------------------------------------
   def can_signup?
-    [ :allowed, :needs_approval ].include? Setting.user_signup
+    User.can_signup?
   end
 
   #----------------------------------------------------------------------------
@@ -199,10 +199,10 @@ private
     flash[:warning] = t(:msg_asset_not_available, asset)
 
     respond_to do |format|
-      format.html { redirect_to :action => :index }
+      format.html { redirect_to(redirection_url) }
       format.js   { render(:update) { |page| page.reload } }
-      format.json { render :text => flash[:warning], :status => :not_found }
-      format.xml  { render :text => flash[:warning], :status => :not_found }
+      format.json { render :text => flash[:warning],  :status => :not_found }
+      format.xml  { render :xml => [flash[:warning]], :status => :not_found }
     end
   end
 
@@ -213,32 +213,32 @@ private
 
     url = send("#{related.pluralize}_path")
     respond_to do |format|
-      format.html { redirect_to url }
-      format.js   { render(:update) { |page| page.redirect_to url } }
-      format.json { render :text => flash[:warning], :status => :not_found }
-      format.xml  { render :text => flash[:warning], :status => :not_found }
+      format.html { redirect_to(url) }
+      format.js   { render(:update) { |page| page.redirect_to(url) } }
+      format.json { render :text => flash[:warning],  :status => :not_found }
+      format.xml  { render :xml => [flash[:warning]], :status => :not_found }
     end
   end
 
   #----------------------------------------------------------------------------
   def respond_to_access_denied
-    if self.action_name == "show"
-      flash[:warning] = t(:msg_asset_not_authorized, asset)
-
-    else
-      flick = case self.action_name
-        when "destroy" then "delete"
-        when "promote" then "convert"
-        else self.action_name
-      end
-      flash[:warning] = t(:msg_cant_do, :action => flick, :asset => asset)
-    end
-
+    flash[:warning] = t(:msg_not_authorized, default: 'You are not authorized to take this action.')
     respond_to do |format|
-      format.html { redirect_to :action => :index }
+      format.html { redirect_to(redirection_url) }
       format.js   { render(:update) { |page| page.reload } }
-      format.json { render :text => flash[:warning], :status => :unauthorized }
-      format.xml  { render :text => flash[:warning], :status => :unauthorized }
+      format.json { render :text => flash[:warning],  :status => :unauthorized }
+      format.xml  { render :xml => [flash[:warning]], :status => :unauthorized }
     end
   end
+
+  #----------------------------------------------------------------------------
+  def redirection_url
+    # Try to redirect somewhere sensible. Note: not all controllers have an index action
+    url = if current_user.present?
+      (respond_to?(:index) and self.action_name != 'index') ? { action: 'index' } : root_url
+    else
+      login_url
+    end
+  end
+
 end

data/app/controllers/home_controller.rb

@@ -6,7 +6,6 @@
 class HomeController < ApplicationController
   before_filter :require_user, :except => [ :toggle, :timezone ]
   before_filter :set_current_tab, :only => :index
-  before_filter "hook(:home_before_filter, self, :amazing => true)"
 
   #----------------------------------------------------------------------------
   def index

data/app/controllers/users_controller.rb

@@ -5,44 +5,30 @@
 #------------------------------------------------------------------------------
 class UsersController < ApplicationController
 
-  before_filter :require_no_user, :only => [ :new, :create ]
-  before_filter :require_user, :only => [ :show, :redraw ]
   before_filter :set_current_tab, :only => [ :show, :opportunities_overview ] # Don't hightlight any tabs.
-  before_filter :require_and_assign_user, :except => [ :new, :create, :show, :avatar, :upload_avatar ]
-  before_filter :assign_given_or_current_user, :only => [ :show, :avatar, :upload_avatar, :edit, :update ]
 
-  load_resource
+  check_authorization
+  load_and_authorize_resource # handles all security
 
   respond_to :html, :only => [ :show, :new ]
 
   # GET /users/1
-  # GET /users/1.json
-  # GET /users/1.xml                                                       HTML
+  # GET /users/1.js
   #----------------------------------------------------------------------------
   def show
+    @user = current_user if params[:id].nil?
     respond_with(@user)
   end
 
   # GET /users/new
-  # GET /users/new.json
-  # GET /users/new.xml                                                     HTML
+  # GET /users/new.js
   #----------------------------------------------------------------------------
   def new
-    if can_signup?
-      respond_with(@user)
-    else
-      redirect_to login_path
-    end
-  end
-
-  # GET /users/1/edit                                                      AJAX
-  #----------------------------------------------------------------------------
-  def edit
     respond_with(@user)
   end
 
   # POST /users
-  # POST /users.xml                                                        HTML
+  # POST /users.js
   #----------------------------------------------------------------------------
   def create
     if @user.save
@@ -58,31 +44,29 @@ class UsersController < ApplicationController
     end
   end
 
-  # PUT /users/1
-  # PUT /users/1.json
-  # PUT /users/1.xml                                                       AJAX
+  # GET /users/1/edit.js
   #----------------------------------------------------------------------------
-  def update
-    @user.update_attributes(params[:user])
+  def edit
     respond_with(@user)
   end
 
-  # DELETE /users/1
-  # DELETE /users/1.xml                HTML and AJAX (not directly exposed yet)
+  # PUT /users/1
+  # PUT /users/1.js
   #----------------------------------------------------------------------------
-  def destroy
-    # not exposed
+  def update
+    @user.update_attributes(params[:user])
+    respond_with(@user)
   end
 
   # GET /users/1/avatar
-  # GET /users/1/avatar.xml                                                AJAX
+  # GET /users/1/avatar.js
   #----------------------------------------------------------------------------
   def avatar
     respond_with(@user)
   end
 
   # PUT /users/1/upload_avatar
-  # PUT /users/1/upload_avatar.xml                                         AJAX
+  # PUT /users/1/upload_avatar.js
   #----------------------------------------------------------------------------
   def upload_avatar
     if params[:gravatar]
@@ -106,19 +90,21 @@ class UsersController < ApplicationController
   end
 
   # GET /users/1/password
-  # GET /users/1/password.xml                                              AJAX
+  # GET /users/1/password.js
   #----------------------------------------------------------------------------
   def password
     respond_with(@user)
   end
 
   # PUT /users/1/change_password
-  # PUT /users/1/change_password.xml                                       AJAX
+  # PUT /users/1/change_password.js
   #----------------------------------------------------------------------------
   def change_password
     if @user.valid_password?(params[:current_password], true) || @user.password_hash.blank?
       unless params[:user][:password].blank?
-        @user.update_attributes(params[:user])
+        @user.password = params[:user][:password]
+        @user.password_confirmation = params[:user][:password_confirmation]
+        @user.save
         flash[:notice] = t(:msg_password_changed)
       else
         flash[:notice] = t(:msg_password_not_changed)
@@ -130,27 +116,18 @@ class UsersController < ApplicationController
     respond_with(@user)
   end
 
-  # POST /users/1/redraw                                                   AJAX
+  # POST /users/1/redraw
   #----------------------------------------------------------------------------
   def redraw
     current_user.preference[:locale] = params[:locale]
     render(:update) { |page| page.redirect_to user_path(current_user) }
   end
 
+  # GET /users/opportunities_overview
+  #----------------------------------------------------------------------------
   def opportunities_overview
     @users_with_opportunities = User.have_assigned_opportunities.order(:first_name)
     @unassigned_opportunities = Opportunity.unassigned.pipeline.order(:stage)
   end
 
-  private
-
-  #----------------------------------------------------------------------------
-  def require_and_assign_user
-    require_user
-    @user = current_user
-  end
-
-  def assign_given_or_current_user
-    @user = params[:id] ? User.find(params[:id]) : current_user
-  end
 end

data/app/models/users/ability.rb

@@ -9,11 +9,22 @@ class Ability
   include CanCan::Ability
 
   def initialize(user)
+
+    # handle signup
+    can(:create, User) if User.can_signup?
+
     if user.present?
       entities = [Account, Campaign, Contact, Lead, Opportunity]
 
-      can :create, :all
-      can :read, [User] # for search autocomplete
+      # User
+      can :manage, User, id: user.id # can do any action on themselves
+
+      # Tasks
+      can :create, Task
+      can :manage, Task, user: user.id
+      can :manage, Task, assigned_to: user.id
+
+      # Entities
       can :manage, entities, :access => 'Public'
       can :manage, entities + [Task], :user_id => user.id
       can :manage, entities + [Task], :assigned_to => user.id

data/app/models/users/user.rb

@@ -187,6 +187,10 @@ class User < ActiveRecord::Base
       Ability.new(User.current_user)
     end
 
+    def can_signup?
+      [ :allowed, :needs_approval ].include? Setting.user_signup
+    end
+
   end
 
   ActiveSupport.run_load_hooks(:fat_free_crm_user, self)

data/app/views/layouts/application.html.haml

@@ -20,13 +20,16 @@
     = hook(:javascript_includes, self)
 
     :javascript
-      #{yield :javascript}
-      var _ffcrm_users = [
-      #{User.all.map{|u| "\"#{u.full_name} (@#{u.username})\"" }.join(",\n")}
-      ];
-
+      crm.language = "#{I18n.locale}"
       window.controller = "#{controller.controller_name}"
 
+    - if current_user.present?
+      :javascript
+        #{yield :javascript}
+        var _ffcrm_users = [
+        #{User.all.map{|u| "\"#{u.full_name} (@#{u.username})\"" }.join(",\n")}
+        ];
+
     <link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">
     <link rel="icon" href="/favicon.ico" type="image/x-icon">
 

data/config/application.rb

@@ -65,7 +65,7 @@ module FatFreeCRM
     config.encoding = "utf-8"
 
     # Configure sensitive parameters which will be filtered from the log file.
-    config.filter_parameters += [:password]
+    config.filter_parameters += [:password, :password_hash, :password_salt, :password_confirmation]
 
     # Use SQL instead of Active Record's schema dumper when creating the database.
     # This is necessary if your schema can't be completely dumped by the schema dumper,

data/config/environments/production.rb

@@ -10,9 +10,8 @@ if defined?(FatFreeCRM::Application)
     # Code is not reloaded between requests
     config.cache_classes = true
 
-    # Full error reports are enabled, since this is an internal application.
-    config.consider_all_requests_local       = true
-    # Caching is turned on
+    # Full error reports are disabled and caching is turned on.
+    config.consider_all_requests_local       = false
     config.action_controller.perform_caching = true
 
     # Disable Rails's static asset server (Apache or nginx will already do this)

data/config/initializers/secret_token.rb

@@ -1 +1,25 @@
-FatFreeCRM::Application.config.secret_token = 'bb6810b6691d68fae269cfa4ce1805a5b4b0826e2680988e1102a4b3b80e5753af76d25a90f3ba7bc4c2fa68c4bce3b36df72baa18a0e35a71d3199918766db9'
+# Copyright (c) 2008-2013 Michael Dvorkin and contributors.
+#
+# Fat Free CRM is freely distributable under the terms of MIT license.
+# See MIT-LICENSE file or http://www.opensource.org/licenses/mit-license.php
+#------------------------------------------------------------------------------
+
+# Be sure to restart your server when you modify this file.
+
+# Your secret key is used for verifying the integrity of signed cookies.
+# If you change this key, all old signed cookies will become invalid!
+
+# Make sure the secret is at least 30 characters and all random,
+# no regular words or you'll be exposed to dictionary attacks.
+# You can use `rake secret` to generate a secure secret key.
+
+# Make sure your secret_key_base is kept private
+# if you're sharing your code publicly.
+
+#
+# We should setup a secret token if FFCRM is running in application mode but NOT in engine mode.
+# This functionality has been extracted to lib so it can be tested.
+if FatFreeCRM.application?
+  require 'fat_free_crm/secret_token_generator'
+  FatFreeCRM::SecretTokenGenerator.setup!
+end

data/config/locales/en-US_fat_free_crm.yml

@@ -189,7 +189,7 @@ en-US:
   msg_account_not_approved: Your account has not been approved yet.
   msg_asset_deleted: "%{value} has been deleted."
   msg_asset_not_available: This %{value} is no longer available.
-  msg_asset_not_authorized: You are not authorized to view this %{value}.
+  msg_not_authorized: You are not authorized to take this action.
   msg_assets_not_available: The %{value} are not available.
   msg_asset_rejected: "%{value} has been rejected."
   msg_bad_image_file: "^Could't upload or resize the image file you specified."

data/lib/fat_free_crm.rb

@@ -9,12 +9,22 @@ module FatFreeCRM
     # Return either Application or Engine,
     # depending on how Fat Free CRM has been loaded
     def application
-      defined?(FatFreeCRM::Engine) ? Engine : Application
+      engine? ? Engine : Application
     end
 
     def root
       application.root
     end
+
+    # Are we running as an engine?
+    def engine?
+      defined?(FatFreeCRM::Engine).present?
+    end
+
+    def application?
+      !engine?
+    end
+
   end
 end
 

data/lib/fat_free_crm/secret_token_generator.rb

@@ -0,0 +1,59 @@
+# Copyright (c) 2008-2014 Michael Dvorkin and contributors.
+#
+# Fat Free CRM is freely distributable under the terms of MIT license.
+# See MIT-LICENSE file or http://www.opensource.org/licenses/mit-license.php
+#------------------------------------------------------------------------------
+
+require 'securerandom'
+
+module FatFreeCRM
+
+  class SecretTokenGenerator
+
+    class << self
+
+      #
+      # If there is no secret token defined, we generate one and save it as a setting
+      # If a token has been already been saved, we tell Rails to use it and move on.
+      def setup!
+        if token.blank?
+          Rails.logger.info("No secret key defined yet... generating and saving to Setting.secret_token")
+          generate_and_persist_token!
+        end
+        FatFreeCRM::Application.config.secret_token = token
+        raise(FAIL_MESSAGE) if FatFreeCRM::Application.config.secret_token.blank?
+      end
+
+      private
+
+      FAIL_MESSAGE = ::I18n.t('secret_token_generator.fail_message', default: "There was a problem generating the secret token. Please see lib/fat_free_crm/secret_token_generator.rb")
+
+      #
+      # Read the current token from settings
+      def token
+        Setting.secret_token
+      end
+
+      #
+      # Create a new secret token and save it as a setting.
+      def generate_and_persist_token!
+        quietly do
+          Setting.secret_token = SecureRandom.hex(64)
+        end
+      end
+
+      #
+      # Yields to a block that executes with the logging turned off
+      # This stops the secret token from being appended to the log
+      def quietly(&block)
+        temp_logger = ActiveRecord::Base.logger
+        ActiveRecord::Base.logger = nil
+        yield
+        ActiveRecord::Base.logger = temp_logger
+      end
+
+    end
+
+  end
+
+end

data/lib/fat_free_crm/version.rb

@@ -7,7 +7,7 @@ module FatFreeCRM
   module VERSION #:nodoc:
     MAJOR = 0
     MINOR = 12
-    TINY  = 1
+    TINY  = 2
     PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')

data/spec/controllers/admin/users_controller_spec.rb

@@ -54,10 +54,8 @@ describe Admin::UsersController do
   #----------------------------------------------------------------------------
   describe "GET new" do
     it "assigns a new user as @user and renders [new] template" do
-      @user = User.new
-
       xhr :get, :new
-      assigns[:user].attributes.should == @user.attributes
+      expect(assigns[:user]).to be_new_record
       response.should render_template("admin/users/new")
     end
   end

data/spec/controllers/users_controller_spec.rb

@@ -3,7 +3,7 @@
 # Fat Free CRM is freely distributable under the terms of MIT license.
 # See MIT-LICENSE file or http://www.opensource.org/licenses/mit-license.php
 #------------------------------------------------------------------------------
-require File.expand_path(File.dirname(__FILE__) + '/../spec_helper')
+require 'spec_helper'
 
 describe UsersController do
 
@@ -15,11 +15,9 @@ describe UsersController do
       require_user
     end
 
-    it "should expose the requested user as @user and render [show] template" do
-      @user = FactoryGirl.create(:user)
-
-      get :show, :id => @user.id
-      assigns[:user].should == @user
+    it "should render [show] template" do
+      get :show, :id => current_user.id
+      assigns[:user].should == current_user
       response.should render_template("users/show")
     end
 
@@ -29,16 +27,30 @@ describe UsersController do
       response.should render_template("users/show")
     end
 
+    it "should show user if admin user" do
+      @user = create(:user)
+      require_user(admin: true)
+      get :show, id: @user.id
+      assigns[:user].should == @user
+      response.should render_template("users/show")
+    end
+
+    it "should not show user if not admin user" do
+      @user = create(:user)
+      get :show, id: @user.id
+      response.should redirect_to(root_url)
+    end
+
     describe "with mime type of JSON" do
       before(:each) do
         request.env["HTTP_ACCEPT"] = "application/json"
       end
 
       it "should render the requested user as JSON" do
-        User.should_receive(:find).and_return(user = mock("User"))
-        user.should_receive(:to_json).and_return("generated JSON")
+        User.should_receive(:find).and_return(current_user)
+        current_user.should_receive(:to_json).and_return("generated JSON")
 
-        get :show, :id => 42
+        get :show, :id => current_user.id
         response.body.should == "generated JSON"
       end
 
@@ -56,10 +68,10 @@ describe UsersController do
       end
 
       it "should render the requested user as XML" do
-        User.should_receive(:find).and_return(user = mock("User"))
-        user.should_receive(:to_xml).and_return("generated XML")
+        User.should_receive(:find).and_return(current_user)
+        current_user.should_receive(:to_xml).and_return("generated XML")
 
-        get :show, :id => 42
+        get :show, :id => current_user.id
         response.body.should == "generated XML"
       end
 
@@ -79,7 +91,7 @@ describe UsersController do
 
     describe "if user is allowed to sign up" do
       it "should expose a new user as @user and render [new] template" do
-        @controller.should_receive(:can_signup?).and_return(true)
+        User.should_receive(:can_signup?).and_return(true)
         @user = FactoryGirl.build(:user)
         User.stub!(:new).and_return(@user)
 
@@ -91,7 +103,7 @@ describe UsersController do
 
     describe "if user is not allowed to sign up" do
       it "should redirect to login_path" do
-        @controller.should_receive(:can_signup?).and_return(false)
+        User.should_receive(:can_signup?).and_return(false)
 
         get :new
         response.should redirect_to(login_path)
@@ -102,14 +114,27 @@ describe UsersController do
   # GET /users/1/edit                                                      AJAX
   #----------------------------------------------------------------------------
   describe "responding to GET edit" do
-    before(:each) do
+
+    it "should expose current user as @user and render [edit] template" do
       require_user
       @user = current_user
+      xhr :get, :edit, :id => @user.id
+      assigns[:user].should == current_user
+      response.should render_template("users/edit")
     end
 
-    it "should expose current user as @user and render [edit] template" do
+    it "should not allow current user to edit another user" do
+      @user = create(:user)
+      require_user
       xhr :get, :edit, :id => @user.id
-      assigns[:user].should == current_user
+      expect(response.body).to eql("window.location.reload();")
+    end
+
+    it "should allow admin to edit another user" do
+      require_user(admin: true)
+      @user = create(:user)
+      xhr :get, :edit, :id => @user.id
+      assigns[:user].should == @user
       response.should render_template("users/edit")
     end
 
@@ -130,6 +155,7 @@ describe UsersController do
       end
 
       it "exposes a newly created user as @user and redirect to profile page" do
+        require_user(admin: true)
         post :create, :user => { :username => @username, :email => @email, :password => @password, :password_confirmation => @password }
         assigns[:user].should == @user
         flash[:notice].should =~ /welcome/
@@ -148,6 +174,7 @@ describe UsersController do
 
     describe "with invalid params" do
       it "assigns a newly created but unsaved user as @user and renders [new] template" do
+        require_user(admin: true)
         @user = FactoryGirl.build(:user, :username => "", :email => "")
         User.stub!(:new).and_return(@user)
 
@@ -292,8 +319,9 @@ describe UsersController do
   describe "responding to PUT change_password" do
     before(:each) do
       require_user
-      @current_user_session.stub!(:unauthorized_record=).and_return(current_user)
-      @current_user_session.stub!(:save).and_return(current_user)
+      User.stub(:find).and_return(current_user)
+      @current_user_session.stub(:unauthorized_record=).and_return(current_user)
+      @current_user_session.stub(:save).and_return(current_user)
       @user = current_user
       @new_password = "secret?!"
     end

data/spec/lib/secret_token_generator_spec.rb

@@ -0,0 +1,55 @@
+# Copyright (c) 2008-2014 Michael Dvorkin and contributors.
+#
+# Fat Free CRM is freely distributable under the terms of MIT license.
+# See MIT-LICENSE file or http://www.opensource.org/licenses/mit-license.php
+#------------------------------------------------------------------------------
+
+require 'spec_helper'
+require 'fat_free_crm/secret_token_generator'
+
+describe FatFreeCRM::SecretTokenGenerator do
+
+  let(:token) { 'e5a4b315c062dec4ecb40dabcde84fd6c067cb016a813702d2f4299ad16255c88ed1020bd47fb527e8e5f7052b04be1fbb8e63c043b8fb36f88d3c7d79a68681' }
+
+  describe "setup!" do
+
+    it "should not generate a token if one already exists" do
+      FatFreeCRM::SecretTokenGenerator.stub(:token).and_return(nil)
+      expect(FatFreeCRM::SecretTokenGenerator).to receive(:generate_and_persist_token!)
+      FatFreeCRM::Application.config.stub(:secret_token).and_return(token)
+      FatFreeCRM::SecretTokenGenerator.setup!
+    end
+
+    it "should generate a token if none exists already" do
+      FatFreeCRM::SecretTokenGenerator.stub(:token).and_return(token)
+      expect(FatFreeCRM::SecretTokenGenerator).not_to receive(:generate_and_persist_token!)
+      FatFreeCRM::SecretTokenGenerator.setup!
+    end
+
+    it "should raise an error if the token is still blank (should never happen)" do
+      FatFreeCRM::SecretTokenGenerator.stub(:token).and_return(nil)
+      lambda { FatFreeCRM::SecretTokenGenerator.setup! }.should raise_error(RuntimeError)
+    end
+
+  end
+
+  describe "token" do
+
+    it "should delegate to Setting" do
+      expect(Setting).to receive(:secret_token).and_return(token)
+      expect(FatFreeCRM::SecretTokenGenerator.send(:token)).to eql(token)
+    end
+
+  end
+
+  describe "generate_and_persist_token!" do
+
+    it "should generate a random token" do
+      expect(SecureRandom).to receive(:hex).with(64).and_return(token)
+      expect(Setting).to receive(:secret_token=).with(token)
+      FatFreeCRM::SecretTokenGenerator.send(:generate_and_persist_token!)
+    end
+
+  end
+
+end

data/spec/models/users/abilities/user_ability_spec.rb

@@ -0,0 +1,58 @@
+require 'spec_helper'
+require 'cancan/matchers'
+
+def all_actions
+  [:index, :show, :create, :update, :destroy, :manage]
+end
+
+describe "User abilities" do
+
+  subject(:ability)  { Ability.new(user) }
+  let(:subject_user) { create :user }
+
+  context "when site manager, I" do
+    let(:user)  { create :user, admin: true}
+    all_actions.each do |do_action|
+      it{ should be_able_to(do_action, subject_user) }
+    end
+  end
+
+  context "when myself, I" do
+    let(:user) { create :user }
+    let(:subject_user) { user }
+    all_actions.each do |do_action|
+      it{ should be_able_to(do_action, subject_user) }
+    end
+  end
+
+  context "when another user, I" do
+    let(:user)  { create :user }
+    let(:can)    { [] }
+    let(:cannot) { [:show, :create, :update, :index, :destroy, :manage] }
+    it{ can.each do |do_action|
+      should be_able_to(do_action, subject_user)
+    end}
+    it{ cannot.each do |do_action|
+      should_not be_able_to(do_action, subject_user)
+    end}
+  end
+
+  context "when anonymous user, I" do
+    let(:user)  { nil }
+    let(:can)    { [] }
+    let(:cannot) { [:show, :create, :update, :index, :destroy, :manage] }
+    it{ can.each do |do_action|
+      should be_able_to(do_action, subject_user)
+    end}
+    it{ cannot.each do |do_action|
+      should_not be_able_to(do_action, subject_user)
+    end}
+
+    it "and signup enabled" do
+      User.stub(:can_signup?).and_return(true)
+      should be_able_to(:create, User)
+    end
+
+  end
+
+end

data/spec/spec_helper.rb

@@ -11,7 +11,7 @@ require 'rspec/rails'
 require 'capybara/rails'
 
 require 'acts_as_fu'
-require 'factory_girl'
+require 'factory_girl_rails'
 require 'ffaker'
 
 require 'coveralls'
@@ -38,6 +38,7 @@ RSpec.configure do |config|
 
   # RSpec configuration options for Fat Free CRM.
   config.include RSpec::Rails::Matchers
+  config.include(FactoryGirl::Syntax::Methods)
 
   config.before(:each) do
     # Overwrite locale settings within "config/settings.yml" if necessary.

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: fat_free_crm
 version: !ruby/object:Gem::Version
-  version: 0.12.1
+  version: 0.12.2
 platform: ruby
 authors:
 - Michael Dvorkin
@@ -11,7 +11,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-12-27 00:00:00.000000000 Z
+date: 2014-01-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -1052,6 +1052,7 @@ files:
 - lib/fat_free_crm/plugin.rb
 - lib/fat_free_crm/plugin_dependencies.rb
 - lib/fat_free_crm/renderers.rb
+- lib/fat_free_crm/secret_token_generator.rb
 - lib/fat_free_crm/sortable.rb
 - lib/fat_free_crm/tabs.rb
 - lib/fat_free_crm/version.rb
@@ -1171,6 +1172,7 @@ files:
 - spec/lib/mail_processor/dropbox_spec.rb
 - spec/lib/mail_processor/sample_emails/dropbox.rb
 - spec/lib/permissions_spec.rb
+- spec/lib/secret_token_generator_spec.rb
 - spec/lib/view_factory_spec.rb
 - spec/mailers/subscription_mailer_spec.rb
 - spec/mailers/user_mailer_spec.rb
@@ -1196,6 +1198,7 @@ files:
 - spec/models/polymorphic/task_spec.rb
 - spec/models/polymorphic/version_spec.rb
 - spec/models/setting_spec.rb
+- spec/models/users/abilities/user_ability_spec.rb
 - spec/models/users/authentication_spec.rb
 - spec/models/users/group_spec.rb
 - spec/models/users/permission_spec.rb