ioquatix-account_engine 0.1.0

data/lib/account_engine.rb

@@ -0,0 +1,63 @@
+#  Copyright (c) 2006 Samuel Williams <samuel.williams@oriontransfer.co.nz>
+#  
+#  The GNU General Public License (GPL)
+#  Version 2, June 1991
+#  
+#  This program is free software; you can redistribute it and/or modify
+#  it under the terms of the GNU General Public License as published by
+#  the Free Software Foundation; either version 2 of the License, or
+#  (at your option) any later version.
+#  
+#  This program is distributed in the hope that it will be useful,
+#  but WITHOUT ANY WARRANTY; without even the implied warranty of
+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#  GNU General Public License for more details.
+#  
+#  You should have received a copy of the GNU General Public License
+#  along with this program; if not, write to the Free Software
+#  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+
+
+require 'account_engine/configuration'
+require 'account_engine/controller'
+require 'account_engine/helper'
+require 'account_engine/user_account'
+
+module AccountEngine
+  include AccountEngine::Helper
+  
+  # This method will check the Roles in the database against to ensure that there is
+  # only ONE omnipotent role.
+  def self.check_system_roles
+    begin
+      if Role.count() > 0
+        begin
+          omnipotent_roles = Role.find_all_by_omnipotent(true)
+          if omnipotent_roles && omnipotent_roles.length != 1
+            @warning = "WARNING: You have more than one omnipotent role: " + 
+                       omnipotent_roles.collect { |r| r.name }.join(", ")
+          elsif omnipotent_roles == nil
+            @warning = "WARNING: You have no omnipotent roles. Please re-run the bootstrap rake task."
+          end
+        rescue
+          @warning = "WARNING: Could not check integrity of system roles. Please check your data."
+        end
+      else
+        raise "skip error" # this will be caught below
+      end
+    rescue # either Roles.count() == 0, or the Roles table doesn't even exist yet.
+      @warning = "Skipping integrity check. You have no system roles set up; once your " +
+                 "database tables are set up, run rake bootstrap to create the basic roles."
+    end
+    
+    if @warning != nil
+      RAILS_DEFAULT_LOGGER.warn @warning
+      puts @warning
+    end
+  end
+  
+  # An exception to be raised when the integrity of the authorization system is
+  # threatened.
+  class SystemProtectionError < Exception
+  end
+end

data/rails/app/controllers/account_controller.rb

@@ -0,0 +1,162 @@
+class AccountController < ApplicationController
+  layout 'admin'
+  
+  # Override this function in your own application to define a custom home action.
+  def home
+    @user = current_user
+    
+    unless @user
+      access_denied
+    end
+  end
+
+  # The action used to log a user in. If the user was redirected to the login page
+  # by the login_required method, they should be sent back to the page they were
+  # trying to access. If not, they will be sent to "/user/home".
+  def login
+    if current_user
+      flash[:notice] = 'You are already logged in!'
+      redirect_to :action => 'home'
+      
+      return
+    end
+    
+    if request.post?
+      if authenticate_user
+        flash[:notice] = 'Login successful'
+        redirect_to_stored_or_default :action => 'home'
+        
+        return
+      else
+        flash.now[:login] = 'Login unsuccessful'
+      end
+    end
+    
+    @login = params[:login]
+  end
+  
+  # Register as a new user.
+  def signup
+    @user = User.new
+  end
+  
+  def register
+    @user = User.new
+    
+    User.transaction(@user) do
+      @user.login = params[:user][:login]
+      @user.email = params[:user][:email]
+      @user.password = params[:user][:password]
+      
+      if AccountEngine.use_email_notification
+        key = @user.generate_security_token
+        url = url_for(:action => '', :user_id => @user.id, :key => key)
+        @user.save!
+        UserNotify.deliver_signup(@user, params[:user][:password], url)
+        flash[:notice] << ' Please check your registered email account to verify your account registration and continue with the login.'
+      else
+        @user.verified = 1
+        @user.save!
+      end
+      
+      flash[:notice] = 'Signup successful! Please log in.'
+      redirect_to :action => 'login', :login => @user.login
+    end
+  end
+
+  def logout
+    session[:user] = nil
+    redirect_to :action => 'login'
+  end
+
+  def change_password
+    if request.post?
+      current_user.password = params[:password]
+      
+      if user.save
+        if AccountEngine.use_email_notification
+          UserNotify.deliver_change_password(user, params[:password])
+          flash[:notice] = "Updated password emailed to #{@user.email}"
+        else
+          flash[:notice] = "Password updated."
+        end
+      else  
+        flash[:warning] = 'There was a problem saving the password. Please retry.'
+      end
+      
+      redirect_back_or_default :action => 'home'
+    end
+  end
+  
+  def edit
+    @user = current_user
+  end
+  
+  def update
+    @user = current_user
+    
+    @user.email = params[:user][:email]
+    @user.login = params[:user][:login]
+    
+    if @user.save
+      flash[:message] = 'Details updated'
+      redirect_to :action => :home
+    else
+      render_action :edit
+    end
+  end
+  
+  def forgot_password
+    # Always redirect if logged in
+    if user?
+      flash[:message] = 'You are currently logged in. You may change your password now.'
+      redirect_to :action => 'change_password'
+      return
+    end
+    
+    if request.post?
+      # Email disabled... we are unable to provide the password
+      if !AccountEngine.use_email_notification
+        flash[:message] = "Please contact the system admin at #{AccountEngine.admin_email} to reset your password."
+        redirect_back_or_default :action => 'login'
+        return
+      end
+      
+      # Handle the :post
+      if params[:email].blank?
+        flash.now[:warning] = 'Please enter a valid email address.'
+      elsif (user = User.find_by_email(params[:email])).nil?
+        flash.now[:warning] = "We could not find a user with the email address #{params[:email]}"
+      else
+        begin
+          User.transaction(user) do
+            key = user.generate_security_token
+            url = url_for(:action => 'change_password', :user_id => user.id, :key => key)
+            UserNotify.deliver_forgot_password(user, url)
+            flash[:notice] = "Instructions on resetting your password have been emailed to #{params[:email]}"
+          end
+          
+          unless user?
+            redirect_to :action => 'login'
+            return
+          end
+          
+          redirect_back_or_default :action => 'home'
+        rescue
+          logger.warn "Error mailing password to user #{params[:email]}: #{$!}"
+          flash.now[:warning] = "Your password could not be emailed to #{params[:email]}"
+        end
+      end
+    end
+    
+  end
+  
+  protected
+  def protect?(action)
+    if ['login', 'signup', 'forgot_password'].include?(action)
+      return false
+    else
+      return true
+    end
+  end
+end

data/rails/app/controllers/permissions_controller.rb

@@ -0,0 +1,90 @@
+# The PermissionController provides methods for manipulating Permission
+# objects from the web interface.
+class PermissionsController < ApplicationController
+  layout 'admin'
+	
+  def resync
+    Permission.sync
+    flash[:message] = "Permissions synchronized"
+    
+    redirect_to :back
+  end
+
+  # Displays a paginated list of all Permission objects
+  def index
+    @permissions = Permission.find :all, :order => 'controller, action'
+  end
+
+  # Displays a single Permission object, by the id given.
+  def show
+    @permission = find_permission(params[:id])
+  end
+
+  # Creates a new Permission object. Note that this is not the recommended
+  # way of creating Permission objects - instead you should use 
+  # Permission.sync to add them automatically from your application
+  def new
+    @permission = Permission.new
+    
+    @permission.system = false
+  end
+  
+  def create
+    @permission = Permission.new params[:permission]
+    
+    if @permission.save
+      flash[:notice] = 'Permission was successfully created.'
+      redirect_to :action => 'list'
+    else
+      render_action 'new'
+    end
+  end
+
+  # Edits a Permission object
+  def edit
+    @permission = find_permission(params[:id])
+    
+    if @permission.system?
+      flash[:warning] = "Cannot edit system permissions."
+      redirect_to :back
+    end
+  end
+  
+  def update
+    @permission = find_permission(params[:id])
+    
+    if @permission.update_attributes(params[:permission])
+      flash[:notice] = 'Permission was successfully updated.'
+      redirect_to :action => 'list'
+    else
+      render_action 'edit'
+    end
+  end
+
+  # Destroys a Permission Object
+  def destroy
+    @permission = find_permission(params[:id])
+    
+    if @permission and !@permission.system?
+      @permission.destroy
+      flash[:notice] = "Permission destroyed"
+    else
+      flash[:warning] = "Cannot delete system permissions."
+    end
+    
+    redirect_to :back
+  end
+  
+  protected
+    # A helper method to find Permission objects by ID, and insert
+    # appropriate error messages into the flash if it couldn't be
+    # found.
+    def find_permission(id)
+      begin
+        Permission.find(id)
+      rescue
+        flash[:message] = "There is no permission with ID ##{id}"
+        nil
+      end
+    end
+end

data/rails/app/controllers/roles_controller.rb

@@ -0,0 +1,133 @@
+class RolesController < ApplicationController
+  layout 'admin'
+  
+  def index
+    @content_columns = Role.content_columns
+    @roles = Role.paginate :page => params[:page], :order => "name"
+  end
+
+  # Displays a single Role object by given id.
+  def show
+    @role = find_role(params[:id])
+    @actions = @role.permissions_by_controller
+    
+    # Add in all controllers
+    Permission.find(:all, :group => 'controller').each do |c|
+      @actions[c.controller] ||= []
+    end
+  end
+  
+  def add_permission
+    @role = Role.find params[:id]
+    @permission = Permission.find params[:permission]
+    
+    @role.permissions << @permission
+    
+    redirect_to :back
+  end
+  
+  def remove_permission
+    @role = Role.find params[:id]
+    @permission = Permission.find params[:permission]
+    
+    @role.permissions.delete(@permission)
+    
+    redirect_to :back
+  end
+
+  # Creates a new Role object with the given parameters.
+  def new
+    @role = Role.new
+  end
+  
+  def create
+    @role = Role.new(params[:role])
+    if @role.save
+      flash[:notice] = 'Role was successfully created.'
+      redirect_to :action => 'list'
+    else
+      render_action 'new'
+    end
+  end
+  
+  # Edit a Role object
+  def edit
+    case request.method
+      when :get
+        if (@role = find_role(params[:id]))
+          # load up the controllers
+          @all_permissions = Permission.find(:all)
+    
+          # split it up into controllers
+          @all_actions = {}
+          @all_permissions.each { |permission|
+            @all_actions[permission.controller] ||= []
+            @all_actions[permission.controller] << permission
+          }
+        else
+          redirect_back_or_default :action => 'list'
+        end
+      when :post
+        if (@role = find_role(params[:id]))
+          # update the action permissions
+          permission_keys = params.keys.select { |k| k =~ /^permissions_/ }
+          permissions = permission_keys.collect { |k| params[k] }
+          
+          begin
+            permissions.collect! { |perm_id| Permission.find(perm_id) }
+    
+            # just wipe them all and re-build
+            @role.permissions.clear
+    
+            permissions.each { |perm|
+              if !@role.permissions.include?(perm)
+                @role.permissions << perm
+              end
+            }
+            
+            # save the object    
+            if @role.update_attributes(params[:role])
+              flash[:notice] = 'Role was successfully updated.'
+              redirect_to :action => 'show', :id => @role
+            else
+              flash[:message] = 'The role could not be updated.'
+              render :action => 'edit'
+            end
+          rescue ActiveRecord::RecordNotFound => e
+            flash[:message] = 'Permission not found!'
+            render :action => 'edit'
+          end
+        else
+          redirect_back_or_default :action => 'list'
+        end       
+    end        
+  end
+
+  # Destroy a given Role object
+  def destroy
+    if (@role = find_role(params[:id]))
+      begin
+        @role.destroy
+        flash[:notice] = "Role '#{@role.name}' has been deleted." 
+        redirect_to :action => 'list'
+      rescue AccountEngine::SystemProtectionError => e
+        flash[:message] = "Cannot destroy the system role '#{@role.name}'!"
+        redirect_to :action => 'list'
+      end
+    else
+      redirect_back_or_default :action => 'list'
+    end
+  end
+  
+  protected
+    # A convenience method to find a Role, and add any errors to the flash if
+    # the Role is not found.
+    def find_role(id)
+      begin
+        Role.find(id)
+      rescue ActiveRecord::RecordNotFound
+        flash[:message] = "There is no role with ID ##{id}"
+        nil
+      end
+    end     
+end

data/rails/app/controllers/users_controller.rb

@@ -0,0 +1,144 @@
+class UsersController < ApplicationController
+  layout 'admin'
+  
+  # Display the details for a given user
+  def show    
+    @user = User.find params[:id]
+  end
+
+  def new
+    @user = User.new
+  end
+  
+  def create
+    @user = User.new(params[:user])
+    
+    if request.post? and @user.save
+      redirect_to :action => :roles, :id => @user
+    else
+      render_action :new
+    end
+  end
+
+  def edit
+    @user = User.find params[:id]
+    
+    redirect_back_or_default :action => 'list' unless @user
+  end
+  
+  def update
+    @user = User.find params[:id]
+    
+    attributes = params[:user]
+    attributes.delete(:password) if attributes[:password].blank?
+    
+    if @user.update_attributes(attributes)
+      redirect_to :action => :list
+    else
+      render_action :edit
+    end
+  end
+  
+  # Displays a paginated list of Users
+  def index
+    @users = User.paginate :page => params[:page], :order => "login"
+  end
+  
+  def roles
+    @user = User.find params[:id]
+    @roles = Role.find(:all)
+  end
+  
+  def add_role
+    @user = User.find params[:id]
+    @role = Role.find params[:role]
+    
+    @user.roles << @role
+    
+    redirect_to :back
+  end
+  
+  def remove_role
+    @user = User.find params[:id]
+    @role = Role.find params[:role]
+    
+    @user.roles.delete(@role)
+    
+    redirect_to :back
+  end
+  
+  protected
+  def delete
+    get_user_to_act_on
+    if do_delete_user(@user)
+      logout
+    else
+      redirect_back_or_default :action => 'home'
+    end    
+  end
+  
+  def restore_deleted
+    get_user_to_act_on
+    @user.deleted = 0
+    if not @user.save
+      flash.now[:warning] = "The account for #{@user['login']} was not restored. Please try the link again."
+      redirect_to :action => 'login'
+    else
+      redirect_to :action => 'home'
+    end
+  end
+
+  protected
+  def destroy(user)
+    UserNotify.deliver_delete(user) if AccountEngine.use_email_notification
+    flash[:notice] = "The account for #{user['login']} was successfully deleted."
+    user.destroy()
+  end
+  
+
+  
+  # Edit the roles for a given User object.
+  # A user typically shouldn't be allowed to edit their own roles, since they could
+  # assign themselves as Admins and then do anything. Therefore, keep this method
+  # locked down as much as possible.
+  def edit_roles
+    if (@user = find_user(params[:id]))
+      begin
+        User.transaction(@user) do
+        
+          roles = params[:user][:roles].collect { |role_id| Role.find(role_id) }
+          # add any new roles & remove any missing roles
+          roles.each { |role| @user.roles << role if !@user.roles.include?(role) }
+          @user.roles.each { |role| @user.roles.delete(role) if !roles.include?(role) }
+
+          @user.save
+          flash[:notice] = "Roles updated for user '#{@user.login}'."
+        end
+      rescue
+        flash[:warning] = 'Roles could not be edited at this time. Please retry.'
+      ensure
+        redirect_to :back
+      end
+    else
+      redirect_back_or_default :action => 'list'
+    end
+  end
+  
+  # Change the password of an arbitrary user
+  def change_password_for_user
+    if (@user = find_user(params[:id]))
+      do_change_password_for(@user)
+      flash[:notice] = "Password for user '#{@user.login}' has been updated."
+    end
+    redirect_back_or_default :action => 'list'
+  end
+
+  # Delete an arbitrary user
+  def delete_user
+    if (@user = find_user(params[:id]))
+      do_delete_user(@user)
+      flash[:notice] = "User '#{@user.login}' has been deleted."
+    end
+    redirect_to :action => 'list'
+  end
+end

data/rails/app/helpers/account_helper.rb

@@ -0,0 +1,3 @@
+module AccountHelper
+  include AccountEngine
+end

data/rails/app/helpers/permissions_helper.rb

@@ -0,0 +1,3 @@
+module PermissionsHelper
+  include AccountEngine
+end

data/rails/app/helpers/roles_helper.rb

@@ -0,0 +1,3 @@
+module RolesHelper
+  include AccountEngine
+end

data/rails/app/helpers/users_helper.rb

@@ -0,0 +1,3 @@
+module UsersHelper
+  include AccountEngine
+end