ioquatix-account_engine 0.1.0

data/lib/account_engine/configuration.rb

@@ -0,0 +1,101 @@
+# Configuration
+module AccountEngine
+  # These are the default constants, used if nothing else is specified
+  mattr_accessor :email_charset, :site_email, :admin_email, :app_url, :app_name
+  mattr_accessor :generate_password, :validate_email, :salt, :security_token_life_hours
+  mattr_accessor :confirm_account, :use_email_notification
+  mattr_reader :registration
+  
+  def self.registration=(r)
+    if [:open, :closed].include? r
+      @@registration = r
+    end
+  end
+  
+  mattr_accessor :guest_role_name, :user_role_name
+  mattr_accessor :admin_role_name, :admin_login, :admin_password, :admin_email
+  
+  mattr_accessor :login_page, :logout_page, :stealth
+  
+  mattr_accessor :users_table, :roles_table, :permissions_table
+  
+  # The names of the new Role and Permission tables
+  if ActiveRecord::Base.pluralize_table_names
+    @@users_table = "users"
+    @@roles_table = "roles"
+    @@permissions_table = "permissions"
+  else
+    @@users_table = "user"
+    @@roles_table = "role"
+    @@permissions_table = "permission"
+  end
+  
+  # Join tables for users <-> roles, and roles <-> permissions
+  def self.users_roles_table
+    "#{AccountEngine.users_table}_#{AccountEngine.roles_table}"
+  end
+  
+  def self.permissions_roles_table
+    "#{AccountEngine.permissions_table}_#{AccountEngine.roles_table}"
+  end
+  
+  def self.allow_registration?
+    return (@@registration == :open ? true : false)
+  end
+  
+  #Generate random passwords
+  @@generate_password = true
+  
+  # Source address for user emails
+  @@site_email = 'root@localhost'
+  
+  # Destination email for system errors
+  @@admin_email = 'root@localhost'
+  
+  # Sent in emails to users
+  @@app_url = 'http://localhost:3000/'
+  
+  # Sent in emails to users
+  @@app_name = 'My Application'
+  
+  # Whether the model will enforce email validation
+  @@validate_email = true
+  
+  # Email charset
+  @@email_charset = 'utf-8'
+  
+  # Security token lifetime in hours
+  @@security_token_life_hours = 48
+  
+  # Registrations are open to the public
+  @@registration = :closed
+  
+  # controls whether or not email is used
+  @@use_email_notification = true
+
+  # Controls whether accounts must be confirmed after signing up
+  # ONLY if this and use_email_notification are both true
+  @@confirm_account = false
+
+  # The names of the Guest and User roles
+  # The Guest role is automatically assigned to any visitor who is not logged in
+  @@guest_role_name = "Guest"
+  # The User role is given to every user
+  @@user_role_name = "User"
+
+  # The details for the Admin user and role
+  @@admin_role_name = "Administrator"
+  @@admin_login = "admin"
+  @@admin_password = "test123"
+  @@admin_email = "root@localhost"
+  
+  # The controller/action
+  @@login_page = {:controller => 'account', :action => 'login'}
+  
+  @@logout_page = {:controller => 'account', :action => 'logout'}
+  
+  # If this is set to true, authorization failure messages won't volunteer
+  # any extra information, and missing actions will not be flagged as such.
+  @@stealth = false
+end
+

data/lib/account_engine/controller.rb

@@ -0,0 +1,246 @@
+
+require 'account_engine/support'
+
+module AccountEngine
+  module Controller
+    # methods to be added to the ApplicationController
+    
+    include AccountEngine::Support
+    
+    module ClassMethods
+      
+      # Returns an array containing all subclasses of ApplicationController
+      def all_controllers
+        #ObjectSpace.subclasses_of(ApplicationController)
+        subclasses_of(ApplicationController)
+      end
+    end
+    
+    # Returns an array of all action names for this controller
+    # (Actually returns the result of ApplicationController#action_methods, which is private)
+    def action_method_names
+      action_methods
+    end
+    
+    def self.included(base)
+      base.extend(ClassMethods)
+
+      base.class_eval do        
+        # We don't want these actions to be exposed to the Permission
+        # system synchronisation, so we hide them for all controllers.
+        hide_action :require_without_load_path_reloading, :process_test
+        hide_action :action_method_names, :wsdl, :deepcopy
+        hide_action :readable?, :writable?, :r?, :w?, :authorize_action
+        hide_action :store_location, :redirect_back_or_default
+
+        # methods from the AccountEngine module itself
+        hide_action :link_if_authorized, :authorized?, :user_name_if_logged_in
+        hide_action :user?, :current_user, :logged_in?
+      end
+    end
+
+    protected
+    # Use this method to log a user in to the system
+    def authenticate_user
+      # If we are already logged in, return true
+      return true if current_user
+      
+      login = params[:login]
+      password = params[:password]
+      id = params[:user_id]
+      key = params[:key]
+      user = nil
+      
+      if login and password
+        user = User.authenticate(login, password)
+      end
+      
+      if id and key and user.nil?
+        user = User.authenticate_by_token(id, key)
+      end
+      
+      if user
+        user.update_attribute(:logged_in_at, Time.now)
+        session[:user] = user
+        return true
+      end
+      
+      return false
+    end
+    
+    # overwrite this if you want to restrict access to only a few actions
+    # or if you want to check if the user has the correct rights  
+    # example:
+    #
+    #  # only allow nonbobs
+    #  def authorized?(user)
+    #    user.login != "bob"
+    #  end
+    def authorize?(user)
+       true
+    end
+
+    # overwrite this method if you only want to protect certain actions of the controller
+    # example:
+    # 
+    #  # don't protect the login and the about method
+    #  def protect?(action)
+    #    if ['action', 'about'].include?(action)
+    #       return false
+    #    else
+    #       return true
+    #    end
+    #  end
+    def protect?(action)
+      true
+    end
+
+    # login_required filter. add 
+    #
+    #   before_filter :login_required
+    #
+    # if the controller should be under any rights management. 
+    # for finer access control you can overwrite
+    #   
+    #   def authorize?(user)
+    # 
+    def login_required
+      if not protect?(action_name)
+        return true  
+      end
+
+      if user? and authorize?(current_user)
+        return true
+      end
+      
+      if authorize_action
+        return true
+      end
+      
+      if user?
+        # If we are logged in and were denied, we will need to actually back out of the operation
+        redirect_to request.env['HTTP_REFERER'] || session['prev_uri'] || "/"
+        return false
+      end
+
+      # store current location so that we can 
+      # come back after the user logged in
+      store_location
+
+      # call overwriteable reaction to unauthorized access
+      access_denied
+    end
+
+    # overwrite if you want to have special behavior in case the user is not authorized
+    # to access the current operation. 
+    # the default action is to redirect to the login screen
+    # example use :
+    # a popup window might just close itself for instance
+    def access_denied
+      logger.info "Access denied! Action: #{action_name} User: #{current_user}"
+      redirect_to AccountEngine.login_page
+      return false
+    end  
+
+    # store current uri in  the session.
+    # we can return to this location by calling return_location
+    def store_location
+      session['return-to'] = request.request_uri
+    end
+
+    # move to the last store_location call or to the passed default one
+    def redirect_to_stored_or_default(default=nil)
+      if session['return-to'].nil?
+        redirect_to default
+      else
+        redirect_to session['return-to']
+        session['return-to'] = nil
+      end
+    end
+
+    def redirect_back_or_default(default=nil)
+      if request.env["HTTP_REFERER"].nil?
+        redirect_to default
+      else
+        redirect_to(request.env["HTTP_REFERER"]) # same as redirect_to :back
+      end
+    end
+  
+
+    # This method will return true if:
+    #
+    # * The Guest Role is authorized to perform the current action
+    # * The currently logged in user is omnipotent
+    # * The currently logged in user has permission to perform the current
+    #   action.
+    #
+    # In all other cases, it will return false. This method is a replacement
+    # for the +login_required+ method provided by the AccountEngine. If the Guest
+    # role does not have permission for the current action, the user will be
+    # redirected to the login page (and redirected back to this action upon
+    # successful authentication). Users can also authenticate directly via
+    # a security token (see AccountEngine for details). 
+    def authorize_action
+      required_permission = "%s/%s" % [ params["controller"], params["action"] ]
+      logger.debug "required_perm is #{required_permission}"
+
+      controller = params["controller"]
+      action = params["action"]
+
+      # EVERYONE should be able to get to the root. This might never come up, but
+      # better to be safe than sorry. This condition could just as easily be
+      # appended to the Guest check below, but it's clearer up here.
+      if (controller == nil && action == nil)
+        return true
+      end
+
+      # if the controller wasn't nil, but the action was, then we want to 
+      # set the action to "index" so we can check authentication properly
+      action ||= "index"
+
+      # If someone is or can be logged in...
+      # calling 'user?' from the AccountEngine will ensure that a User is
+      # loaded into the session if possible. It could either be there already
+      # or via a user_id and security key
+      if user?
+        # ... then if that logged user is NOT authorised...
+
+        unless current_user.authorized?(controller, action)
+          # YOU... SHALL... NOT... PASS!
+
+          flash[:message] = "Permission warning: You are not authorized for the action '#{required_permission}'." 
+        
+          # Here we are distinguishing between unauthorized actions and actions which do
+          # not exist. It *might* be better to employ a 'steath' technique and simple
+          # claim that all nonsense actions are unauthorized too... but that can make it
+          # difficult to debug.
+          if !AccountEngine.stealth
+            if Permission.find_by_controller_and_action(controller, action)
+
+              # This is a real action, but the user is not allowed to perform it.
+              allowed_roles = Permission.find_by_controller_and_action(controller, action).roles.collect {|r| r.name}.join(', ')
+              your_roles = current_user.roles.collect {|r| r.name}.join(', ')
+              flash[:message] << " Allowed Roles: #{allowed_roles}. User '#{current_user.login}' has only the following: #{your_roles}."
+          
+            else # This wasn't even a real action.
+            end
+          end
+          
+          return false
+        end
+      else
+        
+        # noone is or can be logged in...
+        unless User.guest_user_authorized?(controller, action)          
+          flash[:message] = "You need to log in." 
+          return false
+        end
+      end          
+
+      # If we get here, the user is either a guest and this action is permitted
+      # for guest users, or the user is logged in and the action is permitted by
+      # one or more of their associated roles. Let them pass..
+      return true        
+    end
+  end
+end

data/lib/account_engine/helper.rb

@@ -0,0 +1,104 @@
+
+require 'account_engine/support'
+
+module AccountEngine
+  module Helper
+    include AccountEngine::Support
+    
+    def link_to_user(user = current_user)
+      link_to user.fullname, :controller => 'account', :action => 'show'
+    end
+    
+    #--
+    # The methods to be included in both ApplicationController and ApplicationHelper
+    #++
+
+    # Returns an HTML link if the user has authorisation to perform the
+    # supplied action. All other options and parameters are identical to
+    # those for ActionView::link_to
+    # e.g.
+    #   link_if_authorized("Home", {:controller => "home", :action => "index"})
+    #
+    # If either of the :controller or :action options are ommitted, the
+    # current controller or action will be used instead.
+    #
+    # This method can also take an additional block, which can override the actual
+    # user permissions (i.e. the user must have valid permissions AND this block
+    # must not return false or nil for the link to be generated).
+    #
+    # We also provide special elements with the html_options argument.
+    #
+    # === :wrap_in
+    # This can be used to wrap the link in a given tag. This is useful if some 
+    # surrounding markup to the link should also be ommitted if the user is not 
+    # authorised for that link. E.g.
+    #   <ul>
+    #     <%= link_if_authorised("Delete", {:action => "delete"}, :wrap_in => "li") %>
+    #     ...
+    #   </ul>
+    #
+    # In this case, if the user is not authorised for this link, the <li></li>
+    # element will not be generated. Please note that this is fairly simplistic
+    # and relies on Rails' own #content_tag method. For more sophisticated
+    # control of markup based on authorisation, use the #authorised?() method
+    # directly.
+    #
+    # === :show_text
+    # if this flag is set to true, the text given for the link will be shown
+    # (although not as a link) even if the use is NOT authorised for the given
+    # action.
+    def link_if_authorized(name, options = {}, html_options = {}, *params, &block)
+      result = html_options.delete(:show_text) ? name : ""
+
+      # we need to strip leading slashes when checking authorisation, but not when
+      # actually generating the link.
+      auth_options = options.dup
+      if auth_options[:controller]
+        auth_options[:controller] = auth_options[:controller].gsub(/^\//, '')
+      end
+
+      (block.nil? || (yield block)) && authorized?(auth_options) {
+        #result = link_to_with_current_styling(name, options, html_options, *params)
+        result = link_to(name, options, html_options, *params)
+
+        # TODO: won't this pass other things like html_options[:id], which is EVIL since two
+        # things shouldn't share the same ID.
+        wrap_tag = html_options.delete(:wrap_in)
+        result = content_tag(wrap_tag, result, html_options) if wrap_tag != nil
+      }
+      result
+    end
+    
+    # Returns true, and also executes an optional code block if the current user 
+    # is authorised for the supplied controller and action. If no action is 
+    # supplied, "index" is used by default. Returns false if the user is not
+    # authorised.
+    # e.g.
+    #   <% authorized?("person", "destroy") { %>
+    #     <p>You have the power to destroy users! Well done.</p>
+    #   <% } %>
+    def authorized?(options, &block) # default the action to "index"
+      controller = options[:controller]
+      action = options[:action]
+
+      # use the current controller/action if none is given in options
+      controller ||= @controller.controller_name   
+      action ||= @controller.action_name
+
+      if current_user.nil?
+        RAILS_DEFAULT_LOGGER.debug "checking guest authorisation for #{controller}/#{action}"
+        if User.guest_user_authorized?(controller, action)
+          yield block if block != nil
+          return true
+        end
+      else
+        RAILS_DEFAULT_LOGGER.debug "checking user:#{session[:user].id} authorisation for #{controller}/#{action}"
+        if current_user.authorized?(controller, action)
+          yield block if block != nil
+          return true
+        end
+      end
+      return false
+    end
+  end
+end