jeffrafter-clearance 0.5.4

data/lib/clearance/app/controllers/users_controller.rb

@@ -0,0 +1,45 @@
+module Clearance
+  module App
+    module Controllers
+      module UsersController
+
+        def self.included(controller)
+          controller.send(:include, Actions)
+          controller.send(:include, PrivateMethods)
+
+          controller.class_eval do
+            before_filter :redirect_to_root, :only => [:new, :create], :if => :signed_in?
+            filter_parameter_logging :password
+          end
+        end
+
+        module Actions
+          def new
+            @user = User.new(params[:user])
+          end
+
+          def create
+            @user = User.new params[:user]
+            if @user.save
+              ClearanceMailer.deliver_confirmation @user
+              flash[:notice] = "You will receive an email within the next few minutes. " <<
+                               "It contains instructions for confirming your account."
+              redirect_to url_after_create
+            else
+              render :action => "new"
+            end
+          end
+        end
+
+        module PrivateMethods
+          private
+
+          def url_after_create
+            new_session_url
+          end
+        end
+
+      end
+    end
+  end
+end

data/lib/clearance/app/models/clearance_mailer.rb

@@ -0,0 +1,23 @@
+module Clearance
+  module App
+    module Models
+      module ClearanceMailer
+
+        def change_password(user)
+          from       DO_NOT_REPLY
+          recipients user.email
+          subject    "Change your password"
+          body       :user => user
+        end
+
+        def confirmation(user)
+          from       DO_NOT_REPLY
+          recipients user.email
+          subject   "Account confirmation"
+          body      :user => user
+        end
+
+      end
+    end
+  end
+end

data/lib/clearance/app/models/user.rb

@@ -0,0 +1,118 @@
+require 'digest/sha1'
+
+module Clearance
+  module App
+    module Models
+      module User
+
+        def self.included(model)
+          model.extend ClassMethods
+          model.send(:include, InstanceMethods)
+
+          model.class_eval do
+            attr_accessible :email, :password, :password_confirmation
+            attr_accessor :password, :password_confirmation
+
+            validates_presence_of     :email
+            validates_presence_of     :password, :if => :password_required?
+            validates_confirmation_of :password, :if => :password_required?
+            validates_uniqueness_of   :email, :case_sensitive => false
+            validates_format_of       :email, :with => %r{.+@.+\..+}
+
+            before_save :initialize_salt, :encrypt_password, :initialize_token
+          end
+        end
+
+        module InstanceMethods
+          def authenticated?(password)
+            encrypted_password == encrypt(password)
+          end
+
+          def encrypt(string)
+            generate_hash("--#{salt}--#{string}--")
+          end
+
+          def remember?
+            token_expires_at && Time.now.utc < token_expires_at
+          end
+
+          def remember_me!
+            remember_me_until! 2.weeks.from_now.utc
+          end
+
+          def forget_me!
+            clear_token
+            save(false)
+          end
+
+          def confirm_email!
+            self.email_confirmed  = true
+            self.token            = nil
+            save(false)
+          end
+
+          def forgot_password!
+            generate_token
+            save(false)
+          end
+
+          def update_password(new_password, new_password_confirmation)
+            self.password              = new_password
+            self.password_confirmation = new_password_confirmation
+            clear_token if valid?
+            save
+          end
+
+          protected
+
+          def generate_hash(string)
+            Digest::SHA1.hexdigest(string)
+          end
+
+          def initialize_salt
+            if new_record?
+              self.salt = generate_hash("--#{Time.now.utc.to_s}--#{password}--")
+            end
+          end
+
+          def encrypt_password
+            return if password.blank?
+            self.encrypted_password = encrypt(password)
+          end
+
+          def generate_token
+            self.token = encrypt("--#{Time.now.utc.to_s}--#{password}--")
+            self.token_expires_at = nil
+          end
+
+          def clear_token
+            self.token            = nil
+            self.token_expires_at = nil
+          end
+
+          def initialize_token
+            generate_token if new_record?
+          end
+
+          def password_required?
+            encrypted_password.blank? || !password.blank?
+          end
+
+          def remember_me_until!(time)
+            self.token_expires_at = time
+            self.token = encrypt("--#{token_expires_at}--#{password}--")
+            save(false)
+          end
+        end
+
+        module ClassMethods
+          def authenticate(email, password)
+            return nil  unless user = find_by_email(email)
+            return user if     user.authenticated?(password)
+          end
+        end
+
+      end
+    end
+  end
+end

data/lib/clearance/lib/extensions/errors.rb

@@ -0,0 +1,4 @@
+module ActionController
+  class Forbidden < StandardError
+  end
+end

data/lib/clearance/lib/extensions/rescue.rb

@@ -0,0 +1 @@
+ActionController::Base.rescue_responses.update('ActionController::Forbidden' => :forbidden)

data/lib/clearance/test/functional/confirmations_controller_test.rb

@@ -0,0 +1,72 @@
+module Clearance
+  module Test
+    module Functional
+      module ConfirmationsControllerTest
+
+        def self.included(controller_test)
+          controller_test.class_eval do
+
+            should_filter_params :token
+
+            context "a user whose email has not been confirmed" do
+              setup { @user = Factory(:user) }
+
+              should "have a token" do
+                assert_not_nil @user.token
+                assert_not_equal "", @user.token
+              end
+
+              context "on GET to #new with correct id and token" do
+                setup do
+                  get :new, :user_id => @user.to_param, :token => @user.token
+                end
+
+                should_set_the_flash_to /confirmed email/i
+                should_set_the_flash_to /signed in/i
+                should_be_signed_in_and_email_confirmed_as { @user }
+                should_redirect_to_url_after_create
+              end
+
+              context "with an incorrect token" do
+                setup do
+                  @bad_token = "bad token"
+                  assert_not_equal @bad_token, @user.token
+                end
+
+                should_forbid "on GET to #new with incorrect token" do
+                  get :new, :user_id => @user.to_param, :token => @bad_token
+                end
+              end
+
+              should_forbid "on GET to #new with blank token" do
+                get :new, :user_id => @user.to_param, :token => ""
+              end
+
+              should_forbid "on GET to #new with no token" do
+                get :new, :user_id => @user.to_param
+              end
+            end
+
+            context "a user with email confirmed" do
+              setup { @user = Factory(:email_confirmed_user) }
+
+              should_forbid "on GET to #new with correct id" do
+                get :new, :user_id => @user.to_param
+              end
+            end
+
+            context "no users" do
+              setup { assert_equal 0, User.count }
+
+              should_forbid "on GET to #new with nonexistent id and token" do
+                get :new, :user_id => '123', :token => '123'
+              end
+            end
+
+          end
+        end
+
+      end
+    end
+  end
+end

data/lib/clearance/test/functional/passwords_controller_test.rb

@@ -0,0 +1,180 @@
+module Clearance
+  module Test
+    module Functional
+      module PasswordsControllerTest
+
+        def self.included(controller_test)
+          controller_test.class_eval do
+
+            should_route :get, '/users/1/password/edit',
+              :action  => 'edit', :user_id => '1'
+
+            context "a signed up user" do
+              setup do
+                @user = Factory(:user)
+              end
+
+              context "on GET to #new" do
+                setup { get :new, :user_id => @user.to_param }
+
+                should_respond_with :success
+                should_render_template "new"
+              end
+
+              context "on POST to #create" do
+                context "with correct email address" do
+                  setup do
+                    ActionMailer::Base.deliveries.clear
+                    post :create, :password => { :email => @user.email }
+                  end
+
+                  should "generate a token for the change your password email" do
+                    assert_not_nil @user.reload.token
+                  end
+
+                  should "send the change your password email" do
+                    assert_sent_email do |email|
+                      email.subject =~ /change your password/i
+                    end
+                  end
+
+                  should_set_the_flash_to /password/i
+                  should_redirect_to_url_after_create
+                end
+
+                context "with incorrect email address" do
+                  setup do
+                    email = "user1@example.com"
+                    assert ! User.exists?(['email = ?', email])
+                    ActionMailer::Base.deliveries.clear
+                    assert_equal @user.token, @user.reload.token
+
+                    post :create, :password => { :email => email }
+                  end
+
+                  should "not generate a token for the change your password email" do
+                    assert_equal @user.token, @user.reload.token
+                  end
+
+                  should "not send a password reminder email" do
+                    assert ActionMailer::Base.deliveries.empty?
+                  end
+
+                  should "set a :notice flash" do
+                    assert_not_nil flash.now[:notice]
+                  end
+
+                  should_render_template :new
+                end
+              end
+            end
+
+            context "a signed up user and forgotten password" do
+              setup do
+                @user = Factory(:user)
+                @user.forgot_password!
+              end
+
+              context "on GET to #edit with correct id and token" do
+                setup do
+                  get :edit, :user_id => @user.to_param, :token => @user.token
+                end
+
+                should "find the user" do
+                  assert_equal @user, assigns(:user)
+                end
+
+                should_respond_with :success
+                should_render_template "edit"
+                should_display_a_password_update_form
+              end
+
+              should_forbid "on GET to #edit with correct id but blank token" do
+                get :edit, :user_id => @user.to_param, :token => ""
+              end
+
+              should_forbid "on GET to #edit with correct id but no token" do
+                get :edit, :user_id => @user.to_param
+              end
+
+              context "on PUT to #update with matching password and password confirmation" do
+                setup do
+                  new_password = "new_password"
+                  @encrypted_new_password = @user.encrypt(new_password)
+                  assert_not_equal @encrypted_new_password, @user.encrypted_password
+
+                  put(:update,
+                      :user_id  => @user,
+                      :token    => @user.token,
+                      :user     => {
+                        :password              => new_password,
+                        :password_confirmation => new_password
+                      })
+                  @user.reload
+                end
+
+                should "update password" do
+                  assert_equal @encrypted_new_password, @user.encrypted_password
+                end
+
+                should "clear token" do
+                  assert_nil @user.token
+                end
+
+                should_be_signed_in_as { @user }
+                should_redirect_to_url_after_update
+              end
+
+              context "on PUT to #update with password but blank password confirmation" do
+                setup do
+                  new_password = "new_password"
+                  @encrypted_new_password = @user.encrypt(new_password)
+
+                  put(:update,
+                      :user_id => @user.to_param,
+                      :token   => @user.token,
+                      :user    => {
+                        :password => new_password,
+                        :password_confirmation => ''
+                      })
+                  @user.reload
+                end
+
+                should "not update password" do
+                  assert_not_equal @encrypted_new_password, @user.encrypted_password
+                end
+
+                should "not clear token" do
+                  assert_not_nil @user.token
+                end
+
+                should_not_be_signed_in
+                should_respond_with    :success
+                should_render_template :edit
+
+                should_display_a_password_update_form
+              end
+
+              should_forbid "on PUT to #update with id but no token" do
+                put :update, :user_id => @user.to_param, :token => ""
+              end
+            end
+
+            context "given two users and user one signs in" do
+              setup do
+                @user_one = Factory(:user)
+                @user_two = Factory(:user)
+                sign_in_as @user_one
+              end
+
+              should_forbid "when user one tries to change user two's password on GET with no token" do
+                get :edit, :user_id => @user_two.to_param
+              end
+            end
+          end
+        end
+
+      end
+    end
+  end
+end