lockdown 0.9.1 → 0.9.2

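--- a/data/lib/lockdown.rb
+++ b/data/lib/lockdown.rb
@@ -3,7 +3,7 @@ require File.join(File.dirname(__FILE__), "lockdown", "helper")
  module Lockdown
  extend Lockdown::Helper
 
- VERSION = '0.9.1'
+ VERSION = '0.9.2'
 
  # Returns the version string for the library.
  def self.version
@@ -16,12 +16,28 @@ module Lockdown
 
  def mixin
  Lockdown.controller_parent.class_eval do
- include Lockdown::Frameworks::Rails::Controller::Lock
  include Lockdown::Session
+ include Lockdown::Frameworks::Rails::Controller::Lock
  end
+
+ Lockdown.controller_parent.helper_method :authorized?
+
+ Lockdown.controller_parent.before_filter do |c|
+ c.set_current_user
+ c.configure_lockdown
+ c.check_request_authorization
+ end
+
+ Lockdown.controller_parent.filter_parameter_logging :password,
+ :password_confirmation
+
+ Lockdown.controller_parent.rescue_from SecurityError,
+ :with => proc{|e| access_denied(e)}
+
  Lockdown.view_helper.class_eval do
  include Lockdown::Frameworks::Rails::View
  end
+
  Lockdown::System.class_eval do
  extend Lockdown::Frameworks::Rails::System
  end
@@ -68,6 +84,21 @@ module Lockdown
 
  maybe_load_framework_controller_parent
 
+ ApplicationController.helper_method :authorized?
+
+ ApplicationController.before_filter do |c|
+ c.set_current_user
+ c.configure_lockdown
+ c.check_request_authorization
+ end
+
+ ApplicationController.filter_parameter_logging :password,
+ :password_confirmation
+
+ ApplicationController.rescue_from SecurityError,
+ :with => proc{|e| access_denied(e)}
+
+
  Dir.chdir("#{Lockdown.project_root}/app/controllers") do
  Dir["**/*.rb"].sort.each do |c|
  next if c == "application.rb"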
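Review bot: In both new `before_filter` blocks (the hunk at -16 inside `mixin` and the hunk at -68) `c.set_current_user` runs before `c.configure_lockdown`, so `Thread.current[:who_did_it]` is populated from the session before `check_session_expiry` (reached through `configure_lockdown`) has had the chance to expire that session; unless `nil_lockdown_values` also resets that thread-local, an already-expired identity survives for the rest of the request. Swapping the first two lines, `c.configure_lockdown` then `c.set_current_user`, closes that window; if `session_timeout_method` redirects, the reorder also means the redirect happens before the basic-auth login in `set_current_user` is attempted, which looks intended but is worth confirming. The two blocks, together with the surrounding `helper_method`, `filter_parameter_logging` and `rescue_from` calls, are duplicated verbatim for `Lockdown.controller_parent` and `ApplicationController`; one private helper taking the controller class would keep them from drifting apart. The method enclosing the third hunk begins before the hunk.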
@@ -17,151 +17,128 @@ module Lockdown
17
17
 
18
18
  # Locking methods
19
19
  module Lock
20
- def self.included(base)
21
- base.class_eval do
22
- include Lockdown::Frameworks::Rails::Controller::Lock::InstanceMethods
23
-
24
- helper_method :authorized?
25
- end
26
-
27
- base.before_filter do |c|
28
- c.set_current_user
29
- c.configure_lockdown
30
- c.check_request_authorization
31
- end
32
-
33
-
34
- base.filter_parameter_logging :password, :password_confirmation
35
-
36
- base.rescue_from SecurityError, :with => proc{|e| access_denied(e)}
20
+ def configure_lockdown
21
+ check_session_expiry
22
+ store_location
37
23
  end
38
24
 
39
- module InstanceMethods
40
-
41
- def configure_lockdown
42
- check_session_expiry
43
- store_location
25
+ def set_current_user
26
+ login_from_basic_auth? unless logged_in?
27
+ if logged_in?
28
+ Thread.current[:who_did_it] = Lockdown::System.
29
+ call(self, :who_did_it)
44
30
  end
31
+ end
45
32
 
46
- def set_current_user
47
- login_from_basic_auth? unless logged_in?
48
- if logged_in?
49
- Thread.current[:who_did_it] = Lockdown::System.
50
- call(self, :who_did_it)
51
- end
52
- end
53
-
54
- def check_request_authorization
55
- unless authorized?(path_from_hash(params))
56
- raise SecurityError, "Authorization failed for params #{params.inspect}"
57
- end
33
+ def check_request_authorization
34
+ unless authorized?(path_from_hash(params))
35
+ raise SecurityError, "Authorization failed for params #{params.inspect}"
58
36
  end
37
+ end
38
+
39
+ def path_allowed?(url)
40
+ session[:access_rights] ||= Lockdown::System.public_access
41
+ session[:access_rights].include?(url)
42
+ end
59
43
 
60
- def path_allowed?(url)
61
- session[:access_rights] ||= Lockdown::System.public_access
62
- session[:access_rights].include?(url)
44
+ def check_session_expiry
45
+ if session[:expiry_time] && session[:expiry_time] < Time.now
46
+ nil_lockdown_values
47
+ Lockdown::System.call(self, :session_timeout_method)
63
48
  end
64
-
65
- def check_session_expiry
66
- if session[:expiry_time] && session[:expiry_time] < Time.now
67
- nil_lockdown_values
68
- Lockdown::System.call(self, :session_timeout_method)
69
- end
70
- session[:expiry_time] = Time.now + Lockdown::System.fetch(:session_timeout)
71
- end
72
-
73
- def store_location
74
- if (request.method == :get) && (session[:thispage] != sent_from_uri)
75
- session[:prevpage] = session[:thispage] || ''
76
- session[:thispage] = sent_from_uri
77
- end
78
- end
79
-
80
- def sent_from_uri
81
- request.request_uri
49
+ session[:expiry_time] = Time.now + Lockdown::System.fetch(:session_timeout)
50
+ end
51
+
52
+ def store_location
53
+ if (request.method == :get) && (session[:thispage] != sent_from_uri)
54
+ session[:prevpage] = session[:thispage] || ''
55
+ session[:thispage] = sent_from_uri
82
56
  end
83
-
84
- def authorized?(url, method = nil)
85
- return false unless url
57
+ end
86
58
 
87
- return true if current_user_is_admin?
59
+ def sent_from_uri
60
+ request.request_uri
61
+ end
62
+
63
+ def authorized?(url, method = nil)
64
+ return false unless url
88
65
 
89
- method ||= request.method
66
+ return true if current_user_is_admin?
90
67
 
91
- url_parts = URI::split(url.strip)
68
+ method ||= request.method
92
69
 
93
- url = url_parts[5]
70
+ url_parts = URI::split(url.strip)
94
71
 
95
- return true if path_allowed?(url)
72
+ url = url_parts[5]
96
73
 
97
- begin
98
- hash = ActionController::Routing::Routes.recognize_path(url, :method => method)
99
- return path_allowed?(path_from_hash(hash)) if hash
100
- rescue Exception
101
- # continue on
102
- end
74
+ return true if path_allowed?(url)
103
75
 
104
- # Passing in different domain
105
- return remote_url?(url_parts[2])
76
+ begin
77
+ hash = ActionController::Routing::Routes.recognize_path(url, :method => method)
78
+ return path_allowed?(path_from_hash(hash)) if hash
79
+ rescue Exception
80
+ # continue on
106
81
  end
107
-
108
- def access_denied(e)
109
82
 
110
- RAILS_DEFAULT_LOGGER.info "Access denied: #{e}"
83
+ # Passing in different domain
84
+ return remote_url?(url_parts[2])
85
+ end
86
+
87
+ def access_denied(e)
88
+
89
+ RAILS_DEFAULT_LOGGER.info "Access denied: #{e}"
111
90
 
112
- if Lockdown::System.fetch(:logout_on_access_violation)
113
- reset_session
91
+ if Lockdown::System.fetch(:logout_on_access_violation)
92
+ reset_session
93
+ end
94
+ respond_to do |format|
95
+ format.html do
96
+ store_location
97
+ redirect_to Lockdown::System.fetch(:access_denied_path)
98
+ return
114
99
  end
115
- respond_to do |format|
116
- format.html do
117
- store_location
118
- redirect_to Lockdown::System.fetch(:access_denied_path)
119
- return
120
- end
121
- format.xml do
122
- headers["Status"] = "Unauthorized"
123
- headers["WWW-Authenticate"] = %(Basic realm="Web Password")
124
- render :text => e.message, :status => "401 Unauthorized"
125
- return
126
- end
100
+ format.xml do
101
+ headers["Status"] = "Unauthorized"
102
+ headers["WWW-Authenticate"] = %(Basic realm="Web Password")
103
+ render :text => e.message, :status => "401 Unauthorized"
104
+ return
127
105
  end
128
106
  end
107
+ end
129
108
 
130
- def path_from_hash(hash)
131
- hash[:controller].to_s + "/" + hash[:action].to_s
132
- end
109
+ def path_from_hash(hash)
110
+ hash[:controller].to_s + "/" + hash[:action].to_s
111
+ end
133
112
 
134
- def remote_url?(domain = nil)
135
- return false if domain.nil? || domain.strip.length == 0
136
- request.host.downcase != domain.downcase
137
- end
113
+ def remote_url?(domain = nil)
114
+ return false if domain.nil? || domain.strip.length == 0
115
+ request.host.downcase != domain.downcase
116
+ end
138
117
 
139
- def redirect_back_or_default(default)
140
- if session[:prevpage].nil? || session[:prevpage].blank?
141
- redirect_to(default)
142
- else
143
- redirect_to(session[:prevpage])
144
- end
145
- end
146
-
147
- # Called from current_user. Now, attempt to login by
148
- # basic authentication information.
149
- def login_from_basic_auth?
150
- username, passwd = get_auth_data
151
- if username && passwd
152
- set_session_user ::User.authenticate(username, passwd)
153
- end
118
+ def redirect_back_or_default(default)
119
+ if session[:prevpage].nil? || session[:prevpage].blank?
120
+ redirect_to(default)
121
+ else
122
+ redirect_to(session[:prevpage])
154
123
  end
124
+ end
155
125
 
156
- @@http_auth_headers = %w(X-HTTP_AUTHORIZATION HTTP_AUTHORIZATION Authorization)
157
- # gets BASIC auth info
158
- def get_auth_data
159
- auth_key = @@http_auth_headers.detect { |h| request.env.has_key?(h) }
160
- auth_data = request.env[auth_key].to_s.split unless auth_key.blank?
161
- return auth_data && auth_data[0] == 'Basic' ? Base64.decode64(auth_data[1]).split(':')[0..1] : [nil, nil]
126
+ # Called from current_user. Now, attempt to login by
127
+ # basic authentication information.
128
+ def login_from_basic_auth?
129
+ username, passwd = get_auth_data
130
+ if username && passwd
131
+ set_session_user ::User.authenticate(username, passwd)
162
132
  end
163
-
164
- end # InstanceMethods
133
+ end
134
+
135
+ @@http_auth_headers = %w(X-HTTP_AUTHORIZATION HTTP_AUTHORIZATION Authorization)
136
+ # gets BASIC auth info
137
+ def get_auth_data
138
+ auth_key = @@http_auth_headers.detect { |h| request.env.has_key?(h) }
139
+ auth_data = request.env[auth_key].to_s.split unless auth_key.blank?
140
+ return auth_data && auth_data[0] == 'Basic' ? Base64.decode64(auth_data[1]).split(':')[0..1] : [nil, nil]
141
+ end
165
142
  end # Lock
166
143
  end # Controller
167
144
  end # Rails
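Review bot: `check_request_authorization` raises `SecurityError` with `params.inspect` embedded in the message, and `access_denied` then writes that message to the log (`RAILS_DEFAULT_LOGGER.info "Access denied: #{e}"`) and returns it to the client in the xml branch (`render :text => e.message`), so request parameters — including any `password` field that the new `filter_parameter_logging` call was meant to keep out of the log — end up both in the log and in the 401 body. The log line is an interpolated string rather than the filtered params hash, so Rails parameter filtering does not apply to it. Dropping the parameters from the message, `raise SecurityError, "Authorization failed for #{path_from_hash(params)}"`, and rendering a fixed body instead of `e.message` keeps the diagnostic without the disclosure. Separately, `get_auth_data` splits the decoded credentials with `split(':')[0..1]`, which truncates any password containing a colon; `split(':', 2)` preserves the whole password.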
@@ -12,6 +12,10 @@ module Lockdown
12
12
  end
13
13
  end
14
14
 
15
+ def logged_in?
16
+ current_user_id.to_i > 0
17
+ end
18
+
15
19
  def current_user_id
16
20
  session[:current_user_id]
17
21
  end
@@ -3,8 +3,6 @@
3
3
  #
4
4
  #*** MUST define a current_user method that will return the current user object
5
5
  #
6
- #*** MUST define a logged_in? method that will return true if a user is logged in
7
- #
8
6
  #*** MUST add call to add_lockdown_session_values to your login method
9
7
  #
10
8
  # # This method uses the current_user method.
@@ -21,6 +19,8 @@
21
19
  #
22
20
  # current_user_id: returns the id of the current_user
23
21
  #
22
+ # logged_in? : returns true if current_user_id > 0
23
+ #
24
24
  # current_user_is_admin?: returns true if user is assigned
25
25
  # administrator rights.
26
26
  #
@@ -2,7 +2,7 @@ require File.join(File.dirname(__FILE__), %w[.. .. .. spec_helper])
2
2
 
3
3
  class TestAController
4
4
  extend Lockdown::Frameworks::Rails::Controller
5
- include Lockdown::Frameworks::Rails::Controller::Lock::InstanceMethods
5
+ include Lockdown::Frameworks::Rails::Controller::Lock
6
6
  end
7
7
 
8
8
  describe Lockdown::Frameworks::Rails::Controller do
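--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
  --- !ruby/object:Gem::Specification
  name: lockdown
  version: !ruby/object:Gem::Version
- version: 0.9.1
+ version: 0.9.2
  platform: ruby
  authors:
  - Andrew Stone
@@ -9,7 +9,7 @@ autorequire:
  bindir: bin
  cert_chain: []
 
- date: 2009-03-22 00:00:00 -04:00
+ date: 2009-03-25 00:00:00 -04:00
  default_executable:
  dependencies:
  - !ruby/object:Gem::Dependency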