login_sugar_generator 0.9.4 → 0.9.5

data/templates/README

@@ -1,10 +1,10 @@
 == About
 
 login_sugar is a modification of salted_login generator 1.1.1 that works
-out of the box on Rails 1.1.6
+out of the box on Rails 1.2.3
 
 Changes:
-  - tests all pass out of the box on Rails >= 1.1.4
+  - tests all pass out of the box on Rails 1.2.3
   - using ActiveRecord::Migrations for db setup
   - put underscores in first_name and last_name user attributes
   - replaced Mock Time extension with a Mock Clock.
@@ -12,6 +12,7 @@ Changes:
   - contains a default configuration zip
   - session references se symbols
   - localization removed
+  - removed deprecated code
 
 More about salted_login_generator at http://rubyforge.org/projects/salted-login
 
@@ -21,7 +22,7 @@ If you are on Windoze, see http://wiki.rubyonrails.com/rails/pages/iconv/
 
 == Installation
 
-If you are working with a fresh rails 1.1.6 project, you can unzip the included
+If you are working with a fresh rails 1.2.3 project, you can unzip the included
 default_login_sugar_setup.zip file in your RAILS_ROOT directory. It contains
 preconfigured application controller, environment.rb, application_helper.rb and
 test_helper.rb that should work if you used User as your controller names when
@@ -41,7 +42,6 @@ this:
   class ApplicationController < ActionController::Base
     include <%= class_name %>System
     helper :<%= singular_name %>
-    model :<%= singular_name %>
     before_filter :authenticate_user
 
 Add the following at the end of your config/environment.rb file:
@@ -60,15 +60,14 @@ Edit this file as necessary.
 Import the <%= singular_name %> model into the database.
 
 You'll have to create your development and test databases first and configure your
-config/database.yml appropriately. Note, if you are using mysql you will need to edit
-test/fixtures/users.yml and make the indicated change on the last fixture.
+config/database.yml appropriately.
 
 You can use the provided migration script in
 db/migrate/migration_login_sugar__rename_this_to_fit_your_project.rb.
 
-This model is meant as an example and you
-can extend it, however I suggest first completing the stock installation and running
-the tests to confirm installation, then create a new migration to add your new columns.
+This migration table is meant as an example and you can extend it, however I suggest first
+completing the stock installation and running the tests to confirm installation, then create
+a new migration to add your new columns.
 
 Rename db/migrate/migration_login_sugar__rename_this_to_fit_your_project.rb to
 db/migrate/###_login_sugar.rb where ### is the proper new migration level. For example,
@@ -78,7 +77,7 @@ of the migration in the class definition as well.
 
 Then run:
 
-  rake migrate && rake db:test:clone
+  rake db:migrate
 
 Go ahead and run the unit and functional tests now:
 
@@ -178,6 +177,7 @@ automatically on startup.
 == Changelog
 
 login_sugar
+0.9.5 security updates. compatible with rails 1.2.3
 0.9.4 removed scaffold references, removed localization, added generator rake task
 0.9.3 fixed Clock.now, symbolized session references
 0.9.2 fixed localization reference for sign in form (thanks Nym)

data/templates/controller.rb

@@ -5,31 +5,37 @@ class <%= class_name %>Controller < ApplicationController
 
   def login
     return if generate_blank_form
-    @<%= singular_name %> = <%= class_name %>.new(@params['<%= singular_name %>'])
-    <%= singular_name %> = <%= class_name %>.authenticate(@params['<%= singular_name %>']['login'], @params['<%= singular_name %>']['password'])
+    @<%= singular_name %> = <%= class_name %>.new(params['<%= singular_name %>'])
+    <%= singular_name %> = <%= class_name %>.authenticate(params['<%= singular_name %>']['login'], params['<%= singular_name %>']['password'])
     if <%= singular_name %>
       @current_<%= singular_name %> = <%= singular_name %>
-      @session[:<%= singular_name %>_id] = <%= singular_name %>.id
+      session[:<%= singular_name %>_id] = <%= singular_name %>.id
       flash['notice'] = 'Login succeeded'
       redirect_back_or_default :action => 'welcome'
     else
-      @login = @params['<%= singular_name %>']['login']
+      @login = params['<%= singular_name %>']['login']
       flash['message'] = 'Login failed'
     end
   end
 
   def signup
     return if generate_blank_form
-    @params['<%= singular_name %>'].delete('form')
-    @<%= singular_name %> = <%= class_name %>.new(@params['<%= singular_name %>'])
+    @<%= singular_name %> = <%= class_name %>.new(
+      :login => params['<%= singular_name %>'][:login],
+      :password => params['<%= singular_name %>'][:password],
+      :password_confirmation => params['<%= singular_name %>'][:password_confirmation],
+      :email => params['<%= singular_name %>'][:email],
+      :first_name => params['<%= singular_name %>'][:first_name],
+      :last_name => params['<%= singular_name %>'][:last_name]
+    )
     begin
-      <%= class_name %>.transaction(@<%= singular_name %>) do
+      <%= class_name %>.transaction do
         @<%= singular_name %>.password_needs_confirmation = true
         if @<%= singular_name %>.save
           key = @<%= singular_name %>.generate_security_token
           url = url_for(:action => 'welcome')
           url += "?<%= singular_name %>[id]=#{@<%= singular_name %>.id}&key=#{key}"
-          <%= class_name %>Notify.deliver_signup(@<%= singular_name %>, @params['<%= singular_name %>']['password'], url)
+          <%= class_name %>Notify.deliver_signup(@<%= singular_name %>, params['<%= singular_name %>']['password'], url)
           flash['notice'] = 'Signup successful! Please check your registered email account to verify your account registration and continue with the login.'
           redirect_to :action => 'login'
         end
@@ -41,16 +47,16 @@ class <%= class_name %>Controller < ApplicationController
   end  
   
   def logout
-    @session[:<%= singular_name %>_id] = nil
+    session[:<%= singular_name %>_id] = nil
     @current_<%= singular_name %> = nil
     redirect_to :action => 'login'
   end
 
   def change_password
     return if generate_filled_in
-    @params['<%= singular_name %>'].delete('form')
+    params['<%= singular_name %>'].delete('form')
     begin
-      @<%= singular_name %>.change_password(@params['<%= singular_name %>']['password'], @params['<%= singular_name %>']['password_confirmation'])
+      @<%= singular_name %>.change_password(params['<%= singular_name %>']['password'], params['<%= singular_name %>']['password_confirmation'])
       @<%= singular_name %>.save!
     rescue Exception => ex
       report_exception ex
@@ -58,7 +64,7 @@ class <%= class_name %>Controller < ApplicationController
       render and return
     end
     begin
-      <%= class_name %>Notify.deliver_change_password(@<%= singular_name %>, @params['<%= singular_name %>']['password'])
+      <%= class_name %>Notify.deliver_change_password(@<%= singular_name %>, params['<%= singular_name %>']['password'])
     rescue Exception => ex
       report_exception ex
     end
@@ -74,18 +80,18 @@ class <%= class_name %>Controller < ApplicationController
 
     return if generate_blank_form
 
-    if @params['<%= singular_name %>']['email'].empty?
+    if params['<%= singular_name %>']['email'].empty?
       flash.now['message'] = 'Please enter a valid email address.'
-    elsif (<%= singular_name %> = <%= class_name %>.find_by_email(@params['<%= singular_name %>']['email'])).nil?
-      flash.now['message'] = "We could not find a <%= singular_name %> with the email address #{CGI.escapeHTML(@params['<%= singular_name %>']['email'])}"
+    elsif (<%= singular_name %> = <%= class_name %>.find_by_email(params['<%= singular_name %>']['email'])).nil?
+      flash.now['message'] = "We could not find a <%= singular_name %> with the email address #{CGI.escapeHTML(params['<%= singular_name %>']['email'])}"
     else
       begin
-        <%= class_name %>.transaction(<%= singular_name %>) do
+        <%= class_name %>.transaction do
           key = <%= singular_name %>.generate_security_token
           url = url_for(:action => 'change_password')
           url += "?<%= singular_name %>[id]=#{<%= singular_name %>.id}&key=#{key}"
           <%= class_name %>Notify.deliver_forgot_password(<%= singular_name %>, url)
-          flash['notice'] = "Instructions on resetting your password have been emailed to #{CGI.escapeHTML(@params['<%= singular_name %>']['email'])}."
+          flash['notice'] = "Instructions on resetting your password have been emailed to #{CGI.escapeHTML(params['<%= singular_name %>']['email'])}."
           unless authenticated_<%= singular_name %>?
             redirect_to :action => 'login'
             return
@@ -94,21 +100,21 @@ class <%= class_name %>Controller < ApplicationController
         end
       rescue Exception => ex
         report_exception ex
-        flash.now['message'] = "Your password could not be emailed to #{CGI.escapeHTML(@params['<%= singular_name %>']['email'])}"
+        flash.now['message'] = "Your password could not be emailed to #{CGI.escapeHTML(params['<%= singular_name %>']['email'])}"
       end
     end
   end
 
   def edit
     return if generate_filled_in
-    if @params['<%= singular_name %>']['form']
-      form = @params['<%= singular_name %>'].delete('form')
+    if params['<%= singular_name %>']['form']
+      form = params['<%= singular_name %>'].delete('form')
       begin
         case form
         when "edit"
-          changeable_fields = ['first_name', 'last_name', 'email']
-          params = @params['<%= singular_name %>'].delete_if { |k,v| not changeable_fields.include?(k) }
-          @<%= singular_name %>.attributes = params
+          unclean_params = params['<%= singular_name %>']
+          <%= singular_name %>_params = unclean_params.delete_if { |k,v| not <%= class_name %>::CHANGEABLE_FIELDS.include?(k) }
+          @<%= singular_name %>.attributes = <%= singular_name %>_params
           @<%= singular_name %>.save
           flash.now['notice'] = "<%= class_name %> has been updated."
         when "change_password"
@@ -126,7 +132,7 @@ class <%= class_name %>Controller < ApplicationController
   end
 
   def delete
-    @<%= singular_name %> = @current_<%= singular_name %> || <%= class_name %>.find_by_id( @session[:<%= singular_name %>_id] )
+    @<%= singular_name %> = @current_<%= singular_name %> || <%= class_name %>.find_by_id( session[:<%= singular_name %>_id] )
     begin
       @<%= singular_name %>.update_attribute( :deleted, true )
       logout
@@ -151,7 +157,7 @@ class <%= class_name %>Controller < ApplicationController
 
   # Generate a template <%= singular_name %> for certain actions on get
   def generate_blank_form
-    case @request.method
+    case request.method
     when :get
       @<%= singular_name %> = <%= class_name %>.new
       render
@@ -162,8 +168,8 @@ class <%= class_name %>Controller < ApplicationController
 
   # Generate a template <%= singular_name %> for certain actions on get
   def generate_filled_in
-    @<%= singular_name %> = @current_<%= singular_name %> || <%= class_name %>.find_by_id( @session[:<%= singular_name %>_id] )
-    case @request.method
+    @<%= singular_name %> = @current_<%= singular_name %> || <%= class_name %>.find_by_id( session[:<%= singular_name %>_id] )
+    case request.method
     when :get
       render
       return true

data/templates/controller_test.rb

@@ -72,6 +72,18 @@ class <%= class_name %>ControllerTest < Test::Unit::TestCase
     assert !<%= singular_name %>.verified
   end
 
+
+  def test_signup__cannot_set_arbitrary_attributes
+    post_signup :login => "new<%= singular_name %>",
+                :password => "password", :password_confirmation => "password",
+                :email => "skunk@example.com",
+                :verified => '1',
+                :role => 'superadmin'
+    <%= singular_name %> = <%= class_name %>.find_by_email("skunk@example.com")
+    assert !<%= singular_name %>.verified
+    assert_nil <%= singular_name %>.role
+  end
+
   def test_signup__validates_password_min_length
     post_signup :login => "tesla_rhea", :password => "bad", :password_confirmation => "bad", :email => "someone@example.com"
     assert_password_validation_fails
@@ -107,6 +119,7 @@ class <%= class_name %>ControllerTest < Test::Unit::TestCase
     <%= singular_name %>.reload
     assert <%= singular_name %>.verified
     assert_logged_in( <%= singular_name %> )
+    assert <%= singular_name %>.token_expired?
   end
 
   def test_welcome__fails_if_expired_token

data/templates/helper.rb

@@ -15,12 +15,12 @@ module <%= class_name %>Helper
     opts = DEFAULT_HEAD_OPTIONS.dup
     opts.update(options.symbolize_keys)
     s = "<h3>#{label}</h3>"
-    if @flash['notice'] and not opts[:notice].nil? and opts[:notice]
-      notice = "<div><p>#{@flash['notice']}</p></div>"
+    if flash['notice'] and not opts[:notice].nil? and opts[:notice]
+      notice = "<div><p>#{flash['notice']}</p></div>"
       s = s + notice
     end
-    if @flash['message'] and not opts[:message].nil? and opts[:message]
-      message = "<div id=\"ErrorExplanation\"><p>#{@flash['message']}</p></div>"
+    if flash['message'] and not opts[:message].nil? and opts[:message]
+      message = "<div id=\"ErrorExplanation\"><p>#{flash['message']}</p></div>"
       s = s + message
     end
     if not opts[:error].nil? and opts[:error]
@@ -33,9 +33,4 @@ module <%= class_name %>Helper
    return s
   end
 
-  def start_form_tag_helper(options = {})
-    url = url_for(:action => "#{@controller.action_name}")
-    "#{self.send(:start_form_tag, url, options)}"
-  end
-
 end

data/templates/user.rb

@@ -2,6 +2,7 @@ require 'digest/sha1'
 
 # this model expects a certain database layout and its based on the name/login pattern. 
 class <%= class_name %> < ActiveRecord::Base
+  CHANGEABLE_FIELDS = ['first_name', 'last_name', 'email']
   attr_accessor :password_needs_confirmation
 
   after_save '@password_needs_confirmation = false'
@@ -23,28 +24,28 @@ class <%= class_name %> < ActiveRecord::Base
   end
 
   def self.authenticate(login, pass)
-    u = find_first(["login = ? AND verified = TRUE AND deleted = FALSE", login])
+    u = find( :first, :conditions => ["login = ? AND verified = TRUE AND deleted = FALSE", login])
     return nil if u.nil?
-    find_first(["login = ? AND salted_password = ? AND verified = TRUE", login, salted_password(u.salt, hashed(pass))])
+    find( :first, :conditions => ["login = ? AND salted_password = ? AND verified = TRUE", login, salted_password(u.salt, hashed(pass))])
   end
 
   def self.authenticate_by_token(id, token)
     # Allow logins for deleted accounts, but only via this method (and
     # not the regular authenticate call)
     logger.info "Attempting authorization of #{id} with #{token}"
-    u = find_first(["id = ? AND security_token = ?", id, token])
+    u = find( :first, :conditions => ["id = ? AND security_token = ?", id, token])
     if u
       logger.info "Authenticated by token: #{u.inspect}"
     else
       logger.info "Not authenticated" if u.nil?
     end
     return nil if (u.nil? or u.token_expired?)
-    u.update_attribute :verified, true
+    u.update_attributes :verified => true, :token_expiry => Clock.now
     return u
   end
 
   def token_expired?
-    self.security_token and self.token_expiry and (Clock.now > self.token_expiry)
+    self.security_token and self.token_expiry and (Clock.now >= self.token_expiry)
   end
 
   def generate_security_token

data/templates/users.yml

@@ -44,5 +44,5 @@ unverified_<%= singular_name %>:
   email: unverified_<%= singular_name %>@example.com
   verified: false
   security_token: random_token_string
-  token_expiry: <%%= (Clock.now + 1.day) %> # for mysql, add .strftime("%y-%m-%d %H:%M:%S")
+  token_expiry: <%%= (Clock.now + 1.day).strftime("%y-%m-%d %H:%M:%S") %> # for mysql, add .strftime("%y-%m-%d %H:%M:%S")
   deleted: false

data/templates/view_change_password.rhtml

@@ -4,12 +4,12 @@
   <div class="form-padding">
     Enter your new password in the fields below and click 'Change Password' to have a new password sent to your email inbox.
 
-    <%%= start_form_tag_helper %>
+    <%% form_tag(url_for(:action => "#{@controller.action_name}")) do %>
       <%%= render_partial 'password', :<%= singular_name %> => @<%= singular_name %>, :submit => false %>
       <div class="button-bar">
         <%%= submit_tag 'Change Password' %>
         <%%= link_to 'Cancel', :action => 'welcome' %>
       </div>
-    <%%= end_form_tag %>
+    <%% end %>
   </div>
 </div>

data/templates/view_edit.rhtml

@@ -1,19 +1,19 @@
 <div title="<%%= title_helper %>" class="form">
   <%%= head_helper 'Edit <%= class_name %>', :error => true %>
 
-    <%%= start_form_tag_helper %>
+    <%% form_tag(url_for(:action => "#{@controller.action_name}")) do %>
       <%%= render_partial 'edit', :<%= singular_name %> => @<%= singular_name %>, :submit => true %>
-    <%%= end_form_tag %>
+    <%% end %>
     </br>
-    <%%= start_form_tag_helper %>
+    <%% form_tag(url_for(:action => "#{@controller.action_name}")) do %>
       <%%= render_partial 'password', :submit => true %>
-    <%%= end_form_tag %>
+    <%% end %>
 
-    <%%= start_form_tag_helper %>
+    <%% form_tag(url_for(:action => "#{@controller.action_name}")) do %>
       <div class="<%= singular_name %>_delete">
         <%%= hidden_field '<%= singular_name %>', 'form', :value => 'delete' %>
         <%%= submit_tag 'Delete' %>
       </div>
-    <%%= end_form_tag %>
+    <%% end %>
   </div>
 </div>

data/templates/view_forgot_password.rhtml

@@ -7,13 +7,13 @@
       to have instructions on how to retrieve your forgotten password emailed to you.
     </p>
 
-    <%%= start_form_tag_helper %>
+    <%% form_tag(url_for(:action => "#{@controller.action_name}")) do %>
       <%%= text_field '<%= singular_name %>', "email", :size => 30 %><br/>
 
       <div class="button-bar">
         <%%= submit_tag 'Send instructions' %>
         <%%= link_to 'Cancel', :action => 'login' %>
       </div>
-    <%%= end_form_tag %>
+    <%% end %>
   </div>
 </div>                                                                          

data/templates/view_login.rhtml

@@ -2,7 +2,7 @@
   <%%= head_helper 'Please login' %>
 
   <div class="form-padding">
-    <%%= start_form_tag_helper  %>
+    <%% form_tag(url_for(:action => "#{@controller.action_name}")) do %>
       <table>
         <tr class="two_columns">
           <td class="prompt"><label>Login:</label></td>
@@ -18,7 +18,7 @@
         <%%= submit_tag 'login' %>
         <%%= link_to 'Register for an account', :action => 'signup' %> |
         <%%= link_to 'Forgot my password', :action => 'forgot_password' %>      </div>
-    <%%= end_form_tag %>
+    <%% end %>
   </div>
 </div>
                                                                                 

data/templates/view_signup.rhtml

@@ -2,13 +2,13 @@
   <%%= head_helper 'Sign Up', :error => true %>
 
   <div class="form-padding">
-    <%%= start_form_tag_helper %>
+    <%% form_tag(url_for(:action => "#{@controller.action_name}")) do %>
       <%%= render_partial 'edit', :<%= singular_name %> => @<%= singular_name %>, :submit => false %></br>
       <%%= render_partial 'password', :submit => false %>
       
       <div class="button-bar">
         <%%= submit_tag 'Sign up' %>
       </div>
-    <%%= end_form_tag %>
+  <%% end %>
   </div>
 </div>

metadata

@@ -1,10 +1,10 @@
 --- !ruby/object:Gem::Specification 
-rubygems_version: 0.8.11
+rubygems_version: 0.9.2
 specification_version: 1
 name: login_sugar_generator
 version: !ruby/object:Gem::Version 
-  version: 0.9.4
-date: 2007-01-29 00:00:00 -08:00
+  version: 0.9.5
+date: 2007-05-30 00:00:00 -07:00
 summary: A modification of the Salted Hash Login Generator that works with Rails 1.1.[456]
 require_paths: 
 - lib
@@ -25,6 +25,7 @@ required_ruby_version: !ruby/object:Gem::Version::Requirement
 platform: ruby
 signing_key: 
 cert_chain: 
+post_install_message: 
 authors: 
 - Dav Yaginuma
 files: