mini_auth 0.2.0.beta → 0.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- data/README.md +43 -13
- data/lib/mini_auth/version.rb +1 -1
- data/spec/fake_app.rb +2 -0
- data/spec/mini_auth/setting_password_spec.rb +3 -1
- metadata +12 -12
data/README.md
CHANGED
|
@@ -39,6 +39,8 @@ Synopsis
|
|
|
39
39
|
|
|
40
40
|
class User < ActiveRecord::Base
|
|
41
41
|
include MiniAuth
|
|
42
|
+
|
|
43
|
+
attr_accessible :name
|
|
42
44
|
end
|
|
43
45
|
|
|
44
46
|
a = User.new(:name => "alice", :password => "hotyoga")
|
|
@@ -46,14 +48,19 @@ Synopsis
|
|
|
46
48
|
|
|
47
49
|
a.save # => true
|
|
48
50
|
a.password_digest # => "$2a$10$F5YbEd..."
|
|
49
|
-
a.authenticate("hotyoga) # => a
|
|
50
|
-
a.authenticate("wrong") # => false
|
|
51
51
|
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
|
|
56
|
-
|
|
52
|
+
x = User.find_by_name("alice")
|
|
53
|
+
x.authenticate("wrong") # => false
|
|
54
|
+
x.authenticate("hotyoga) # => x
|
|
55
|
+
|
|
56
|
+
x.attributes = { :current_password => 'hotyoga', :new_password => 'almond' }
|
|
57
|
+
x.changing_password = true
|
|
58
|
+
x.save
|
|
59
|
+
|
|
60
|
+
y = User.find_by_name("alice")
|
|
61
|
+
y.authenticate("hotyoga) # => false
|
|
62
|
+
y.authenticate("almond") # => y
|
|
63
|
+
|
|
57
64
|
|
|
58
65
|
Usage
|
|
59
66
|
-----
|
|
@@ -89,7 +96,7 @@ When neither of them is set to `true`, you can NOT set or change the user's `pas
|
|
|
89
96
|
a.valid? # => true
|
|
90
97
|
|
|
91
98
|
|
|
92
|
-
###
|
|
99
|
+
### Setting password
|
|
93
100
|
|
|
94
101
|
When the user's `setting_password` attribute is set to `true`, its password can
|
|
95
102
|
be set without knowing the current password.
|
|
@@ -106,7 +113,7 @@ Password can't be blank.
|
|
|
106
113
|
b.valid? # => false
|
|
107
114
|
b.errors[:password] # => "can't be blank"
|
|
108
115
|
|
|
109
|
-
Password can be nil.
|
|
116
|
+
Password can't be nil.
|
|
110
117
|
|
|
111
118
|
b = User.new(:name => "bob", :password => nil)
|
|
112
119
|
b.setting_password => true
|
|
@@ -121,7 +128,7 @@ Password should be given.
|
|
|
121
128
|
b.errors[:password] # => "can't be blank"
|
|
122
129
|
|
|
123
130
|
|
|
124
|
-
###
|
|
131
|
+
### Changing password
|
|
125
132
|
|
|
126
133
|
When the user's `changing_password` attribute is set to `true`, its password can
|
|
127
134
|
NOT be set without knowing the current password. You should provide `current_password`
|
|
@@ -144,7 +151,7 @@ When both of the `setting_password` and the `changing_password` are set to `true
|
|
|
144
151
|
only the latter is effective.
|
|
145
152
|
|
|
146
153
|
|
|
147
|
-
### A user
|
|
154
|
+
### A user who has no password
|
|
148
155
|
|
|
149
156
|
You can save a user whose `password_digest` is nil.
|
|
150
157
|
|
|
@@ -152,7 +159,7 @@ You can save a user whose `password_digest` is nil.
|
|
|
152
159
|
c.save!
|
|
153
160
|
c.password_digest # => nil
|
|
154
161
|
|
|
155
|
-
Such a user can't get authenticated.
|
|
162
|
+
Such a user can't get authenticated, but can exist as a temporary account or placeholder.
|
|
156
163
|
|
|
157
164
|
c.authenticate(nil) # => false
|
|
158
165
|
|
|
@@ -192,7 +199,7 @@ You don't have to use them, however.
|
|
|
192
199
|
|
|
193
200
|
### Mass assignment security
|
|
194
201
|
|
|
195
|
-
The `password_digest` column is protected against
|
|
202
|
+
The `password_digest` column is protected against _mass assignment_.
|
|
196
203
|
|
|
197
204
|
c.update_attributes(:password_digest => 'dummy')
|
|
198
205
|
c.password_digest # => nil (unchanged)
|
|
@@ -202,6 +209,29 @@ Similarly, the `setting_password` and `changing_password` attributes are protect
|
|
|
202
209
|
c.attributes = { :setting_password => true, :password => '0000' }
|
|
203
210
|
c.setting_password? # => false
|
|
204
211
|
|
|
212
|
+
A class that includes `Miniauth` is forced to adopt the _whitelist-principle_ regarding the mass assignment protection.
|
|
213
|
+
That is, you have to enumerate the names of attributes that can be set via a hash by the `attr_accessible` method.
|
|
214
|
+
|
|
215
|
+
class User < ActiveRecord::Base
|
|
216
|
+
include MiniAuth
|
|
217
|
+
|
|
218
|
+
attr_accessible :name, :address, :phone
|
|
219
|
+
end
|
|
220
|
+
|
|
221
|
+
Note that the attributes `password`, `password_confirmation`, `current_password`, `new_password`, and
|
|
222
|
+
`new_password_confirmation` are included in the whitelist by default.
|
|
223
|
+
|
|
224
|
+
If your class has a _role_ such as :admin, you should enumerate the accessible attributes as follows:
|
|
225
|
+
|
|
226
|
+
class User < ActiveRecord::Base
|
|
227
|
+
include MiniAuth
|
|
228
|
+
|
|
229
|
+
attr_accessible :name, :address, :phone
|
|
230
|
+
attr_accessible *(accessible_attributes(:default) + [ :is_admin ]), :as => :admin
|
|
231
|
+
end
|
|
232
|
+
|
|
233
|
+
For more information about mass assignment security, please refer to the
|
|
234
|
+
[Mass Assignment](http://guides.rubyonrails.org/security.html#mass-assignment) section of Rails Guides.
|
|
205
235
|
|
|
206
236
|
License
|
|
207
237
|
-------
|
data/lib/mini_auth/version.rb
CHANGED
data/spec/fake_app.rb
CHANGED
metadata
CHANGED
|
@@ -1,8 +1,8 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: mini_auth
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.2.0
|
|
5
|
-
prerelease:
|
|
4
|
+
version: 0.2.0
|
|
5
|
+
prerelease:
|
|
6
6
|
platform: ruby
|
|
7
7
|
authors:
|
|
8
8
|
- Tsutomu Kuroda
|
|
@@ -13,7 +13,7 @@ date: 2011-12-19 00:00:00.000000000 Z
|
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: rails
|
|
16
|
-
requirement: &
|
|
16
|
+
requirement: &17342020 !ruby/object:Gem::Requirement
|
|
17
17
|
none: false
|
|
18
18
|
requirements:
|
|
19
19
|
- - ~>
|
|
@@ -21,10 +21,10 @@ dependencies:
|
|
|
21
21
|
version: 3.1.0
|
|
22
22
|
type: :runtime
|
|
23
23
|
prerelease: false
|
|
24
|
-
version_requirements: *
|
|
24
|
+
version_requirements: *17342020
|
|
25
25
|
- !ruby/object:Gem::Dependency
|
|
26
26
|
name: bcrypt-ruby
|
|
27
|
-
requirement: &
|
|
27
|
+
requirement: &17268340 !ruby/object:Gem::Requirement
|
|
28
28
|
none: false
|
|
29
29
|
requirements:
|
|
30
30
|
- - ! '>='
|
|
@@ -32,10 +32,10 @@ dependencies:
|
|
|
32
32
|
version: '0'
|
|
33
33
|
type: :runtime
|
|
34
34
|
prerelease: false
|
|
35
|
-
version_requirements: *
|
|
35
|
+
version_requirements: *17268340
|
|
36
36
|
- !ruby/object:Gem::Dependency
|
|
37
37
|
name: rspec-rails
|
|
38
|
-
requirement: &
|
|
38
|
+
requirement: &17267280 !ruby/object:Gem::Requirement
|
|
39
39
|
none: false
|
|
40
40
|
requirements:
|
|
41
41
|
- - ~>
|
|
@@ -43,10 +43,10 @@ dependencies:
|
|
|
43
43
|
version: 2.7.0
|
|
44
44
|
type: :development
|
|
45
45
|
prerelease: false
|
|
46
|
-
version_requirements: *
|
|
46
|
+
version_requirements: *17267280
|
|
47
47
|
- !ruby/object:Gem::Dependency
|
|
48
48
|
name: sqlite3
|
|
49
|
-
requirement: &
|
|
49
|
+
requirement: &17266540 !ruby/object:Gem::Requirement
|
|
50
50
|
none: false
|
|
51
51
|
requirements:
|
|
52
52
|
- - ! '>='
|
|
@@ -54,7 +54,7 @@ dependencies:
|
|
|
54
54
|
version: '0'
|
|
55
55
|
type: :development
|
|
56
56
|
prerelease: false
|
|
57
|
-
version_requirements: *
|
|
57
|
+
version_requirements: *17266540
|
|
58
58
|
description: A minimal authentication module for Rails
|
|
59
59
|
email:
|
|
60
60
|
- t-kuroda@oiax.jp
|
|
@@ -92,9 +92,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
|
92
92
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
93
93
|
none: false
|
|
94
94
|
requirements:
|
|
95
|
-
- - ! '
|
|
95
|
+
- - ! '>='
|
|
96
96
|
- !ruby/object:Gem::Version
|
|
97
|
-
version:
|
|
97
|
+
version: '0'
|
|
98
98
|
requirements: []
|
|
99
99
|
rubyforge_project: mini_auth
|
|
100
100
|
rubygems_version: 1.8.10
|