model_security_generator 0.0.1 → 0.0.2

data/templates/{user_controller.rb → controllers/user_controller.rb}

@@ -80,7 +80,7 @@ public
         render :action => 'forgot_password_done'
       else
         flash['notice'] = "Can't find a user with email #{@params['email']}."
-	@user = User.new
+        @user = User.new
       end
     end
   end
@@ -121,27 +121,17 @@ public
   alias login_admin login
 
   # Log out the current user, attempt HTTP authentication to log in a new
-  # user. The real reason we put up HTTP authentication here is to make
-  # the browser forget the old authentication data. Otherwise, the browser
-  # keeps sending it!
+  # user. The session information skip_user_setup=true tells the server to
+  # generate a new HTTP authentication request and ignore the current HTTP
+  # authentication data.
+  # We have to request new HTTP authentication here to make the browser
+  # forget the old authentication data. Otherwise, the browser keeps sending
+  # it!
   def logout
-    if User.current and @session[:new_login] != true
-      @session[:new_login] = true
-      User.sign_off
-      session[:user_id] = nil
-      @response.headers["Status"] = "Unauthorized" 
-      @response.headers["WWW-Authenticate"] = \
-       "Basic realm=\"#{@request.domain(2)}\"" 
-      @user = User.new
-      render :action => 'login', :status => 401
-    else
-      @session[:new_login] = false
-      if User.current
-        redirect_to :action => 'success'
-      else
-        redirect_to :action => 'login'
-      end
-    end
+    User.sign_off
+    session[:user_id] = nil
+    session[:skip_user_setup] = true
+    redirect_to :action => 'login'
   end
 
   # Create a new user.
@@ -150,14 +140,29 @@ public
     when :get
       @user = User.new
     when :post
-      @user = User.new(@params['user'])
-      # FIX: Save may fail. Create the email before the record is saved,
-      # deliver it afterward.
-      url = url_for(:controller => 'user', :action => 'activate', :id => @user.id, :token => @user.new_token)
-      UserMailer.deliver_new_user(@user, url)
+      p = @params['user']
+      @user = User.new(p)
       if @user.save
         flash['notice'] = 'User created.'
-        redirect_to :action => 'success'
+        # Promote the very first user to be an administrator.
+        if @user.id == 1
+          @user.admin = 1
+          @user.activated = 1
+          @user.save
+          User.sign_on_by_session(1)
+          render :file => 'app/views/user/admin_created.rhtml'
+	# Mail the user instructions on how to activate their account.
+        else
+          url_params = {
+            :controller => 'user',
+            :action => 'activate',
+            :id => @user.id,
+            :token => @user.new_token
+          }
+          url = url_for(url_params)
+          UserMailer.deliver_new_user(p, url, @user.token_expiry)
+          render :file => 'app/views/user/created.rhtml'
+        end
       else
         flash['notice'] = 'Creation of new user failed.'
       end

data/templates/{model_security.rb → lib/model_security.rb}

@@ -153,7 +153,6 @@ end
 module ModelSecurity
   include ModelSecurity::BothClassAndInstanceMethods
 
-private
   # This does the permission test for readable? or writable?.
   def test_permission(permission, attribute)
     if (d = self.class.read_inheritable_attribute(permission))
@@ -162,6 +161,7 @@ private
       return true
     end
   end
+private
 
   # Responsible for raising an exception when an unpermitted security
   # access is attempted. *permission* is :let_read or :let_write.
@@ -200,8 +200,13 @@ public
   def self.append_features(base)
     super
     base.extend(ClassMethods)
+
+    # Define default permissions for attributes like :id that are used by
+    # Rails.
+    base.default_permissions
   end
 
+
   # Return true if a read of *attribute* is permitted.
   # *attribute* should be a symbol, and should be the
   # name of a database field for this model.
@@ -242,11 +247,6 @@ end
 # Uses a Rails-internal inheritable-attribute mechanism so that this data in a
 # derived class survives modification of similar data in its base class.
 #
-# I'm not sure that write_inheritable_attribute() is the right way to go, either
-# here or in the way that validators are declared. Why not declare the data
-# independently in each subclass and then use *super* to traverse the
-# inheritance graph when accessing it?
-# 
 module ModelSecurity::ClassMethods
 private
   include ModelSecurity::BothClassAndInstanceMethods
@@ -286,6 +286,33 @@ private
   end
 
 public
+
+  # Install default permissions for all of the attributes that Rails defines.
+  #
+  # Readable:
+  #	created_at, created_on, type, id, updated_at, updated_on,
+  #	lock_version, position, parent_id, lft, rgt,
+  #	table_name + '_count'
+  #
+  # Writable:
+  #	updated_at, updated_on, lock_version, position, parent_id, lft, rgt
+  #
+  # Writable only before the first save of an Active Record:
+  #	created_at, created_on, type, id
+  #
+  def default_permissions
+    let_read :created_at, :created_on, :type, :id, :updated_at, \
+     :updated_on, :lock_version, :position, :parent_id, :lft, :rgt, \
+     (table_name + '_count').to_sym
+
+    # These shouldn't change after the first save.
+    let_write :created_at, :created_on, :type, :id, :if => :new_record?
+
+    # These can change.
+    let_write :updated_at, :updated_on, :lock_version, :position, :parent_id, \
+     :lft, :rgt
+  end
+
   # Return true if display of the attribute is permitted. *attribute* is a
   # symbol, and should match a field in the database schema corresponding to
   # this model.

data/templates/{user_support.rb → lib/user_support.rb}

@@ -62,6 +62,15 @@ module UserSupport
   # that expects login information.
   #
   def user_setup
+    # This is used by the logout action to discard the old HTTP authentiction.
+    # Logout redirects to login and that generates a new authentication
+    # request. That request is the only input that can tell the browser to
+    # stop sending the old authentication data with every request!
+    if @session[:skip_user_setup] == true
+      @session[:skip_user_setup] = false
+      return true
+    end
+
     user = login = password = nil
 
     r = @request.env

data/templates/mailer/new_user.rhtml

@@ -0,0 +1,13 @@
+Dear <%= @params['name'] %>,
+
+Your login
+'<%= @params['login' %>'
+has been created, but you must now activate it.
+To do so, please access the following URL before
+<%= @token_expiry %>:
+
+<%= @url %>
+
+  Many Thanks
+
+  The Management

data/templates/{user.rb → models/user.rb}

@@ -110,20 +110,19 @@ private
   # used as a security test, as security tests can access all attributes
   # with impunity. Login and name are public information.
   #
-  # FIX: Reading "id" is necessary for Rails internals.
-  # Make it readable by default in the ModelSecurity module.
-  let_read :admin, :id, :login, :name
+  let_read :admin, :login, :name
 
+  # Allow the very first user to be promoted to administrator.
+  # Once there's an admin, that user has "let_access :all" and can
+  # promote others to administrator.
+  let_write :admin, :if => :initial_self_promotion
+  
   # If this is a new (never saved) record, or if this record corresponds to
-  # the currently-logged-in user, allow reading of the email address,
-  # timestamps and lock_version.
-  #
-  # FIX: Lock_version is read by rails internals when a record is saved, 
-  # make it readable by default in the ModelSecurity module. 
-  let_read :created_on, :email, :updated_on, :lock_version, :if => :new_or_me_or_logging_in?
+  # the currently-logged-in user, allow reading of the email address.
+  let_read :email, :if => :new_or_me_or_logging_in?
 
   # These attributes are concerned with login security, and can only be read
-  # while a user is logging in. We create a pseudo-user for the process of
+  # while a user is logging in. We create a pseudo-user for the process of= 1
   # logging in and a security test :logging_in? that tests for that user.
   let_read :activated, :cypher, :salt, :token, :token_expiry, \
    :if => :logging_in?
@@ -132,24 +131,15 @@ private
 
   # Only in the case of a new (never saved) record can these fields be written.
   #
-  # FIX: Rails internals writes the ID and created_on. Make this test a
-  # default for :id and :created_on within the ModelSecurity module. Document
-  # it to the user.
-  let_write :id, :created_on, :login, :name, :if => :new_record?
+  let_write :login, :name, :if => :new_record?
 
   # Only allow this information to be updated by the user who owns the record,
   # unless this record is new (has never been saved).
-  #
-  # FIX: There should be a default write permission for updated_on and
-  # lock_version within the ModelSecurity module, as Rails internals
-  # write them.
   let_write :cypher, :email, :salt, :if => :new_or_me?
 
   # The security token can only be changed if we're the special "login" user.
   let_write :activated, :token, :token_expiry, :if => :logging_in?
 
-  let_write :updated_on, :lock_version, :if => :new_or_me_or_logging_in?
-
 public
   attr_accessor :password, :password_confirmation, :old_password
 
@@ -197,6 +187,13 @@ public
     return User.admin?
   end
 
+  # Return true if the user's ID is 1 and the user is attempting to promote
+  # himself to administrator. This is used to bootstrap the first administrator
+  # and for no other purpose.
+  def initial_self_promotion?
+    return (self == User.current and id == 1 and not admin?)
+  end
+
   # Return true if the user is currently logging in. This security test allows
   # us to designate model fields to be visible *only* while a user is logging
   # in.

data/templates/{user_mailer.rb → models/user_mailer.rb}

@@ -17,11 +17,12 @@ class UserMailer < ActionMailer::Base
 
   # Send a new-user email, providing the user with a URL used to validate
   # that user's login.
-  def new_user(user, url)
-    @body['user'] = user
+  def new_user(params, url, token_expiry)
+    @body['params'] = params
     @body['url'] = url
+    @body['token_expiry'] = token_expiry
 
-    recipients	user.email
+    recipients	params['email']
     subject	'Your new login is ready'
     from	'bruce@perens.com'
 

data/templates/views/admin_created.rhtml

@@ -0,0 +1,3 @@
+Your login has been created,
+you are an administrator,
+and you are now logged in.

data/templates/views/created.rhtml

@@ -0,0 +1,4 @@
+Your login has been created.
+An email is being sent to 
+<%= @email %>
+with information required to activate the new account.

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification 
-rubygems_version: 0.8.8
+rubygems_version: 0.8.4
 specification_version: 1
 name: model_security_generator
 version: !ruby/object:Gem::Version 
-  version: 0.0.1
-date: 2005-08-12
+  version: 0.0.2
+date: 2005-09-23
 summary: "[Rails] Model security and authentication generator."
 require_paths: 
   - "."
-email: ''
+email: bruce@perens.com
 homepage: 
 rubyforge_project: 
 description: Generates Rails code implementing a model security and authentication system for your Rails app.
@@ -28,42 +28,39 @@ authors:
   - Bruce Perens
   - Joe Hosteny
 files: 
-  - USAGE
-  - README
-  - model_security_generator.rb
-  - templates/modal.rb
-  - templates/modal_helper.rb
-  - templates/model_security.rb
-  - templates/model_security_helper.rb
-  - templates/once.rb
-  - templates/user_support.rb
-  - templates/user.rb
-  - templates/user_controller.rb
-  - templates/user_mailer.rb
-  - templates/user_controller_test.rb
-  - templates/user_test.rb
-  - templates/mock_mailer.rb
-  - templates/mock_time.rb
-  - templates/users.yml
-  - templates/schema.sql
-  - templates/users.sql
-  - templates/scaffold.css
-  - templates/scaffold.rhtml
-  - templates/standard.css
-  - templates/standard.rhtml
-  - templates/_view_form.rhtml
-  - templates/mailer_forgot_password.rhtml
-  - templates/mailer_new_user.rhtml
-  - templates/view_activate.rhtml
-  - templates/view_edit.rhtml
-  - templates/view_forgot_password_done.rhtml
-  - templates/view_list.rhtml
-  - templates/view_login.rhtml
-  - templates/view_login_admin.rhtml
-  - templates/view_logout.rhtml
-  - templates/view_new.rhtml
-  - templates/view_show.rhtml
-  - templates/view_success.rhtml
+  - templates/README
+  - templates/USAGE
+  - templates/controllers/user_controller.rb
+  - templates/db/demo.sql
+  - templates/db/users.sql
+  - templates/helpers/modal_helper.rb
+  - templates/helpers/model_security_helper.rb
+  - templates/lib/modal.rb
+  - templates/lib/model_security.rb
+  - templates/lib/once.rb
+  - templates/lib/user_support.rb
+  - templates/mailer/forgot_password.rhtml
+  - templates/mailer/new_user.rhtml
+  - templates/models/user.rb
+  - templates/models/user_mailer.rb
+  - templates/test/mock_mailer.rb
+  - templates/test/mock_time.rb
+  - templates/test/user_controller_test.rb
+  - templates/test/user_test.rb
+  - templates/test/users.yml
+  - templates/views/_form.rhtml
+  - templates/views/activate.rhtml
+  - templates/views/admin_created.rhtml
+  - templates/views/created.rhtml
+  - templates/views/edit.rhtml
+  - templates/views/forgot_password_done.rhtml
+  - templates/views/list.rhtml
+  - templates/views/login.rhtml
+  - templates/views/login_admin.rhtml
+  - templates/views/logout.rhtml
+  - templates/views/new.rhtml
+  - templates/views/show.rhtml
+  - templates/views/success.rhtml
 test_files: []
 rdoc_options: []
 extra_rdoc_files: []

data/model_security_generator.rb

@@ -1,75 +0,0 @@
-class ModelSecurityGenerator < Rails::Generator::NamedBase
-  def manifest
-    record do |m|
-      # Check for class naming collisions.
-      m.class_collisions class_path, "User", "UserController", "UserMailer", "UserSupport", "Modal", "ModalHelper", "ModelSecurity", "ModelSecurityHelper"
-
-      # Libraries
-      m.file "modal.rb", "lib/modal.rb"
-      m.file "model_security.rb", "lib/model_security.rb"
-      m.file "once.rb", "lib/once.rb"
-      m.file "user_support.rb", "lib/user_support.rb"
-
-      # Helpers
-      m.file "modal_helper.rb", "app/helpers/modal_helper.rb"
-      m.file "model_security_helper.rb", "app/helpers/model_security_helper.rb"
-
-      # User
-      m.file "user.rb", File.join("app/models", "user.rb")
-      m.file "user_controller.rb", File.join("app/controllers", "user_controller.rb")
-
-      # User mailer
-      m.file "user_mailer.rb", File.join("app/models", "user_mailer.rb")
-
-      # Testing related stuff
-      m.file "user_controller_test.rb", "test/functional/user_controller_test.rb"
-      m.file "user_test.rb", "test/unit/user_test.rb"
-      m.file "mock_mailer.rb", "test/mocks/test/user_mailer.rb"
-      m.file "mock_time.rb", "test/mocks/test/time.rb"
-      m.file "users.yml", "test/fixtures/users.yml"
-
-      # Schemas, configuration and miscellaneous
-      m.file "schema.sql", "db/schema.sql"
-      m.file "users.sql", "db/users.sql"
-
-      # Layout and stylesheet.
-      m.file "scaffold.rhtml", "app/views/layouts/scaffold.rhtml"
-      m.file "scaffold.css", "public/stylesheets/scaffold.css"
-      m.file "standard.rhtml", "app/views/layouts/standard.rhtml"
-      m.file "standard.css", "public/stylesheets/standard.css"
-
-      # Views
-      m.directory File.join("app/views", "user", file_name)
-      user_views.each do |action|
-        m.file "view_#{action}.rhtml",
-        File.join("app/views", "user", file_name, "#{action}.rhtml")
-      end
-
-      # Partials
-      m.directory File.join("app/views", "user", file_name)
-      partial_views.each do |action|
-        m.file "_view_#{action}.rhtml",
-        File.join("app/views", "user", file_name, "_#{action}.rhtml")
-      end
-
-      # Mailer
-      m.directory File.join("app/views", "user_mailer")
-      mailer_views.each do |action|
-        m.file "mailer_#{action}.rhtml",
-        File.join("app/views", "user_mailer", "#{action}.rhtml")
-      end
-    end
-  end
-
-  def user_views
-    %w(activate edit forgot_password_done list login login_admin logout new show success)
-  end
-
-  def partial_views
-    %w(form)
-  end
-
-  def mailer_views
-    %w(forgot_password new_user)
-  end
-end

data/templates/mailer_new_user.rhtml

@@ -1,10 +0,0 @@
-Dear <%= @user.name %>,
-
-Your login '<%= @user.login %>' has been created, but you must now activate it.
-To do so, please access the following URL before <%= @user.token_expiry %>:
-
-<%= @url %>
-
-  Many Thanks
-
-  The Management

data/templates/scaffold.css

@@ -1,74 +0,0 @@
-body { background-color: #fff; color: #333; }
-
-body, p, ol, ul, td {
-  font-family: verdana, arial, helvetica, sans-serif;
-  font-size:   13px;
-  line-height: 18px;
-}
-
-pre {
-  background-color: #eee;
-  padding: 10px;
-  font-size: 11px;
-}
-
-a { color: #000; }
-a:visited { color: #666; }
-a:hover { color: #fff; background-color:#000; }
-
-.fieldWithErrors {
-  padding: 2px;
-  background-color: red;
-  display: table;
-}
-
-#ErrorExplanation {
-  width: 400px;
-  border: 2px solid 'red';
-  padding: 7px;
-  padding-bottom: 12px;
-  margin-bottom: 20px;
-  background-color: #f0f0f0;
-}
-
-#ErrorExplanation h2 {
-  text-align: left;
-  font-weight: bold;
-  padding: 5px 5px 5px 15px;
-  font-size: 12px;
-  margin: -7px;
-  background-color: #c00;
-  color: #fff;
-}
-
-#ErrorExplanation p {
-  color: #333;
-  margin-bottom: 0;
-  padding: 5px;
-}
-
-#ErrorExplanation ul li {
-  font-size: 12px;
-  list-style: square;
-}
-
-div.uploadStatus {
-  margin: 5px;
-}
-
-div.progressBar {
-  margin: 5px;
-}
-
-div.progressBar div.border {
-  background-color: #fff;
-  border: 1px solid grey;
-  width: 100%;
-}
-
-div.progressBar div.background {
-  background-color: #333;
-  height: 18px;
-  width: 0%;
-}
-

data/templates/scaffold.rhtml

@@ -1,11 +0,0 @@
-<html>
-<head>
-  <title>: <%= controller.action_name %></title>
-  <%= stylesheet_link_tag 'scaffold' %>
-</head>
-<body>
-
-<%= @content_for_layout %>
-
-</body>
-</html>

data/templates/standard.css

@@ -1,7 +0,0 @@
-.flash {
-	text-align: center;
-	background-color: #C0C0FF;
-	border: medium double #FF0000;
-	margin: 4px;
-}
-

data/templates/standard.rhtml

@@ -1,16 +0,0 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
-<head>
-  <link href="/stylesheets/standard.css" rel="stylesheet" type="text/css" /> 
-</head>
-<body class="page">
-<% if flash['notice'] %>
-  <center>
-  <div class="flash">
-    <%=h flash['notice'] %>
-  </div>
-  </center>
-<% end %>
-<%= @content_for_layout %>
-</body>
-</html>