model_security_generator 0.0.6 → 0.0.7

data/templates/controllers/user_controller.rb

@@ -69,13 +69,14 @@ public
   # If this method is called login_admin (it's an alias), keep trying
   # until an administrator logs in or the user pushes the "back" button.
   def login
-    if User.current and (admin? or action_name != 'login_admin')
+    if flash[:login_succeeded]
       redirect_back_or_default :action => :success
       return
     end
 
     @user = User.new
     
+    flash[:login_succeeded] = false
     http_authorize
   end
 
@@ -93,7 +94,7 @@ public
   def logout
     User.sign_off
     reset_session
-    session[:skip_user_setup] = true
+    flash[:skip_user_setup] = true
     redirect_to :action => 'login'
   end
 
@@ -112,8 +113,7 @@ public
           @user.admin = 1
           @user.activated = 1
           @user.save
-          User.sign_on_by_session(1)
-          session[:user_id] = 1
+          User.current = @user
           render :action => 'admin_created'
 	# Mail the user instructions on how to activate their account.
         else

data/templates/lib/modal.rb

@@ -30,9 +30,14 @@ module Modal
   def modal_setup
     # Set modal return.
     if r = @params['ret']
+      logger.info("modal_setup: Save location #{r.sub(/\.L/, '#L')}")
       self.return_location = r.sub(/\.L/, '#L')
     elsif return_location.nil?
-      self.return_location = @request.env['HTTP_REFERER']
+      r = @request.env['HTTP_REFERER']
+      if r
+        logger.info("modal_setup: Save HTTP Referer #{r}")
+        self.return_location = @request.env['HTTP_REFERER']
+      end
     end
     true
   end
@@ -40,19 +45,22 @@ module Modal
   # Get the location to return to after a modal action. The argument should
   # be a string containing a URL.
   def return_location
-    @session[:return_to]
+    session[:return_to]
   end
 
   # Set the location to return to after a modal action. The return value should
   # be a string containing a URL.
   def return_location= a
-    @session[:return_to] = a
+    logger.info("return_location= #{a}")
+    session[:return_to] = a
   end
 
   # Store the location to return to after a modal action from the request URI.
   # This is usually called before redirecting to another action.
   def store_location
-    self.return_location = @request.request_uri
+    uri = @request.request_uri
+    logger.info("Store location: #{uri}")
+    self.return_location = uri
   end
 
   # Redirect to the stored return location. If no stored return location
@@ -61,11 +69,17 @@ module Modal
   def redirect_back_or_default(attributes = {}, *method_params)
     r = return_location
     if r
-      redirect_to_url r
-      self.return_location = nil
-    else
-      redirect_to attributes, method_params
+      if r == @request.request_uri
+        logger.info("redirect_back_or_default: BREAKING REDIRECTION LOOP #{r}.")
+      else
+        logger.info("redirect_back_or_default: return to #{r}")
+        self.return_location = nil
+        redirect_to_url r
+        return
+      end
     end
+    logger.info("redirect_back_or_default: go to default #{attributes.inspect}, #{method_params.inspect}")
+    redirect_to attributes, method_params
   end
 
   # Create a URL optionally including an internal anchor. If the +id+ argument

data/templates/lib/user_support.rb

@@ -22,23 +22,28 @@ module UserSupport
   end
 
   
-  # FIX: This only works for require_login and require_admin for now, because
-  # I'm not passing the block across invocations.
-  #
   # This is meant to be used as a before_filter. 
   # A condition that is dependent on the user's login is in the block.
   # If the condition isn't true, a login panel is put up, and the explanation 
   # that is passed as an argument may (or may not) be presented to the user,
   # depending on whether we're using HTTP authentication or not.
   # Once the condition is met, it resumes the action it was protecting.
-  def require_condition(e)
+  def require_condition(header = nil, message = nil)
     if yield
       return true
     else
-      if controller_name != 'user' and (action_name != 'login' and action_name != 'login_admin')
+      if controller_name != 'user' or (action_name != 'login' and action_name != 'login_admin')
         store_location
       end
-      redirect_to :controller => 'user', :action => 'login', :explanation => e
+
+      # This test is to avoid writing the flash unnecessarily.
+      # Currently, writing the flash causes the entire session, not just the
+      # variables in question, to be written twice.
+      if header or message
+        flash[:login_header] = header
+        flash[:login_message] = message
+      end
+      redirect_to :controller => 'user', :action => 'login'
       return false
     end
   end
@@ -48,7 +53,11 @@ module UserSupport
   # isn't currently logged in. Once the administrator logs in, it resumes
   # the action it was protecting.
   def require_admin
-    require_condition("Administrative user required.") { admin? }
+    header = "Administrative user required."
+    message = "You must be an administrative user to perform this action. " \
+     + "If you don't have an administrative login, please use the back button "\
+     + "of your browser to cancel this action."
+    require_condition(header, message) { admin? }
   end
 
   # This is meant to be used as a before_filter. It requires a
@@ -56,7 +65,7 @@ module UserSupport
   # logged in. Once a user logs in, it resumes the action it was
   # protecting.
   def require_login
-    require_condition("Login required.") { User.current }
+    require_condition(nil, "You must be logged in to perform this action.") { User.current }
   end
 
   # This is a before filter for the entire application, used to set up the
@@ -72,23 +81,30 @@ module UserSupport
   # security tests of ModelSecurity that are based on User, or anything
   # that expects login information.
   #
+  # Keep this function in sync with User.current() and User.current=().
+  # It's aware of the way those functions store the user information.
+  #
   def user_setup
     # require_* use Modal to return to what they were doing after HTTP
     # authentication.
     modal_setup
 
+    # User.current=() needs a thread-global reference to the session.
+    Thread.current[:session] = session
+    logger.info("Session is #{Thread.current[:session]}")
+
     # This is used by the logout action to discard the old HTTP authentiction.
     # Logout redirects to login and that generates a new authentication
     # request. That request is the only input that can tell the browser to
     # stop sending the old authentication data with every request!
-    if @session[:skip_user_setup] == true
-      @session[:skip_user_setup] = false
+    if flash[:skip_user_setup] == true
+      flash[:skip_user_setup] = false
       return true
     end
 
-    user = login = password = nil
-
+    login = password = nil
     r = @request.env
+    old_user = user = session[:user]
 
     # If the request contains an HTTP authentication, decode it.
     # Don't use it to authenticate the user yet.
@@ -102,11 +118,6 @@ module UserSupport
       end
     end
 
-    # If the user is already logged into the session, get the user record.
-    if (id = @session[:user_id])
-      user = User.sign_on_by_session(id)
-    end
-
     # If the HTTP authentication is for a different user name, the user wants
     # to change logins. This can happen if an operation requires an
     # administrative login and the current user isn't the administrator but
@@ -137,11 +148,13 @@ module UserSupport
       user = User.sign_on_by_token(@params[:id], @params['token'])
     end
 
-    if user
-      User.current = user
-      @session[:user_id] = user.id
+    # User.current must always be set with each request. It's backed by a
+    # class-global variable.
+    User.current = user
+
+    if user != old_user
+      flash[:login_succeeded] = true
     end
-    logger.info("Current user is #{User.current.inspect}.")
 
     true
   end

data/templates/models/user.rb

@@ -156,6 +156,53 @@ public
   let_write :password_confirmation, :if => :new_or_me?
   let_write :old_password, :if => :me?
 
+  # Return the user for the current request. It is guaranteed that this is
+  # set for each request in the before_filter for the application.
+  #
+  # This function uses the Ruby Thread class to do thread-local storage,
+  # which will be overkill if the Rails server implementation isn't also
+  # using Ruby threads, but works everywhere.
+  #
+  # User.current(), User.current=(), and UserSupport#user_setup encapsulate
+  # session storage of user information. Only these three functions should
+  # know whether we store the entire User object in the session or only
+  # User#id.
+  #
+  def User.current
+    # This does not refer to the session because the application has set
+    # this from the session in user_setup.
+    Thread.current[:user]
+  end
+
+  # Set the user for the current request. It is guaranteed that this is
+  # set for each request in the before_filter for the application.
+  #
+  # This function uses the Ruby Thread class to do thread-local storage,
+  # which will be overkill if the Rails server implementation isn't also
+  # using Ruby threads, but works everywhere.
+  #
+  # User.current(), User.current=(), and UserSupport#user_setup encapsulate
+  # session storage of user information. Only these three functions should
+  # know whether we store the entire User object in the session or only
+  # User#id.
+  #
+  def User.current=(u)
+    Thread.current[:user] = u
+
+    session = Thread.current[:session]
+
+    if session.nil?
+      message = "Programming error: Please add \"before_filter :user_setup\" to your application controller. See the ModelSecurity documentation."
+
+      raise RuntimeError.new(message)
+    end
+
+    # Don't cause a session store unnecessarily
+    if session[:user] != u
+      session[:user] = u
+    end
+  end
+
   # Change the user's password. Confirm the old password while doing so.
   def change_password(attributes)
     @password_is_new = true
@@ -172,26 +219,18 @@ public
     self.old_password = attributes['old_password']
   end
 
-  # Return the currently-logged-in user.
-  def User.current
-    @current_user
-  end
-
-  # Set the currently-logged-in user.
-  def User.current=(u)
-    @current_user = u
-  end
-
   # Return true if this record corresponds to the currently-logged-in user.
   # This is used as a security test.
   def me?
-    User.current and User.current.id == id
+    u = User.current
+    u and u.id == id
   end
 
   # Return true if the currently-logged-in user is the administrator.
   # Class method. This is used as a pseudo-security test by let_display.
   def User.admin?
-    return ((current != nil ) and (current.admin.to_i == 1))
+    u = User.current
+    return ((u != nil ) and (u.admin.to_i == 1))
   end
 
   # Return true if the currently-logged-in user is the administrator.
@@ -305,16 +344,6 @@ public
     end
   end
 
-  # Continue the current login, from the session data.
-  # This should be called by User.setup .
-  def User.sign_on_by_session(user_id)
-    begin
-      return (User.current = User.find(user_id))
-    rescue
-    end
-    return nil
-  end
-
   # Sign on the user using a security token. Instance method.
   def sign_on_by_token(t)
     User.current = User.login_user
@@ -323,7 +352,7 @@ public
       self.token_expiry = Time.now
       self.activated = 1
       save
-      User::current = self
+      User.current = self
       return self;
     end
     return nil

data/templates/views/login.rhtml

@@ -1,6 +1,16 @@
-<h1>Please login</h1>
+<h1>
+  <% if flash[:login_header] %>
+    <%= flash[:login_header] + '. ' %>
+  <% end %>
+  Please log in.
+</h1>
 
-<%= start_form_tag :action => 'login' %>
+<% if flash[:login_message] %>
+  <p>
+  <%= flash[:login_message] %>
+  </p>
+<% end %>
+<%= form_tag :action => 'login' %>
   <p><label for="user_login">User ID</label><br/>
   <%= text_field 'user', 'login'  %></p>
   

metadata

@@ -3,8 +3,8 @@ rubygems_version: 0.8.4
 specification_version: 1
 name: model_security_generator
 version: !ruby/object:Gem::Version 
-  version: 0.0.6
-date: 2005-10-10
+  version: 0.0.7
+date: 2005-10-11
 summary: "[Rails] Model security and authentication generator."
 require_paths: 
   - "."