model_security_generator 0.0.7 → 0.0.8

data/model_security_generator.rb

@@ -18,6 +18,7 @@ class ModelSecurityGenerator < Rails::Generator::NamedBase
 
       # User
       m.file "models/user.rb", "app/models/user.rb"
+      m.file "models/user_configuration.rb", "app/models/user_configuration.rb"
       m.file "controllers/user_controller.rb", "app/controllers/user_controller.rb"
 
       # User mailer
@@ -33,7 +34,9 @@ class ModelSecurityGenerator < Rails::Generator::NamedBase
 
       # Schemas, configuration and miscellaneous
       m.file "db/demo.sql", "db/demo.sql"
+      m.file "db/schema.sql", "db/schema.sql"
       m.file "db/users.sql", "db/users.sql"
+      m.file "db/user_configurations.sql", "db/user_configurations.sql"
 
       # Layout and stylesheet.
 
@@ -54,13 +57,14 @@ class ModelSecurityGenerator < Rails::Generator::NamedBase
       m.file "README", "manuals/ModelSecurity/README"
       m.file "USAGE", "manuals/ModelSecurity/USAGE"
       m.file "RUN_DEMO", "manuals/ModelSecurity/RUN_DEMO"
+      m.file "Tutorial.html", "manuals/ModelSecurity/Tutorial.html"
       m.file "ADD_TO_APPLICATION_CONTROLLER",
        "app/controllers/ADD_TO_APPLICATION_CONTROLLER.ModelSecurity"
     end
   end
 
   def user_views
-    %w(activate admin_created created forgot_password forgot_password_done login login_admin logout new success)
+    %w(activate admin_created configure created forgot_password forgot_password_done list login logout new success)
   end
 
   def mailer_views

data/templates/Tutorial.html

@@ -0,0 +1,669 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+  <meta name="generator" content=
+  "HTML Tidy for Linux/x86 (vers 12 April 2005), see www.w3.org" />
+
+  <title>Securing your Rails models with ModelSecurity</title>
+</head>
+
+<body>
+  <h1>Securing your Rails models with ModelSecurity.</h1><i>Bruce
+  Perens<br />
+  <a href="mailto:bruce@perens.com">bruce@perens.com</a><br />
+  Vice President, Sourcelabs.</i><br />
+  Last modified: Wed Oct 5 14:26:14 PDT 2005<br />
+
+  <p><b>ModelSecurity</b> helps Ruby on Rails developers implement
+  a security <i>defense in depth</i> by implementing access control
+  within the data model.</p>
+
+  <p>If you are like most developers, you think about security when
+  you program controllers and views. But a bug in your controller
+  or view can compromise the security of your application, unless
+  your data model has <i>also</i> been secured.</p>
+
+  <p>The economical, flexible, and extremely readable means of
+  specifying access controls provided by ModelSecurity makes it
+  easier for the developer to <i>think</i> about security, and
+  makes security assumptions that might otherwise live in one
+  developers head <i>concrete</i> and <i>communicable to
+  others.</i></p>
+
+  <p><i>Defense in depth</i> is a common military strategy to
+  prevent an attack from succeeding. If the attacker gets through
+  the first level of defense, there's another level there to meet
+  him. Defense in depth is useful to programmers because it will
+  reveal a flaw for repair in the first level while simultaneously
+  stopping the attack at the second level. Most developers
+  implement some security features in their controllers and views:
+  for example, a controller will generally not allow access to
+  administrative features unless the user is logged in as an
+  administrator, and your views should not display data that is
+  inappropriate for a particular user. This is the "first layer of
+  defense". At that point, we come to the data model access
+  permissions: your second layer of defense. If you've specified
+  them, ActiveRecord will not allow the data to be revealed or
+  modified in an inappropriate manner. Views will in general
+  quietly fail to present non-permitted material in a way that can
+  be exploited: it will be blank if it's not readable, and will be
+  presented as static data rather than in an edit field if it's not
+  writable. This behavior facilitates scaffolding, which would
+  display and allow modification of everything if not told
+  otherwise. A non-permitted controller access to the data model
+  will result in a <code>SecurityViolation</code> exception being
+  raised, which causes the action to terminate and logs diagnostic
+  information that will assist the developer to locate the
+  controller bug.</p>
+
+  <p>ModelSecurity adds these facilities to Rails:</p>
+
+  <ul>
+    <li><code>let_read,</code> <code>let_write</code>, and
+    <code>let_access</code> are added to model declarations. They
+    allow fine-grained security permissions to be specified for
+    each model attribute, or for all of them at once.</li>
+
+    <li>Security conditions are specified as blocks or the names of
+    functions. Each returns a boolean, and <code>true</code>
+    indicates that the access should proceed while
+    <code>false</code> causes it to be denied. This mechanism
+    allows any user authorization system to be wired into
+    ModelSecurity with only a few statements.</li>
+
+    <li>The facilities that are most commonly used to write Rails
+    views, forms, and scaffolds heed the data model security
+    settings. They will not present or allow the modification of an
+    ActiveRecord attribute if that action is prohibited by the
+    access controls on the data model.</li>
+
+    <li>ModelSecurity provides a <code>let_display</code> facility
+    that works similarly to the security specifications, and tells
+    Rails scaffolds and views what fields of a data model are
+    "interesting" and what fields need not be shown to a particular
+    user.</li>
+
+    <li>A simple <b>User</b> model with a login facility, already
+    configured to work with ModelSecurity, is part of the
+    package.</li>
+
+    <li>The <b>UserSupport</b> controller mixin provides a login
+    facility with HTTP authentication to the entire application:
+
+      <ul>
+        <li><code>User_setup</code> is a before-filter for the
+        entire application. It handles login control and session
+        management without additional attention from the
+        programmer.</li>
+
+        <li>The before-filters <code>require_login</code> and
+        <code>require_admin</code> ensure that a user logs in with
+        proper privilege and then will complete the requested
+        action.</li>
+      </ul>
+    </li>
+
+    <li>
+      <b>Modal</b>, a means to handle two common interactions in
+      web design:
+
+      <ul>
+        <li>Modal web forms such as login dialogues that
+        "interrupt" an action and then allow it to complete after
+        the form has been submitted.</li>
+
+        <li>Modal forms that are called from a page to which they
+        will later return the user, such as comment forms within a
+        weblog.</li>
+      </ul>
+    </li>
+  </ul>
+
+  <h2>Getting Started</h2>
+
+  <p>Before we go through the features of ModelSecuity, it's useful
+  to get working code on your system. To go through this demo,
+  you'll need to have Rails, RubyGems, and MySQL installed.</p>
+
+  <p>Generate a rails program called <i>test</i>, and change to its
+  directory:</p>
+
+  <blockquote>
+    <pre>
+rails test
+cd test
+</pre>
+  </blockquote>
+
+  <p>Install the model_security gem:</p>
+
+  <blockquote>
+    <pre>
+gem install model_security_generator
+  
+</pre>
+  </blockquote>
+
+  <p>Generate model_security for your application</p>
+
+  <blockquote>
+    <pre>
+script/generate model_security -
+  
+</pre>
+  </blockquote>
+
+  <p>Have MySQL execute the script to create the database and a
+  MySQL user ID for the rails program:</p>
+
+  <blockquote>
+    <pre>
+cd db/
+mysql -u <i>MYSQL-ADMIN-NAME</i> -p &lt; demo.sql
+</pre>
+  </blockquote>
+
+  <p>Examine demo.sql and users.sql . users.sql defines the table
+  of users. An accessory table defined by user_configurations.sql
+  is used to hold configuration choices for the user system. When
+  you include ModelSecurity in another Rails program, you'll skip
+  demo.sql and use users.sql and user_configurations.sql to create
+  their tables.</p>
+
+  <p>Edit the database configuration in db/database.yml to look
+  like this:</p>
+
+  <blockquote>
+    <pre>
+development:
+  adapter: mysql
+  database: model_security_demo
+  host: localhost
+  username: m_s_demo
+  password: 
+</pre>
+  </blockquote>
+
+  <p>Add some necessary facilities to your brand new application
+  controller:</p>
+
+  <blockquote>
+    <pre>
+cd ../app/controllers
+cp ADD_TO_APPLICATION_CONTROLLER.ModelSecurity application.rb
+cd ../..
+</pre>
+  </blockquote>
+
+  <p>If this wasn't a new controller, you would edit application.rb
+  to add the facilities requested, rather than copying over the
+  file.</p>
+
+  <p>Start the rails server:</p>
+
+  <blockquote>
+    <pre>
+script/server &amp;
+</pre>
+  </blockquote>
+
+  <p>Open a web browser to http://localhost:3000/user/new Use the
+  form to create a new user. That user will automatically be
+  granted the administrator role, and will be activated
+  immediately.</p>
+
+  <p>Subsequent users will <i>not</i> automatically get the
+  administrator role, although an administrator can grant it to
+  them by editing their record with /user/edit/<i>user-name</i> .
+  Subsequent users will not have their login activated immediately
+  when they create it. Instead, they will be sent an email
+  containing a URL that they must use to activate their login.</p>
+
+  <p>Now, you can play with the demo. The user controller responds
+  to:</p>
+
+  <dl>
+    <dt>
+    <code>/user/activate/<i>id</i>?token=<i>security-token</i></code></dt>
+
+    <dd>Activate a user, after the user's login has been
+    created.</dd>
+
+    <dt><code>/user/configure/<i>id</i></code></dt>
+
+    <dd>
+      Configure the User system. Currently allows you to choose:
+
+      <ul>
+        <li>Whether new users must go through email confirmation
+        before they can log in.</li>
+
+        <li>What the sender address is for emails generated by this
+        software.</li>
+      </ul>The configure function requires the administrator role.
+    </dd>
+
+    <dt><code>/user/destroy/<i>id</i></code></dt>
+
+    <dd>Destroy a user. Requires the administrator role.</dd>
+
+    <dt><code>/user/edit/<i>id</i></code></dt>
+
+    <dd>Edit the attributes of a user. Administrators are allowed
+    to edit more fields than normal users, and normal are allowed
+    to edit their own record, not anyone else's.</dd>
+
+    <dt><code>/user/forgot_password</code></dt>
+
+    <dd>Send an email to the user that facilitates password
+    recovery.</dd>
+
+    <dt><code>/user/list</code></dt>
+
+    <dd>List the users. Administrators can see more information
+    than normal users. Normal users can see some information on
+    their own record that they will not see in the records of other
+    users.</dd>
+
+    <dt><code>/user/login</code></dt>
+
+    <dd>Perform HTTP authentication to log in a user. If that
+    doesn't work, fall back on a login form.</dd>
+
+    <dt><code>/user/logout</code></dt>
+
+    <dd>Log a user out. Actually loops back to the login action,
+    because the only way to get the browser to stop sending HTTP
+    authentication data with every request is to ask it to get new
+    authentication data from the user.</dd>
+
+    <dt><code>/user/new</code></dt>
+
+    <dd>Create a new user.</dd>
+
+    <dt><code>/user/show</code></dt>
+
+    <dd>Display information about a user. Administrators can see
+    more information than normal users. Normal users can see some
+    information on their own record that they will not see in the
+    records of other users.</dd>
+  </dl>
+
+  <p>Now that you have the software running, create a user using
+  <code>/user/new</code> The first user that you create will
+  automatically be granted the administrative privilege, sort of
+  like "super-user" status on a Unix or Linux system, and will be
+  logged in immediately.</p>
+
+  <p>You <i>should</i> be able to grant administrative status to
+  subsequent users by editing their record and setting the
+  <i>admin</i> field to 1, due to a Rails bug (at this writing,
+  October 2005), the scaffold views aren't capable of editing
+  boolean database fields. We won't need that facility to go
+  through our demo.</p>
+
+  <p>Log out of the application via the /user/logout action. Your
+  browser will present a login panel using HTTP authentication. Use
+  the <i>cancel</i> button or whatever mechanism your browser
+  provides to get rid of that panel. You should now see a login
+  form in an HTML page. Don't log in.</p>
+
+  <p>Run the <code>/user/list</code> action. This action requies a
+  login before it will complete. The browser will present the login
+  panel again. Log in to the application as your administrative
+  user. You'll now see the list of users.</p>
+
+  <h2>Learning About Login Management And The User Object</h2>
+
+  <p>Let's look at the code that made that login panel happen. In
+  app/controllers/user_controller.rb, you will find this code:</p>
+
+  <blockquote>
+    <pre>
+# Require_login will require a login before the action can be completed.
+# It uses Modal, so it will continue to the action if the login is
+# successful.
+before_filter :require_login, :only =&gt; [ :list, :show ]
+  
+</pre>
+  </blockquote>
+
+  <p>That code causes require_login to be called before the
+  <code>list</code> or <code>show</code> actions. Require_login
+  will keep trying to get a user logged in until the login succeeds
+  or the user bails out of the process using the back button. If
+  you don't yet understand how <i>before-filters</i> work, you'll
+  need to peruse the Rails documentation. If a user is already
+  logged in, require_login returns <code>true</code> and execution
+  proceeds. If no user is logged in, <code>require_login</code>
+  will save the current action and then redirect the browser to the
+  <code>/usr/login</code> action. Once the user is logged in
+  successfully, the browser will be redirected to the previous
+  action.</p>
+
+  <p>Although you might believe that all of this is taking place
+  sequentially in your Rails application, that's not the case. It's
+  achieved by sending a redirect to the browser as each step
+  completes. At each step the browser requests the URL it's been
+  redirected to, and Rails carries out an individual action.
+  Execution proceeds this way if the user asks for
+  <code>/user/list</code> while not logged in:</p>
+
+  <ol>
+    <li>The user asks for <code>/user/list</code></li>
+
+    <li>Rails redirects the browser to
+    <code>/user/login</code></li>
+
+    <li>The browser asks for <code>/user/login</code></li>
+
+    <li>Rails sets the HTTP header to request HTTP authentication
+    and sends a login form.</li>
+
+    <li>The browser sends login information.</li>
+
+    <li>Rails redirects the browser to <code>/user/list</code></li>
+
+    <li>The browser requests <code>/user/list</code></li>
+
+    <li>Rails finally sends the list of users.</li>
+  </ol>Fortunately, all of this complication is handled for you.
+  All you need to know is that you should set
+  <code>require_login</code> as a before-filter for any action that
+  should only be executed for logged-in users.
+
+  <p>There's also a <code>require_admin</code> filter. This one is
+  used with the <code>destroy</code> action of the user controller,
+  as shown by this code:</p>
+
+  <blockquote>
+    <pre>
+# Require_admin will require an administrative login before the action
+# can be called. It uses Modal, so it will continue to the action if the 
+# login is successful.
+before_filter :require_admin, :only =&gt; [ :destroy ]
+  
+</pre>
+  </blockquote>
+
+  <p>That will prevent the <code>destroy</code> action from being
+  executed unless the user successfully logs in as an
+  administrator.</p>
+
+  <p><code>require_admin</code> and <code>require_login</code> are
+  part of your controller-based security setup. As the first line
+  of defense, they will be where potential security violations
+  <i>should</i> stop.</p>
+
+  <p>There's only a little more to learn about logging in and
+  users. Take a look at the file
+  <code>app/controllers/application.rb</code> . You'll see these
+  lines:</p>
+
+  <blockquote>
+    <code>require 'user_support'<br />
+    <br />
+    class ApplicationController &lt;
+    ActionController::Base<br /></code>
+
+    <blockquote>
+      <code>helper :ModelSecurity</code><br />
+      <b><code>include UserSupport</code></b><br />
+      <b><code>before_filter :user_setup</code></b>
+    </blockquote><code>end</code>
+  </blockquote>
+
+  <p>Requiring the file <code>user_support</code> and including the
+  module <code>UserSupport</code> mix the login and user-management
+  capabilities into the application controller's class. The
+  before-filter <code>user_setup</code> handles session control and
+  login management for the entire application. Once
+  <code>user_setup</code> has run, the <code>User</code> object for
+  the currently-logged-in user can be accessed through
+  <code>User.current</code> .</p>
+
+  <h2>Introducing ModelSecurity</h2>
+
+  <p>That's all you need to know to use the <code>User</code>
+  system to manage logins. But we'll keep looking at the
+  <code>User</code> code to see how it secures its own data using
+  <code>ModelSecurity</code>.</p>
+
+  <p>Create a second user with <code>/user/new</code> . This user
+  won't be privileged. The system will send you an email with
+  instructions on how to confirm that user's login. Just in case
+  email delivery isn't working on your server, you can get the
+  email text out of the log file <code>logs/development.log</code>
+  . Confirm the user's login.</p>
+
+  <p>Logged in as your administrative user, visit
+  <code>/user/list</code> . That will display a list of the users
+  you've created so far. Because you are the administrator, their
+  emails will be visible to you. Now, log out using
+  <code>/user/logout</code> and log back in as the non-privileged
+  user you created. Visit <code>/user/list</code> again. Now,
+  you'll be able to see your own email, but not that of other
+  users.</p>
+
+  <p>Let's look at the code that makes that happen. Edit
+  <code>app/models/user.rb</code> and find these lines:</p>
+
+  <blockquote>
+    <pre>
+# If this is a new (never saved) record, or if this record corresponds to
+# the currently-logged-in user, allow reading of the email address.
+let_read :email, :if =&gt; :new_or_me_or_logging_in?
+  
+</pre>
+  </blockquote>
+
+  <p>This code, in the declaration of the User class, says that the
+  <code>email</code> attribute of the model can be read if the
+  function <code>new_or_me_or_logging_in?</code> returns true.
+  Let's look at that function:</p>
+
+  <blockquote>
+    <pre>
+# Return true if the user record is new (never been saved) or if it
+# corresponds to the currently-logged-in user, or if the current user
+# is the special "login" user. This security test is a common pattern
+# applied to a number of user record attributes.
+def new_or_me_or_logging_in?
+  new_record? or User.current == self or logging_in?
+end
+  
+</pre>
+  </blockquote>
+
+  <p>The first condition is the Rails function
+  <code>new_record?</code> which would return true if the record
+  has never been saved. The second condition would return true if
+  the record refers to the currently-logged-in user, and this is
+  what allows the user to see his own email address. The third
+  condition returns true if there is currently no logged-in user
+  (it contains the expression <code>User.current == nil</code>).
+  These are all of the cases in which the application should allow
+  reading of the <code>email</code> attribute of a
+  <code>User</code> record, <i>except one.</i></p>
+
+  <p>NOTE: at this time, there is a app/views/user/list.rhtml
+  template installed by the generator that overrides the scaffold.
+  The difference between this file and the scaffold template is
+  that ActiveRecord#readable? is used to determine if a datum
+  should be displayed or not. This file will move to
+  app/views/scaffolds/list.rhtml once I figure out how to override
+  the scaffold template location. - Bruce</p>
+
+  <p>What tells the software that the administrator can read
+  everyone's email address? That's another line in the
+  <code>User</code> model declaration:</p>
+
+  <blockquote>
+    <pre>
+# Let the administrator access all data. This implements a Unix-like
+# super-user. Note that the coarse-grained override of the super-user
+# is not a _necessary_ pattern for the ModelSecurity module, you can
+# implement controls as fine-grained as you like.
+let_access :all, :if =&gt; :admin?
+
+</pre>
+  </blockquote>
+
+  <p><code>let_access</code> calls <code>let_read</code> and
+  <code>let_write</code> with the same arguments, and thus sets
+  both read and write permissions. <code>:all</code> is a special
+  name that means the permission applies to all of the attributes
+  of the data model, not just one database field. And
+  <code>admin?</code> is a function that returns true if the
+  currently-logged-in user has the administrative privilege. It
+  just tests the value of a model attribute called
+  <code>admin</code>. The effect of all of this is that the
+  administrative user can read or write any datum.</p>
+
+  <p>You must start by setting the permissions for
+  <code>:all</code> in your model if you are using ModelSecurity,
+  as the default is to permit all accesses. If you won't be setting
+  up an administrative user, as above, it would be a good idea to
+  make the default "no access". You can do that with the following
+  code:</p>
+
+  <blockquote>
+    <pre>
+# Set the default to "no access".
+let_access :all, :if =&gt; :never?
+
+</pre>
+  </blockquote>
+
+  <p>The <code>never?</code> test is provided with ModelSecurity,
+  and always returns <code>false</code>. A companion test
+  <code>always?</code> reliably returns <code>true</code>.</p>
+
+  <p>ModelSecurity has two mechanisms for protecting data. One
+  protects the actual data model and will throw a exception upon an
+  unpermitted access. But that's not what we've been seeing: our
+  views have quietly refused to display some unpermitted data,
+  without any exceptions. A second mechanism prevents the common
+  view functions, including those used by templates, from
+  displaying or editing data inappropriately. You activate that
+  mechanism by declaring <code>ModelSecurityHelper</code> in your
+  application, as below in
+  <code>app/controllers/application.rb</code>:</p>
+
+  <blockquote>
+    <code>require 'user_support'<br />
+    <br />
+    class ApplicationController &lt;
+    ActionController::Base<br /></code>
+
+    <blockquote>
+      <b><code>helper :ModelSecurity</code></b><br />
+      <code>include UserSupport</code><br />
+      <br />
+      <code>before_filter :user_setup</code>
+    </blockquote><code>end</code>
+  </blockquote>
+
+  <p>This makes the code in <code>ModelSecurityHelper</code>
+  available to all views in the application. ModelSecurityHelper
+  redefines these common view functions to respect the data model
+  permissions:</p>
+
+  <ul style="list-style-type: none">
+    <li>check_box</li>
+
+    <li>file_field</li>
+
+    <li>hidden_field</li>
+
+    <li>password_field</li>
+
+    <li>radio_button</li>
+
+    <li>text_area</li>
+
+    <li>text_field</li>
+  </ul>Views that use those functions exclusively to display and
+  edit database fields will always refrain from making
+  inappropriate read or write accesses.
+
+  <p>One complication of the view protection is that instance
+  variables of your model that are not related to database fields
+  are effected in the same way as model attributes. So, when you
+  declare the accessors for those instance variables with code like
+  this:</p>
+
+  <blockquote>
+    <pre>
+attr_accessible :password, :password_confirmation, :old_password
+</pre>
+  </blockquote>
+
+  <p>You should also declare security permissions on those same
+  variables:</p>
+
+  <blockquote>
+    <pre>
+# NOTE: :password, :password_confirmation, and :old_password
+# are not attributes of the record, they are instance variables of the
+# class and aren't written to disk under those names. But I declare them
+# here because otherwise ModelSecurityHelper (which doesn't know that)
+# isn't going to allow me to enter them into a form field.
+#
+# I like how fine-grained I can get.
+let_write :password, :if =&gt; :new_or_me_or_logging_in?
+let_write :password_confirmation, :if =&gt; :new_or_me?
+let_write :old_password, :if =&gt; :me?
+</pre>
+  </blockquote>
+
+  <h2>Display Control</h2>
+
+  <p>You may also have noticed that there are more fields in the
+  database, and more attributes in the User object, than the view
+  displays when you visit <code>/user/list</code> . But a quick
+  perusal of the code will show that it's a scaffold view. You
+  would have expected a scaffold to display all fields. But
+  ModelSecurity allows us to override that with the
+  <code>let_display</code> declaration. Take a look at its use in
+  the <code>User</code> model declaration:</p>
+
+  <blockquote>
+    <pre>
+# These just control display.
+let_display :all, :if =&gt; :never? # Set default to don't display, override below.
+let_display :admin, :activated, :if =&gt; :admin?
+let_display :login, :name, :email
+</pre>
+  </blockquote>
+
+  <p>This declaration will cause the scaffold view to present
+  information about three fields, <code>login</code>,
+  <code>name</code> and <code>email</code> to all users (although a
+  <code>let_read</code> declaration further restricts whose email
+  address a non-privileged user can see, as above). Administrative
+  users will also see the fields <code>admin</code> and
+  <code>activated</code>. Nobody will see the fields
+  <code>cypher</code> and <code>salt</code>, they are long strings
+  of encrypted or random cybercrud that nobody wants to read. Note
+  that the scaffold view will format the display as a table with
+  columns only for the data that it will display. All of this is
+  achieved by overloading the <code>content_columns</code> method
+  of <code>ActiveRecord</code> to filter the columns it reports
+  using the data in the <code>let_display</code> declaration.</p>
+
+  <p>While the tests used with <code>let_read</code>,
+  <code>let_write</code>, and <code>let_access</code> are instance
+  methods of your <code>ActiveRecord</code> class, tests used with
+  <code>let_display</code> must be class methods. This is because
+  the decision of what columns to display is made before the first
+  row's instance is accessed. Rails makes it easy enough to declare
+  a method to work with both an instance and its class.</p>
+
+  <p>You've now completed the ModelSecurity tutorial. For more
+  information, see the <a href=
+  "http://perens.com/FreeSoftware/ModelSecurity/Reference/">reference</a>.</p>
+</body>
+</html>

data/templates/controllers/user_controller.rb

@@ -20,7 +20,7 @@ private
   # Require_admin will require an administrative login before the action
   # can be called. It uses Modal, so it will continue to the action if the 
   # login is successful.
-  before_filter :require_admin, :only => [ :destroy ]
+  before_filter :require_admin, :only => [ :configure, :destroy ]
 
   # Require_login will require a login before the action
   # can be called. It uses Modal, so it will continue to the action if the 
@@ -36,6 +36,26 @@ private
     render :status => 401
   end
 
+  # Promote the first user to be an administrator, and don't make that user
+  # confirm.
+  def promote
+    @user.activated = 1
+    @user.admin = 1
+    @user.save
+  end
+
+  # Send an email to a user with details on how to confirm his login.
+  def send_confirmation_email(params)
+    url_params = {
+      :controller => 'user',
+      :action => 'activate',
+      :id => @user.id,
+      :token => @user.new_token
+    }
+    url = url_for(url_params)
+    UserMailer.deliver_new_user(params, url, @user.token_expiry)
+  end
+
 public
 
   # Activate a new user, having logged in with a security token. All of the
@@ -43,6 +63,102 @@ public
   def activate
   end
 
+  before_filter :require_admin, :only => [ :configure, :destroy ]
+
+  # Require_login will require a login before the action
+  # can be called. It uses Modal, so it will continue to the action if the 
+  # login is successful.
+  before_filter :require_login, :only => [ :list, :show ]
+
+  # Cause HTTP Basic validation.
+  # FIX: Basic is not secure. Change to Digest authentication.
+  def http_authorize(realm=@request.domain(2))
+    # This will cause the browser to send HTTP authorization information.
+    @response.headers["Status"] = "Unauthorized" 
+    @response.headers["WWW-Authenticate"] = "Basic realm=\"#{realm}\"" 
+    render :status => 401
+  end
+
+  # Activate a new user, having logged in with a security token. All of the
+  # work goes on in user_support.
+  def activate
+  end
+
+  # Send out a forgot-password email.
+  def forgot_password
+    case @request.method
+    when :get
+      @user = User.new
+    when :post
+      @user = User.find_first(['email = ?', @params['user']['email']])
+      if @user
+        url = url_for(:controller => 'user', :action => 'activate', :id => @user.id, :token => @user.new_token)
+        UserMailer.deliver_forgot_password(@user, url)
+        render :action => 'forgot_password_done'
+      else
+        flash['notice'] = "Can't find a user with email #{@params['email']}."
+        @user = User.new
+      end
+    end
+  end
+
+  # Tell the user the email's on the way.
+  def forgot_password_done
+  end
+
+  def list
+    @users = User.find_all
+  end
+
+  # Attempt HTTP authentication, and fall back on a login form.
+  # If this method is called login_admin (it's an alias), keep trying
+  # until an administrator logs in or the user pushes the "back" button.
+  def login
+    if flash[:login_succeeded]
+      redirect_back_or_default :action => :success
+      return
+    end
+
+    @user = User.new
+    
+    flash[:login_succeeded] = false
+    http_authorize
+  end
+
+  # Log in an administrator. If a non-administrator logs in, keep trying
+  # until an administrator logs in or the user pushes the "back" button.
+  alias login_admin login
+
+  # Log out the current user, attempt HTTP authentication to log in a new
+  # user. The session information skip_user_setup=true tells the server to
+  # generate a new HTTP authentication request and ignore the current HTTP
+  # authentication data.
+  # We have to request new HTTP authentication here to make the browser
+  # forget the old authentication data. Otherwise, the browser keeps sending
+  # it!
+  def logout
+    User.sign_off
+    reset_session
+    flash[:skip_user_setup] = true
+    redirect_to :action => 'login'
+  end
+
+  # Configure this system.
+  def configure
+    case @request.method
+    when :get
+      @user_configuration = UserConfiguration.get
+    when :post
+      c = (@user_configuration = UserConfiguration.get)
+      c.attributes = @params['user_configuration']
+      if c.save
+        flash['notice'] = "Configuration saved."
+      else
+        flash['notice'] = "Configuration NOT saved."
+      end
+    end
+  end
+
   # Send out a forgot-password email.
   def forgot_password
     case @request.method
@@ -106,27 +222,27 @@ public
     when :post
       p = @params['user']
       @user = User.new(p)
+
+      if UserConfiguration.get.email_confirmation == 0
+        @user.activated = 1
+      end
+      
       if @user.save
         flash['notice'] = 'User created.'
         # Promote the very first user to be an administrator.
         if @user.id == 1
-          @user.admin = 1
-          @user.activated = 1
-          @user.save
+          promote
           User.current = @user
           render :action => 'admin_created'
-	# Mail the user instructions on how to activate their account.
         else
-          url_params = {
-            :controller => 'user',
-            :action => 'activate',
-            :id => @user.id,
-            :token => @user.new_token
-          }
-          url = url_for(url_params)
-          UserMailer.deliver_new_user(p, url, @user.token_expiry)
-          @email = p['email']
-          render :action => 'created'
+          # Mail the user instructions on how to activate their account.
+          if UserConfiguration.get.email_confirmation == 1
+            send_confirmation_email(p)
+            @email = p['email']
+            render :action => 'created'
+          else
+            render :action => 'success'
+          end
         end
       else
         flash['notice'] = 'Creation of new user failed.'

data/templates/db/demo.sql

@@ -1,4 +1,4 @@
 create database model_security_demo;
 use model_security_demo;
-source users.sql;
+source schema.sql;
 grant all on model_security_demo.* to 'm_s_demo'@'localhost';

data/templates/db/schema.sql

@@ -0,0 +1,2 @@
+source users.sql;
+source user_configurations.sql;

data/templates/db/user_configurations.sql

@@ -0,0 +1,7 @@
+create table user_configurations (
+	id		integer unsigned not null auto_increment primary key,
+	email_confirmation tinyint unsigned not null default 1,
+        email_sender	text not null,
+	created_on	timestamp not null,
+	updated_on	timestamp not null
+);

data/templates/helpers/model_security_helper.rb

@@ -5,7 +5,7 @@ end
 
 module ActiveRecord
   class Base
-    once('@instanceAliasesDone') {
+    once('@modelSecurityInstanceAliasesDone') {
       # Provides access to the pre-overload version of read_attribute, which
       # is called by the overloaded version.
       alias :old_read_attribute :read_attribute
@@ -15,9 +15,17 @@ module ActiveRecord
       alias :old_write_attribute :write_attribute
     }
 
+    def readable?(name)
+      true
+    end
+
+    def writable?(name)
+      true
+    end
+
     class << self
     private
-      once('@classAliasesDone') {
+      once('@modelSecurityClassAliasesDone') {
         # Provides access to the pre-overload version of content_columns, which
         # is called by the overloaded version.
         alias :old_content_columns :content_columns
@@ -32,6 +40,11 @@ module ActiveRecord
           not display?(c.name)
         }
       end
+
+      # Always return true. ModelSecurity.display? will override this.
+      def display?(name)
+        true
+      end
     end
   end
 end
@@ -96,7 +109,7 @@ module ActionView
     
       # Evaluating the aliases twice would break them.
       # Evaluating the constant definition twice causes a complaint.
-      once ('@aliasesDone') {
+      once ('@modelSecurityAliasesDone') {
         alias :old_check_box :check_box
         alias :old_radio_button :radio_button
       }

data/templates/lib/modal.rb

@@ -32,12 +32,15 @@ module Modal
     if r = @params['ret']
       logger.info("modal_setup: Save location #{r.sub(/\.L/, '#L')}")
       self.return_location = r.sub(/\.L/, '#L')
-    elsif return_location.nil?
-      r = @request.env['HTTP_REFERER']
-      if r
-        logger.info("modal_setup: Save HTTP Referer #{r}")
-        self.return_location = @request.env['HTTP_REFERER']
-      end
+  # This results in redirection loops, as currently written.
+  # It needs a hueristic to carefully avoid them before we try it again.
+  #
+  # elsif return_location.nil?
+  #   r = @request.env['HTTP_REFERER']
+  #   if r
+  #     logger.info("modal_setup: Save HTTP Referer #{r}")
+  #     self.return_location = @request.env['HTTP_REFERER']
+  #   end
     end
     true
   end

data/templates/models/user_configuration.rb

@@ -0,0 +1,18 @@
+class UserConfiguration < ActiveRecord::Base
+public
+  attr_accessible :email_confirmation, :email_sender
+
+  def self.get
+    begin
+      u = self.find(1)
+    rescue
+      c =  self.new
+    end
+  end
+
+  def initialize(parameters = nil)
+    super
+    self.email_confirmation = 1
+    self.email_sender = ''
+  end
+end

data/templates/models/user_mailer.rb

@@ -2,7 +2,15 @@ ActionMailer::Base.delivery_method = :sendmail
 
 # Send mail to a user to administer that user's login. Called by UserController.
 class UserMailer < ActionMailer::Base
+private
+  def set_sender
+    s = UserConfiguration.get.email_sender
+    if s.length > 0
+      from s
+    end
+  end
 
+public
   # Send a forgot-password email, allowing the user to regain their login name
   # and password.
   def forgot_password(user, url)
@@ -11,8 +19,7 @@ class UserMailer < ActionMailer::Base
 
     recipients	user.email
     subject	'Login and password recovery.'
-    from	'bruce@perens.com'
-
+    set_sender
   end
 
   # Send a new-user email, providing the user with a URL used to validate
@@ -24,7 +31,6 @@ class UserMailer < ActionMailer::Base
 
     recipients	params['email']
     subject	'Your new login is ready'
-    from	'bruce@perens.com'
-
+    set_sender
   end
 end

data/templates/views/configure.rhtml

@@ -0,0 +1,26 @@
+<h1>Configure the User System</h1>
+
+<% if flash['notice'] %>
+  <p><%= flash['notice'] %></p>
+<% end %>
+
+<%= error_messages_for 'user_configuration' %>
+<%= form_tag :action => 'configure' %>
+  <table>
+    <tr>
+      <th><label for="user_configuration_email_confirmation">
+        Email confirmation:
+      </label></th>
+      <td>
+        <%= check_box 'user_configuration', 'email_confirmation' %>
+      </td>
+    </tr>
+    <tr>
+      <th><label for="user_configuration_email_sender">
+        Email Sender:
+      </label></th>
+      <td><%= text_field 'user_configuration', 'email_sender' %></td>
+    </tr>
+  </table>
+  <%= submit_tag "Save" %>
+<%= end_form_tag %>

data/templates/views/list.rhtml

@@ -0,0 +1,28 @@
+<h1>Listing <%= @scaffold_plural_name %></h1>
+
+<table>
+  <tr>
+  <% for column in User.content_columns %>
+    <th><%= column.human_name %></th>
+  <% end %>
+  </tr>
+  
+<% for entry in @users %>
+  <tr>
+  <% for column in User.content_columns %>
+    <td>
+      <% if entry.readable?(column.name) %>
+        <%= entry.send(column.name) %>
+      <% end %>
+    </td>
+  <% end %>
+    <td><%= link_to "Show", :action => "show", :id => entry %></td>
+    <td><%= link_to "Edit", :action => "edit", :id => entry %></td>
+    <td><%= link_to "Destroy", {:action => "destroy", :id => entry}, {:confirm => "Are you sure?"} %></td>
+  </tr>
+<% end %>
+</table>
+
+<br />
+
+<%= link_to "New User", :action => "new" %>

metadata

@@ -3,8 +3,8 @@ rubygems_version: 0.8.4
 specification_version: 1
 name: model_security_generator
 version: !ruby/object:Gem::Version 
-  version: 0.0.7
-date: 2005-10-11
+  version: 0.0.8
+date: 2005-10-12
 summary: "[Rails] Model security and authentication generator."
 require_paths: 
   - "."
@@ -32,10 +32,13 @@ files:
   - templates/README
   - templates/USAGE
   - templates/RUN_DEMO
+  - templates/Tutorial.html
   - templates/ADD_TO_APPLICATION_CONTROLLER
   - templates/controllers/user_controller.rb
   - templates/db/demo.sql
+  - templates/db/schema.sql
   - templates/db/users.sql
+  - templates/db/user_configurations.sql
   - templates/helpers/modal_helper.rb
   - templates/helpers/model_security_helper.rb
   - templates/lib/modal.rb
@@ -45,6 +48,7 @@ files:
   - templates/mailer/forgot_password.rhtml
   - templates/mailer/new_user.rhtml
   - templates/models/user.rb
+  - templates/models/user_configuration.rb
   - templates/models/user_mailer.rb
   - templates/test/mock_mailer.rb
   - templates/test/mock_time.rb
@@ -53,11 +57,12 @@ files:
   - templates/test/users.yml
   - templates/views/activate.rhtml
   - templates/views/admin_created.rhtml
+  - templates/views/configure.rhtml
   - templates/views/created.rhtml
   - templates/views/forgot_password.rhtml
   - templates/views/forgot_password_done.rhtml
+  - templates/views/list.rhtml
   - templates/views/login.rhtml
-  - templates/views/login_admin.rhtml
   - templates/views/logout.rhtml
   - templates/views/new.rhtml
   - templates/views/success.rhtml

data/templates/views/login_admin.rhtml

@@ -1,16 +0,0 @@
-<p>
-You must have the administrator role to proceed.<br/>
-If you aren't an administrator, please use the "back" button in your browser to exit this action.
-</p>
-<p>
-<b>Administrator login</b>
-</p>
-<%= start_form_tag %>
-  <p><label for="user_login">User ID</label><br/>
-  <%= text_field 'user', 'login'  %></p>
-  
-  <p><label for="user_password">Password</label><br/>
-  <%= password_field 'user', 'password'  %></p>
-
-  <%= submit_tag 'Login' %>
-<%= end_form_tag %>