parlement 0.14 → 0.17

data/app/models/person_notify.rb

@@ -3,11 +3,11 @@ class PersonNotify < ActionMailer::Base
 		# Email header info MUST be added here
 		@recipients = person.user.email
 		@subject = "[parlement] email verification"
-    @from = LoginEngine.config(:email_from).to_s
+    @from = LOGIN_ENGINE[:email_from].to_s
 
 		# Email body substitutions go here
 		@body["name"] = person.name
 		@body["url"] = url
-    @body["app_name"] = LoginEngine.config(:app_name).to_s
+    @body["app_name"] = LOGIN_ENGINE[:app_name].to_s
 	end
 end

data/app/models/user.rb

@@ -1,7 +1,133 @@
 class User < ActiveRecord::Base
-  include LoginEngine::AuthenticatedUser
+	attr_accessor :new_password
 
-  # all logic has been moved into login_engine/lib/login_engine/authenticated_user.rb
+	validates_presence_of :login
+	validates_length_of :login, :within => 3..40
+	validates_uniqueness_of :login
+	validates_uniqueness_of :email
+	validates_format_of :email, :with => /^[^@]+@.+$/
 
+	validates_presence_of :password, :if => :validate_password?
+	validates_confirmation_of :password, :if => :validate_password?
+	validates_length_of :password, { :minimum => 5, :if => :validate_password? }
+	validates_length_of :password, { :maximum => 40, :if => :validate_password? }
+  
+	protected 
+
+	attr_accessor :password, :password_confirmation
+
+	after_save :falsify_new_password
+	after_validation :crypt_password
+
+	public
+
+	def User.authenticate(login, pass)
+		u = find(:first, :conditions => ["login = ? AND verified = 1 AND deleted = 0", login])
+		return nil if u.nil?
+		find(:first, :conditions => ["login = ? AND salted_password = ? AND verified = 1", login, salted_password(u.salt, hashed(pass))])
+	end
+
+	def User.authenticate_by_token(id, token)
+		# Allow logins for deleted accounts, but only via this method (and
+		# not the regular authenticate call)
+		u = find(:first, :conditions => ["#{User.primary_key} = ? AND security_token = ?", id, token])
+		return nil if u.nil? or u.token_expired?
+		return nil if false == u.update_expiry
+		u
+	end
+
+	protected
+
+	def self.hashed(str)
+		# check if a salt has been set...
+		if LOGIN_ENGINE[:salt] == nil
+			raise "You must define a :salt value in the configuration for the LoginEngine module."
+		end
+
+		return Digest::SHA1.hexdigest("#{LOGIN_ENGINE[:salt]}--#{str}--}")[0..39]
+	end
+
+	def self.salted_password(salt, hashed_password)
+		hashed(salt + hashed_password)
+	end
+
+	public
+
+	# hmmm, how does this interact with the developer's own User model initialize?
+	# We would have to *insist* that the User.initialize method called 'super'
+	def initialize(attributes = nil)
+		super
+		@new_password = false
+	end
+
+	def token_expired?
+		self.security_token and self.token_expiry and (Time.now > self.token_expiry)
+	end
+
+	def update_expiry
+		write_attribute('token_expiry', [self.token_expiry, Time.at(Time.now.to_i + 600 * 1000)].min)
+		write_attribute('authenticated_by_token', true)
+		write_attribute("verified", 1)
+		update_without_callbacks
+	end
+
+	def generate_security_token(hours = nil)
+		if not hours.nil? or self.security_token.nil? or self.token_expiry.nil? or 
+			(Time.now.to_i + token_lifetime / 2) >= self.token_expiry.to_i
+			return new_security_token(hours)
+		else
+			return self.security_token
+		end
+	end
+
+	def set_delete_after
+		hours = LOGIN_ENGINE[:delayed_delete_days] * 24
+		write_attribute('deleted', 1)
+		write_attribute('delete_after', Time.at(Time.now.to_i + hours * 60 * 60))
+
+		# Generate and return a token here, so that it expires at
+		# the same time that the account deletion takes effect.
+		return generate_security_token(hours)
+	end
+
+	def change_password(pass, confirm = nil)
+		self.password = pass
+		self.password_confirmation = confirm.nil? ? pass : confirm
+		@new_password = true
+	end
+
+	protected
+
+	def validate_password?
+		@new_password
+	end
+
+
+	def crypt_password
+		if @new_password
+			write_attribute("salt", User.hashed("salt-#{Time.now}"))
+			write_attribute("salted_password", User.salted_password(salt, User.hashed(@password)))
+		end
+	end
+
+	def falsify_new_password
+		@new_password = false
+		true
+	end
+
+	def new_security_token(hours = nil)
+		write_attribute('security_token', User.hashed(self.salted_password + Time.now.to_i.to_s + rand.to_s))
+		write_attribute('token_expiry', Time.at(Time.now.to_i + token_lifetime(hours)))
+		update_without_callbacks
+		return self.security_token
+	end
+
+	def token_lifetime(hours = nil)
+		if hours.nil?
+			LOGIN_ENGINE[:security_token_life_hours] * 60 * 60
+		else
+			hours * 60 * 60
+		end
+	end
 end
 

data/app/models/user_notify.rb

@@ -3,14 +3,14 @@ class UserNotify < ActionMailer::Base
     setup_email(user)
 
     # Email header info
-    @subject += "Welcome to #{LoginEngine.config(:app_name)}!"
+    @subject += "Welcome to #{LOGIN_ENGINE[:app_name]}!"
 
     # Email body substitutions
     @body["name"] = "#{user.firstname} #{user.lastname}"
     @body["login"] = user.login
     @body["password"] = password
-    @body["url"] = url || LoginEngine.config(:app_url).to_s
-    @body["app_name"] = LoginEngine.config(:app_name).to_s
+    @body["url"] = url || LOGIN_ENGINE[:app_url].to_s
+    @body["app_name"] = LOGIN_ENGINE[:app_name].to_s
   end
 
   def forgot_password(user, url=nil)
@@ -22,8 +22,8 @@ class UserNotify < ActionMailer::Base
     # Email body substitutions
     @body["name"] = "#{user.firstname} #{user.lastname}"
     @body["login"] = user.login
-    @body["url"] = url || LoginEngine.config(:app_url).to_s
-    @body["app_name"] = LoginEngine.config(:app_name).to_s
+    @body["url"] = url || LOGIN_ENGINE[:app_url].to_s
+    @body["app_name"] = LOGIN_ENGINE[:app_name].to_s
   end
 
   def change_password(user, password, url=nil)
@@ -36,8 +36,8 @@ class UserNotify < ActionMailer::Base
     @body["name"] = "#{user.firstname} #{user.lastname}"
     @body["login"] = user.login
     @body["password"] = password
-    @body["url"] = url || LoginEngine.config(:app_url).to_s
-    @body["app_name"] = LoginEngine.config(:app_name).to_s
+    @body["url"] = url || LOGIN_ENGINE[:app_url].to_s
+    @body["app_name"] = LOGIN_ENGINE[:app_name].to_s
   end
 
   def pending_delete(user, url=nil)
@@ -48,9 +48,9 @@ class UserNotify < ActionMailer::Base
 
     # Email body substitutions
     @body["name"] = "#{user.firstname} #{user.lastname}"
-    @body["url"] = url || LoginEngine.config(:app_url).to_s
-    @body["app_name"] = LoginEngine.config(:app_name).to_s
-    @body["days"] = LoginEngine.config(:delayed_delete_days).to_s
+    @body["url"] = url || LOGIN_ENGINE[:app_url].to_s
+    @body["app_name"] = LOGIN_ENGINE[:app_name].to_s
+    @body["days"] = LOGIN_ENGINE[:delayed_delete_days].to_s
   end
 
   def delete(user, url=nil)
@@ -61,15 +61,15 @@ class UserNotify < ActionMailer::Base
 
     # Email body substitutions
     @body["name"] = "#{user.firstname} #{user.lastname}"
-    @body["url"] = url || LoginEngine.config(:app_url).to_s
-    @body["app_name"] = LoginEngine.config(:app_name).to_s
+    @body["url"] = url || LOGIN_ENGINE[:app_url].to_s
+    @body["app_name"] = LOGIN_ENGINE[:app_name].to_s
   end
 
   def setup_email(user)
     @recipients = "#{user.email}"
-    @from       = LoginEngine.config(:email_from).to_s
-    @subject    = "[#{LoginEngine.config(:app_name)}] "
+    @from       = LOGIN_ENGINE[:email_from].to_s
+    @subject    = "[#{LOGIN_ENGINE[:app_name]}] "
     @sent_on    = Time.now
-    @headers['Content-Type'] = "text/plain; charset=#{LoginEngine.config(:mail_charset)}; format=flowed"
+    @headers['Content-Type'] = "text/plain; charset=#{LOGIN_ENGINE[:mail_charset]}; format=flowed"
   end
 end

data/app/views/account/_login.rhtml

@@ -1,44 +1,44 @@
 <% form_remote_tag(
 	:update => 'identity',
 	:url => { :controller => 'account', :action => 'login', :elt => @elt },
-  :before => visual_effect(:BlindUp, 'identity', { :queue => 'login' }) \
-    +";resetChoices();",
-  :loaded => visual_effect(:BlindDown, 'identity', { :queue => 'login' }) \
-    +visual_effect(:BlindDown, 'subscriptionLink')) do %>
-
-  <fieldset>
-    <label for="person_name"><%= _('Pseudo') %>:</label>
-    <%= text_field "person", "name", :size => 10 %>
-    <script type="text/javascript">Form.focusFirstElement(document.forms[0]);</script>
-
-    <%= link_to_function('<span class="icon">&gt;&gt;</span>',
-      "Element.toggle(this);" \
-        +visual_effect(:Grow, 'user_password_identity') \
-        +"Form.focusFirstElement(document.forms[0])") %>
-
-    <span id="user_password_identity" style="display: none">
-      <br />
-      <label for="user_password"><%= _('Password') %>:</label>
-      <%= password_field "user", "password", :size => 10 %>
-
-      <%= link_to_function('<span class="icon">&gt;&gt;</span>',
-        "Element.toggle(this);" \
-          +visual_effect(:Grow, 'person_email_identity') \
-          +"Form.focusFirstElement(document.forms[0])") %>
-    </span>
-
-    <span id="person_email_identity" style="display: none">
-      <br />
-      <label for="person_email"><%= _('Email (or check key)') %>:</label>
-      <%= text_field "person", "email", :size => 20 %>
-    </span>
-
-    <%= submit_tag 'OK' %>
-
-    <%= render :partial => '/help',
-      :locals => {
-        :divId => 'login',
-        :content => _('<p>You can participate with:</p> <ul><li>no pseudo</li> <li>an unprotected pseudo</li> <li>a password protected pseudo (click on "<span class="icon">&gt;&gt;</span>")</li> <li>a password protected and email verified pseudo</li></ul> <p> The last method is the only secure way to protect a nickname on <strong>this</strong> server.</p> <p>If a pseudo is not protected <strong>and</strong> verified, anybody else can protect it for themselves if they at least supply a password <em>and</em> an email.</p> <p>A login must contain [3..40] characters, a password [5..40].</p>') } %>
-  </fieldset>
+	:before => visual_effect(:DropOut, 'identity', { :queue => 'end' }),
+	:after => "resetChoices()",
+	:loading => visual_effect(:BlindDown, 'identity', { :queue => 'end' }),
+	:complete => visual_effect(:BlindDown, 'subscriptionLink')) do %>
+
+	<fieldset>
+		<label for="person_name"><%= _('Pseudo') %>:</label>
+		<%= text_field "person", "name", :size => 10 %>
+		<script type="text/javascript">Form.focusFirstElement(document.forms[0]);</script>
+
+		<%= link_to_function('<span class="icon">&gt;&gt;</span>',
+			"Element.toggle(this);" \
+				+visual_effect(:Grow, 'user_password_identity') \
+				+"Form.focusFirstElement(document.forms[0])") %>
+
+		<span id="user_password_identity" style="display: none">
+			<br />
+			<label for="user_password"><%= _('Password') %>:</label>
+			<%= password_field "user", "password", :size => 10 %>
+
+			<%= link_to_function('<span class="icon">&gt;&gt;</span>',
+				"Element.toggle(this);" \
+					+visual_effect(:Grow, 'person_email_identity') \
+					+"Form.focusFirstElement(document.forms[0])") %>
+		</span>
+
+		<span id="person_email_identity" style="display: none">
+			<br />
+			<label for="person_email"><%= _('Email (or check key)') %>:</label>
+			<%= text_field "person", "email", :size => 20 %>
+		</span>
+
+		<%= submit_tag 'OK' %>
+
+		<%= render :partial => '/help',
+			:locals => {
+				:divId => 'login',
+				:content => _('<p>You can participate with:</p> <ul><li>no pseudo</li> <li>an unprotected pseudo</li> <li>a password protected pseudo (click on "<span class="icon">&gt;&gt;</span>")</li> <li>a password protected and email verified pseudo</li></ul> <p> The last method is the only secure way to protect a nickname on <strong>this</strong> server.</p> <p>If a pseudo is not protected <strong>and</strong> verified, anybody else can protect it for themselves if they at least supply a password <em>and</em> an email.</p> <p>A login must contain [3..40] characters, a password [5..40].</p>') } %>
+	</fieldset>
 <% end %>
 

data/app/views/account/_show.rhtml

@@ -11,14 +11,14 @@
 	<!-- Here are updated all choices, watch out, javascript! -->
 	<span class="choicesToUpdate">
 		<script type="text/javascript">
-      updateChoices(
-          {<%= choices.collect { |c| "'elt_#{ c.elt_id }' : '#{ c.value }'" }.join(', ') %>}
+			updateChoices(
+					{<%= choices.collect { |c| "'elt_#{ c.elt_id }' : '#{ c.value }'" }.join(', ') %>}
 			);
 		</script>
 	</span>
 <% end %>
 
-<% if @person = session[:person] %>
+<% if @person = Person.find_by_id(session[:person_id]) %>
 	<script type="text/javascript">
 		if ($('subscriptionLink')) {
 			Element.show($('subscriptionLink'));
@@ -28,21 +28,19 @@
 	</script>
 
 	<span class="author">
-		&lt;<%= link_to session[:person].name,
+		&lt;<%= link_to @person.name,
 			:controller => 'person',
 			:action => 'show',
-			:id => session[:person] %>&gt;
+			:id => @person %>&gt;
 	</span>
 
 	<span class="logout">
 		<%= link_to_remote('[X]',
 			{ :update => 'identity',
 				:url => { :controller => 'account', :action => 'logout', :elt => @elt },
-        :before => visual_effect(:BlindUp, 'identity', { :queue => 'login' }) \
-          +visual_effect(:BlindUp, 'subscriptionLink', { :queue => 'login' }) \
-          +"resetChoices();",
-				:loaded => visual_effect(:BlindDown, 'identity', { :queue => 'login' }) },
-			{ :href => url_for(:controller => 'account', :action => 'logout') }) %>
+        :before => { visual_effect(:DropOut, 'identity', { :queue => 'end' }), "resetChoices()" },
+        :after => visual_effect(:DropOut, 'subscriptionLink'),
+        :loading => visual_effect(:BlindDown, 'identity', { :queue => 'end' }) }) %>
 	</span>
 
 	<div>
@@ -50,42 +48,36 @@
 			:id => "person_avatar", :class => "avatar" %>
 	</div>
 
-  <fieldset id="edit">
-    <legend><%= _('Edit') %></legend>
-		<% form_remote_tag(
-			:update => 'identity',
-			:url => { :controller => 'account', :action => 'setPassword' },
-			:before => visual_effect(:BlindUp, 'identity'),
-			:loaded => visual_effect(:BlindDown, 'identity')) do %>
-      <label for="user_password"><%= _('Password') %>:</label>
+	<fieldset id="identityEdition">
+		<legend><%= _('Edit') %></legend>
+		<% form_remote_tag(:update => 'identity',
+			:url => { :controller => 'account', :action => 'setPassword' }) do %>
+			<label for="user_password"><%= _('Password') %>:</label>
 			<%= password_field "user", "password", :size => 12 %>
 			<%= submit_tag 'OK' %>
 		<% end %>
 
-		<% form_remote_tag(
-			:update => 'identity',
-			:url => { :controller => 'account', :action => 'setEmail' },
-			:before => visual_effect(:BlindUp, 'identity'),
-			:loaded => visual_effect(:BlindDown, 'identity')) do %>
-      <label for="person_email"><%= _('Email') %>:</label>
+		<% form_remote_tag(:update => 'identity',
+			:url => { :controller => 'account', :action => 'setEmail' }) do %>
+			<label for="person_email"><%= _('Email') %>:</label>
 			<%= text_field "person", "email", :size => 16 %>
 			<%= submit_tag 'OK' %>
 		<% end %>
 
 		<% form_tag( { :controller => "account", :action => "setAvatar"},
 				:multipart => true, :target => "avatar", :class => "setAvatar") do %>
-      <label><%= _('Avatar') %>:</label>
-			<%= file_field "person", "image", :onchange => "submit()", :size => 3 %>
+			<label><%= _('Avatar') %>:</label>
+			<%= file_field :person, :image, :size => 8 %>
 			<%= submit_tag 'OK' %>
 		<% end %>
 	</fieldset>
 
 	<iframe id="avatar" name="avatar" style="display: none"></iframe>
 <% else %>
-  <script type="text/javascript">
-    Element.removeClassName(document.body, "logged");
-    Element.addClassName(document.body, "anon");
-  </script>
+	<script type="text/javascript">
+		Element.removeClassName(document.body, "logged");
+		Element.addClassName(document.body, "anon");
+	</script>
 
 	<%= render :partial => '/account/login' %>
 <% end %>

data/app/views/account/signup.rhtml

@@ -1,4 +1,4 @@
-<%= start_form_tag :action=> "signup" %>
+<% form_tag "signup" do %>
 
 <div title="Account signup" id="signupform" class="form">
   <h3>Signup</h3>
@@ -13,5 +13,5 @@
 
 <input type="submit" value="Signup &#187;" class="primary" />
 
-<%= end_form_tag %>
+<% end %>
 

data/app/views/elt/_choice.rhtml

@@ -1,5 +1,5 @@
 <%
-	choice = Choice.find_by_elt_id_and_person_id elt.id, session[:person].id if session[:person]
+	choice = Choice.find_by_elt_id_and_person_id elt.id, session[:person_id]
 	result = elt.result
 %>
 
@@ -9,12 +9,12 @@
 	{ :update => 'eltChoice_'+elt.id.to_s,
 		:url => { :action => 'vote', :id => elt, 'choice[value]' => '-1' },
 		:before => visual_effect(:DropOut, 'eltChoice_'+elt.id.to_s, { :queue => 'end' }),
-		:loaded => visual_effect(:Grow, 'eltChoice_'+elt.id.to_s, { :queue => 'end' }) },
+		:complete => visual_effect(:Grow, 'eltChoice_'+elt.id.to_s, { :queue => 'end' }) },
 	{ :href => url_for(:controller => 'elt', :action => 'vote', 'choice[value]' => '-1') }) %>
 
 <%= link_to_remote("%+d" % result,
-	{ :update => 'result_'+elt.id,
-		:position => :top,
+	{ :update => 'eltChoice_'+elt.id,
+		:position => :after,
 		:url => { :action => 'choices', :id => elt } },
 	{ :class => 'result' + ((choice and choice.value != 0) ? ' selected' : ''),
 		:id => "result_#{ elt.id}",
@@ -26,7 +26,7 @@
   { :update => 'eltChoice_'+elt.id.to_s,
     :url => { :action => 'vote', :id => elt, 'choice[value]' => '+1' },
     :before => visual_effect(:DropOut, 'eltChoice_'+elt.id.to_s, { :queue => 'end' }),
-    :loaded => visual_effect(:Grow, 'eltChoice_'+elt.id.to_s, { :queue => 'end' }) },
+    :complete => visual_effect(:Grow, 'eltChoice_'+elt.id.to_s, { :queue => 'end' }) },
   { :href => url_for(:controller => 'elt', :action => 'vote', 'choice[value]' => '1') }) %>
 
 <script type="text/javascript">setKnob($('elt_<%= elt.id %>'), 0<%= result %>);</script>
@@ -35,7 +35,7 @@
 	<%= link_to_remote(image_tag('write.png'),
 		{ :update => 'eltNew_'+elt.id.to_s,
 			:url => { :controller => 'elt', :action => 'new', :id => elt },
-			:loaded => visual_effect(:BlindDown, 'eltNew_'+elt.id.to_s)+
+			:complete => visual_effect(:BlindDown, 'eltNew_'+elt.id.to_s)+
 				visual_effect(:BlindDown, 'eltSubsClose_'+elt.id.to_s) },
 		{ :href => url_for(:controller => 'elt', :action => 'new', :id => elt.id)}) %>
 </span>