protected 1.0.0

data/app/controllers/protected/admin/protected_controller.rb

@@ -0,0 +1,14 @@
+module Protected
+  module Admin
+    class ProtectedController < Protected::ApplicationController
+      before_filter :admin_only
+
+      protected
+      def admin_only
+        if !current_user.is_admin?
+          redirect_to not_authorized_url
+        end
+      end
+    end
+  end
+end

data/app/controllers/protected/admin/users_controller.rb

@@ -0,0 +1,70 @@
+module Protected
+  module Admin
+    class UsersController < ProtectedController
+      before_filter :find_user, :except => [:index, :new, :create, :new_search, :search]
+      def index
+        @users = User.paginate(pagination_params)
+      end
+
+      def new
+        @user = User.new
+        @user.is_admin = false
+      end
+
+      def update
+        @user.is_admin = params[:user][:is_admin] unless current_user == @user
+        params[:user].delete(:is_admin)
+        if @user.update_without_password(params[:user])
+          flash[:success] = "User #{@user.name} updated successfully."
+          redirect_to admin_users_url
+        else
+          render :action => 'edit'
+        end
+      end
+
+      def destroy
+        unless @user == current_user
+          @user.destroy
+          flash[:success] = "The user was deleted"
+          redirect_to ['admin','users']
+        else
+          flash[:error] = "The user could not be deleted"
+          redirect_to ['admin',@user]
+        end
+      end
+
+      def create
+        @user = User.new
+        if params[:user].present?
+          @user.is_admin = params[:user][:is_admin]
+          params[:user].delete(:is_admin)
+        end
+        @user.attributes = params[:user]
+        @user.random_password
+        if @user.save
+          flash[:success] = "User #{@user.name} created successfully."
+          redirect_to ['admin','users']
+        else
+          render :action => :new
+        end
+      rescue Errno::ETIMEDOUT
+        @user.errors.add(:base, I18n.t('devise.failure.user.service_error'))
+        render :action => :new
+      end
+
+      def unlock
+        @user.unlock_access!
+        flash[:success] = "User's account has been unlocked"
+        redirect_to admin_users_url
+      end
+
+      protected
+        def find_user
+          @user = User.find(params[:id])
+        rescue ActiveRecord::RecordNotFound => e
+          flash[:error] = e.message
+          redirect_to ['admin','users']
+        end
+    end
+  end
+end

data/app/controllers/protected/application_controller.rb

@@ -0,0 +1,18 @@
+module Protected
+  class ApplicationController < ActionController::Base
+    before_filter :authenticate_user!
+    before_filter :set_cache_buster
+
+    protect_from_forgery
+
+    def pagination_params(opts = {})
+      { :page => params[:page].present? ? params[:page].to_i : 1, :per_page => params[:per_page].present? ? params[:per_page].to_i : 12 }.merge(opts)
+    end
+
+    def set_cache_buster
+      response.headers["Cache-Control"] = "no-cache, no-store, max-age=0, must-revalidate"
+      response.headers["Pragma"] = "no-cache"
+      response.headers["Expires"] = "Fri, 01 Jan 1990 00:00:00 GMT"
+    end
+  end
+end

data/app/controllers/protected/passwords_controller.rb

@@ -0,0 +1,39 @@
+module Protected
+  class PasswordsController < Devise::PasswordsController
+    def update
+      self.resource = resource_class.reset_password_by_token(params[resource_name])
+      if resource.errors.empty?
+        flash[:notice] = "Your password has been changed, please log in again."
+        sign_out_all_scopes
+        redirect_to new_user_session_url and return false
+      end
+      render :template => 'protected/passwords/edit.html.haml'
+    end
+
+    def new
+      build_resource({})
+    end
+
+    def edit
+      unless params[:reset_password_token].present?
+        flash[:notice] = "A valid password token was not found"
+        redirect_to root_url and return false
+      else
+        self.resource = resource_class.new
+        resource.reset_password_token = params[:reset_password_token]
+      end
+    end
+
+    def create
+
+      # Refactor Me:
+      # This currently redireccts the user to a success message regardless if the email is in the database or not.
+      # This is done to prevent others from determining what emails are "good" within the system but may confuse 
+      # a user who tries to reset their password but uses an incorrect address. Because they know they have an
+      # account and received a success message they will infer the application is broken when no email arrives.
+      self.resource = resource_class.reset_password_and_send_password_instructions(params[resource_name])
+      flash[:notice] = "Instructions on how to reset your password have been sent to #{resource.email}."
+      redirect_to new_user_session_url
+    end
+  end
+end

data/app/controllers/protected/sessions_controller.rb

@@ -0,0 +1,44 @@
+module Protected
+  class SessionsController < Devise::SessionsController
+    before_filter :first_login?, :except => [:destroy, :first_login, :update_first_login]
+    skip_before_filter :authenticate_user!, :only => [:not_authorized, :new, :create]
+
+    helper 'protected/application'
+
+    def first_login
+      redirect_to root_url unless current_user
+    end
+
+    def update_first_login
+      current_user.update_on_first_login!(params[:user])
+      if current_user.errors.any?
+        render :action => :first_login
+      else
+        sign_out_all_scopes
+        flash[:notice] = "Your password has been changed, please log in again."
+        redirect_to new_user_session_url
+      end
+    rescue PasswordAlreadyUsedException => e
+      current_user.errors.add(:password, e.message)
+      render :action => :first_login
+    rescue ActiveRecord::RecordInvalid => f
+      render :action => :first_login
+    end
+
+    protected
+    def first_login?
+      if current_user.present? && (current_user.first_login? || params[:wants_first_login] == '1')
+        params.delete(:wants_first_login)
+        redirect_to first_login_url and return true
+      end
+    end
+
+    def after_sign_in_path_for(resource_or_scope)
+      if(current_user.is_admin?)
+        admin_users_url
+      else
+        stored_location_for(resource_or_scope) || signed_in_root_path(resource_or_scope)
+      end
+    end
+  end
+end

data/app/controllers/protected/users_controller.rb

@@ -0,0 +1,12 @@
+module Protected
+  class UsersController < ApplicationController
+    def update
+      if current_user.update_without_password(params[:user])
+        flash[:success] = "Your changes have been saved."
+        redirect_to current_user
+      else
+        render :action => :edit
+      end
+    end
+  end
+end

data/app/helpers/protected/application_helper.rb

@@ -0,0 +1,4 @@
+module Protected
+  module ApplicationHelper
+  end
+end

data/app/helpers/protected/passwords_helper.rb

@@ -0,0 +1,21 @@
+module Protected
+  module PasswordsHelper
+    MESSAGES = {'match confirmation'      => "Passwords should match confirmation",
+                '8 characters long'       => "Password should be at least 8 characters long",
+                'special character'       => "Password should have at least 1 digit, 1 capital letter and 1 special character \(\!\@\#\$\%\^\&\*\(\)\_\-\=\+\)",
+                'previous five passwords' => "You can not use previous five passwords",
+                'password token'          => "You must have a valid reset password token" }
+
+    def password_instructions(messages)
+      section = ""
+      MESSAGES.each do |error, message|
+        section << "<div class=\"alert-message #{ message_class(messages, error) }\">#{message}</div>"
+      end
+      section.html_safe
+    end
+
+    def message_class(messages, error)
+      messages.include?(error) ? "block-message error" : ""
+    end
+  end
+end

data/app/mailers/user_mailer.rb

@@ -0,0 +1,9 @@
+class UserMailer <Devise::Mailer
+  def welcome_login_instructions(record)
+    devise_mail(record, :welcome_login_instructions)
+  end
+
+  def welcome_password_instructions(record)
+    devise_mail(record, :welcome_password_instructions)
+  end
+end

data/app/models/protected.rb

@@ -0,0 +1,5 @@
+module Protected
+  def self.table_name_prefix
+    'protected_'
+  end
+end

data/app/models/protected/old_password.rb

@@ -0,0 +1,18 @@
+# == Schema Information
+#
+# Table name: old_passwords
+#
+#  id                       :integer(4)      not null, primary key
+#  encrypted_password       :string(128)     not null
+#  password_salt            :string(255)
+#  password_archivable_id   :integer(4)      not null
+#  password_archivable_type :string(255)     not null
+#  created_at               :datetime
+#
+module Protected
+  class OldPassword < ActiveRecord::Base
+    belongs_to :password_archivable, :polymorphic => true
+
+    attr_accessible :encrypted_password, :password_salt, :password_archivable, :password_archivable_type, :password_archivable_id
+  end
+end

data/app/models/protected/user.rb

@@ -0,0 +1,165 @@
+
+  # == Schema Information
+  #
+  # Table name: users
+  #
+  #  id                     :integer(4)      not null, primary key
+  #  first_name             :string(255)
+  #  last_name              :string(255)
+  #  company                :string(255)
+  #  password_salt          :string(255)     default(""), not null
+  #  remember_token         :string(255)
+  #  first_login            :boolean(1)      default(TRUE)
+  #  is_admin               :boolean(1)
+  #  created_at             :datetime
+  #  updated_at             :datetime
+  #  email                  :string(255)     default(""), not null
+  #  encrypted_password     :string(128)     default(""), not null
+  #  reset_password_token   :string(255)
+  #  reset_password_sent_at :datetime
+  #  remember_created_at    :datetime
+  #  sign_in_count          :integer(4)      default(0)
+  #  current_sign_in_at     :datetime
+  #  last_sign_in_at        :datetime
+  #  current_sign_in_ip     :string(255)
+  #  last_sign_in_ip        :string(255)
+  #  failed_attempts        :integer(4)      default(0)
+  #  unlock_token           :string(255)
+  #  locked_at              :datetime
+  #  login                  :string(255)
+  #
+class LoginFormatValidator < ActiveModel::EachValidator
+  def validate_each(object, attribute, value)
+    if value.present?
+      unless value.gsub(" ",'') == value
+        object.errors[attribute] << (options[:message] || "cannot contain any whitespace")
+      end
+      if [value[0], value[-1]].any?{ |x| x == "." }
+        object.errors[attribute] << (options[:message] || "cannot contain a period at the start or end")
+      end
+      unless value =~ /[a-zA-Z]/
+        object.errors[attribute] << (options[:message] || "must contain at least one letter")
+      end
+      unless value =~ /[0-9]/
+        object.errors[attribute] << (options[:message] || "must contain at least one number")
+      end
+      unless value =~ /[_\-.]/
+        object.errors[attribute] << (options[:message] || "must contain at least one these special characters \"-_.\"")
+      end
+      unless value =~ /^[a-zA-Z0-9_\-.]+$/
+        object.errors[attribute] << (options[:message] || "can only contain letters number and special characters \"-_.\"")
+      end
+    end
+  end
+end
+
+class UnchangeableValidator < ActiveModel::EachValidator
+  def validate_each(object, attribute, value)
+    if !object.new_record? && value.present?
+      original = object.class.send(:where, "id = #{object.id}").select("id, #{attribute.to_s}").first
+      if original.send(attribute) != value
+        object.errors[attribute] << (options[:message] || "cannot be changed once assigned")
+      end
+    end
+  end
+end
+
+module Protected
+  require  File.dirname(__FILE__) + '/../../../lib/protected/devise_recoverable_extensions'
+  require  File.dirname(__FILE__) + '/../../../lib/protected/password_utils'
+
+  class User < ActiveRecord::Base
+    # devise :database_authenticatable, :recoverable, :trackable, :validatable, :lockable, :timeoutable, :password_archivable,
+    #  :maximum_attempts => 4, :unlock_strategy => :none
+    devise :database_authenticatable, :recoverable, :trackable, :validatable, :lockable, :timeoutable,
+    :maximum_attempts => 4, :unlock_strategy => :none
+
+    has_many :old_passwords, :as => :password_archivable, :dependent => :destroy
+
+    validates :first_name, :presence => true, :format => { :with => /^[a-zA-Z0-9_\s\-.]+$/ }
+    validates :last_name, :presence => true, :format => { :with => /^[a-zA-Z0-9_\s\-.]+$/ }, :uniqueness => { :scope => :first_name, :message => "has alredy been taken by another user with the same first name" }
+    validate :validate_password_strength, :if => lambda{new_record? || (not password.blank?)}
+    validates :login, :unchangeable => true, :presence => true, :login_format => true, :uniqueness => { :case_sensitive => false }, :length => { :maximum => 64, :minimum => 6 }
+    validates :email, :unchangeable => true
+
+    # Setup accessible (or protected) attributes for your model
+    attr_accessible :login, :email, :password, :password_confirmation, :remember_me, :first_name, :last_name, :company, :locked_at, :failed_attempts, :first_login, :current_password
+    attr_accessor :current_password
+
+    after_save :send_mail_if_needed
+
+    # TODO: Extract this code into security pack extension
+    def archive_password
+      if(self.encrypted_password_changed?)
+        self.old_passwords.create! :encrypted_password => self.encrypted_password, :password_salt => self.password_salt, :password_archivable_id => self.id, :password_archivable_type => self.class.to_s
+      end
+    end
+
+    def update_on_first_login!(modified_user)
+      if password_used?(modified_user[:password])
+        raise PasswordAlreadyUsedException
+      else
+        update_attributes!(
+          :password => modified_user[:password],
+          :password_confirmation => modified_user[:password_confirmation],
+          :first_login => false)
+        archive_password
+      end
+    end
+
+    def name
+      [first_name, last_name].join(' ')
+    end
+
+    def password_used?(password)
+      self.password = password
+      return password_archive_included?
+    end
+
+    def reset_password!(pass,conf)
+      if reset_password_token.present? and
+         pass == conf and
+         encrypted_password_changed? and
+         password_archive_included?
+         errors.add(:base, I18n.t('errors.messages.taken_in_past'))
+      else
+        super
+      end
+      self
+    end
+
+    def random_password
+      self.password = self.password_confirmation = PasswordUtils.generate_random_password
+    end
+
+    def send_mail_if_needed
+      if !self.changes.empty? &&
+        self.changes[:id].present? &&
+        self.changes[:id][0].nil? &&
+        self.changes[:id][1].present?
+        if self.first_login?
+          self.archive_password
+          UserMailer.welcome_login_instructions(self).deliver
+          UserMailer.welcome_password_instructions(self).deliver
+        end
+      end
+    end
+
+    class << self
+      def reset_password_and_send_password_instructions(params)
+        record = find_by_email(params["email"])
+        record.random_password && record.save unless record.nil?
+        send_reset_password_instructions(params)
+      end
+    end
+
+    # NOTE: To audit the devise actions we need to ensure we include this after devise has been added. This is a bug in the gem
+    # and should be fixed.
+    audit :methods => [:destroy, :unlock_access!], :attributes => [:first_name,:last_name, :company, :is_admin]
+
+    private
+    def validate_password_strength
+      errors.add(:password, I18n.t('devise.passwords.password_strength')) if not PasswordUtils.strong?(password)
+    end
+  end
+end

data/app/views/layouts/protected/application.html.haml

@@ -0,0 +1,38 @@
+!!!
+%html{:lang => "en"}
+  %head
+    %meta{:charset => "utf-8"}
+    %title 
+    %meta{:content => "width=device-width, initial-scale=1.0", :name => "viewport"}
+    %meta{:content => "", :name => "description"}
+    %meta{:content => "", :name => "author"}
+    = stylesheet_link_tag    "protected/application"
+
+  %body{ :class => "#{Rails.env} #{params[:controller]} #{params[:action]}" }
+    .navbar.navbar-fixed-top
+      .navbar-inner
+        .container-fluid
+          %a.btn.btn-navbar{"data-target" => ".nav-collapse", "data-toggle" => "collapse"}
+            %span.icon-bar
+            %span.icon-bar
+            %span.icon-bar
+          %a.brand{:href => "#"} Project name
+          .nav-collapse
+            - if current_user
+              %ul.nav
+                %li= link_to "Admin", admin_url
+                %li= link_to "Users", ['admin','users']
+                %li= link_to "Live Site", root_url
+              %ul.nav.right
+                %li= link_to "Account Settings", ['edit','admin',current_user]
+                %li= link_to 'Sign Out', destroy_user_session_url
+
+    .container-fluid
+      .row-fluid
+        - flash.each do |name, msg|
+          %div{:class => "alert alert-#{name == :notice ? "success" : "error"}"}
+            %a.close{"data-dismiss" => "alert"} ×
+            = content_tag :div, msg, :id => "flash_#{name}" if msg.is_a?(String)
+        = yield
+
+    = javascript_include_tag "protected/application"