railscart 0.0.1

data/starter-app/doc/README_FOR_APP

@@ -0,0 +1,2 @@
+Use this README file to introduce your application and point to useful places in the API for learning more.
+Run "rake appdoc" to generate API documentation for your models and controllers.

data/starter-app/lib/authenticated_system.rb

@@ -0,0 +1,116 @@
+module AuthenticatedSystem
+  protected
+    # Returns true or false if the user is logged in.
+    # Preloads @current_user with the user model if they're logged in.
+    def logged_in?
+      current_user != :false
+    end
+
+    # Accesses the current user from the session.  Set it to :false if login fails
+    # so that future calls do not hit the database.
+    def current_user
+      @current_user ||= (login_from_session || login_from_basic_auth || login_from_cookie || :false)
+    end
+
+    # Store the given user id in the session.
+    def current_user=(new_user)
+      session[:user_id] = (new_user.nil? || new_user.is_a?(Symbol)) ? nil : new_user.id
+      @current_user = new_user || :false
+    end
+
+    # Check if the user is authorized
+    #
+    # Override this method in your controllers if you want to restrict access
+    # to only a few actions or if you want to check if the user
+    # has the correct rights.
+    #
+    # Example:
+    #
+    #  # only allow nonbobs
+    #  def authorized?
+    #    current_user.login != "bob"
+    #  end
+    def authorized?
+      logged_in?
+    end
+
+    # Filter method to enforce a login requirement.
+    #
+    # To require logins for all actions, use this in your controllers:
+    #
+    #   before_filter :login_required
+    #
+    # To require logins for specific actions, use this in your controllers:
+    #
+    #   before_filter :login_required, :only => [ :edit, :update ]
+    #
+    # To skip this in a subclassed controller:
+    #
+    #   skip_before_filter :login_required
+    #
+    def login_required
+      authorized? || access_denied
+    end
+
+    # Redirect as appropriate when an access request fails.
+    #
+    # The default action is to redirect to the login screen.
+    #
+    # Override this method in your controllers if you want to have special
+    # behavior in case the user is not authorized
+    # to access the requested action.  For example, a popup window might
+    # simply close itself.
+    def access_denied
+      respond_to do |format|
+        format.html do
+          store_location
+          redirect_to :controller => '/session', :action => 'new'
+        end
+        format.xml do
+          request_http_basic_authentication 'Web Password'
+        end
+      end
+    end
+
+    # Store the URI of the current request in the session.
+    #
+    # We can return to this location by calling #redirect_back_or_default.
+    def store_location
+      session[:return_to] = request.request_uri
+    end
+
+    # Redirect to the URI stored by the most recent store_location call or
+    # to the passed default.
+    def redirect_back_or_default(default)
+      redirect_to(session[:return_to] || default)
+      session[:return_to] = nil
+    end
+
+    # Inclusion hook to make #current_user and #logged_in?
+    # available as ActionView helper methods.
+    def self.included(base)
+      base.send :helper_method, :current_user, :logged_in?
+    end
+
+    # Called from #current_user.  First attempt to login by the user id stored in the session.
+    def login_from_session
+      self.current_user = User.find(session[:user_id]) if session[:user_id]
+    end
+
+    # Called from #current_user.  Now, attempt to login by basic authentication information.
+    def login_from_basic_auth
+      authenticate_with_http_basic do |username, password|
+        self.current_user = User.authenticate(username, password)
+      end
+    end
+
+    # Called from #current_user.  Finaly, attempt to login by an expiring token in the cookie.
+    def login_from_cookie
+      user = cookies[:auth_token] && User.find_by_remember_token(cookies[:auth_token])
+      if user && user.remember_token?
+        user.remember_me
+        cookies[:auth_token] = { :value => user.remember_token, :expires => user.remember_token_expires_at }
+        self.current_user = user
+      end
+    end
+end

data/starter-app/lib/authenticated_test_helper.rb

@@ -0,0 +1,10 @@
+module AuthenticatedTestHelper
+  # Sets the current user in the session from the user fixtures.
+  def login_as(user)
+    @request.session[:user_id] = user ? users(user).id : nil
+  end
+
+  def authorize_as(user)
+    @request.env["HTTP_AUTHORIZATION"] = user ? ActionController::HttpAuthentication::Basic.encode_credentials(users(user).login, 'test') : nil
+  end
+end

data/starter-app/lib/custom_fixtures.rb

@@ -0,0 +1,7 @@
+require 'active_record/fixtures'
+
+class Fixtures < YAML::Omap
+  def delete_existing_fixtures
+    # do nothing - we're intentionally not emptying the database since it has some structural data in it
+  end
+end    

data/starter-app/lib/hijacker.rb

@@ -0,0 +1,78 @@
+# Hijacker class
+#
+# This class is used by RoleRequirementTestHelper to temporarily hijack a controller action for testing
+#
+# It can be used for other tests as well.
+#
+# You can contract the author with questions
+#   Tim C. Harper - irb(main):001:0> ( 'tim_see_harperATgmail._see_om'.gsub('_see_', 'c').gsub('AT', '@') )
+#
+#
+# Example usage:
+#   hijacker = Hijacker.new(ListingsController)
+#   hijacker.hijack_instance_method("index", "render :text => 'hello world!'" )
+#   get :index        # will return "hello world"
+#   hijacker.restore  # put things back the way you found it
+
+class Hijacker
+  def initialize(klass)
+    @target_klass = klass
+    @method_stores = {}
+  end
+  
+  def hijack_class_method(method_name, eval_string = nil, arg_names = [], &block)
+    hijack_method(class_self_instance, method_name, eval_string, arg_names, &block )
+  end
+  
+  def hijack_instance_method(method_name, eval_string = nil, arg_names = [], &block)
+    hijack_method(@target_klass, method_name, eval_string, arg_names, &block )
+  end
+  
+  # restore all 
+  def restore
+    @method_stores.each_pair{|klass, method_stores|
+      method_stores.reverse_each{ |method_name, method| 
+        klass.send :undef_method, method_name
+        klass.send :define_method, method_name, method if method
+      }
+    }
+    @method_stores.clear
+    true
+  rescue
+    false
+  end
+  
+protected  
+
+  def class_self_instance
+    @target_klass.send :eval, "class << self; self; end;"
+  end
+  
+  def hijack_method(klass, method_name, eval_string = nil, arg_names = [], &block)
+    method_name = method_name.to_s
+    # You have got love ruby!  What other language allows you to pillage and plunder a class like this? 
+    
+    (@method_stores[klass]||=[]) << [
+      method_name, 
+      klass.instance_methods.include?(method_name) && klass.instance_method(method_name)
+    ]
+    
+    klass.send :undef_method, method_name
+    if Symbol === eval_string
+      klass.send :define_method, method_name, klass.instance_methods(eval_string)
+    elsif String === eval_string
+      klass.class_eval <<-EOF 
+        def #{method_name}(#{arg_names * ','})
+          #{eval_string}
+        end
+      EOF
+    elsif block_given?
+      klass.send :define_method, method_name, block
+    end
+    
+    true
+  rescue
+    false
+  end
+  
+end

data/starter-app/lib/role_requirement_system.rb

@@ -0,0 +1,142 @@
+# Main module for authentication.  
+# Include this in ApplicationController to activate RoleRequirement
+#
+# See RoleSecurityClassMethods for some methods it provides.
+module RoleRequirementSystem
+  def self.included(klass)
+    klass.send :class_inheritable_array, :role_requirements
+    klass.send :include, RoleSecurityInstanceMethods
+    klass.send :extend, RoleSecurityClassMethods
+    klass.send :helper_method, :url_options_authenticate? 
+    
+    klass.send :role_requirements=, []
+    
+  end
+  
+  module RoleSecurityClassMethods
+    
+    def reset_role_requirements!
+      self.role_requirements.clear
+    end
+    
+    # Add this to the top of your controller to require a role in order to access it.
+    # Example Usage:
+    # 
+    #    require_role "contractor"
+    #    require_role "admin", :only => :destroy # don't allow contractors to destroy
+    #    require_role "admin", :only => :update, :unless => "current_user.authorized_for_listing?(params[:id]) "
+    #
+    # Valid options
+    #
+    #  * :only - Only require the role for the given actions
+    #  * :except - Require the role for everything but 
+    #  * :if - a Proc or a string to evaluate.  If it evaluates to true, the role is required.
+    #  * :unless - The inverse of :if
+    #    
+    def require_role(roles, options = {})
+      options.assert_valid_keys(:if, :unless,
+        :for, :only, 
+        :for_all_except, :except
+      )
+      
+      # only declare that before filter once
+      unless (@before_filter_declared||=false)
+        @before_filter_declared=true
+        before_filter :check_roles
+      end
+      
+      # convert to an array if it isn't already
+      roles = [roles] unless Array===roles
+      
+      options[:only] ||= options[:for] if options[:for]
+      options[:except] ||= options[:for_all_except] if options[:for_all_except]
+      
+      # convert any actions into symbols
+      for key in [:only, :except]
+        if options.has_key?(key)
+          options[key] = [options[key]] unless Array === options[key]
+          options[key] = options[key].compact.collect{|v| v.to_sym}
+        end 
+      end
+      
+      self.role_requirements||=[]
+      self.role_requirements << {:roles => roles, :options => options }
+    end
+    
+    # This is the core of RoleRequirement.  Here is where it discerns if a user can access a controller or not./
+    def user_authorized_for?(user, params = {}, binding = self.binding)
+      return true unless Array===self.role_requirements
+      self.role_requirements.each{| role_requirement|
+        roles = role_requirement[:roles]
+        options = role_requirement[:options]
+        # do the options match the params?
+        
+        # check the action
+        if options.has_key?(:only)
+          next unless options[:only].include?( (params[:action]||"index").to_sym )
+        end
+        
+        if options.has_key?(:except)
+          next if options[:except].include?( (params[:action]||"index").to_sym)
+        end
+        
+        if options.has_key?(:if)
+          # execute the proc.  if the procedure returns false, we don't need to authenticate these roles
+          next unless ( String===options[:if] ? eval(options[:if], binding) : options[:if].call(params) )
+        end
+        
+        if options.has_key?(:unless)
+          # execute the proc.  if the procedure returns true, we don't need to authenticate these roles
+          next if ( String===options[:unless] ? eval(options[:unless], binding) : options[:unless].call(params) )
+        end
+        
+        # check to see if they have one of the required roles
+        passed = false
+        roles.each { |role|
+          passed = true if user.has_role?(role)
+        } unless (user==:false || user==false)
+        
+        return false unless passed
+      }
+      
+      return true
+    end
+  end
+  
+  module RoleSecurityInstanceMethods
+    def self.included(klass)
+      raise "Because role_requirement extends acts_as_authenticated, You must include AuthenticatedSystem first before including RoleRequirementSystem!" unless klass.included_modules.include?(AuthenticatedSystem)
+    end
+    
+    def access_denied
+      if logged_in?
+        render :nothing => true, :status => 401
+        return false
+      else
+        super
+      end
+    end
+    
+    def check_roles       
+      return access_denied unless self.class.user_authorized_for?(current_user, params, binding)
+      
+      true
+    end
+    
+  protected
+    # receives a :controller, :action, and :params.  Finds the given controller and runs user_authorized_for? on it.
+    # This can be called in your views, and is for advanced users only.  If you are using :if / :unless eval expressions, 
+    #   then this may or may not work (eval strings use the current binding to execute, not the binding of the target 
+    #   controller)
+    def url_options_authenticate?(params = {})
+      params = params.symbolize_keys
+      if params[:controller]
+        # find the controller class
+        klass = eval("#{params[:controller]}_controller".classify)
+      else
+        klass = self.class
+      end
+      klass.user_authorized_for?(current_user, params, binding)
+    end
+  end
+end

data/starter-app/lib/role_requirement_test_helper.rb

@@ -0,0 +1,86 @@
+# Include this is test_helper.rb to enable test-case helper support for RoleRequirement via:
+#   include RoleRequirementTestHelper
+#
+# RoleRequirementTestHelper uses the power of ruby to temporarily "hijack" your target action.  (don't worry, it puts things back the way it was after it runs)
+# This means that the only thing that will be tested is whether or not the action can be accessed with a given circumstances.
+# Any authentication you implement inside of your action will be ignored.
+#
+module RoleRequirementTestHelper
+
+  # Makes sure a user can access the given action
+  #
+  # Example:
+  #
+  #   assert_user_can_access(:quentin, "index")
+  # 
+  def assert_user_can_access(user, actions, params = {})
+    assert_user_access_check(true, user, actions, params)
+  end
+  
+  # Makes sure a user cant access the given action
+  #
+  # Example:
+  #
+  #   assert_user_cant_access(:quentin, "destroy", :listing_id => 1)
+  # 
+  def assert_user_cant_access(user, actions, params = {})
+    assert_user_access_check(false, user, actions, params)
+  end
+  
+  # Check a list of users against a set of actions with parameters.
+  # 
+  # Parameters:
+  #   users_access_list - a hash where the key is the label for a fixture, and the value is a boolean.
+  #   actions - a list of actions to test against
+  #   params - a hash containing the parameters to pass to each test call to the controller.
+  # 
+  # Example:
+  #   assert_user_access(
+  #     {:admin => true, :quentin => false }, 
+  #     [:show, :edit], 
+  #     {:listing_id => 1})
+  def assert_users_access(users_access_list, actions, params = {})
+    users_access_list.each_pair {|user, access| 
+      assert_user_access_check(access, user, actions, params)
+    }
+  end
+  
+  alias :assert_user_cannot_access :assert_user_cant_access
+
+private
+  def assert_user_access_check(should_access, user, actions, params = {})
+    params = HashWithIndifferentAccess.new(params)
+    
+    (Array===actions ? actions : [actions]).each { |action|
+      # reset the controller, request, and response
+      @controller = @controller.class.new
+      @request = @request.class.new
+      @response = @response.class.new
+      login_as user
+      if should_access
+        assert request_passes_role_security_system?(action, params), "request to #{@controller.class}##{action} with user #{user} and params #{params.inspect} should have passed "
+      else
+        assert ! request_passes_role_security_system?(action, params), "request to #{@controller.class}##{action} with user #{user} and params #{params.inspect} should have been denied"
+      end
+    }
+  end
+  
+  # This is the core of the test system.
+  def request_passes_role_security_system?(action, params)
+    did_it_pass = false
+    
+    action = action.to_s
+    hijacker = Hijacker.new(@controller.class)
+    
+    begin
+      assert hijacker.hijack_instance_method(action, "@last_action_passed='#{action}'; render :text => 'passed'"), "unable to hijack method '#{action}'.  Are you sure the action exists?"
+      get action, params
+    rescue
+      assert false, "error occurred while trying to access action '#{action}' -- #{$!.to_s}.\nCheck to make sure that you are passing needed parameters.\n#{$!.backtrace * "\n"} "
+    ensure
+      hijacker.restore
+    end
+    
+    did_it_pass = (action.to_s == assigns(:last_action_passed)) # make sure it actually made it through
+  end
+end