refinerycms-authentication-devise 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 0f9178a82fd347d8cf3c9a6295541017ddc1a476
+  data.tar.gz: 06a1f4a6d52a5e766a3a2181385f105ae463e2ea
+SHA512:
+  metadata.gz: 6e65a2c356403d884ee5c891bd923ddb78794c3f7225bc2b753def48a13740e2c3999448bbcae1b9395eecbb6eafba37af0ce8c18e5db10bd5c62b6fb2a85fa1
+  data.tar.gz: 3731dd94959dfca809697acaea225966b87be47ef9e83a6ebd40ee2a886682a1132202e271be9db4ab3ac9b9aa11e2f151a4df9bb012fff43a9b46105e60096a

data/.gitignore

@@ -0,0 +1,89 @@
+# Rails
+.bundle
+db/*.sqlite3
+db/*.sqlite3-journal
+*.log
+tmp/**/*
+
+# Documentation
+doc/api
+doc/app
+doc/*
+.yardoc
+.yardopts
+
+# Public Uploads
+public/system/*
+public/themes/*
+
+# Public Cache
+public/javascripts/cache
+public/stylesheets/cache
+
+# Vendor Cache
+vendor/cache
+
+# Acts as Indexed
+index/**/*
+
+# Refinery Specific
+*.tmproj
+*.autobackupbyrefinery.*
+/refinerycms-*.gem
+.autotest
+
+# Mac
+.DS_Store
+
+# Windows
+Thumbs.db
+
+# NetBeans
+nbproject
+
+# Eclipse
+.project
+
+# Redcar
+.redcar
+
+# Rubinius
+*.rbc
+
+# Vim
+*.swp
+*.swo
+
+# RubyMine
+.idea
+
+# Backup
+*~
+
+# Capybara Bug
+capybara-*html
+
+# sass
+.sass-cache
+.sass-cache/*
+
+#rvm
+.rvmrc
+.rvmrc.*
+
+# REFINERY CMS DEVELOPMENT ====================================================
+# Always keep this section at the bottom.
+
+config/database.yml
+config/amazon_s3.yml
+config/rackspace_cloudfiles.yml
+your_*.*
+db/schema.rb
+
+# END REFINERY CMS DEVELOPMENT =================================================
+
+Gemfile.lock
+spec/dummy
+
+# Local Gemfile for developing without sharing dependencies
+.gemfile

data/.travis.yml

@@ -0,0 +1,15 @@
+language: ruby
+cache: bundler
+bundler_args: --without development
+before_script: "bin/rake refinery:testing:dummy_app"
+env:
+  - DB=postgresql
+  - DB=mysql
+notifications:
+  webhooks:
+    - https://webhooks.gitter.im/e/b5d48907cdc89864b874
+rvm:
+  - 2.2
+  - 2.1
+  - 2.0.0
+sudo: false

data/Gemfile

@@ -0,0 +1,50 @@
+source "https://rubygems.org"
+
+gemspec
+
+git "https://github.com/refinery/refinerycms", branch: "auth-for-real-yo-tmp" do
+  gem "refinerycms"
+
+  group :test do
+    gem "refinerycms-testing"
+  end
+end
+
+# Database Configuration
+unless ENV["TRAVIS"]
+  gem "activerecord-jdbcsqlite3-adapter", :platform => :jruby
+  gem "sqlite3", :platform => :ruby
+end
+
+if !ENV["TRAVIS"] || ENV["DB"] == "mysql"
+  gem "activerecord-jdbcmysql-adapter", :platform => :jruby
+  gem "jdbc-mysql", "= 5.1.13", :platform => :jruby
+  gem "mysql2", :platform => :ruby
+end
+
+if !ENV["TRAVIS"] || ENV["DB"] == "postgresql"
+  gem "activerecord-jdbcpostgresql-adapter", :platform => :jruby
+  gem "pg", :platform => :ruby
+end
+
+gem "jruby-openssl", :platform => :jruby
+
+# Refinery/rails should pull in the proper versions of these
+group :assets do
+  gem "sass-rails"
+  gem "coffee-rails"
+  gem "uglifier"
+end
+
+group :development do
+  gem 'quiet_assets'
+end
+
+group :test do
+  gem "launchy"
+end
+
+# Load local gems according to Refinery developer preference.
+if File.exist? local_gemfile = File.expand_path("../.gemfile", __FILE__)
+  eval File.read(local_gemfile)
+end

data/Rakefile

@@ -0,0 +1,20 @@
+#!/usr/bin/env rake
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+
+ENGINE_PATH = File.dirname(__FILE__)
+APP_RAKEFILE = File.expand_path("../spec/dummy/Rakefile", __FILE__)
+
+if File.exists?(APP_RAKEFILE)
+  load 'rails/tasks/engine.rake'
+end
+
+require "refinerycms-testing"
+Refinery::Testing::Railtie.load_dummy_tasks(ENGINE_PATH)
+
+load File.expand_path('../tasks/rspec.rake', __FILE__)
+
+task :default => :spec

data/app/controllers/refinery/authentication/devise/admin/users_controller.rb

@@ -0,0 +1,147 @@
+module Refinery
+  module Authentication
+    module Devise
+      module Admin
+        class UsersController < Refinery::AdminController
+
+          crudify :'refinery/authentication/devise/user',
+                  :order => 'username ASC',
+                  :title_attribute => 'username'
+
+          before_action :find_available_plugins, :find_available_roles,
+                        :only => [:new, :create, :edit, :update]
+          before_action :redirect_unless_user_editable!, :only => [:edit, :update]
+          before_action :exclude_password_assignment_when_blank!, :only => :update
+
+          def new
+            @user = Refinery::Authentication::Devise::User.new
+            @selected_plugin_names = []
+          end
+
+          def create
+            @user = Refinery::Authentication::Devise::User.new user_params.except(:roles)
+            @selected_plugin_names = params[:user][:plugins] || []
+            @selected_role_names = params[:user][:roles] || []
+
+            if @user.save
+              create_successful
+            else
+              create_failed
+            end
+          end
+
+          def edit
+            @selected_plugin_names = find_user.plugins.map(&:name)
+          end
+
+          def update
+            # Store what the user selected.
+            @selected_role_names = params[:user].delete(:roles) || []
+            @selected_role_names = @user.roles.select(:title).map(&:title) unless user_can_assign_roles?
+            @selected_plugin_names = params[:user][:plugins]
+
+            if user_is_locking_themselves_out?
+              flash.now[:error] = t('lockout_prevented', :scope => 'refinery.authentication.devise.admin.users.update')
+              render :edit and return
+            end
+
+            store_user_memento
+
+            @user.roles = @selected_role_names.map { |r| Refinery::Authentication::Devise::Role[r.downcase] }
+            if @user.update_attributes user_params
+              update_successful
+            else
+              update_failed
+            end
+          end
+
+          protected
+
+          def create_successful
+            @user.plugins = @selected_plugin_names
+
+            # if the user is a superuser and can assign roles according to this site's
+            # settings then the roles are set with the POST data.
+            if user_can_assign_roles?
+              @user.roles = @selected_role_names.map { |r| Refinery::Authentication::Devise::Role[r.downcase] }
+            else
+              @user.add_role :refinery
+            end
+
+            redirect_to refinery.authentication_devise_admin_users_path,
+                        :notice => t('created', :what => @user.username, :scope => 'refinery.crudify')
+          end
+
+          def create_failed
+            render 'new'
+          end
+
+          def update_successful
+            redirect_to refinery.authentication_devise_admin_users_path,
+                        :notice => t('updated', :what => @user.username, :scope => 'refinery.crudify')
+          end
+
+          def update_failed
+            user_memento_rollback!
+
+            render :edit
+          end
+
+          def find_available_plugins
+            @available_plugins = Refinery::Plugins.registered.in_menu.map { |a|
+              { :name => a.name, :title => a.title }
+            }.sort_by { |a| a[:title] }
+          end
+
+          def find_available_roles
+            @available_roles = Refinery::Authentication::Devise::Role.all
+          end
+
+          def redirect_unless_user_editable!
+            unless current_refinery_user.can_edit? find_user
+              redirect_to refinery.authentication_devise_admin_users_path
+            end
+          end
+
+          private
+          def exclude_password_assignment_when_blank!
+            if params[:user][:password].blank? && params[:user][:password_confirmation].blank?
+              params[:user].except!(:password, :password_confirmation)
+            end
+          end
+
+          def user_can_assign_roles?
+            Refinery::Authentication::Devise.superuser_can_assign_roles &&
+              current_refinery_user.has_role?(:superuser)
+          end
+
+          def user_is_locking_themselves_out?
+            return false if current_refinery_user.id != @user.id || @selected_plugin_names.blank?
+
+            @selected_plugin_names.exclude?('refinery_authentication_devise') || # removing user plugin access
+              @selected_role_names.map(&:downcase).exclude?('refinery') # Or we're removing the refinery role
+          end
+
+          def store_user_memento
+            # Store the current plugins and roles for this user.
+            @previously_selected_plugin_names = @user.plugins.map(&:name)
+            @previously_selected_roles = @user.roles
+          end
+
+          def user_memento_rollback!
+            @user.plugins = @previously_selected_plugin_names
+            @user.roles = @previously_selected_roles
+            @user.save
+          end
+
+          def user_params
+            params.require(:user).permit(
+              :email, :password, :password_confirmation, :remember_me, :username,
+              :login, :full_name, plugins: []
+            )
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/refinery/authentication/devise/passwords_controller.rb

@@ -0,0 +1,58 @@
+module Refinery
+  module Authentication
+    module Devise
+      class PasswordsController < ::Devise::PasswordsController
+        helper Refinery::Core::Engine.helpers
+        layout 'refinery/layouts/login'
+
+        before_action :store_password_reset_return_to, :only => [:update]
+        def store_password_reset_return_to
+          session[:'return_to'] = Refinery::Core.backend_path
+        end
+        protected :store_password_reset_return_to
+
+        # Rather than overriding devise, it seems better to just apply the notice here.
+        after_action :give_notice, :only => [:update]
+        def give_notice
+          if %w(notice error alert).exclude?(flash.keys.map(&:to_s)) or self.resource.errors.any?
+            flash[:notice] = t('successful', :scope => 'refinery.authentication.devise.users.reset', :email => self.resource.email)
+          end
+        end
+        protected :give_notice
+
+        # GET /registrations/password/edit?reset_password_token=abcdef
+        def edit
+          if @reset_password_token = params[:reset_password_token]
+            self.resource = User.find_or_initialize_with_error_by_reset_password_token(params[:reset_password_token])
+            respond_with(self.resource) and return
+          end
+
+          redirect_to refinery.new_authentication_devise_user_password_path,
+                      :flash => ({ :error => t('code_invalid', :scope => 'refinery.authentication.devise.users.reset') })
+        end
+
+        # POST /registrations/password
+        def create
+          if params[:authentication_devise_user].present? && (email = params[:authentication_devise_user][:email]).present? &&
+             (user = User.where(:email => email).first).present?
+
+            token = user.generate_reset_password_token!
+            UserMailer.reset_notification(user, request, token).deliver_now
+            redirect_to refinery.login_path,
+                        :notice => t('email_reset_sent', :scope => 'refinery.authentication.devise.users.forgot')
+          else
+            flash.now[:error] = if (email = params[:authentication_devise_user][:email]).blank?
+              t('blank_email', :scope => 'refinery.authentication.devise.users.forgot')
+            else
+              t('email_not_associated_with_account_html', :email => ERB::Util.html_escape(email), :scope => 'refinery.authentication.devise.users.forgot').html_safe
+            end
+
+            self.new
+
+            render :new
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/refinery/authentication/devise/sessions_controller.rb

@@ -0,0 +1,39 @@
+module Refinery
+  module Authentication
+    module Devise
+      class SessionsController < ::Devise::SessionsController
+        helper Refinery::Core::Engine.helpers
+        layout 'refinery/layouts/login'
+
+        before_action :clear_unauthenticated_flash, :only => [:new]
+        before_action :force_signup_when_no_users!
+        after_action :detect_authentication_devise_user!, only: [:create]
+
+        def create
+          super
+        rescue ::BCrypt::Errors::InvalidSalt, ::BCrypt::Errors::InvalidHash
+          flash[:error] = t('password_encryption', :scope => 'refinery.authentication.devise.users.forgot')
+          redirect_to refinery.new_authentication_devise_user_password_path
+        end
+
+        protected
+
+        # We don't like this alert.
+        def clear_unauthenticated_flash
+          if flash.keys.include?(:alert) and flash.any?{ |k, v|
+            ['unauthenticated', t('unauthenticated', :scope => 'devise.failure')].include?(v)
+          }
+            flash.delete(:alert)
+          end
+        end
+
+        def force_signup_when_no_users!
+          return if refinery_users_exist?
+
+          redirect_to refinery.signup_path and return
+        end
+
+      end
+    end
+  end
+end

data/app/controllers/refinery/authentication/devise/users_controller.rb

@@ -0,0 +1,50 @@
+module Refinery
+  module Authentication
+    module Devise
+      class UsersController < ::Devise::RegistrationsController
+
+        # Protect these actions behind an admin login
+        before_action :redirect?, :only => [:new, :create]
+
+        helper Refinery::Core::Engine.helpers
+        layout 'refinery/layouts/login'
+
+        def new
+          @user = User.new
+        end
+
+        # This method should only be used to create the first Refinery user.
+        def create
+          @user = User.new(user_params)
+
+          if @user.create_first
+            flash[:message] = t('welcome', scope: 'refinery.authentication.devise.users.create', who: @user)
+
+            sign_in(@user)
+            redirect_back_or_default(Refinery::Core.backend_path)
+          else
+            render :new
+          end
+        end
+
+        protected
+
+        def redirect?
+          if current_refinery_user.has_role?(:refinery)
+            redirect_to refinery.authentication_devise_admin_users_path
+          elsif refinery_users_exist?
+            redirect_to refinery.login_path
+          end
+        end
+
+        def user_params
+          params.require(:user).permit(
+            :email, :password, :password_confirmation, :remember_me, :username,
+            :plugins, :login, :full_name
+          )
+        end
+
+      end
+    end
+  end
+end

data/app/decorators/controllers/action_controller_base_decorator.rb

@@ -0,0 +1,25 @@
+require "refinery/authentication/devise/authorisation_manager"
+
+module RefineryAuthenticationDeviseActionControllerBaseDecoration
+  def self.prepended(base)
+    base.prepend_before_action :detect_authentication_devise_user!
+  end
+
+  protected
+  def refinery_users_exist?
+    Refinery::Authentication::Devise::Role[:refinery].users.any?
+  end
+
+  private
+  def refinery_authorisation_manager
+    @refinery_authorisation_manager ||= ::Refinery::Authentication::Devise::AuthorisationManager.new
+  end
+
+  def detect_authentication_devise_user!
+    if current_authentication_devise_user
+      refinery_authorisation_manager.set_user!(current_authentication_devise_user)
+    end
+  end
+end
+
+ActionController::Base.send :prepend, RefineryAuthenticationDeviseActionControllerBaseDecoration

data/app/decorators/controllers/refinery/admin_controller_decorator.rb

@@ -0,0 +1,20 @@
+module RefineryAuthenticationDeviseAdminControllerDecorator
+  protected
+  # this is an override of an existing method in Refinery::AdminController
+  def authenticate_refinery_user!
+    begin
+      super
+    rescue Zilch::Authorisation::NotAuthorisedException
+      session["return_to"] = request.path
+      redirect_to refinery.login_path and return
+    end
+  end
+
+  private
+  def authorisation_manager
+    # defined in app/decorators/controllers/action_controller_base_decorator.rb
+    refinery_authorisation_manager
+  end
+end
+
+Refinery::AdminController.send :prepend, RefineryAuthenticationDeviseAdminControllerDecorator

data/app/decorators/controllers/refinery/application_controller_decorator.rb

@@ -0,0 +1,7 @@
+Refinery::ApplicationController.module_eval do
+  private
+  def authorisation_manager
+    # defined in app/decorators/controllers/action_controller_base_decorator.rb
+    refinery_authorisation_manager
+  end
+end

data/app/mailers/refinery/authentication/devise/user_mailer.rb

@@ -0,0 +1,26 @@
+module Refinery
+  module Authentication
+    module Devise
+      class UserMailer < ActionMailer::Base
+
+        def reset_notification(user, request, reset_password_token)
+          @user = user
+          @url = refinery.edit_authentication_devise_user_password_url({
+            :host => request.host_with_port,
+            :reset_password_token => reset_password_token
+          })
+
+          mail(:to => user.email,
+               :subject => t('subject', :scope => 'refinery.authentication.devise.user_mailer.reset_notification'),
+               :from => "\"#{Refinery::Core.site_name}\" <#{Refinery::Authentication::Devise.email_from_name}@#{request.domain}>")
+        end
+
+      protected
+
+        def url_prefix(request)
+          "#{request.protocol}#{request.host_with_port}"
+        end
+      end
+    end
+  end
+end

data/app/models/refinery/authentication/devise/nil_user.rb

@@ -0,0 +1,31 @@
+require 'refinery/core/nil_user'
+
+module Refinery
+  module Authentication
+    module Devise
+      class NilUser < Refinery::Core::NilUser
+
+        def plugins
+          Refinery::Plugins.new
+        end
+
+        def has_role?(role)
+          false
+        end
+
+        def has_plugin?(name)
+          false
+        end
+
+        def can_edit?(user)
+          false
+        end
+
+        def landing_url
+          Refinery::Core.backend_path
+        end
+
+      end
+    end
+  end
+end

data/app/models/refinery/authentication/devise/role.rb

@@ -0,0 +1,22 @@
+module Refinery
+  module Authentication
+    module Devise
+      class Role < Refinery::Core::BaseModel
+
+        has_and_belongs_to_many :users, :join_table => :refinery_authentication_devise_roles_users
+
+        before_validation :camelize_title
+        validates :title, :uniqueness => true
+
+        def camelize_title(role_title = self.title)
+          self.title = role_title.to_s.camelize
+        end
+
+        def self.[](title)
+          where(:title => title.to_s.camelize).first_or_create!
+        end
+
+      end
+    end
+  end
+end

data/app/models/refinery/authentication/devise/roles_users.rb

@@ -0,0 +1,12 @@
+module Refinery
+  module Authentication
+    module Devise
+      class RolesUsers < Refinery::Core::BaseModel
+
+        belongs_to :role
+        belongs_to :user
+
+      end
+    end
+  end
+end