refinerycms-authentication 0.9.9.1

data/app/controllers/admin/users_controller.rb

@@ -0,0 +1,90 @@
+module Admin
+  class UsersController < Admin::BaseController
+
+    crudify :user, :order => 'username ASC', :title_attribute => 'username'
+
+    before_filter :load_available_plugins_and_roles, :only => [:new, :create, :edit, :update]
+
+    def index
+      search_all_users if searching?
+      paginate_all_users
+
+      render :partial => 'users' if request.xhr?
+    end
+
+    def new
+      @user = User.new
+      @selected_plugin_names = []
+    end
+
+    def create
+      @user = User.new(params[:user])
+      @selected_plugin_names = params[:user][:plugins] || []
+      @selected_role_names = params[:user][:roles] || []
+
+      if @user.save
+        @user.plugins = @selected_plugin_names
+        # if the user is a superuser and can assign roles according to this site's
+        # settings then the roles are set with the POST data.
+        unless current_user.has_role?(:superuser) and RefinerySetting.find_or_set(:superuser_can_assign_roles, false)
+          @user.add_role(:refinery)
+        else
+          @user.roles = @selected_role_names.collect{|r| Role[r.downcase.to_sym]}
+        end
+
+        redirect_to(admin_users_url, :notice => t('created', :what => @user.username, :scope => 'refinery.crudify'))
+      else
+        render :action => 'new'
+      end
+    end
+
+    def edit
+      @user = User.find params[:id]
+      @selected_plugin_names = @user.plugins.collect{|p| p.name}
+    end
+
+    def update
+      # Store what the user selected.
+      @selected_role_names = params[:user].delete(:roles) || []
+      unless current_user.has_role?(:superuser) and RefinerySetting.find_or_set(:superuser_can_assign_roles, false)
+        @selected_role_names = @user.roles.collect{|r| r.title}
+      end
+      @selected_plugin_names = params[:user][:plugins]
+
+      # Prevent the current user from locking themselves out of the User manager
+      if current_user.id == @user.id and (params[:user][:plugins].exclude?("refinery_users") || @selected_role_names.map(&:downcase).exclude?("refinery"))
+        flash.now[:error] = t('cannot_remove_user_plugin_from_current_user', :scope => 'admin.users.update')
+        render :action => "edit"
+      else
+        # Store the current plugins and roles for this user.
+        @previously_selected_plugin_names = @user.plugins.collect{|p| p.name}
+        @previously_selected_roles = @user.roles
+        @user.roles = @selected_role_names.collect{|r| Role[r.downcase.to_sym]}
+        if params[:user][:password].blank? and params[:user][:password_confirmation].blank?
+          params[:user].delete(:password)
+          params[:user].delete(:password_confirmation)
+        end
+
+        if @user.update_attributes(params[:user])
+          redirect_to admin_users_url, :notice => t('updated', :what => @user.username, :scope => 'refinery.crudify')
+        else
+          @user.plugins = @previously_selected_plugin_names
+          @user.roles = @previously_selected_roles
+          @user.save
+          render :action => 'edit'
+        end
+      end
+    end
+
+  protected
+
+    def load_available_plugins_and_roles
+      @available_plugins = ::Refinery::Plugins.registered.in_menu.collect{|a|
+        {:name => a.name, :title => a.title}
+      }.sort_by {|a| a[:title]}
+
+      @available_roles = Role.all
+    end
+
+  end
+end

data/app/controllers/passwords_controller.rb

@@ -0,0 +1,43 @@
+class PasswordsController < ::Devise::PasswordsController
+  layout 'login'
+
+  # Rather than overriding devise, it seems better to just apply the notice here.
+  after_filter :give_notice, :only => [:update]
+  def give_notice
+    unless %w(notice error alert).include?(flash.keys.map(&:to_s)) or @user.errors.any?
+      flash[:notice] = t('successful', :scope => 'users.reset', :email => @user.email)
+    end
+  end
+  protected :give_notice
+
+  # GET /registrations/password/edit?reset_password_token=abcdef
+  def edit
+    if params[:reset_password_token] and (@user = User.find_by_reset_password_token(params[:reset_password_token])).present?
+      render_with_scope :edit
+    else
+      redirect_to(new_user_password_url, :flash => ({
+        :error => t('code_invalid', :scope => 'users.reset')
+      }))
+    end
+  end
+
+  # POST /registrations/password
+  def create
+    if params[:user].present? and (email = params[:user][:email]).present? and
+       (user = User.find_by_email(email)).present?
+
+      # Call devise reset function.
+      user.send(:generate_reset_password_token!)
+      UserMailer.reset_notification(user, request).deliver
+      redirect_to new_user_session_path, :notice => t('email_reset_sent', :scope => 'users.forgot') and return
+    else
+      @user = User.new(params[:user])
+      flash.now[:error] = if (email = params[:user][:email]).blank?
+        t('blank_email', :scope => 'users.forgot')
+      else
+        t('email_not_associated_with_account_html', :email => email, :scope => 'users.forgot').html_safe
+      end
+      render_with_scope :new
+    end
+  end
+end

data/app/controllers/registrations_controller.rb

@@ -0,0 +1,67 @@
+class RegistrationsController < ::Devise::RegistrationsController
+
+  # Protect these actions behind an admin login
+  before_filter :redirect?, :only => [:new, :create]
+
+  layout 'login'
+
+  def new
+    @user = User.new
+  end
+
+  # This method should only be used to create the first Refinery user.
+  def create
+    @user = User.new(params[:user])
+    @selected_plugin_titles = params[:user][:plugins] || []
+
+    @user.save if @user.valid?
+
+    if @user.errors.empty?
+      @user.add_role(:refinery)
+      @user.plugins = @selected_plugin_titles
+      @user.save
+      if Role[:refinery].users.count == 1
+        # this is the superuser if this user is the only user.
+        @user.add_role(:superuser)
+        @user.save
+
+        # set this user as the recipient of inquiry notifications, if we're using that engine.
+        if defined?(InquirySetting) and
+          (notification_recipients = InquirySetting.find_or_create_by_name("Notification Recipients")).present?
+          notification_recipients.update_attributes({
+            :value => @user.email,
+            :destroyable => false
+          })
+        end
+      end
+
+      flash[:message] = "<h2>#{t('welcome', :scope => 'users.create', :who => @user.username).gsub(/\.$/, '')}.</h2>".html_safe
+
+      site_name_setting = RefinerySetting.find_or_create_by_name('site_name', :value => "Company Name")
+      if site_name_setting.value.to_s =~ /^(|Company\ Name)$/ or Role[:refinery].users.count == 1
+        flash[:message] << "<p>#{t('setup_website_name_html', :scope => 'users',
+                                   :link => edit_admin_refinery_setting_url(site_name_setting, :dialog => true),
+                                   :title => t('edit', :scope => 'admin.refinery_settings'))}</p>".html_safe
+      end
+      sign_in(@user)
+      redirect_back_or_default(admin_root_url)
+    else
+      render :action => 'new'
+    end
+  end
+
+protected
+
+  def redirect?
+    if refinery_user?
+      redirect_to admin_users_url
+    elsif refinery_users_exist?
+      redirect_to new_user_session_path
+    end
+  end
+
+  def refinery_users_exist?
+    Role[:refinery].users.any?
+  end
+
+end

data/app/controllers/sessions_controller.rb

@@ -0,0 +1,23 @@
+class SessionsController < ::Devise::SessionsController
+  layout 'login'
+
+  before_filter :clear_unauthenticated_flash, :only => [:new]
+
+  def create
+    super
+  rescue BCrypt::Errors::InvalidSalt
+    flash[:error] = t('password_encryption', :scope => 'users.forgot')
+    redirect_to new_user_password_path
+  end
+
+protected
+  # We don't like this alert.
+  def clear_unauthenticated_flash
+    if flash.keys.include?(:alert) and flash.values.any?{|v|
+      ['unauthenticated', t('unauthenticated', :scope => 'devise.failure')].include?(v)
+    }
+      flash.delete(:alert)
+    end
+  end
+
+end

data/app/helpers/sessions_helper.rb

@@ -0,0 +1,2 @@
+module SessionsHelper
+end

data/app/helpers/users_helper.rb

@@ -0,0 +1,2 @@
+module UsersHelper
+end

data/app/mailers/user_mailer.rb

@@ -0,0 +1,20 @@
+class UserMailer < ActionMailer::Base
+
+  def reset_notification(user, request)
+    @user = user
+    @url = edit_user_password_url(:host => request.host_with_port,
+                                  :reset_password_token => @user.reset_password_token)
+
+    domain = request.domain(RefinerySetting.find_or_set(:tld_length, 1))
+
+    mail(:to => user.email,
+         :subject => t('subject', :scope => 'user_mailer.reset_notification'),
+         :from => "\"#{RefinerySetting[:site_name]}\" <no-reply@#{domain}>")
+  end
+
+protected
+
+  def url_prefix(request)
+    "#{request.protocol}#{request.host_with_port}"
+  end
+end

data/app/models/role.rb

@@ -0,0 +1,16 @@
+class Role < ActiveRecord::Base
+
+  has_and_belongs_to_many :users
+
+  before_validation :camelize_title
+  validates :title, :uniqueness => true
+
+  def camelize_title(role_title = self.title)
+    self.title = role_title.to_s.camelize
+  end
+
+  def self.[](title)
+    find_or_create_by_title(title.to_s.camelize)
+  end
+
+end

data/app/models/roles_users.rb

@@ -0,0 +1,6 @@
+class RolesUsers < ActiveRecord::Base
+
+  belongs_to :role
+  belongs_to :user
+
+end

data/app/models/user.rb

@@ -0,0 +1,60 @@
+require 'devise'
+
+class User < ActiveRecord::Base
+  has_and_belongs_to_many :roles
+  has_many :plugins, :class_name => "UserPlugin", :order => "position ASC", :dependent => :destroy
+  has_friendly_id :username, :use_slug => true
+
+  # Include default devise modules. Others available are:
+  # :token_authenticatable, :confirmable, :lockable and :timeoutable
+  devise :database_authenticatable, :registerable, :recoverable, :rememberable, :trackable, :validatable
+
+  # Setup accessible (or protected) attributes for your model
+  # :login is a virtual attribute for authenticating by either username or email
+  # This is in addition to a real persisted field like 'username'
+  attr_accessor :login
+  attr_accessible :email, :password, :password_confirmation, :remember_me, :username, :plugins, :login
+
+  validates :username, :presence => true, :uniqueness => true
+
+  class << self
+    # Find user by email or username.
+    # https://github.com/plataformatec/devise/wiki/How-To:-Allow-users-to-sign_in-using-their-username-or-email-address
+    def find_for_database_authentication(conditions)
+      value = conditions[authentication_keys.first]
+      where(["username = :value OR email = :value", { :value => value }]).first
+    end
+  end
+
+  def plugins=(plugin_names)
+    if persisted? # don't add plugins when the user_id is nil.
+      UserPlugin.delete_all(:user_id => id)
+
+      plugin_names.each_with_index do |plugin_name, index|
+        plugins.create(:name => plugin_name, :position => index) if plugin_name.is_a?(String)
+      end
+    end
+  end
+
+  def authorized_plugins
+    plugins.collect { |p| p.name } | Refinery::Plugins.always_allowed.names
+  end
+
+  def can_delete?(user_to_delete = self)
+    user_to_delete.persisted? and
+    !user_to_delete.has_role?(:superuser) and
+    Role[:refinery].users.count > 1 and
+    id != user_to_delete.id
+  end
+
+  def add_role(title)
+    raise ArgumentException, "Role should be the title of the role not a role object." if title.is_a?(Role)
+    roles << Role[title] unless has_role?(title)
+  end
+
+  def has_role?(title)
+    raise ArgumentException, "Role should be the title of the role not a role object." if title.is_a?(Role)
+    (role = Role.find_by_title(title.to_s.camelize)).present? and roles.collect{|r| r.id}.include?(role.id)
+  end
+
+end

data/app/models/user_plugin.rb

@@ -0,0 +1,5 @@
+class UserPlugin < ActiveRecord::Base
+
+  belongs_to :user
+
+end

data/app/views/admin/users/_form.html.erb

@@ -0,0 +1,92 @@
+<%= form_for [:admin, @user] do |f| %>
+
+  <%= render :partial => "/shared/admin/error_messages",
+             :locals => {
+               :object => @user,
+               :include_object_name => true
+             } %>
+
+  <div class='field'>
+    <%= f.label :username %>
+    <%= f.text_field :username %>
+  </div>
+  <div class='field'>
+    <%= f.label :email %>
+    <%= f.text_field :email %>
+  </div>
+  <div class='field'>
+    <%= f.label :password %>
+    <%= f.password_field :password, :autocomplete => 'off' %>
+    <%= "<br /><span class='preview'>#{t('.blank_password_keeps_current')}</span>".html_safe if @user.persisted? %>
+  </div>
+  <div class='field'>
+    <%= f.label :password_confirmation %>
+    <%= f.password_field :password_confirmation, :autocomplete => 'off' %>
+  </div>
+  <div class='field plugin_access'>
+    <span class='label_with_help'>
+      <%= f.label :plugin_access, t('.plugin_access'), :class => "title_label" %>
+      <%= link_to "(#{t('.enable_all')})", "", :id => "user_plugins_enable_all" %>
+    </span>
+    <ul id='plugins' class='checkboxes'>
+      <% @available_plugins.each do |plugin| -%>
+        <% if Refinery::Plugins.always_allowed.names.include?(plugin[:name]) or
+              (plugin[:name] == 'refinery_users' and @user.id == current_user.id) %>
+          <%= hidden_field_tag 'user[plugins][]', plugin[:name],
+                               :id => "plugins_#{plugin[:name]}" %>
+        <% else %>
+          <li>
+            <%= check_box_tag 'user[plugins][]', plugin[:name],
+                              @selected_plugin_names.include?(plugin[:name]),
+                              :id => "plugins_#{plugin[:name]}" %>
+            <%= f.label 'user[plugins][]',
+                        t('title', :scope => "plugins.#{plugin[:name].downcase}", :default => plugin[:title]),
+                        :class => "stripped",
+                        :for => "plugins_#{plugin[:name]}" %>
+          </li>
+        <% end %>
+      <% end %>
+    </ul>
+  </div>
+
+  <% if current_user.has_role?(:superuser) and RefinerySetting.find_or_set(:superuser_can_assign_roles, false) %>
+    <div class='field role_access'>
+      <span class='label_with_help'>
+        <%= f.label :role_access, t('.role_access'), :class => "title_label" %>
+      </span>
+      <ul id='roles' class='checkboxes'>
+        <% @available_roles.each do |role|
+          downcased_title = (title = role[:title]).downcase -%>
+          <li>
+            <%= check_box_tag 'user[roles][]', downcased_title, @user.has_role?(title),
+                              :id => "roles_#{downcased_title}" %>
+            <%= f.label 'user[roles][]',
+                        t(downcased_title, :scope => 'roles', :default => title),
+                        :class => 'stripped',
+                        :for => "roles_#{downcased_title}" %>
+          </li>
+        <% end %>
+      </ul>
+    </div>
+  <% end %>
+
+  <%= render :partial => "/shared/admin/form_actions",
+             :locals => {
+               :f => f,
+               :continue_editing => false,
+               :hide_delete => !current_user.can_delete?(@user),
+               :delete_title => t('delete', :scope => 'admin.users'),
+               :delete_confirmation => t('message', :scope => 'shared.admin.delete', :title => @user.username)
+             } %>
+<% end %>
+
+<% content_for :javascripts do %>
+  <script>
+    $(document).ready(function() {
+      $('#user_plugins_enable_all').click(function(e, a) {
+        $('div.field.plugin_access ul#plugins li input:checkbox').attr('checked', true);
+        e.preventDefault();
+      });
+    });
+  </script>
+<% end %>