refinerycms-authentication 1.0.11 → 2.0.0

data/app/controllers/refinery/admin/users_controller.rb

@@ -0,0 +1,100 @@
+module Refinery
+  module Admin
+    class UsersController < Refinery::AdminController
+
+      crudify :'refinery/user',
+              :order => 'username ASC',
+              :title_attribute => 'username',
+              :xhr_paging => true
+
+      before_filter :load_available_plugins_and_roles, :only => [:new, :create, :edit, :update]
+
+      def new
+        @user = Refinery::User.new
+        @selected_plugin_names = []
+      end
+
+      def create
+        @user = Refinery::User.new(params[:user])
+        @selected_plugin_names = params[:user][:plugins] || []
+        @selected_role_names = params[:user][:roles] || []
+
+        if @user.save
+          @user.plugins = @selected_plugin_names
+          # if the user is a superuser and can assign roles according to this site's
+          # settings then the roles are set with the POST data.
+          unless current_refinery_user.has_role?(:superuser) and Refinery::Authentication.superuser_can_assign_roles
+            @user.add_role(:refinery)
+          else
+            @user.roles = @selected_role_names.collect { |r| Refinery::Role[r.downcase.to_sym] }
+          end
+
+          redirect_to refinery.admin_users_path,
+                      :notice => t('created', :what => @user.username, :scope => 'refinery.crudify')
+        else
+          render :action => 'new'
+        end
+      end
+
+      def edit
+        @user = Refinery::User.find(params[:id])
+
+        redirect_unless_user_editable!
+
+        @selected_plugin_names = @user.plugins.collect(&:name)
+      end
+
+      def update
+        redirect_unless_user_editable!
+
+        # Store what the user selected.
+        @selected_role_names = params[:user].delete(:roles) || []
+        unless current_refinery_user.has_role?(:superuser) and Refinery::Authentication.superuser_can_assign_roles
+          @selected_role_names = @user.roles.collect(&:title)
+        end
+        @selected_plugin_names = params[:user][:plugins]
+
+        # Prevent the current user from locking themselves out of the User manager
+        if current_refinery_user.id == @user.id and (params[:user][:plugins].exclude?("refinery_users") || @selected_role_names.map(&:downcase).exclude?("refinery"))
+          flash.now[:error] = t('cannot_remove_user_plugin_from_current_user', :scope => 'refinery.admin.users.update')
+          render :edit
+        else
+          # Store the current plugins and roles for this user.
+          @previously_selected_plugin_names = @user.plugins.collect(&:name)
+          @previously_selected_roles = @user.roles
+          @user.roles = @selected_role_names.collect { |r| Refinery::Role[r.downcase.to_sym] }
+          if params[:user][:password].blank? and params[:user][:password_confirmation].blank?
+            params[:user].except!(:password, :password_confirmation)
+          end
+
+          if @user.update_attributes(params[:user])
+            redirect_to refinery.admin_users_path,
+                        :notice => t('updated', :what => @user.username, :scope => 'refinery.crudify')
+          else
+            @user.plugins = @previously_selected_plugin_names
+            @user.roles = @previously_selected_roles
+            @user.save
+            render :edit
+          end
+        end
+      end
+
+    protected
+
+    def load_available_plugins_and_roles
+      @available_plugins = Refinery::Plugins.registered.in_menu.collect { |a|
+        { :name => a.name, :title => a.title }
+      }.sort_by { |a| a[:title] }
+
+      @available_roles = Refinery::Role.all
+    end
+
+      def redirect_unless_user_editable!
+        unless current_refinery_user.can_edit?(@user)
+          redirect_to(main_app.refinery_admin_users_path) and return
+        end
+      end
+
+    end
+  end
+end

data/app/controllers/refinery/passwords_controller.rb

@@ -0,0 +1,51 @@
+module Refinery
+  class PasswordsController < Devise::PasswordsController
+    layout 'refinery/layouts/login'
+
+    before_filter :store_password_reset_return_to, :only => [:update]
+    def store_password_reset_return_to
+      session[:'refinery_user_return_to'] = refinery.admin_root_path
+    end
+    protected :store_password_reset_return_to
+
+    # Rather than overriding devise, it seems better to just apply the notice here.
+    after_filter :give_notice, :only => [:update]
+    def give_notice
+      if %w(notice error alert).exclude?(flash.keys.map(&:to_s)) or @refinery_user.errors.any?
+        flash[:notice] = t('successful', :scope => 'refinery.users.reset', :email => @refinery_user.email)
+      end
+    end
+    protected :give_notice
+
+    # GET /registrations/password/edit?reset_password_token=abcdef
+    def edit
+      if params[:reset_password_token] and (@refinery_user = User.where(:reset_password_token => params[:reset_password_token]).first).present?
+        respond_with(@refinery_user)
+      else
+        redirect_to refinery.new_refinery_user_password_path,
+                    :flash => ({ :error => t('code_invalid', :scope => 'refinery.users.reset') })
+      end
+    end
+
+    # POST /registrations/password
+    def create
+      if params[:refinery_user].present? and (email = params[:refinery_user][:email]).present? and
+         (user = User.where(:email => email).first).present?
+
+        # Call devise reset function.
+        user.send(:generate_reset_password_token!)
+        UserMailer.reset_notification(user, request).deliver
+        redirect_to refinery.new_refinery_user_session_path,
+                    :notice => t('email_reset_sent', :scope => 'refinery.users.forgot')
+      else
+        @refinery_user = User.new(params[:refinery_user])
+        flash.now[:error] = if @refinery_user.email.blank?
+          t('blank_email', :scope => 'refinery.users.forgot')
+        else
+          t('email_not_associated_with_account_html', :email => @refinery_user.email, :scope => 'refinery.users.forgot').html_safe
+        end
+        render :new
+      end
+    end
+  end
+end

data/app/controllers/refinery/sessions_controller.rb

@@ -0,0 +1,26 @@
+module Refinery
+  class SessionsController < Devise::SessionsController
+    layout 'refinery/layouts/login'
+
+    before_filter :clear_unauthenticated_flash, :only => [:new]
+
+    def create
+      super
+    rescue ::BCrypt::Errors::InvalidSalt, ::BCrypt::Errors::InvalidHash
+      flash[:error] = t('password_encryption', :scope => 'refinery.users.forgot')
+      redirect_to refinery.new_refinery_user_password_path
+    end
+
+  protected
+
+    # We don't like this alert.
+    def clear_unauthenticated_flash
+      if flash.keys.include?(:alert) and flash.any?{|k, v|
+        ['unauthenticated', t('unauthenticated', :scope => 'devise.failure')].include?(v)
+      }
+        flash.delete(:alert)
+      end
+    end
+
+  end
+end

data/app/controllers/refinery/users_controller.rb

@@ -0,0 +1,42 @@
+module Refinery
+  class UsersController < Devise::RegistrationsController
+
+    # Protect these actions behind an admin login
+    before_filter :redirect?, :only => [:new, :create]
+
+    layout 'refinery/layouts/login'
+
+    def new
+      @user = User.new
+    end
+
+    # This method should only be used to create the first Refinery user.
+    def create
+      @user = User.new(params[:user])
+
+      if @user.create_first
+        flash[:message] = "<h2>#{t('welcome', :scope => 'refinery.users.create', :who => @user.username).gsub(/\.$/, '')}.</h2>".html_safe
+
+        sign_in(@user)
+        redirect_back_or_default(refinery.admin_root_path)
+      else
+        render :new
+      end
+    end
+
+    protected
+
+    def redirect?
+      if refinery_user?
+        redirect_to refinery.admin_users_path
+      elsif refinery_users_exist?
+        redirect_to refinery.new_refinery_user_session_path
+      end
+    end
+
+    def refinery_users_exist?
+      Refinery::Role[:refinery].users.any?
+    end
+
+  end
+end

data/app/helpers/refinery/sessions_helper.rb

@@ -0,0 +1,4 @@
+module Refinery
+  module SessionsHelper
+  end
+end

data/app/helpers/refinery/users_helper.rb

@@ -0,0 +1,4 @@
+module Refinery
+  module UsersHelper
+  end
+end

data/app/mailers/refinery/user_mailer.rb

@@ -0,0 +1,22 @@
+module Refinery
+  class UserMailer < ActionMailer::Base
+
+    def reset_notification(user, request)
+      @user = user
+      @url = refinery.edit_refinery_user_password_url({
+        :host => request.host_with_port,
+        :reset_password_token => @user.reset_password_token
+      })
+
+      mail(:to => user.email,
+           :subject => t('subject', :scope => 'refinery.user_mailer.reset_notification'),
+           :from => "\"#{Refinery::Core.site_name}\" <no-reply@#{request.domain}>")
+    end
+
+  protected
+
+    def url_prefix(request)
+      "#{request.protocol}#{request.host_with_port}"
+    end
+  end
+end

data/app/models/refinery/role.rb

@@ -0,0 +1,18 @@
+module Refinery
+  class Role < Refinery::Core::BaseModel
+
+    has_and_belongs_to_many :users, :join_table => :refinery_roles_users
+
+    before_validation :camelize_title
+    validates :title, :uniqueness => true
+
+    def camelize_title(role_title = self.title)
+      self.title = role_title.to_s.camelize
+    end
+
+    def self.[](title)
+      find_or_create_by_title(title.to_s.camelize)
+    end
+
+  end
+end

data/app/models/refinery/roles_users.rb

@@ -0,0 +1,8 @@
+module Refinery
+  class RolesUsers < Refinery::Core::BaseModel
+
+    belongs_to :role
+    belongs_to :user
+
+  end
+end

data/app/models/refinery/user.rb

@@ -0,0 +1,94 @@
+require 'devise'
+
+module Refinery
+  class User < Refinery::Core::BaseModel
+    extend FriendlyId
+
+    has_and_belongs_to_many :roles, :join_table => :refinery_roles_users
+
+    has_many :plugins, :class_name => "UserPlugin", :order => "position ASC", :dependent => :destroy
+    friendly_id :username
+
+    # Include default devise modules. Others available are:
+    # :token_authenticatable, :confirmable, :lockable and :timeoutable
+    if self.respond_to?(:devise)
+      devise :database_authenticatable, :registerable, :recoverable, :rememberable, :trackable, :validatable, :authentication_keys => [:login]
+    end
+
+    # Setup accessible (or protected) attributes for your model
+    # :login is a virtual attribute for authenticating by either username or email
+    # This is in addition to a real persisted field like 'username'
+    attr_accessor :login
+    attr_accessible :email, :password, :password_confirmation, :remember_me, :username, :plugins, :login
+
+    validates :username, :presence => true, :uniqueness => true
+
+    class << self
+      # Find user by email or username.
+      # https://github.com/plataformatec/devise/wiki/How-To:-Allow-users-to-sign_in-using-their-username-or-email-address
+      def find_for_database_authentication(conditions)
+        value = conditions[authentication_keys.first]
+        where(["username = :value OR email = :value", { :value => value }]).first
+      end
+    end
+
+    def plugins=(plugin_names)
+      if persisted? # don't add plugins when the user_id is nil.
+        UserPlugin.delete_all(:user_id => id)
+
+        plugin_names.each_with_index do |plugin_name, index|
+          plugins.create(:name => plugin_name, :position => index) if plugin_name.is_a?(String)
+        end
+      end
+    end
+
+    def authorized_plugins
+      plugins.collect { |p| p.name } | ::Refinery::Plugins.always_allowed.names
+    end
+
+    def can_delete?(user_to_delete = self)
+      user_to_delete.persisted? &&
+        !user_to_delete.has_role?(:superuser) &&
+        ::Refinery::Role[:refinery].users.any? &&
+        id != user_to_delete.id
+    end
+
+    def can_edit?(user_to_edit = self)
+      user_to_edit.persisted? && (
+        user_to_edit == self ||
+        self.has_role?(:superuser)
+      )
+    end
+
+    def add_role(title)
+      raise ArgumentException, "Role should be the title of the role not a role object." if title.is_a?(::Refinery::Role)
+      roles << ::Refinery::Role[title] unless has_role?(title)
+    end
+
+    def has_role?(title)
+      raise ArgumentException, "Role should be the title of the role not a role object." if title.is_a?(::Refinery::Role)
+      roles.any?{|r| r.title == title.to_s.camelize}
+    end
+
+    def create_first
+      if valid?
+        # first we need to save user
+        save
+        # add refinery role
+        add_role(:refinery)
+        # add superuser role
+        add_role(:superuser) if ::Refinery::Role[:refinery].users.count == 1
+        # add plugins
+        self.plugins = Refinery::Plugins.registered.in_menu.names
+      end
+
+      # return true/false based on validations
+      valid?
+    end
+
+    def to_s
+      username
+    end
+
+  end
+end

data/app/models/refinery/user_plugin.rb

@@ -0,0 +1,8 @@
+module Refinery
+  class UserPlugin < Refinery::Core::BaseModel
+
+    belongs_to :user
+    attr_accessible :user_id, :name, :position
+
+  end
+end

data/app/views/refinery/admin/users/_actions.html.erb

@@ -0,0 +1,6 @@
+<ul>
+  <li>
+    <%= link_to t('.create_new_user'),
+                refinery.new_admin_user_path, :class => "add_icon" %>
+  </li>
+</ul>

data/app/views/{admin → refinery/admin}/users/_form.html.erb

@@ -1,10 +1,6 @@
-<%= form_for [:admin, @user] do |f| %>
+<%= form_for [refinery, :admin, @user] do |f| %>
 
-  <%= render :partial => "/shared/admin/error_messages",
-             :locals => {
-               :object => @user,
-               :include_object_name => true
-             } %>
+  <%= render '/refinery/admin/error_messages', :object => @user, :include_object_name => true %>
 
   <div class='field'>
     <%= f.label :username %>
@@ -17,7 +13,10 @@
   <div class='field'>
     <%= f.label :password %>
     <%= f.password_field :password, :autocomplete => 'off' %>
-    <%= "<br /><span class='preview'>#{t('.blank_password_keeps_current')}</span>".html_safe if @user.persisted? %>
+    <% if @user.persisted? %>
+      <%= content_tag(:br) %>
+      <%= content_tag(:span, t('.blank_password_keeps_current')) %>
+    <% end %>
   </div>
   <div class='field'>
     <%= f.label :password_confirmation %>
@@ -31,7 +30,7 @@
     <ul id='plugins' class='checkboxes'>
       <% @available_plugins.each do |plugin| -%>
         <% if Refinery::Plugins.always_allowed.names.include?(plugin[:name]) or
-              (plugin[:name] == 'refinery_users' and @user.id == current_user.id) %>
+              (plugin[:name] == 'refinery_users' and @user.id == current_refinery_user.id) %>
           <%= hidden_field_tag 'user[plugins][]', plugin[:name],
                                :id => "plugins_#{plugin[:name]}" %>
         <% else %>
@@ -40,7 +39,7 @@
                               @selected_plugin_names.include?(plugin[:name]),
                               :id => "plugins_#{plugin[:name]}" %>
             <%= f.label 'user[plugins][]',
-                        t('title', :scope => "plugins.#{plugin[:name].downcase}", :default => plugin[:title]),
+                        t('title', :scope => "refinery.plugins.#{plugin[:name].downcase}", :default => plugin[:title]),
                         :class => "stripped",
                         :for => "plugins_#{plugin[:name]}" %>
           </li>
@@ -49,7 +48,7 @@
     </ul>
   </div>
 
-  <% if current_user.has_role?(:superuser) and RefinerySetting.find_or_set(:superuser_can_assign_roles, false) %>
+  <% if current_refinery_user.has_role?(:superuser) and Refinery::Authentication.superuser_can_assign_roles %>
     <div class='field role_access'>
       <span class='label_with_help'>
         <%= f.label :role_access, t('.role_access'), :class => "title_label" %>
@@ -61,7 +60,7 @@
             <%= check_box_tag 'user[roles][]', downcased_title, @user.has_role?(title),
                               :id => "roles_#{downcased_title}" %>
             <%= f.label 'user[roles][]',
-                        t(downcased_title, :scope => 'roles', :default => title),
+                        t(downcased_title, :scope => 'refinery.roles', :default => title),
                         :class => 'stripped',
                         :for => "roles_#{downcased_title}" %>
           </li>
@@ -70,14 +69,11 @@
     </div>
   <% end %>
 
-  <%= render :partial => "/shared/admin/form_actions",
-             :locals => {
-               :f => f,
-               :continue_editing => false,
-               :hide_delete => !current_user.can_delete?(@user),
-               :delete_title => t('delete', :scope => 'admin.users'),
-               :delete_confirmation => t('message', :scope => 'shared.admin.delete', :title => @user.username)
-             } %>
+  <%= render '/refinery/admin/form_actions', :f => f,
+             :continue_editing => false,
+             :hide_delete => !current_refinery_user.can_delete?(@user),
+             :delete_title => t('delete', :scope => 'refinery.admin.users'),
+             :delete_confirmation => t('message', :scope => 'refinery.admin.delete', :title => @user.username) %>
 <% end %>
 
 <% content_for :javascripts do %>

data/app/views/{admin → refinery/admin}/users/_records.html.erb

@@ -1,3 +1,3 @@
 <div class='pagination_container'>
-  <%= render :partial => 'users' %>
+  <%= render 'users' %>
 </div>

data/app/views/refinery/admin/users/_user.html.erb

@@ -0,0 +1,21 @@
+<li id="sortable_<%= user.id %>" class='clearfix record <%= cycle("on", "on-hover") %>'>
+  <span class='title'>
+    <strong><%= user.username %></strong>
+    <span class="preview">
+      <%= t('.preview', :who => user.email, :created_at => l(user.created_at, :format => :short)) %>
+    </span>
+  </span>
+  <span class='actions'>
+    <%= mail_to user.email, refinery_icon_tag('email_go.png'),
+                :title => t('.email_user') %>
+    <%= link_to refinery_icon_tag('application_edit.png'),
+                refinery.edit_admin_user_path(user),
+                :title => t('edit', :scope => 'refinery.admin.users') if current_refinery_user.can_edit?(user) %>
+    <%= link_to refinery_icon_tag('delete.png'),
+                refinery.admin_user_path(user),
+                :class => "cancel confirm-delete",
+                :title => t('delete', :scope => 'refinery.admin.users'),
+                :method => :delete,
+                :confirm => t('message', :scope => 'refinery.admin.delete', :title => user.username) if current_refinery_user.can_delete?(user) %>
+  </span>
+</li>

data/app/views/refinery/admin/users/_users.html.erb

@@ -0,0 +1,4 @@
+<%= will_paginate @users %>
+<ul>
+  <%= render :partial => 'user', :collection => @users %>
+</ul>

data/app/views/refinery/admin/users/edit.html.erb

@@ -0,0 +1 @@
+<%= render 'form' %>

data/app/views/refinery/admin/users/index.html.erb

@@ -0,0 +1,6 @@
+<section id='records'>
+  <%= render 'records' %>
+</section>
+<aside id='actions'>
+  <%= render 'actions' %>
+</aside>

data/app/views/refinery/admin/users/new.html.erb

@@ -0,0 +1 @@
+<%= render 'form' %>

data/app/views/{layouts → refinery/layouts}/login.html.erb

@@ -1,6 +1,6 @@
 <!DOCTYPE html>
-<%= render :partial => "/shared/html_tag" %>
-  <%= render :partial => "/admin/head", :locals => {:login => true} %>
+<%= render '/refinery/html_tag' %>
+  <%= render '/refinery/admin/head' %>
   <body class='login <%= I18n.locale %>'>
     <div id='tooltip_container'></div>
     <header>
@@ -10,12 +10,11 @@
       <div id="page">
         <div id="content" class="clearfix">
           <div id="flash_container">
-            <%= render :partial => "/shared/message" %>
+            <%= render '/refinery/message' %>
           </div>
           <%= yield %>
         </div>
       </div>
     </div>
-    <%= render :partial => "/admin/javascripts", :locals => {:login => true} %>
   </body>
 </html>

data/app/views/refinery/passwords/edit.html.erb

@@ -0,0 +1,26 @@
+<% content_for :header, t('pick_new_password_for', :scope => 'refinery.users.reset', :email => @refinery_user.email) %>
+
+<%= form_for resource, :as => resource_name,
+             :url => refinery.refinery_user_password_path,
+             :html => { :method => :put } do |f| %>
+  <%= f.hidden_field :reset_password_token %>
+
+  <%= render '/refinery/admin/error_messages', :object => @refinery_user, :include_object_name => true %>
+
+  <div class='field'>
+    <%= f.label :password %>
+    <%= f.password_field :password, :class => 'larger widest' %>
+  </div>
+
+  <div class='field'>
+    <%= f.label :password_confirmation %>
+    <%= f.password_field :password_confirmation, :class => 'larger widest' %>
+  </div>
+
+  <%= render '/refinery/admin/form_actions', :f => f,
+             :continue_editing => false,
+             :submit_button_text => t('reset_password', :scope => 'refinery.users.reset'),
+             :cancel_url => refinery.new_refinery_user_session_path,
+             :cancel_title => nil,
+             :hide_delete => true -%>
+<% end -%>

data/app/views/refinery/passwords/new.html.erb

@@ -0,0 +1,17 @@
+<% content_for :header, t('enter_email_address', :scope => 'refinery.users.forgot') %>
+
+<%= form_for resource, :as => resource_name,
+                       :url => refinery.refinery_user_password_path,
+                       :html => { :method => :post } do |f| %>
+
+  <div class='field'>
+    <%= f.text_field :email, :class => "larger widest",
+                     :placeholder => t('email_address', :scope => 'refinery.users.forgot') %>
+  </div>
+
+  <%= render '/refinery/admin/form_actions', :f => f,
+             :continue_editing => false,
+             :submit_button_text => t('reset_password', :scope => 'refinery.users.forgot'),
+             :cancel_url => refinery.refinery_user_session_path,
+             :cancel_title => nil -%>
+<% end -%>

data/app/views/{sessions → refinery/sessions}/new.html.erb

@@ -1,6 +1,7 @@
 <% content_for :header, t('.hello_please_sign_in') %>
 
-<%= form_for(resource, :as => resource_name, :url => session_path(resource_name)) do |f| %>
+<%= form_for resource, :as => resource_name,
+                       :url => refinery.refinery_user_session_path do |f| %>
   <div class='field session_username clearfix'>
     <%= f.label :login %>
     <%= f.text_field :login, :class => 'larger widest' %>
@@ -17,13 +18,10 @@
       </div>
     <% end %>
     <div class='field forgot_password'>
-      <%= link_to t('.forgot_password'), new_password_path(resource_name) %>
+      <%= link_to t('.forgot_password'), refinery.new_refinery_user_password_path %>
     </div>
   </div>
-  <%= render :partial => "/shared/admin/form_actions",
-             :locals => {
-               :f => f,
-               :submit_button_text => t('.sign_in'),
-               :hide_cancel => true
-             } %>
+  <%= render '/refinery/admin/form_actions', :f => f,
+             :submit_button_text => t('.sign_in'),
+             :hide_cancel => true %>
 <% end -%>

data/app/views/refinery/user_mailer/reset_notification.html.erb

@@ -0,0 +1,12 @@
+<p>
+  <%= t('reset_request_received_for', :scope => 'refinery.user_mailer.reset_notification', :username => @user.username) %>
+</p>
+<p>
+  <%= t('visit_this_url', :scope => 'refinery.user_mailer.reset_notification') %>:
+</p>
+<p>
+  <%= @url %>
+</p>
+<p>
+  (<%= t('remain_same_if_no_action', :scope => 'refinery.user_mailer.reset_notification') %>)
+</p>

data/app/views/refinery/user_mailer/reset_notification.text.plain.erb

@@ -0,0 +1,7 @@
+<%= t('reset_request_received_for', :scope => 'refinery.user_mailer.reset_notification', :username => @user.username) %>
+
+<%= t('visit_this_url', :scope => 'refinery.user_mailer.reset_notification') %>:
+
+<%= @url %>
+
+(<%= t('remain_same_if_no_action', :scope => 'refinery.user_mailer.reset_notification') %>)