restful_authentication 1.1.6

data/generators/authenticated/templates/features/step_definitions/ra_env.rb

@@ -0,0 +1,7 @@
+begin
+  ApplicationController.send(:public, :logged_in?, :current_<%= file_name %>, :authorized?)
+rescue NameError => e
+  puts "An exception occurred: #{e}"
+  puts 'Did you forget to move "include AuthenticatedSystem" from sessions_controller.rb to application_controller.rb?'
+  exit!
+end

data/generators/authenticated/templates/features/step_definitions/user_steps.rb

@@ -0,0 +1,31 @@
+Given /^I am not logged in$/ do
+  visit '/logout'
+end
+
+Given /^I am logged in$/ do
+  <%= file_name %> = <%= class_name %>.make
+  visit '/login'
+  fill_in 'login', :with => <%= file_name %>.login
+  fill_in 'password', :with => <%= file_name %>.password
+  click_button 'Log in'
+end
+
+Then /^I should not be logged in$/ do
+  controller.current_<%= file_name %>.should be_nil
+end
+
+Then /^I should be logged in$/ do
+  controller.current_<%= file_name %>.should_not be_nil
+end
+
+Given /^someone with the login "([^\"]*)" already exists$/ do |login|
+  <%= class_name %>.make(:login => login)
+end
+
+Then /^I should have a remember token$/ do
+  controller.current_<%= file_name %>.remember_token.should_not be_nil
+end
+
+Then /^I should not have a remember token$/ do
+  controller.current_<%= file_name %>.remember_token.should be_nil
+end

data/generators/authenticated/templates/helper.rb

@@ -0,0 +1,2 @@
+module <%= controller_class_name %>Helper
+end

data/generators/authenticated/templates/login.html.erb

@@ -0,0 +1,14 @@
+<h1>Log In</h1>
+
+<%% form_tag <%= controller_routing_name %>_path do -%>
+<p><%%= label_tag 'login' %><br />
+<%%= text_field_tag 'login', @login %></p>
+
+<p><%%= label_tag 'password' %><br/>
+<%%= password_field_tag 'password', nil %></p>
+
+<p><%%= label_tag 'remember_me', 'Remember me' %>
+<%%= check_box_tag 'remember_me', '1', @remember_me %></p>
+
+<p><%%= submit_tag 'Log in' %></p>
+<%% end -%>

data/generators/authenticated/templates/machinist_spec.rb

@@ -0,0 +1,5 @@
+require 'machinist/active_record'
+require 'sham'
+require 'faker'
+
+Dir["#{RAILS_ROOT}/spec/blueprints/*.rb"].each { |f| require f }

data/generators/authenticated/templates/machinist_test.rb

@@ -0,0 +1,5 @@
+require 'machinist/active_record'
+require 'sham'
+require 'faker'
+
+Dir["#{RAILS_ROOT}/test/blueprints/*.rb"].each { |f| require f }

data/generators/authenticated/templates/mailer.rb

@@ -0,0 +1,25 @@
+class <%= class_name %>Mailer < ActionMailer::Base
+  def signup_notification(<%= file_name %>)
+    setup_email(<%= file_name %>)
+    @subject    += 'Please activate your new account'
+  <% if options[:include_activation] %>
+    @body[:url]  = "http://YOURSITE/activate/#{<%= file_name %>.activation_code}"
+  <% else %>
+    @body[:url]  = "http://YOURSITE/login/" <% end %>
+  end
+  
+  def activation(<%= file_name %>)
+    setup_email(<%= file_name %>)
+    @subject    += 'Your account has been activated!'
+    @body[:url]  = "http://YOURSITE/"
+  end
+  
+  protected
+    def setup_email(<%= file_name %>)
+      @recipients  = "#{<%= file_name %>.email}"
+      @from        = "ADMINEMAIL"
+      @subject     = "[YOURSITE] "
+      @sent_on     = Time.now
+      @body[:<%= file_name %>] = <%= file_name %>
+    end
+end

data/generators/authenticated/templates/migration.rb

@@ -0,0 +1,24 @@
+class <%= migration_name %> < ActiveRecord::Migration
+  def self.up
+    create_table :<%= table_name %>, :force => true do |t|
+      t.string :login, :crypted_password, :salt, :remember_token, :limit => 40
+      t.datetime :remember_token_expires_at
+      t.string :name,                      :limit => 100, :default => '', :null => true
+      t.string :email,                     :limit => 100
+<% if options[:include_activation] -%>
+      t.string :activation_code,           :limit => 40
+      t.datetime :activated_at
+<% end -%>
+<% if options[:stateful] -%>
+      t.string :state,                     :null => :no, :default => 'passive'
+      t.datetime :deleted_at
+<% end -%>
+      t.timestamps
+    end
+    add_index :<%= table_name %>, :login, :unique => true
+  end
+
+  def self.down
+    drop_table :<%= table_name %>
+  end
+end

data/generators/authenticated/templates/model.rb

@@ -0,0 +1,83 @@
+require 'digest/sha1'
+
+class <%= class_name %> < ActiveRecord::Base
+  include Authentication
+  include Authentication::ByPassword
+  include Authentication::ByCookieToken
+<% if options[:aasm] -%>
+  include Authorization::AasmRoles
+<% elsif options[:stateful] -%>
+  include Authorization::StatefulRoles<% end %>
+  validates_presence_of     :login
+  validates_length_of       :login,    :within => 3..40
+  validates_uniqueness_of   :login
+  validates_format_of       :login,    :with => Authentication.login_regex, :message => Authentication.bad_login_message
+
+  validates_format_of       :name,     :with => Authentication.name_regex,  :message => Authentication.bad_name_message, :allow_nil => true
+  validates_length_of       :name,     :maximum => 100
+
+  validates_presence_of     :email
+  validates_length_of       :email,    :within => 6..100 #r@a.wk
+  validates_uniqueness_of   :email
+  validates_format_of       :email,    :with => Authentication.email_regex, :message => Authentication.bad_email_message
+
+  <% if options[:include_activation] && !options[:stateful] %>before_create :make_activation_code <% end %>
+
+  # HACK HACK HACK -- how to do attr_accessible from here?
+  # prevents a user from submitting a crafted form that bypasses activation
+  # anything else you want your user to change should be added here.
+  attr_accessible :login, :email, :name, :password, :password_confirmation
+
+<% if options[:include_activation] && !options[:stateful] %>
+  # Activates the user in the database.
+  def activate!
+    @activated = true
+    self.activated_at = Time.now.utc
+    self.activation_code = nil
+    save(false)
+  end
+
+  # Returns true if the user has just been activated.
+  def recently_activated?
+    @activated
+  end
+
+  def active?
+    # the existence of an activation code means they have not activated yet
+    activation_code.nil?
+  end<% end %>
+
+  # Authenticates a user by their login name and unencrypted password.  Returns the user or nil.
+  #
+  # uff.  this is really an authorization, not authentication routine.  
+  # We really need a Dispatch Chain here or something.
+  # This will also let us return a human error message.
+  #
+  def self.authenticate(login, password)
+    return nil if login.blank? || password.blank?
+    u = <% if    options[:stateful]           %>find_in_state :first, :active, :conditions => {:login => login.downcase}<%
+           elsif options[:include_activation] %>find :first, :conditions => ['login = ? and activated_at IS NOT NULL', login]<%
+           else %>find_by_login(login.downcase)<% end %> # need to get the salt
+    u && u.authenticated?(password) ? u : nil
+  end
+
+  def login=(value)
+    write_attribute :login, (value ? value.downcase : nil)
+  end
+
+  def email=(value)
+    write_attribute :email, (value ? value.downcase : nil)
+  end
+
+  protected
+    
+<% if options[:include_activation] -%>
+    def make_activation_code
+  <% if options[:stateful] -%>
+      self.deleted_at = nil
+  <% end -%>
+      self.activation_code = self.class.make_token
+    end
+<% end %>
+
+end

data/generators/authenticated/templates/model_controller.rb

@@ -0,0 +1,96 @@
+class <%= model_controller_class_name %>Controller < ApplicationController
+  # Be sure to include AuthenticationSystem in Application Controller instead
+  include AuthenticatedSystem
+  <% if options[:stateful] %>
+  # Protect these actions behind an admin login
+  # before_filter :admin_required, :only => [:suspend, :unsuspend, :destroy, :purge]
+  before_filter :find_<%= file_name %>, :only => [:suspend, :unsuspend, :destroy, :purge]
+  <% end %>
+
+  # render new.html.erb
+  def new
+    @<%= file_name %> = <%= class_name %>.new
+  end
+ 
+  def create
+    logout_keeping_session!
+    @<%= file_name %> = <%= class_name %>.new(params[:<%= file_name %>])
+<% if options[:stateful] -%>
+    @<%= file_name %>.register! if @<%= file_name %> && @<%= file_name %>.valid?
+    success = @<%= file_name %> && @<%= file_name %>.valid?
+<% else -%>
+    success = @<%= file_name %> && @<%= file_name %>.save
+<% end -%>
+    if success && @<%= file_name %>.errors.empty?
+<% if !options[:include_activation] -%>
+      # Protects against session fixation attacks, causes request forgery
+      # protection if visitor resubmits an earlier form using back
+      # button. Uncomment if you understand the tradeoffs.
+      # reset session
+      self.current_<%= file_name %> = @<%= file_name %> # !! now logged in
+      <% end -%>redirect_back_or_default('/')
+<% if options[:include_activation] -%>
+      flash[:notice] = "Thanks for signing up!  We're sending you an email with your activation code."
+<% else -%>
+      flash[:notice] = "Thanks for signing up!"
+<% end -%>
+    else
+<% if options[:include_activation] -%>
+      flash[:error] = "We couldn't set up that account, sorry.  Please try again, or contact an admin (link is above)."
+<% else -%>
+      flash[:error] = "We couldn't create your account, sorry."
+<% end -%>
+      render :action => 'new'
+    end
+  end
+  
+<% if options[:include_activation] -%>
+  def activate
+    logout_keeping_session!
+    <%= file_name %> = <%= class_name %>.find_by_activation_code(params[:activation_code]) unless params[:activation_code].blank?
+    case
+    when (!params[:activation_code].blank?) && <%= file_name %> && !<%= file_name %>.active?
+      <%= file_name %>.activate!
+      flash[:notice] = "Signup complete! Please sign in to continue."
+      redirect_to '/login'
+    when params[:activation_code].blank?
+      flash[:error] = "The activation code was missing.  Please follow the URL from your email."
+      redirect_back_or_default('/')
+    else 
+      flash[:error]  = "We couldn't find a <%= file_name %> with that activation code -- check your email? Or maybe you've already activated -- try signing in."
+      redirect_back_or_default('/')
+    end
+  end
+<% end -%>
+
+<% if options[:stateful] -%>
+  def suspend
+    @<%= file_name %>.suspend! 
+    redirect_to <%= model_controller_routing_name %>_path
+  end
+
+  def unsuspend
+    @<%= file_name %>.unsuspend! 
+    redirect_to <%= model_controller_routing_name %>_path
+  end
+
+  def destroy
+    @<%= file_name %>.delete!
+    redirect_to <%= model_controller_routing_name %>_path
+  end
+
+  def purge
+    @<%= file_name %>.destroy
+    redirect_to <%= model_controller_routing_name %>_path
+  end
+  
+  # There's no page here to update or destroy a <%= file_name %>.  If you add those, be
+  # smart -- make sure you check that the visitor is authorized to do so, that they
+  # supply their old password along with a new one to update it, etc.
+
+protected
+  def find_<%= file_name %>
+    @<%= file_name %> = <%= class_name %>.find(params[:id])
+  end
+<% end -%>
+end

data/generators/authenticated/templates/model_helper.rb

@@ -0,0 +1,93 @@
+module <%= model_controller_class_name %>Helper
+  
+  #
+  # Use this to wrap view elements that the user can't access.
+  # !! Note: this is an *interface*, not *security* feature !!
+  # You need to do all access control at the controller level.
+  #
+  # Example:
+  # <%%= if_authorized?(:index,   User)  do link_to('List all users', users_path) end %> |
+  # <%%= if_authorized?(:edit,    @user) do link_to('Edit this user', edit_user_path) end %> |
+  # <%%= if_authorized?(:destroy, @user) do link_to 'Destroy', @user, :confirm => 'Are you sure?', :method => :delete end %> 
+  #
+  #
+  def if_authorized?(action, resource, &block)
+    if authorized?(action, resource)
+      yield action, resource
+    end
+  end
+
+  #
+  # Link to user's page ('<%= table_name %>/1')
+  #
+  # By default, their login is used as link text and link title (tooltip)
+  #
+  # Takes options
+  # * :content_text => 'Content text in place of <%= file_name %>.login', escaped with
+  #   the standard h() function.
+  # * :content_method => :<%= file_name %>_instance_method_to_call_for_content_text
+  # * :title_method => :<%= file_name %>_instance_method_to_call_for_title_attribute
+  # * as well as link_to()'s standard options
+  #
+  # Examples:
+  #   link_to_<%= file_name %> @<%= file_name %>
+  #   # => <a href="/<%= table_name %>/3" title="barmy">barmy</a>
+  #
+  #   # if you've added a .name attribute:
+  #  content_tag :span, :class => :vcard do
+  #    (link_to_<%= file_name %> <%= file_name %>, :class => 'fn n', :title_method => :login, :content_method => :name) +
+  #          ': ' + (content_tag :span, <%= file_name %>.email, :class => 'email')
+  #   end
+  #   # => <span class="vcard"><a href="/<%= table_name %>/3" title="barmy" class="fn n">Cyril Fotheringay-Phipps</a>: <span class="email">barmy@blandings.com</span></span>
+  #
+  #   link_to_<%= file_name %> @<%= file_name %>, :content_text => 'Your user page'
+  #   # => <a href="/<%= table_name %>/3" title="barmy" class="nickname">Your user page</a>
+  #
+  def link_to_<%= file_name %>(<%= file_name %>, options={})
+    raise "Invalid <%= file_name %>" unless <%= file_name %>
+    options.reverse_merge! :content_method => :login, :title_method => :login, :class => :nickname
+    content_text      = options.delete(:content_text)
+    content_text    ||= <%= file_name %>.send(options.delete(:content_method))
+    options[:title] ||= <%= file_name %>.send(options.delete(:title_method))
+    link_to h(content_text), <%= model_controller_routing_name.singularize %>_path(<%= file_name %>), options
+  end
+
+  #
+  # Link to login page using remote ip address as link content
+  #
+  # The :title (and thus, tooltip) is set to the IP address 
+  #
+  # Examples:
+  #   link_to_login_with_IP
+  #   # => <a href="/login" title="169.69.69.69">169.69.69.69</a>
+  #
+  #   link_to_login_with_IP :content_text => 'not signed in'
+  #   # => <a href="/login" title="169.69.69.69">not signed in</a>
+  #
+  def link_to_login_with_IP content_text=nil, options={}
+    ip_addr           = request.remote_ip
+    content_text    ||= ip_addr
+    options.reverse_merge! :title => ip_addr
+    if tag = options.delete(:tag)
+      content_tag tag, h(content_text), options
+    else
+      link_to h(content_text), login_path, options
+    end
+  end
+
+  #
+  # Link to the current user's page (using link_to_<%= file_name %>) or to the login page
+  # (using link_to_login_with_IP).
+  #
+  def link_to_current_<%= file_name %>(options={})
+    if current_<%= file_name %>
+      link_to_<%= file_name %> current_<%= file_name %>, options
+    else
+      content_text = options.delete(:content_text) || 'not signed in'
+      # kill ignored options from link_to_<%= file_name %>
+      [:content_method, :title_method].each{|opt| options.delete(opt)} 
+      link_to_login_with_IP content_text, options
+    end
+  end
+
+end

data/generators/authenticated/templates/model_helper_spec.rb

@@ -0,0 +1,157 @@
+require File.dirname(__FILE__) + '/../spec_helper'
+include ApplicationHelper
+include <%= model_controller_class_name %>Helper
+
+describe "<%= model_controller_class_name %>Helper.link_to_<%= file_name %>" do
+  before do
+    @<%= file_name %> = <%= class_name %>.new({
+        :name  => '<%= class_name %> Name',
+        :login => '<%= file_name %>_name',
+      })
+    @<%= file_name %>.id = 1 # set non-attr_accessible specifically
+  end
+
+  it "should give an error on a nil <%= file_name %>" do
+    lambda { link_to_<%= file_name %>(nil) }.should raise_error('Invalid <%= file_name %>')
+  end
+
+  it "should link to the given <%= file_name %>" do
+    link_to_<%= file_name %>(@<%= file_name %>).should have_tag("a[href='/<%= table_name %>/1']")
+  end
+
+  it "should use given link text if :content_text is specified" do
+    link_to_<%= file_name %>(@<%= file_name %>, :content_text => 'Hello there!').should have_tag("a", 'Hello there!')
+  end
+
+  it "should use the login as link text with no :content_method specified" do
+    link_to_<%= file_name %>(@<%= file_name %>).should have_tag("a", '<%= file_name %>_name')
+  end
+
+  it "should use the name as link text with :content_method => :name" do
+    link_to_<%= file_name %>(@<%= file_name %>, :content_method => :name).should have_tag("a", '<%= class_name %> Name')
+  end
+
+  it "should use the login as title with no :title_method specified" do
+    link_to_<%= file_name %>(@<%= file_name %>).should have_tag("a[title='<%= file_name %>_name']")
+  end
+
+  it "should use the name as link title with :content_method => :name" do
+    link_to_<%= file_name %>(@<%= file_name %>, :title_method => :name).should have_tag("a[title='<%= class_name %> Name']")
+  end
+
+  it "should have nickname as a class by default" do
+    link_to_<%= file_name %>(@<%= file_name %>).should have_tag("a.nickname")
+  end
+
+  it "should take other classes and no longer have the nickname class" do
+    result = link_to_<%= file_name %>(@<%= file_name %>, :class => 'foo bar')
+    result.should have_tag("a.foo")
+    result.should have_tag("a.bar")
+  end
+end
+
+describe "<%= model_controller_class_name %>Helper.link_to_signin_with_IP" do
+  before do
+  end
+
+  it "should link to the signin_path" do
+    link_to_signin_with_IP().should have_tag("a[href='/signin']")
+  end
+
+  it "should use given link text if :content_text is specified" do
+    link_to_signin_with_IP(:content_text => 'Hello there!').should have_tag("a", 'Hello there!')
+  end
+
+  it "should use the login as link text with no :content_method specified" do
+    link_to_signin_with_IP().should have_tag("a", '0.0.0.0')
+  end
+
+  it "should use the ip address as title" do
+    link_to_signin_with_IP().should have_tag("a[title='0.0.0.0']")
+  end
+
+  it "should by default be like school in summer and have no class" do
+    link_to_signin_with_IP().should_not have_tag("a.nickname")
+  end
+  
+  it "should have some class if you tell it to" do
+    result = link_to_signin_with_IP(:class => 'foo bar')
+    result.should have_tag("a.foo")
+    result.should have_tag("a.bar")
+  end
+end
+
+describe "<%= model_controller_class_name %>Helper.link_to_current_<%= file_name %>, When logged in" do
+  include AuthenticatedTestHelper
+  before do
+    log_in
+  end
+
+  it "should link to the given <%= file_name %>" do
+    link_to_current_<%= file_name %>().should have_tag("a[href='/<%= table_name %>/1']")
+  end
+
+  it "should use given link text if :content_text is specified" do
+    link_to_current_<%= file_name %>(:content_text => 'Hello there!').should have_tag("a", 'Hello there!')
+  end
+
+  it "should use the login as link text with no :content_method specified" do
+    link_to_current_<%= file_name %>().should have_tag("a", 'quentin')
+  end
+
+  it "should use the name as link text with :content_method => :name" do
+    link_to_current_<%= file_name %>(:content_method => :name).should have_tag("a", 'Quentin')
+  end
+
+  it "should use the login as title with no :title_method specified" do
+    link_to_current_<%= file_name %>().should have_tag("a[title='quentin']")
+  end
+
+  it "should use the name as link title with :content_method => :name" do
+    link_to_current_<%= file_name %>(:title_method => :name).should have_tag("a[title='Quentin']")
+  end
+
+  it "should have nickname as a class" do
+    link_to_current_<%= file_name %>().should have_tag("a.nickname")
+  end
+
+  it "should take other classes and no longer have the nickname class" do
+    result = link_to_current_<%= file_name %>(:class => 'foo bar')
+    result.should have_tag("a.foo")
+    result.should have_tag("a.bar")
+  end
+end
+
+
+
+describe "<%= model_controller_class_name %>Helper.link_to_current_<%= file_name %>, When logged out" do
+  include AuthenticatedTestHelper
+  before do
+  end
+
+  it "should link to the signin_path" do
+    link_to_current_<%= file_name %>().should have_tag("a[href='/signin']")
+  end
+
+  it "should use given link text if :content_text is specified" do
+    link_to_current_<%= file_name %>(:content_text => 'Hello there!').should have_tag("a", 'Hello there!')
+  end
+
+  it "should use the IP address as link text with no :content_method specified" do
+    link_to_current_<%= file_name %>().should have_tag("a", '0.0.0.0')
+  end
+
+  it "should use the ip address as title" do
+    link_to_current_<%= file_name %>().should have_tag("a[title='0.0.0.0']")
+  end
+
+  it "should by default be like school in summer and have no class" do
+    link_to_current_<%= file_name %>().should_not have_tag("a.nickname")
+  end
+
+  it "should have some class if you tell it to" do
+    result = link_to_current_<%= file_name %>(:class => 'foo bar')
+    result.should have_tag("a.foo")
+    result.should have_tag("a.bar")
+  end
+end