spree_auth 0.30.0.beta1

data/LICENSE

@@ -0,0 +1,26 @@
+Copyright (c) 2007-2010, Rails Dog LLC and other contributors
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification,
+are permitted provided that the following conditions are met:
+
+    * Redistributions of source code must retain the above copyright notice,
+      this list of conditions and the following disclaimer.
+    * Redistributions in binary form must reproduce the above copyright notice,
+      this list of conditions and the following disclaimer in the documentation
+      and/or other materials provided with the distribution.
+    * Neither the name Spree nor the names of its contributors may be used to
+      endorse or promote products derived from this software without specific
+      prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
+CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

data/README.md

@@ -0,0 +1,35 @@
+Overview
+--------
+
+This gem provides the so-called "core" functionality of Spree and is a requirement for any Spree application or
+store.  The basic data models as well as product catalog and admin functionality are all provided by this gem.
+
+
+Security Warning
+----------------
+
+*This gem provides absolutely no authentication and authorization.  You are strongly encouraged to install
+and use the spree-auth gem in addition to spree-core in order to restrict access to orders and other admin
+functionality.*
+
+
+Running Tests
+-------------
+
+You need to do a quick one-time creation of a test application and then you can use it to run the tests.
+
+    rails new testapp -m spec/test_template.rb -T -J
+    cd testapp
+    rails g spree_core:install
+    rake db:migrate db:seed db:test:prepare
+
+Then run the tests
+
+    rspec spec
+
+Misc
+----
+
+authentication by token example
+
+    http://localhost:3000/?auth_token=oWBSN16k6dWx46TtSGcp

data/app/controllers/admin_controller_decorator.rb

@@ -0,0 +1,7 @@
+Admin::BaseController.class_eval do
+  before_filter :authorize_admin
+
+  def authorize_admin
+    authorize! :admin, Object
+  end
+end

data/app/controllers/checkout_controller_decorator.rb

@@ -0,0 +1,30 @@
+CheckoutController.class_eval do
+  before_filter :check_authorization
+  before_filter :check_registration, :except => [:registration, :update_registration]
+
+  def registration
+    @user = User.new
+  end
+
+  def update_registration
+    @user = current_order.user
+    @user.email = params[:user][:email]
+    if @user.save
+      redirect_to checkout_path and return
+    else
+      render :registration and return
+    end
+  end
+
+  private
+  def check_authorization
+    authorize!(:edit, current_order)
+  end
+
+  # Introduces a registration step whenever the +registration_step+ preference is true.
+  def check_registration
+    return unless Spree::Auth::Config[:registration_step]
+    return if current_user or not current_order.user.anonymous?
+    redirect_to checkout_registration_path
+  end
+end

data/app/controllers/devise/sessions_controller_decorator.rb

@@ -0,0 +1,12 @@
+Devise::SessionsController.class_eval do
+  after_filter :associate_user, :only => :create
+
+  include Spree::CurrentOrder
+  include Spree::AuthUser
+
+  def associate_user
+    return unless current_user and current_order
+    current_order.associate_user!(current_user) if can? :edit, current_order
+    session[:guest_token] = nil
+  end
+end

data/app/controllers/orders_controller_decorator.rb

@@ -0,0 +1,18 @@
+OrdersController.class_eval do
+  after_filter :store_guest, :only => :populate
+  before_filter :check_authorization
+
+  private
+  def store_guest
+    return if current_user
+    session[:guest_token] ||= @order.user.authentication_token
+  end
+
+  def check_authorization
+    if current_order
+      authorize! :edit, current_order
+    else
+      authorize! :create, Order
+    end
+  end
+end

data/app/controllers/resource_controller_decorator.rb

@@ -0,0 +1,15 @@
+# This overrides the before method provided by resource_controller so that the current_user is authorized
+# for each action before proceding.
+module ResourceController
+  module Helpers
+    module Internal
+      protected
+      # Calls the before block for the action, if one is present.
+      #
+      def before(action)
+        authorize! action, object || model
+        invoke_callbacks *self.class.send(action).before
+      end
+    end
+  end
+end

data/app/controllers/spree/base_controller_decorator.rb

@@ -0,0 +1,38 @@
+Spree::BaseController.class_eval do
+
+  include Spree::AuthUser
+
+  # graceful error handling for cancan authorization exceptions
+  rescue_from CanCan::AccessDenied, :with => :unauthorized
+
+  private
+
+  # Redirect as appropriate when an access request fails.  The default action is to redirect to the login screen.
+  # Override this method in your controllers if you want to have special behavior in case the user is not authorized
+  # to access the requested action.  For example, a popup window might simply close itself.
+  def unauthorized
+    respond_to do |format|
+      format.html do
+        if current_user
+          flash.now[:error] = I18n.t(:authorization_failure)
+          render 'shared/unauthorized', :layout => 'spree_application'
+        else
+          store_location
+          redirect_to new_user_session_path and return
+        end
+      end
+      format.xml do
+        request_http_basic_authentication 'Web Password'
+      end
+    end
+  end
+
+  def store_location
+    # disallow return to login, logout, signup pages
+    disallowed_urls = [new_user_registration_path, new_user_session_path, destroy_user_session_path]
+    disallowed_urls.map!{|url| url[/\/\w+$/]}
+    unless disallowed_urls.include?(request.fullpath)
+      session[:return_to] = request.fullpath
+    end
+  end
+end

data/app/models/ability.rb

@@ -0,0 +1,41 @@
+class Ability
+  include CanCan::Ability
+
+  def initialize(user)
+    self.clear_aliased_actions
+
+    # override cancan default aliasing (we don't want to differentiate between read and index)
+    alias_action :edit, :to => :update
+    alias_action :new, :to => :create
+    alias_action :show, :to => :read
+
+    user ||= User.new
+    if user.has_role? 'admin'
+      can :manage, :all
+    else
+      #############################
+      can :read, User do |resource|
+        resource == user
+      end
+      can :update, User do |resource|
+        resource == user
+      end
+      can :create, User
+      #############################
+      can :read, Order do |order|
+        order.user == user
+      end
+      can :update, Order do |order|
+        order.user == user
+      end
+      can :create, Order
+      #############################
+      can :read, Product
+      can :index, Product
+      #############################
+      can :read, Taxon
+      can :index, Taxon
+      #############################
+    end
+  end
+end

data/app/models/order_decorator.rb

@@ -0,0 +1,12 @@
+Order.class_eval do
+  # Associates the specified user with the order and destroys any previous association with guest user if
+  # necessary.
+  def associate_user!(user)
+    self.user = user
+    save!
+  end
+
+  def token
+    user.token if user.anonymous?
+  end
+end

data/app/models/spree_auth_configuration.rb

@@ -0,0 +1,3 @@
+class SpreeAuthConfiguration < Configuration
+  preference :registration_step, :boolean, :default => true
+end

data/app/models/user.rb

@@ -0,0 +1,43 @@
+class User < ActiveRecord::Base
+
+  has_many :orders
+  has_and_belongs_to_many :roles
+  belongs_to :ship_address, :foreign_key => "ship_address_id", :class_name => "Address"
+  belongs_to :bill_address, :foreign_key => "bill_address_id", :class_name => "Address"
+
+  before_save :check_admin
+
+  # Include default devise modules. Others available are:
+  # :confirmable, :lockable and :timeoutable
+  devise :database_authenticatable, :registerable, :token_authenticatable,
+         :recoverable, :rememberable, :trackable, :validatable
+
+  # Setup accessible (or protected) attributes for your model
+  attr_accessible :email, :password, :password_confirmation, :remember_me, :anonymous
+  after_save :ensure_authentication_token!
+
+  alias_attribute :token, :authentication_token
+
+  # has_role? simply needs to return true or false whether a user has a role or not.
+  def has_role?(role_in_question)
+    roles.any? { |role| role.name == role_in_question.to_s }
+  end
+
+  def self.anonymous!
+    token = User.generate_token(:authentication_token)
+    User.create(:email => "#{token}@example.com", :password => token, :password_confirmation => token, :anonymous => true)
+  end
+
+  def email=(email)
+    self.anonymous = false unless email.include?("example.com")
+    write_attribute :email, email
+  end
+
+  private
+  def check_admin
+    if User.where("roles.name" => "admin").includes(:roles).empty?
+      self.roles << Role.find_by_name("admin")
+    end
+    true
+  end
+end

data/app/views/checkout/registration.html.erb

@@ -0,0 +1,19 @@
+<%= render "shared/error_messages", :target => @user %>
+<h2><%= t("registration")%></h2>
+<div id="registration">
+  <div id="account">
+    <!-- TODO: add partial with devise registration form -->
+  </div>
+  <% if Spree::Config[:allow_guest_checkout] %>
+    <div id="guest_checkout">
+      <h2><%= t(:guest_user_account) %></h2>
+      <%= form_for :user, :url => update_checkout_registration_path, :html => { :method => :put, :id => "checkout_form_registration"} do |f| %>
+        <p>
+          <%= f.label :email, t("email") %><br />
+          <%= f.text_field :email, :class => 'title'  %>
+        </p>
+        <p><%= submit_tag t("continue"), :class => 'button primary' %></p>
+      <% end %>
+    </div>
+  <% end %>
+</div>

data/app/views/devise/confirmations/new.html.erb

@@ -0,0 +1,12 @@
+<h2><%= t(:resend_confirmation_instructions) %></h2>
+
+<%= form_for(resource, :as => resource_name, :url => confirmation_path(resource_name), :html => { :method => :post }) do |f| %>
+  <%= devise_error_messages! %>
+
+  <p><%= f.label :email %><br />
+  <%= f.text_field :email %></p>
+
+  <p><%= f.submit t(:resend_confirmation_instructions) %></p>
+<% end %>
+
+<%= render :partial => "devise/shared/links" %>

data/app/views/devise/mailer/confirmation_instructions.html.erb

@@ -0,0 +1,5 @@
+<p>Welcome <%= @resource.email %>!</p>
+
+<p>You can confirm your account through the link below:</p>
+
+<p><%= link_to 'Confirm my account', confirmation_url(@resource, :confirmation_token => @resource.confirmation_token) %></p>

data/app/views/devise/mailer/reset_password_instructions.html.erb

@@ -0,0 +1,8 @@
+<p>Hello <%= @resource.email %>!</p>
+
+<p>Someone has requested a link to change your password, and you can do this through the link below.</p>
+
+<p><%= link_to 'Change my password', edit_password_url(@resource, :reset_password_token => @resource.reset_password_token) %></p>
+
+<p>If you didn't request this, please ignore this email.</p>
+<p>Your password won't change until you access the link above and create a new one.</p>

data/app/views/devise/mailer/unlock_instructions.html.erb

@@ -0,0 +1,7 @@
+<p>Hello <%= @resource.email %>!</p>
+
+<p>Your account has been locked due to an excessive amount of unsuccessful sign in attempts.</p>
+
+<p>Click the link below to unlock your account:</p>
+
+<p><%= link_to 'Unlock my account', unlock_url(@resource, :unlock_token => @resource.unlock_token) %></p>

data/app/views/devise/passwords/edit.html.erb

@@ -0,0 +1,16 @@
+<h2><%= t(:change_my_password) %></h2>
+
+<%= form_for(resource, :as => resource_name, :url => password_path(resource_name), :html => { :method => :put }) do |f| %>
+  <%= devise_error_messages! %>
+  <%= f.hidden_field :reset_password_token %>
+
+  <p><%= f.label :password %><br />
+  <%= f.password_field :password %></p>
+
+  <p><%= f.label :password_confirmation %><br />
+  <%= f.password_field :password_confirmation %></p>
+
+  <p><%= f.submit t(:change_my_password) %></p>
+<% end %>
+
+<%= render :partial => "devise/shared/links" %>

data/app/views/devise/passwords/new.html.erb

@@ -0,0 +1,12 @@
+<h2><%= t(:forgot_password) %></h2>
+
+<%= form_for(resource, :as => resource_name, :url => password_path(resource_name), :html => { :method => :post }) do |f| %>
+  <%= devise_error_messages! %>
+
+  <p><%= f.label :email %><br />
+  <%= f.text_field :email %></p>
+
+  <p><%= f.submit t(:send_me_reset_password_instructions) %></p>
+<% end %>
+
+<%= render :partial => "devise/shared/links" %>

data/app/views/devise/registrations/edit.html.erb

@@ -0,0 +1,25 @@
+<h2><%= t(:my_account) %></h2>
+
+<%= form_for(resource, :as => resource_name, :url => registration_path(resource_name), :html => { :method => :put }) do |f| %>
+  <%= devise_error_messages! %>
+
+  <p><%= f.label :email %><br />
+  <%= f.text_field :email %></p>
+
+  <p><%= f.label :password %> <i><%= t(:leave_blank_to_not_change) %></i><br />
+  <%= f.password_field :password %></p>
+
+  <p><%= f.label :password_confirmation %><br />
+  <%= f.password_field :password_confirmation %></p>
+
+  <p><%= f.label :current_password %> <i><%= t(:enter_password_to_confirm) %></i><br />
+  <%= f.password_field :current_password %></p>
+
+  <p><%= f.submit t(:update) %></p>
+<% end %>
+
+<h3><%= t(:cancel_my_account) %></h3>
+
+<p><%= t(:cancel_my_account_description) %> <%= link_to t(:cancel_my_account), registration_path(resource_name), :confirm => t(:are_you_sure), :method => :delete %>.</p>
+
+<%= link_to t(:back), :back %>

data/app/views/devise/registrations/new.html.erb

@@ -0,0 +1,22 @@
+<% @body_id = 'signup' %>
+
+<div id="new-customer">
+  <h2><%= t("new_customer") %></h2>
+
+  <%= form_for(resource, :as => resource_name, :url => registration_path(resource_name)) do |f| %>
+    <%= devise_error_messages! %>
+
+    <p><%= f.label :email %><br />
+    <%= f.text_field :email %></p>
+
+    <p><%= f.label :password %><br />
+    <%= f.password_field :password %></p>
+
+    <p><%= f.label :password_confirmation %><br />
+    <%= f.password_field :password_confirmation %></p>
+
+    <p><%= f.submit t(:sign_up) %></p>
+  <% end %>
+
+  <%= render :partial => "devise/shared/links" %>
+</div>

data/app/views/devise/sessions/new.html.erb

@@ -0,0 +1,20 @@
+<% @body_id = 'login' %>
+<div id="existing-customer">
+  <h2><%= t("login_as_existing") %></h2>
+
+  <%= form_for(resource, :as => resource_name, :url => session_path(resource_name)) do |f| %>
+    <p><%= f.label :email %><br />
+    <%= f.text_field :email %></p>
+
+    <p><%= f.label :password %><br />
+    <%= f.password_field :password %></p>
+
+    <% if devise_mapping.rememberable? -%>
+      <p><%= f.check_box :remember_me %> <%= f.label :remember_me %></p>
+    <% end -%>
+
+    <p><%= f.submit t(:log_in) %></p>
+  <% end %>
+
+  <%= render :partial => "devise/shared/links" %>
+</div>

data/app/views/devise/shared/_links.erb

@@ -0,0 +1,19 @@
+<%- if controller_name != 'sessions' %>
+  <%= link_to t(:log_in), new_session_path(resource_name) %><br />
+<% end -%>
+
+<%- if devise_mapping.registerable? && controller_name != 'registrations' %>
+  <%= link_to t(:sign_up), new_registration_path(resource_name) %><br />
+<% end -%>
+
+<%- if devise_mapping.recoverable? && controller_name != 'passwords' %>
+  <%= link_to t(:forgot_password), new_password_path(resource_name) %><br />
+<% end -%>
+
+<%- if devise_mapping.confirmable? && controller_name != 'confirmations' %>
+  <%= link_to t(:didnt_receive_confirmation_instructions), new_confirmation_path(resource_name) %><br />
+<% end -%>
+
+<%- if devise_mapping.lockable? && resource_class.unlock_strategy_enabled?(:email) && controller_name != 'unlocks' %>
+  <%= link_to t(:didnt_receive_unlock_instructions), new_unlock_path(resource_name) %><br />
+<% end -%>

data/app/views/devise/unlocks/new.html.erb

@@ -0,0 +1,12 @@
+<h2><%= t(:resend_unlock_instructions) %></h2>
+
+<%= form_for(resource, :as => resource_name, :url => unlock_path(resource_name), :html => { :method => :post }) do |f| %>
+  <%= devise_error_messages! %>
+
+  <p><%= f.label :email %><br />
+  <%= f.text_field :email %></p>
+
+  <p><%= f.submit t(:resend_unlock_instructions) %></p>
+<% end %>
+
+<%= render :partial => "devise/shared/links" %>

data/app/views/shared/_login_bar.html.erb

@@ -0,0 +1,6 @@
+<% if current_user %>
+  <li><%= link_to t('my_account'), edit_user_registration_path(current_user) %></li>
+  <li><%= link_to t('logout'), destroy_user_session_path %></li>
+<% else %>
+  <li><%= link_to t('log_in'), new_user_session_path %></li>
+<% end %>

data/config/routes.rb

@@ -0,0 +1,4 @@
+Rails.application.routes.draw do
+  match '/checkout/registration' => 'checkout#registration', :via => :get, :as => :checkout_registration
+  match '/checkout/registration' => 'checkout#update_registration', :via => :put, :as => :update_checkout_registration
+end

data/lib/generators/spree_auth/install_generator.rb

@@ -0,0 +1,25 @@
+module SpreeAuth
+  module Generators
+    class InstallGenerator < Rails::Generators::Base
+      source_root File.expand_path("../../templates", __FILE__)
+
+      desc "Configures your Rails application for use with spree_auth."
+
+      def setup_routes
+        route 'devise_for :users'
+      end
+
+      def copy_initializer
+        template "devise.rb", "config/initializers/devise.rb"
+      end
+
+      def copy_migrations
+        directory "db"
+      end
+
+      # def show_readme
+      #   readme "README" if behavior == :invoke
+      # end
+    end
+  end
+end

data/lib/generators/templates/db/migrate/20100811003924_switch_to_devise.rb

@@ -0,0 +1,31 @@
+class SwitchToDevise < ActiveRecord::Migration
+  def self.up
+    change_table(:users) do |t|
+      t.rename :crypted_password, :encrypted_password
+      t.rename :salt, :password_salt
+      t.rename :remember_token_expires_at, :remember_created_at
+      t.rename :persistence_token, :authentication_token
+      t.rename :single_access_token, :reset_password_token
+      t.remove :perishable_token
+      t.rename :login_count, :sign_in_count
+      t.remove :failed_login_count
+      t.remove :last_request_at
+      t.rename :current_login_at, :current_sign_in_at
+      t.rename :last_login_at, :last_sign_in_at
+      t.rename :current_login_ip, :current_sign_in_ip
+      t.rename :last_login_ip, :last_sign_in_ip
+      t.remove :login
+      t.remove :openid_identifier
+      t.remove :api_key
+    end
+    drop_table :open_id_authentication_associations
+    drop_table :open_id_authentication_nonces
+
+    add_index :users, :email,                :unique => true
+    add_index :users, :reset_password_token, :unique => true
+  end
+
+  def self.down
+    # no going back!
+  end
+end

data/lib/generators/templates/devise.rb

@@ -0,0 +1,146 @@
+# Use this hook to configure devise mailer, warden hooks and so forth. The first
+# four configuration values can also be set straight in your models.
+Devise.setup do |config|
+  # ==> Mailer Configuration
+  # Configure the e-mail address which will be shown in DeviseMailer.
+  config.mailer_sender = "please-change-me@config-initializers-devise.com"
+
+  # Configure the class responsible to send e-mails.
+  # config.mailer = "Devise::Mailer"
+
+  # ==> ORM configuration
+  # Load and configure the ORM. Supports :active_record (default) and
+  # :mongoid (bson_ext recommended) by default. Other ORMs may be
+  # available as additional gems.
+  require 'devise/orm/active_record'
+
+  # ==> Configuration for any authentication mechanism
+  # Configure which keys are used when authenticating an user. By default is
+  # just :email. You can configure it to use [:username, :subdomain], so for
+  # authenticating an user, both parameters are required. Remember that those
+  # parameters are used only when authenticating and not when retrieving from
+  # session. If you need permissions, you should implement that in a before filter.
+  # config.authentication_keys = [ :email ]
+
+  # Tell if authentication through request.params is enabled. True by default.
+  # config.params_authenticatable = true
+
+  # Tell if authentication through HTTP Basic Auth is enabled. True by default.
+  # config.http_authenticatable = true
+
+  # Set this to true to use Basic Auth for AJAX requests.  True by default.
+  # config.http_authenticatable_on_xhr = true
+
+  # The realm used in Http Basic Authentication
+  # config.http_authentication_realm = "Application"
+
+  # ==> Configuration for :database_authenticatable
+  # Define which will be the encryption algorithm. Devise also supports encryptors
+  # from others authentication tools as :clearance_sha1, :authlogic_sha512 (then
+  # you should set stretches above to 20 for default behavior) and :restful_authentication_sha1
+  # (then you should set stretches to 10, and copy REST_AUTH_SITE_KEY to pepper)
+  config.encryptor = :bcrypt
+
+  # For bcrypt, this is the cost for hashing the password and defaults to 10. If
+  # using other encryptors, it sets how many times you want the password re-encrypted.
+  config.stretches = 10
+
+  # Setup a pepper to generate the encrypted password.
+  config.pepper = <%= ActiveSupport::SecureRandom.hex(64).inspect %>
+
+  # ==> Configuration for :confirmable
+  # The time you want to give your user to confirm his account. During this time
+  # he will be able to access your application without confirming. Default is nil.
+  # When confirm_within is zero, the user won't be able to sign in without confirming.
+  # You can use this to let your user access some features of your application
+  # without confirming the account, but blocking it after a certain period
+  # (ie 2 days).
+  # config.confirm_within = 2.days
+
+  # ==> Configuration for :rememberable
+  # The time the user will be remembered without asking for credentials again.
+  # config.remember_for = 2.weeks
+
+  # If true, a valid remember token can be re-used between multiple browsers.
+  # config.remember_across_browsers = true
+
+  # If true, extends the user's remember period when remembered via cookie.
+  # config.extend_remember_period = false
+
+  # ==> Configuration for :validatable
+  # Range for password length
+  # config.password_length = 6..20
+
+  # Regex to use to validate the email address
+  # config.email_regexp = /^([\w\.%\+\-]+)@([\w\-]+\.)+([\w]{2,})$/i
+
+  # ==> Configuration for :timeoutable
+  # The time you want to timeout the user session without activity. After this
+  # time the user will be asked for credentials again.
+  # config.timeout_in = 10.minutes
+
+  # ==> Configuration for :lockable
+  # Defines which strategy will be used to lock an account.
+  # :failed_attempts = Locks an account after a number of failed attempts to sign in.
+  # :none            = No lock strategy. You should handle locking by yourself.
+  # config.lock_strategy = :failed_attempts
+
+  # Defines which strategy will be used to unlock an account.
+  # :email = Sends an unlock link to the user email
+  # :time  = Re-enables login after a certain amount of time (see :unlock_in below)
+  # :both  = Enables both strategies
+  # :none  = No unlock strategy. You should handle unlocking by yourself.
+  # config.unlock_strategy = :both
+
+  # Number of authentication tries before locking an account if lock_strategy
+  # is failed attempts.
+  # config.maximum_attempts = 20
+
+  # Time interval to unlock the account if :time is enabled as unlock_strategy.
+  # config.unlock_in = 1.hour
+
+  # ==> Configuration for :token_authenticatable
+  # Defines name of the authentication token params key
+  # config.token_authentication_key = :auth_token
+
+  # ==> Scopes configuration
+  # Turn scoped views on. Before rendering "sessions/new", it will first check for
+  # "users/sessions/new". It's turned off by default because it's slower if you
+  # are using only default views.
+  # config.scoped_views = true
+
+  # Configure the default scope given to Warden. By default it's the first
+  # devise role declared in your routes.
+  # config.default_scope = :user
+
+  # Configure sign_out behavior.
+  # By default sign_out is scoped (i.e. /users/sign_out affects only :user scope).
+  # In case of sign_out_all_scopes set to true any logout action will sign out all active scopes.
+  # config.sign_out_all_scopes = false
+
+  # ==> Navigation configuration
+  # Lists the formats that should be treated as navigational. Formats like
+  # :html, should redirect to the sign in page when the user does not have
+  # access, but formats like :xml or :json, should return 401.
+  # If you have any extra navigational formats, like :iphone or :mobile, you
+  # should add them to the navigational formats lists. Default is [:html]
+  # config.navigational_formats = [:html, :iphone]
+
+  # ==> OAuth2
+  # Add a new OAuth2 provider. Check the README for more information on setting
+  # up on your models and hooks.
+  # config.oauth :github, 'APP_ID', 'APP_SECRET',
+  #   :site              => 'https://github.com/',
+  #   :authorize_path    => '/login/oauth/authorize',
+  #   :access_token_path => '/login/oauth/access_token',
+  #   :scope             => %w(user public_repo)
+
+  # ==> Warden configuration
+  # If you want to use other strategies, that are not supported by Devise, or
+  # change the failure app, you can configure them inside the config.warden block.
+  #
+  # config.warden do |manager|
+  #   manager.failure_app = AnotherApp
+  #   manager.default_strategies(:scope => :user).unshift :some_external_strategy
+  # end
+end

data/lib/spree/auth/config.rb

@@ -0,0 +1,22 @@
+module Spree
+  module Auth
+    # Singleton class to access the shipping configuration object (ActiveShippingConfiguration.first by default) and it's preferences.
+    #
+    # Usage:
+    #   Spree::Auth::Config[:foo]                  # Returns the foo preference
+    #   Spree::Auth::Config[]                      # Returns a Hash with all the tax preferences
+    #   Spree::Auth::Config.instance               # Returns the configuration object (AuthConfiguration.first)
+    #   Spree::Auth::Config.set(preferences_hash)  # Set the spree auth preferences as especified in +preference_hash+
+    class Config
+      include Singleton
+      include Spree::PreferenceAccess
+
+      class << self
+        def instance
+          return nil unless ActiveRecord::Base.connection.tables.include?('configurations')
+          SpreeAuthConfiguration.find_or_create_by_name("Default spree_auth configuration")
+        end
+      end
+    end
+  end
+end

data/lib/spree/auth_user.rb

@@ -0,0 +1,20 @@
+module Spree
+  module AuthUser
+
+    # Gives controllers the ability to learn the +auth_user+ as opposed to limiting them to just the standard
+    # +current_user.+  The +auth_user+ method will return the user corresponding to the +guest_token+ if present,
+    # otherwise it will return the +current_user.+  This allows us to check authorization against a guest user
+    # without requiring that user to be signed in via warden/devise.  This means the guest can later sign up for
+    # an acccount (or log in to an existing account.)
+    def auth_user
+      return current_user unless session[:guest_token]
+      User.find_by_authentication_token(session[:guest_token])
+    end
+
+    # Overrides the default method used by Cancan so that we can use the guest_token in addition to current_user.
+    def current_ability
+      @current_ability ||= ::Ability.new(auth_user)
+    end
+
+  end
+end

data/lib/spree_auth.rb

@@ -0,0 +1,19 @@
+require 'spree_core'
+
+require 'devise'
+require 'devise/orm/active_record'
+require 'cancan'
+
+require 'spree/auth_user'
+require 'spree/auth/config'
+
+module SpreeAuth
+  class Engine < Rails::Engine
+    def self.activate
+      Dir.glob(File.join(File.dirname(__FILE__), "../app/**/*_decorator*.rb")) do |c|
+        Rails.env == "production" ? require(c) : load(c)
+      end
+    end
+    config.to_prepare &method(:activate).to_proc
+  end
+end

metadata

@@ -0,0 +1,141 @@
+--- !ruby/object:Gem::Specification 
+name: spree_auth
+version: !ruby/object:Gem::Version 
+  prerelease: true
+  segments: 
+  - 0
+  - 30
+  - 0
+  - beta1
+  version: 0.30.0.beta1
+platform: ruby
+authors: 
+- Sean Schofield
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2010-09-03 00:00:00 -04:00
+default_executable: 
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: spree_core
+  prerelease: false
+  requirement: &id001 !ruby/object:Gem::Requirement 
+    requirements: 
+    - - "="
+      - !ruby/object:Gem::Version 
+        segments: 
+        - 0
+        - 30
+        - 0
+        - beta1
+        version: 0.30.0.beta1
+  type: :runtime
+  version_requirements: *id001
+- !ruby/object:Gem::Dependency 
+  name: devise
+  prerelease: false
+  requirement: &id002 !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        segments: 
+        - 1
+        - 1
+        - 2
+        version: 1.1.2
+  type: :runtime
+  version_requirements: *id002
+- !ruby/object:Gem::Dependency 
+  name: cancan
+  prerelease: false
+  requirement: &id003 !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        segments: 
+        - 1
+        - 3
+        - 3
+        version: 1.3.3
+  type: :runtime
+  version_requirements: *id003
+description: Required dependancy for Spree
+email: sean@railsdog.com
+executables: []
+
+extensions: []
+
+extra_rdoc_files: []
+
+files: 
+- LICENSE
+- README.md
+- app/controllers/admin_controller_decorator.rb
+- app/controllers/checkout_controller_decorator.rb
+- app/controllers/devise/sessions_controller_decorator.rb
+- app/controllers/orders_controller_decorator.rb
+- app/controllers/resource_controller_decorator.rb
+- app/controllers/spree/base_controller_decorator.rb
+- app/models/ability.rb
+- app/models/order_decorator.rb
+- app/models/spree_auth_configuration.rb
+- app/models/user.rb
+- app/views/checkout/registration.html.erb
+- app/views/devise/confirmations/new.html.erb
+- app/views/devise/mailer/confirmation_instructions.html.erb
+- app/views/devise/mailer/reset_password_instructions.html.erb
+- app/views/devise/mailer/unlock_instructions.html.erb
+- app/views/devise/passwords/edit.html.erb
+- app/views/devise/passwords/new.html.erb
+- app/views/devise/registrations/edit.html.erb
+- app/views/devise/registrations/new.html.erb
+- app/views/devise/sessions/new.html.erb
+- app/views/devise/shared/_links.erb
+- app/views/devise/unlocks/new.html.erb
+- app/views/shared/_login_bar.html.erb
+- app/views/shared/unauthorized.html.erb
+- config/routes.rb
+- lib/generators/spree_auth/install_generator.rb
+- lib/generators/templates/db/migrate/20100811003924_switch_to_devise.rb
+- lib/generators/templates/devise.rb
+- lib/spree/auth/config.rb
+- lib/spree/auth_user.rb
+- lib/spree_auth.rb
+has_rdoc: true
+homepage: http://spreecommerce.com
+licenses: []
+
+post_install_message: 
+rdoc_options: []
+
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      segments: 
+      - 1
+      - 8
+      - 7
+      version: 1.8.7
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">"
+    - !ruby/object:Gem::Version 
+      segments: 
+      - 1
+      - 3
+      - 1
+      version: 1.3.1
+requirements: 
+- none
+rubyforge_project: spree_auth
+rubygems_version: 1.3.6
+signing_key: 
+specification_version: 3
+summary: Provides authentication and authorization services for use with Spree.
+test_files: []
+