spree_auth 0.30.0.beta1 → 0.30.0

data/README.md

@@ -18,14 +18,11 @@ Running Tests
 
 You need to do a quick one-time creation of a test application and then you can use it to run the tests.
 
-    rails new testapp -m spec/test_template.rb -T -J
-    cd testapp
-    rails g spree_core:install
-    rake db:migrate db:seed db:test:prepare
+    rake test_app
 
 Then run the tests
 
-    rspec spec
+    rake spec
 
 Misc
 ----

data/app/controllers/checkout_controller_decorator.rb

@@ -2,17 +2,20 @@ CheckoutController.class_eval do
   before_filter :check_authorization
   before_filter :check_registration, :except => [:registration, :update_registration]
 
+  helper :users
+
   def registration
     @user = User.new
   end
 
   def update_registration
-    @user = current_order.user
-    @user.email = params[:user][:email]
-    if @user.save
-      redirect_to checkout_path and return
+    # hack - temporarily change the state to something other than cart so we can validate the order email address
+    current_order.state = "address"
+    if current_order.update_attributes(params[:order])
+      redirect_to checkout_path
     else
-      render :registration and return
+      @user = User.new
+      render 'registration'
     end
   end
 
@@ -24,7 +27,16 @@ CheckoutController.class_eval do
   # Introduces a registration step whenever the +registration_step+ preference is true.
   def check_registration
     return unless Spree::Auth::Config[:registration_step]
-    return if current_user or not current_order.user.anonymous?
+    return if current_user or current_order.email
+    store_location
     redirect_to checkout_registration_path
   end
-end
+
+  # Overrides the equivalent method defined in spree_core.  This variation of the method will ensure that users
+  # are redirected to the tokenized order url unless authenticated as a registered user.
+  def completion_route
+    return order_path(@order) if current_user
+    token_order_path(@order, @order.user.token)
+  end
+
+end

data/app/controllers/orders_controller_decorator.rb

@@ -3,16 +3,20 @@ OrdersController.class_eval do
   before_filter :check_authorization
 
   private
+
   def store_guest
     return if current_user
-    session[:guest_token] ||= @order.user.authentication_token
+    session[:guest_token] ||= @order.user.persistence_token
   end
 
   def check_authorization
-    if current_order
-      authorize! :edit, current_order
+    session[:guest_token] ||= params[:token]
+    order = current_order || Order.find_by_number(params[:id])
+    if order
+      authorize! :edit, order
     else
       authorize! :create, Order
     end
   end
-end
+
+end

data/app/controllers/resource_controller_decorator.rb

@@ -12,4 +12,4 @@ module ResourceController
       end
     end
   end
-end
+end

data/app/controllers/spree/base_controller_decorator.rb

@@ -1,4 +1,5 @@
 Spree::BaseController.class_eval do
+  before_filter :check_guest
 
   include Spree::AuthUser
 
@@ -6,6 +7,25 @@ Spree::BaseController.class_eval do
   rescue_from CanCan::AccessDenied, :with => :unauthorized
 
   private
+  # authorize the user as a guest if the have a valid token
+  def check_guest
+    session[:guest_token] ||= params[:token]
+  end
+
+  def current_user_session
+    return @current_user_session if defined?(@current_user_session)
+    @current_user_session = UserSession.find
+  end
+
+  def current_user
+    return @current_user if defined?(@current_user)
+    @current_user = current_user_session && current_user_session.user
+  end
+
+  helper_method :current_user_session, :current_user
+
+
+
 
   # Redirect as appropriate when an access request fails.  The default action is to redirect to the login screen.
   # Override this method in your controllers if you want to have special behavior in case the user is not authorized
@@ -18,7 +38,7 @@ Spree::BaseController.class_eval do
           render 'shared/unauthorized', :layout => 'spree_application'
         else
           store_location
-          redirect_to new_user_session_path and return
+          redirect_to login_path and return
         end
       end
       format.xml do
@@ -29,10 +49,11 @@ Spree::BaseController.class_eval do
 
   def store_location
     # disallow return to login, logout, signup pages
-    disallowed_urls = [new_user_registration_path, new_user_session_path, destroy_user_session_path]
+    disallowed_urls = [signup_url, login_url, logout_url]
     disallowed_urls.map!{|url| url[/\/\w+$/]}
     unless disallowed_urls.include?(request.fullpath)
       session[:return_to] = request.fullpath
     end
   end
-end
+
+end

data/app/controllers/user_sessions_controller.rb

@@ -0,0 +1,116 @@
+class UserSessionsController < Spree::BaseController
+  include Spree::CurrentOrder
+  include Spree::AuthUser
+
+  after_filter :associate_user, :only => :create
+
+  ssl_required :new, :create, :destroy, :update
+  ssl_allowed :login_bar
+
+  def new
+    @user_session = UserSession.new
+  end
+
+  def create
+    create_user_session(params[:user_session])
+    # not_need_user_auto_creation =
+    #     user_without_openid(params[:user_session]) ||
+    #     user_with_openid_exists?(:openid_identifier => params['openid.identity']) ||
+    #     user_with_openid_exists?(params[:user_session])
+
+    # if not_need_user_auto_creation
+    #   create_user_session(params[:user_session])
+    # else
+    #   create_user(params[:user_session])
+    # end
+  end
+
+  def destroy
+    current_user_session.destroy
+    session.clear
+    flash[:notice] = t("logged_out")
+    redirect_to products_path
+  end
+
+  def nav_bar
+    render :partial => "shared/nav_bar"
+  end
+
+  private
+
+  def associate_user
+    return unless current_user and current_order
+    current_order.associate_user!(current_user)
+    session[:guest_token] = nil
+  end
+
+  def user_with_openid_exists?(data)
+    data && !data[:openid_identifier].blank? &&
+      !!User.find(:first, :conditions => ["openid_identifier LIKE ?", "%#{data[:openid_identifier]}%"])
+  end
+
+  def user_without_openid(data)
+    data && data[:openid_identifier].blank?
+  end
+
+  def create_user_session(data)
+    @user_session = UserSession.new(data)
+    @user_session.save do |result|
+      if result
+        # Should restore last uncompleted order and add current(guest) order to it, if exists.
+        order = @user_session.record.orders.last(:conditions => {:completed_at => nil})
+        if order
+          if (session[:order_token] && guest_order = Order.find(:first, :conditions => {:token => session[:order_token], :user_id => nil, :completed_at => nil}))
+            guest_order.line_items.each do |line_item|
+              order.add_variant(line_item.variant, line_item.quantity)
+            end
+            order.save
+            session[:return_to].gsub!(guest_order.number, order.number) if session[:return_to]
+            guest_order.destroy
+          end
+          session[:order_token] = order.token
+          session[:order_id] = order.id
+        end
+
+        respond_to do |format|
+          format.html {
+            flash[:notice] = t("logged_in_succesfully") unless session[:return_to]
+            redirect_back_or_default products_path
+          }
+          format.js {
+            user = @user_session.record
+            render :json => {:ship_address => user.ship_address, :bill_address => user.bill_address}.to_json
+          }
+        end
+      else
+        respond_to do |format|
+          format.html {
+            flash.now[:error] = t("login_failed")
+            render :action => :new
+          }
+          format.js { render :json => false }
+        end
+      end
+    end
+    redirect_back_or_default(products_path) unless performed?
+  end
+
+  def create_user(data)
+    @user = User.new(data)
+
+    @user.save do |result|
+      if result
+        flash[:notice] = t(:user_created_successfully) unless session[:return_to]
+        redirect_back_or_default products_url
+      else
+        flash[:notice] = t(:missing_required_information)
+        redirect_to :controller => :users, :action => :new, :user => {:openid_identifier => @user.openid_identifier}
+      end
+    end
+  end
+
+  def accurate_title
+    I18n.t(:log_in)
+  end
+
+end

data/app/controllers/users_controller.rb

@@ -0,0 +1,54 @@
+class UsersController < Spree::BaseController
+  resource_controller
+
+  ssl_required :new, :create, :edit, :update, :show
+
+  actions :all, :except => [:index, :destroy]
+
+  show.before do
+    @orders = @user.orders.complete
+  end
+
+  create.after do
+    create_session
+    associate_user
+  end
+
+  create.flash nil
+  create.wants.html { redirect_back_or_default(root_url) }
+
+  new_action.before do
+    flash.now[:notice] = I18n.t(:please_create_user) unless User.admin_created?
+  end
+
+  update.wants.html { redirect_to account_url }
+
+  update.after do
+    create_session
+  end
+
+  update.flash I18n.t("account_updated")
+
+  private
+  def object
+    @object ||= current_user
+  end
+
+  def accurate_title
+    I18n.t(:account)
+  end
+
+  def associate_user
+    return unless current_order and @user.valid?
+    current_order.associate_user!(@user)
+    session[:guest_token] = nil
+  end
+
+  def create_session
+    session_params = params[:user]
+    session_params[:login] = session_params[:email]
+    UserSession.create session_params
+  end
+
+end
+

data/app/models/ability.rb

@@ -1,12 +1,28 @@
+# Implementation class for Cancan gem.  Instead of overriding this class, consider adding new permissions
+# using the special +register_ability+ method which allows extensions to add their own abilities.
+#
+# See http://github.com/ryanb/cancan for more details on cancan.
 class Ability
   include CanCan::Ability
 
+  class_inheritable_accessor :abilities
+  self.abilities = Set.new
+
+  # Allows us to go beyond the standard cancan initialize method which makes it difficult for engines to
+  # modify the default +Ability+ of an application.  The +ability+ argument must be a class that includes
+  # the +CanCan::Ability+ module.  The registered ability should behave properly as a stand-alone class
+  # and therefore should be easy to test in isolation.
+  def self.register_ability(ability)
+    self.abilities.add(ability)
+  end
+
   def initialize(user)
     self.clear_aliased_actions
 
     # override cancan default aliasing (we don't want to differentiate between read and index)
     alias_action :edit, :to => :update
     alias_action :new, :to => :create
+    alias_action :new_action, :to => :create
     alias_action :show, :to => :read
 
     user ||= User.new
@@ -37,5 +53,12 @@ class Ability
       can :index, Taxon
       #############################
     end
+
+    #include any abilities registered by extensions, etc.
+    Ability.abilities.each do |clazz|
+      ability = clazz.send(:new, user)
+      @can_definitions = can_definitions + ability.send(:can_definitions)
+    end
+
   end
-end
+end

data/app/models/order_decorator.rb

@@ -1,12 +1,15 @@
 Order.class_eval do
+  delegate :token, :to => :user
+
   # Associates the specified user with the order and destroys any previous association with guest user if
   # necessary.
   def associate_user!(user)
     self.user = user
-    save!
+    self.email = user.email
+    # disable validations since this can cause issues when associating an incomplete address during the address step
+    save(:validate => false)
   end
 
-  def token
-    user.token if user.anonymous?
-  end
-end
+  validates_format_of :email, :with => Authlogic::Regex.email, :if => :require_email
+
+end

data/app/models/spree_current_order_decorator.rb

@@ -0,0 +1,8 @@
+Spree::CurrentOrder.module_eval do
+
+  # Associate the new order with the currently authenticated user before saving
+  def before_save_new_order
+    @current_order.user = auth_user
+  end
+
+end

data/app/models/user.rb

@@ -6,38 +6,71 @@ class User < ActiveRecord::Base
   belongs_to :bill_address, :foreign_key => "bill_address_id", :class_name => "Address"
 
   before_save :check_admin
+  before_validation :set_login
 
-  # Include default devise modules. Others available are:
-  # :confirmable, :lockable and :timeoutable
-  devise :database_authenticatable, :registerable, :token_authenticatable,
-         :recoverable, :rememberable, :trackable, :validatable
+  acts_as_authentic do |c|
+    c.transition_from_restful_authentication = true
+    c.maintain_sessions = false
+    #AuthLogic defaults
+    #c.validate_email_field = true
+    #c.validates_length_of_email_field_options = {:within => 6..100}
+    #c.validates_format_of_email_field_options = {:with => email_regex, :message => I18n.t(‘error_messages.email_invalid’, :default => “should look like an email address.”)}
+    #c.validate_password_field = true
+    #c.validates_length_of_password_field_options = {:minimum => 4, :if => :require_password?}
+    #for more defaults check the AuthLogic documentation
+  end
 
   # Setup accessible (or protected) attributes for your model
-  attr_accessible :email, :password, :password_confirmation, :remember_me, :anonymous
-  after_save :ensure_authentication_token!
+  attr_accessible :email, :password, :password_confirmation, :remember_me
 
-  alias_attribute :token, :authentication_token
+  alias_attribute :token, :persistence_token
 
   # has_role? simply needs to return true or false whether a user has a role or not.
   def has_role?(role_in_question)
     roles.any? { |role| role.name == role_in_question.to_s }
   end
 
+  # Creates an anonymous user.  An anonymous user is basically an auto-generated +User+ account that is created for the customer
+  # behind the scenes and its completely transparently to the customer.  All +Orders+ must have a +User+ so this is necessary
+  # when adding to the "cart" (which is really an order) and before the customer has a chance to provide an email or to register.
   def self.anonymous!
-    token = User.generate_token(:authentication_token)
-    User.create(:email => "#{token}@example.com", :password => token, :password_confirmation => token, :anonymous => true)
+    token = User.generate_token(:persistence_token)
+    User.create(:email => "#{token}@example.net", :password => token, :password_confirmation => token)
+  end
+
+  def self.admin_created?
+    Role.where(:name => "admin").includes(:users).count > 0
   end
 
-  def email=(email)
-    self.anonymous = false unless email.include?("example.com")
-    write_attribute :email, email
+  def deliver_password_reset_instructions!
+    reset_perishable_token!
+    UserMailer.password_reset_instructions(self).deliver
   end
 
   private
+
   def check_admin
-    if User.where("roles.name" => "admin").includes(:roles).empty?
-      self.roles << Role.find_by_name("admin")
+    return if self.class.admin_created?
+    admin_role = Role.find_or_create_by_name "admin"
+    self.roles << admin_role
+  end
+
+  def set_login
+    # for now force login to be same as email, eventually we will make this configurable, etc.
+    self.login ||= self.email if self.email
+  end
+
+  # Generate a friendly string randomically to be used as token.
+  def self.friendly_token
+    ActiveSupport::SecureRandom.base64(15).tr('+/=', '-_ ').strip.delete("\n")
+  end
+
+  # Generate a token by looping and ensuring does not already exist.
+  def self.generate_token(column)
+    loop do
+      token = friendly_token
+      break token unless find(:first, :conditions => { column => token })
     end
-    true
   end
+
 end

data/app/models/user_mailer.rb

@@ -0,0 +1,12 @@
+class UserMailer < ActionMailer::Base
+  default_url_options[:host] = Spree::Config[:site_url]
+  default :from => Spree::Config[:mails_from]
+
+  def password_reset_instructions(user)
+    @edit_password_reset_url = edit_password_reset_url(user.perishable_token)
+    mail(:to => user.email,
+         :subject => Spree::Config[:site_name] + ' ' + I18n.t("password_reset_instructions"))
+  end
+
+end
+

data/app/models/user_session.rb

@@ -0,0 +1,3 @@
+class UserSession < Authlogic::Session::Base
+end
+

data/app/views/checkout/registration.html.erb

@@ -2,12 +2,13 @@
 <h2><%= t("registration")%></h2>
 <div id="registration">
   <div id="account">
-    <!-- TODO: add partial with devise registration form -->
+    <%= render :file => 'users/new' %>
   </div>
   <% if Spree::Config[:allow_guest_checkout] %>
     <div id="guest_checkout">
+      <%= render "shared/error_messages", :target => @order %>
       <h2><%= t(:guest_user_account) %></h2>
-      <%= form_for :user, :url => update_checkout_registration_path, :html => { :method => :put, :id => "checkout_form_registration"} do |f| %>
+      <%= form_for @order, :url => update_checkout_registration_path, :html => { :method => :put, :id => "checkout_form_registration"} do |f| %>
         <p>
           <%= f.label :email, t("email") %><br />
           <%= f.text_field :email, :class => 'title'  %>

data/app/views/password_resets/edit.html.erb

@@ -0,0 +1,12 @@
+<h1><%= t(:change_my_password) %></h1>
+ 
+<%= form_for @user, :url => password_reset_path, :method => :put do |f| %>
+  <%= f.error_messages %>
+  <%= f.label :password %><br />
+  <%= f.password_field :password %><br />
+  <br />
+  <%= f.label :password_confirmation %><br />
+  <%= f.password_field :password_confirmation %><br />
+  <br />
+  <%= f.submit t("update_password") %>
+<% end %>

data/app/views/password_resets/new.html.erb

@@ -0,0 +1,13 @@
+<h1><%= t(:forgot_password) %></h1>
+
+<p><%= t(:instructions_to_reset_password) %></p>
+ 
+<%= form_tag password_resets_path do %>
+  <p>
+    <label><%= t(:email) %>:</label><br />
+    <%= text_field_tag "email", params[:email], :size => 30 %>
+  </p>
+  <p>
+    <%= submit_tag t("reset_password") %>
+  </p>
+<% end %>

data/app/views/shared/_error_messages.html.erb

@@ -0,0 +1,10 @@
+<% if target.errors.any? %>
+<div id="errorExplanation">
+  <h2><%= pluralize(target.errors.count, "error") %> prohibited this record from being saved:</h2>
+  <ul>
+  <% target.errors.full_messages.each do |msg| %>
+    <li><%= msg %></li>
+  <% end %>
+  </ul>
+</div>
+<% end %>

data/app/views/shared/_flashes.html.erb

@@ -0,0 +1,9 @@
+<% if flash.any? %>
+  <div id="flash">
+    <% flash.each do |key, value| %>
+      <p>
+        <%= value %>
+      </p>
+    <% end %>
+  </div>
+<% end%>

data/app/views/shared/_login_bar.html.erb

@@ -1,6 +1,6 @@
 <% if current_user %>
-  <li><%= link_to t('my_account'), edit_user_registration_path(current_user) %></li>
-  <li><%= link_to t('logout'), destroy_user_session_path %></li>
+  <li><%= link_to t('my_account'), account_path %></li>
+  <li><%= link_to t('logout'), logout_path %></li>
 <% else %>
-  <li><%= link_to t('log_in'), new_user_session_path %></li>
-<% end %>
+  <li><%= link_to t('log_in'), login_path %></li>
+<% end %>

data/app/views/user_mailer/password_reset_instructions.erb

@@ -0,0 +1,10 @@
+A request to reset your password has been made. 
+If you did not make this request, simply ignore this email. 
+
+If you did make this request just click the link below:
+ 
+<%= @edit_password_reset_url %>
+ 
+If the above URL does not work try copying and pasting it into your browser. 
+If you continue to have problem please feel free to contact us.
+

data/app/views/user_sessions/authorization_failure.html.erb

@@ -0,0 +1,4 @@
+<div style="height:50px; padding-top: 20px">
+  <strong><%= t("authorization_failure")%></strong>
+</div>   
+<!-- Add your own custom access denied message here if you like -->

data/app/views/user_sessions/new.html.erb

@@ -0,0 +1,9 @@
+<% @body_id = 'login' %>
+<div id="existing-customer">
+  <h2><%= t("login_as_existing") %></h2>
+  <%= hook :login do %>
+    <%= render :partial => 'shared/login' %>
+    <%= t("or") %> <%= link_to t("create_a_new_account"), signup_path %> | <%= link_to t("forgot_password"), new_password_reset_path %>
+  <% end %>
+</div>
+

data/app/views/users/edit.html.erb

@@ -0,0 +1,11 @@
+<%= render "shared/error_messages", :target => @user %>
+
+<h1><%= t("editing_user") %></h1>
+
+<% form_for(:user, :url => object_url, :html => { :method => :put }) do |f| %>
+  <%= render 'shared/user_form', :f => f %>
+  <p>
+    <%=submit_tag t("update") %>
+  </p>
+<% end %>
+

data/app/views/users/new.html.erb

@@ -0,0 +1,23 @@
+<% @body_id = 'signup' %>
+
+<%= render "shared/error_messages", :target => @user %>
+
+<div id="new-customer">
+  <h2><%= t("new_customer") %></h2>
+
+  <%= hook :signup do %>
+
+    <%= form_for(@user) do |f| %>
+
+      <%= hook :signup_inside_form do %>
+        <%= render 'shared/user_form', :f => f %>
+        <p><%= submit_tag t("create"), :class => 'button primary' %></p>
+      <% end %>
+
+    <% end %>
+    <%= t("or") %> <%= link_to t("login_as_existing"), login_path %>
+
+  <% end %>
+
+</div>
+