spree_auth 0.30.2 → 0.40.0

data/app/controllers/checkout_controller_decorator.rb

@@ -21,7 +21,7 @@ CheckoutController.class_eval do
 
   private
   def check_authorization
-    authorize!(:edit, current_order)
+    authorize!(:edit, current_order, session[:access_token])
   end
 
   # Introduces a registration step whenever the +registration_step+ preference is true.
@@ -36,7 +36,7 @@ CheckoutController.class_eval do
   # are redirected to the tokenized order url unless authenticated as a registered user.
   def completion_route
     return order_path(@order) if current_user
-    token_order_path(@order, @order.user.token)
+    token_order_path(@order, @order.token)
   end
 
 end

data/app/controllers/orders_controller_decorator.rb

@@ -6,14 +6,15 @@ OrdersController.class_eval do
 
   def store_guest
     return if current_user
-    session[:guest_token] ||= @order.user.persistence_token
+    session[:access_token] = @order.token
   end
 
   def check_authorization
-    session[:guest_token] ||= params[:token]
+    session[:access_token] ||= params[:token]
     order = current_order || Order.find_by_number(params[:id])
+
     if order
-      authorize! :edit, order
+      authorize! :edit, order, session[:access_token]
     else
       authorize! :create, Order
     end

data/app/controllers/resource_controller_decorator.rb

@@ -5,15 +5,19 @@ module ResourceController
     module Internal
       protected
       # Calls the before block for the action, if one is present.
-      #
       def before(action)
+
         resource = case action
         when :index, :new, :create
           model
         else object
         end
 
-        authorize! action, resource
+        if resource.respond_to? :token
+          authorize! action, resource, session[:access_token]
+        else
+          authorize! action, resource
+        end
         invoke_callbacks *self.class.send(action).before
       end
     end

data/app/controllers/spree/base_controller_decorator.rb

@@ -1,31 +1,11 @@
 Spree::BaseController.class_eval do
-  before_filter :check_guest
-
-  include Spree::AuthUser
 
   # graceful error handling for cancan authorization exceptions
-  rescue_from CanCan::AccessDenied, :with => :unauthorized
-
-  private
-  # authorize the user as a guest if the have a valid token
-  def check_guest
-    session[:guest_token] ||= params[:token]
-  end
-
-  def current_user_session
-    return @current_user_session if defined?(@current_user_session)
-    @current_user_session = UserSession.find
-  end
-
-  def current_user
-    return @current_user if defined?(@current_user)
-    @current_user = current_user_session && current_user_session.user
+  rescue_from CanCan::AccessDenied do |exception|
+    return unauthorized
   end
 
-  helper_method :current_user_session, :current_user
-
-
-
+  private
 
   # Redirect as appropriate when an access request fails.  The default action is to redirect to the login screen.
   # Override this method in your controllers if you want to have special behavior in case the user is not authorized
@@ -44,15 +24,18 @@ Spree::BaseController.class_eval do
       format.xml do
         request_http_basic_authentication 'Web Password'
       end
+      format.json do
+        render :text => "Not Authorized \n", :status => 401
+      end
     end
   end
 
   def store_location
     # disallow return to login, logout, signup pages
-    disallowed_urls = [signup_url, login_url, logout_url]
+    disallowed_urls = [signup_url, login_url, destroy_user_session_path]
     disallowed_urls.map!{|url| url[/\/\w+$/]}
     unless disallowed_urls.include?(request.fullpath)
-      session[:return_to] = request.fullpath
+      session["user_return_to"] = request.fullpath
     end
   end
 

data/app/controllers/user_password_resets_controller.rb

@@ -0,0 +1,20 @@
+class UserPasswordResetsController < Devise::PasswordsController
+  include SpreeBase
+  helper :users, 'spree/base'
+
+  def new
+    super
+  end
+
+  def create
+    super
+  end
+
+  def edit
+    super
+  end
+
+  def update
+    super
+  end
+end

data/app/controllers/user_registrations_controller.rb

@@ -0,0 +1,56 @@
+class UserRegistrationsController < Devise::RegistrationsController
+  include SpreeBase
+  helper :users, 'spree/base'
+
+  before_filter :check_permissions, :only => [:edit, :update]
+  skip_before_filter :require_no_authentication
+
+  # GET /resource/sign_up
+  def new
+    super
+  end
+
+  # POST /resource/sign_up
+  def create
+    @user = build_resource(params[:user])
+    logger.debug(@user)
+    if resource.save
+      set_flash_message(:notice, :signed_up)
+      sign_in_and_redirect(:user, @user)
+    else
+      clean_up_passwords(resource)
+      render_with_scope(:new)
+    end
+  end
+
+  # GET /resource/edit
+  def edit
+    super
+  end
+
+  # PUT /resource
+  def update
+    super
+  end
+
+  # DELETE /resource
+  def destroy
+    super
+  end
+
+  # GET /resource/cancel
+  # Forces the session data which is usually expired after sign
+  # in to be expired now. This is useful if the user wants to
+  # cancel oauth signing in/up in the middle of the process,
+  # removing all OAuth session data.
+  def cancel
+    super
+  end
+
+  protected
+
+  def check_permissions
+    authorize!(:create, resource)
+  end
+
+end

data/app/controllers/user_sessions_controller.rb

@@ -1,35 +1,39 @@
-class UserSessionsController < Spree::BaseController
+class UserSessionsController < Devise::SessionsController
+  include SpreeBase
+  helper :users, 'spree/base'
+
   include Spree::CurrentOrder
-  include Spree::AuthUser
 
   after_filter :associate_user, :only => :create
 
   ssl_required :new, :create, :destroy, :update
   ssl_allowed :login_bar
 
+  # GET /resource/sign_in
   def new
-    @user_session = UserSession.new
+    super
   end
 
   def create
-    create_user_session(params[:user_session])
-    # not_need_user_auto_creation =
-    #     user_without_openid(params[:user_session]) ||
-    #     user_with_openid_exists?(:openid_identifier => params['openid.identity']) ||
-    #     user_with_openid_exists?(params[:user_session])
-
-    # if not_need_user_auto_creation
-    #   create_user_session(params[:user_session])
-    # else
-    #   create_user(params[:user_session])
-    # end
+    authenticate_user!
+
+    if user_signed_in?
+      respond_to do |format|
+        format.html {
+          flash[:notice] = t("logged_in_succesfully")
+          redirect_back_or_default(products_path)
+        }
+        format.js {
+          user = resource.record
+          render :json => {:ship_address => user.ship_address, :bill_address => user.bill_address}.to_json
+        }
+      end
+    end
   end
 
   def destroy
-    current_user_session.destroy
     session.clear
-    flash[:notice] = t("logged_out")
-    redirect_to products_path
+    super
   end
 
   def nav_bar
@@ -44,71 +48,6 @@ class UserSessionsController < Spree::BaseController
     session[:guest_token] = nil
   end
 
-  def user_with_openid_exists?(data)
-    data && !data[:openid_identifier].blank? &&
-      !!User.find(:first, :conditions => ["openid_identifier LIKE ?", "%#{data[:openid_identifier]}%"])
-  end
-
-  def user_without_openid(data)
-    data && data[:openid_identifier].blank?
-  end
-
-  def create_user_session(data)
-    @user_session = UserSession.new(data)
-    @user_session.save do |result|
-      if result
-        # Should restore last uncompleted order and add current(guest) order to it, if exists.
-        order = @user_session.record.orders.last(:conditions => {:completed_at => nil})
-        if order
-          if (session[:order_token] && guest_order = Order.find(:first, :conditions => {:token => session[:order_token], :user_id => nil, :completed_at => nil}))
-            guest_order.line_items.each do |line_item|
-              order.add_variant(line_item.variant, line_item.quantity)
-            end
-            order.save
-            session[:return_to].gsub!(guest_order.number, order.number) if session[:return_to]
-            guest_order.destroy
-          end
-          session[:order_token] = order.token
-          session[:order_id] = order.id
-        end
-
-        respond_to do |format|
-          format.html {
-            flash[:notice] = t("logged_in_succesfully") unless session[:return_to]
-            redirect_back_or_default products_path
-          }
-          format.js {
-            user = @user_session.record
-            render :json => {:ship_address => user.ship_address, :bill_address => user.bill_address}.to_json
-          }
-        end
-      else
-        respond_to do |format|
-          format.html {
-            flash.now[:error] = t("login_failed")
-            render :action => :new
-          }
-          format.js { render :json => false }
-        end
-      end
-    end
-    redirect_back_or_default(products_path) unless performed?
-  end
-
-  def create_user(data)
-    @user = User.new(data)
-
-    @user.save do |result|
-      if result
-        flash[:notice] = t(:user_created_successfully) unless session[:return_to]
-        redirect_back_or_default products_url
-      else
-        flash[:notice] = t(:missing_required_information)
-        redirect_to :controller => :users, :action => :new, :user => {:openid_identifier => @user.openid_identifier}
-      end
-    end
-  end
-
   def accurate_title
     I18n.t(:log_in)
   end

data/app/controllers/users_controller.rb

@@ -10,7 +10,6 @@ class UsersController < Spree::BaseController
   end
 
   create.after do
-    create_session
     associate_user
   end
 
@@ -22,12 +21,7 @@ class UsersController < Spree::BaseController
   end
 
   update.wants.html { redirect_to account_url }
-
-  update.after do
-    create_session
-  end
-
-  update.flash I18n.t("account_updated")
+  update.flash { I18n.t("account_updated") }
 
   private
   def object
@@ -44,11 +38,5 @@ class UsersController < Spree::BaseController
     session[:guest_token] = nil
   end
 
-  def create_session
-    session_params = params[:user]
-    session_params[:login] = session_params[:email]
-    UserSession.create session_params
-  end
-
 end
 

data/app/helpers/users_helper.rb

@@ -0,0 +1,13 @@
+module UsersHelper       
+  def password_style(user)
+    ActiveSupport::Deprecation.warn "[SPREE] Password style has be depreciated due to the removal of OpenID from the Auth Gem. "
+      "Please install the spree_social gem to regain this functionality and more."
+    ""
+  end         
+  def openid_style(user) 
+    ActiveSupport::Deprecation.warn "[SPREE] Password style has be depreciated due to the removal of OpenID from the Auth Gem. "
+      "Please install the spree_social gem to regain this functionality and more."
+    "display:none"
+  end
+
+end

data/app/models/ability.rb

@@ -38,11 +38,11 @@ class Ability
       end
       can :create, User
       #############################
-      can :read, Order do |order|
-        order.user == user
+      can :read, Order do |order, token|
+        order.user == user || order.token && token == order.token
       end
-      can :update, Order do |order|
-        order.user == user
+      can :update, Order do |order, token|
+        order.user == user || order.token && token == order.token
       end
       can :create, Order
       #############################

data/app/models/order_decorator.rb

@@ -1,5 +1,5 @@
 Order.class_eval do
-  delegate :token, :to => :user
+  token_resource
 
   # Associates the specified user with the order and destroys any previous association with guest user if
   # necessary.
@@ -10,6 +10,7 @@ Order.class_eval do
     save(:validate => false)
   end
 
-  validates_format_of :email, :with => Authlogic::Regex.email, :if => :require_email
-
+  # TODO: validate the format of the email as well (but we can't rely on authlogic anymore to help with validation)
+  validates_presence_of :email, :if => :require_email
+  validates_format_of :email, :with => /^([\w\.%\+\-]+)@([\w\-]+\.)+([\w]{2,})$/i, :if => :require_email
 end

data/app/models/spree_current_order_decorator.rb

@@ -2,7 +2,7 @@ Spree::CurrentOrder.module_eval do
 
   # Associate the new order with the currently authenticated user before saving
   def before_save_new_order
-    @current_order.user = auth_user
+    @current_order.user ||= current_user
   end
 
 end

data/app/models/tokenized_permission.rb

@@ -0,0 +1,3 @@
+class TokenizedPermission < ActiveRecord::Base
+  belongs_to :permissable, :polymorphic => true
+end

data/app/models/user.rb

@@ -1,5 +1,8 @@
 class User < ActiveRecord::Base
 
+  devise :database_authenticatable, :token_authenticatable, :registerable, :recoverable,
+         :rememberable, :trackable, :validatable, :encryptable, :encryptor => "authlogic_sha512"
+
   has_many :orders
   has_and_belongs_to_many :roles
   belongs_to :ship_address, :foreign_key => "ship_address_id", :class_name => "Address"
@@ -8,22 +11,8 @@ class User < ActiveRecord::Base
   before_save :check_admin
   before_validation :set_login
 
-  acts_as_authentic do |c|
-    c.transition_from_restful_authentication = true
-    c.maintain_sessions = false
-    #AuthLogic defaults
-    #c.validate_email_field = true
-    #c.validates_length_of_email_field_options = {:within => 6..100}
-    #c.validates_format_of_email_field_options = {:with => email_regex, :message => I18n.t(‘error_messages.email_invalid’, :default => “should look like an email address.”)}
-    #c.validate_password_field = true
-    #c.validates_length_of_password_field_options = {:minimum => 4, :if => :require_password?}
-    #for more defaults check the AuthLogic documentation
-  end
-
   # Setup accessible (or protected) attributes for your model
-  attr_accessible :email, :password, :password_confirmation, :remember_me
-
-  alias_attribute :token, :persistence_token
+  attr_accessible :email, :password, :password_confirmation, :remember_me, :persistence_token
 
   # has_role? simply needs to return true or false whether a user has a role or not.
   def has_role?(role_in_question)
@@ -35,18 +24,27 @@ class User < ActiveRecord::Base
   # when adding to the "cart" (which is really an order) and before the customer has a chance to provide an email or to register.
   def self.anonymous!
     token = User.generate_token(:persistence_token)
-    User.create(:email => "#{token}@example.net", :password => token, :password_confirmation => token)
+    User.create(:email => "#{token}@example.net", :password => token, :password_confirmation => token, :persistence_token => token)
   end
 
   def self.admin_created?
     Role.where(:name => "admin").includes(:users).count > 0
   end
 
+  def anonymous?
+    email =~ /@example.net$/
+  end
+
   def deliver_password_reset_instructions!
     reset_perishable_token!
     UserMailer.password_reset_instructions(self).deliver
   end
 
+  protected
+  def password_required?
+    !persisted? || password.present? || password_confirmation.present?
+  end
+
   private
 
   def check_admin