spree_auth 0.30.2 → 0.40.0


Files changed (42) hide show
  1. data/app/controllers/checkout_controller_decorator.rb +2 -2
  2. data/app/controllers/orders_controller_decorator.rb +4 -3
  3. data/app/controllers/resource_controller_decorator.rb +6 -2
  4. data/app/controllers/spree/base_controller_decorator.rb +8 -25
  5. data/app/controllers/user_password_resets_controller.rb +20 -0
  6. data/app/controllers/user_registrations_controller.rb +56 -0
  7. data/app/controllers/user_sessions_controller.rb +21 -82
  8. data/app/controllers/users_controller.rb +1 -13
  9. data/app/helpers/users_helper.rb +13 -0
  10. data/app/models/ability.rb +4 -4
  11. data/app/models/order_decorator.rb +4 -3
  12. data/app/models/spree_current_order_decorator.rb +1 -1
  13. data/app/models/tokenized_permission.rb +3 -0
  14. data/app/models/user.rb +14 -16
  15. data/app/models/user_mailer.rb +2 -3
  16. data/app/views/checkout/registration.html.erb +1 -1
  17. data/app/views/shared/_error_messages.html.erb +1 -1
  18. data/app/views/shared/_login.html.erb +20 -0
  19. data/app/views/shared/_login_bar.html.erb +1 -1
  20. data/app/views/shared/_user_form.html.erb +17 -0
  21. data/app/views/user_mailer/{password_reset_instructions.erb → reset_password_instructions.text.erb} +0 -0
  22. data/app/views/user_password_resets/edit.html.erb +15 -0
  23. data/app/views/{password_resets → user_password_resets}/new.html.erb +4 -4
  24. data/app/views/{users → user_registrations}/new.html.erb +2 -2
  25. data/app/views/user_sessions/new.html.erb +6 -2
  26. data/app/views/users/edit.html.erb +1 -1
  27. data/config/initializers/devise.rb +136 -0
  28. data/config/locales/en.yml +45 -0
  29. data/config/routes.rb +14 -7
  30. data/db/migrate/20101101185116_rename_columns_for_devise.rb +38 -0
  31. data/db/migrate/20101214150824_convert_user_remember_field.rb +11 -0
  32. data/db/migrate/20101217012656_create_tokenized_permissions.rb +18 -0
  33. data/db/migrate/20101219201531_tokens_for_legacy_orders.rb +12 -0
  34. data/db/sample/users.rb +1 -1
  35. data/lib/spree/token_resource.rb +23 -0
  36. data/lib/spree_auth.rb +13 -2
  37. data/lib/tasks/install.rake +0 -1
  38. metadata +35 -23
  39. data/app/models/user_session.rb +0 -3
  40. data/app/views/password_resets/edit.html.erb +0 -12
  41. data/lib/cancan/controller_additions.rb +0 -60
  42. data/lib/spree/auth_user.rb +0 -16
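--- a/data/app/controllers/checkout_controller_decorator.rb
+++ b/data/app/controllers/checkout_controller_decorator.rb
@@ -21,7 +21,7 @@ CheckoutController.class_eval do
 
  private
  def check_authorization
- authorize!(:edit, current_order)
+ authorize!(:edit, current_order, session[:access_token])
  end
 
  # Introduces a registration step whenever the +registration_step+ preference is true.
@@ -36,7 +36,7 @@ CheckoutController.class_eval do
  # are redirected to the tokenized order url unless authenticated as a registered user.
  def completion_route
  return order_path(@order) if current_user
- token_order_path(@order, @order.user.token)
+ token_order_path(@order, @order.token)
  end
 
  end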
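--- a/data/app/controllers/orders_controller_decorator.rb
+++ b/data/app/controllers/orders_controller_decorator.rb
@@ -6,14 +6,15 @@ OrdersController.class_eval do
 
  def store_guest
  return if current_user
- session[:guest_token] ||= @order.user.persistence_token
+ session[:access_token] = @order.token
  end
 
  def check_authorization
- session[:guest_token] ||= params[:token]
+ session[:access_token] ||= params[:token]
  order = current_order || Order.find_by_number(params[:id])
+
  if order
- authorize! :edit, order
+ authorize! :edit, order, session[:access_token]
  else
  authorize! :create, Order
  end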
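Review bot: `session[:access_token] ||= params[:token]` in check_authorization keeps whatever token the session already holds, so a guest who follows a tokenized link for a second order is still checked with the first order's token and gets AccessDenied; the `||=` was inherited from the removed guest_token line, while the new store_guest above assigns with `=`, so the two paths now disagree. Assigning when a token is actually supplied, `session[:access_token] = params[:token] if params[:token].present?`, keeps the URL token authoritative and leaves the decision of whether it matches the order to `authorize!`, which is the only place the value is validated. The `else` branch and the rest of the action continue outside the hunk.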
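--- a/data/app/controllers/resource_controller_decorator.rb
+++ b/data/app/controllers/resource_controller_decorator.rb
@@ -5,15 +5,19 @@ module ResourceController
  module Internal
  protected
  # Calls the before block for the action, if one is present.
- #
  def before(action)
+
  resource = case action
  when :index, :new, :create
  model
  else object
  end
 
- authorize! action, resource
+ if resource.respond_to? :token
+ authorize! action, resource, session[:access_token]
+ else
+ authorize! action, resource
+ end
  invoke_callbacks *self.class.send(action).before
  end
  end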
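Review bot: The comment above `before(action)` still reads only "Calls the before block for the action", while the body now also performs the authorization and picks the token-aware `authorize!` form by `resource.respond_to? :token`; for :index/:new/:create the resource is the model class, which does not answer to an instance-level `token`, so those actions are always authorized without the session token, and that is worth stating. Suggested comment: `# Authorizes the action before running callbacks: a resource that exposes a token (Order) is also checked against session[:access_token] so a guest holding the order's token passes; class-level actions never carry a token.` The Ability hunk in this release only adds token-aware rules for Order, so any other model that happens to respond to `token` will have the extra argument passed to rules that ignore it — acceptable today, but a named helper such as `tokenized?(resource)` would make the intent explicit.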
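--- a/data/app/controllers/spree/base_controller_decorator.rb
+++ b/data/app/controllers/spree/base_controller_decorator.rb
@@ -1,31 +1,11 @@
  Spree::BaseController.class_eval do
- before_filter :check_guest
-
- include Spree::AuthUser
 
  # graceful error handling for cancan authorization exceptions
- rescue_from CanCan::AccessDenied, :with => :unauthorized
-
- private
- # authorize the user as a guest if the have a valid token
- def check_guest
- session[:guest_token] ||= params[:token]
- end
-
- def current_user_session
- return @current_user_session if defined?(@current_user_session)
- @current_user_session = UserSession.find
- end
-
- def current_user
- return @current_user if defined?(@current_user)
- @current_user = current_user_session && current_user_session.user
+ rescue_from CanCan::AccessDenied do |exception|
+ return unauthorized
  end
 
- helper_method :current_user_session, :current_user
-
-
-
+ private
 
  # Redirect as appropriate when an access request fails. The default action is to redirect to the login screen.
  # Override this method in your controllers if you want to have special behavior in case the user is not authorized
@@ -44,15 +24,18 @@ Spree::BaseController.class_eval do
  format.xml do
  request_http_basic_authentication 'Web Password'
  end
+ format.json do
+ render :text => "Not Authorized \n", :status => 401
+ end
  end
  end
 
  def store_location
  # disallow return to login, logout, signup pages
- disallowed_urls = [signup_url, login_url, logout_url]
+ disallowed_urls = [signup_url, login_url, destroy_user_session_path]
  disallowed_urls.map!{|url| url[/\/\w+$/]}
  unless disallowed_urls.include?(request.fullpath)
- session[:return_to] = request.fullpath
+ session["user_return_to"] = request.fullpath
  end
  end
 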
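Review bot: `return unauthorized` inside the `rescue_from` block only works because this Rails generation binds the handler block as a method before calling it; a class-level block executed with plain `instance_exec` would raise LocalJumpError on that `return`. The block's last expression is already its value, so `unauthorized` on its own — or the removed `rescue_from CanCan::AccessDenied, :with => :unauthorized` form, which needs no block at all — does the same without depending on that detail, and the unused `exception` parameter can become `_exception`. In the second hunk the new JSON branch answers `401` without a `WWW-Authenticate` challenge; since AccessDenied here is an authorization failure for a possibly signed-in user, `:status => 403` is the status that matches the XML branch's intent, or keep 401 and add a comment saying API clients are expected to re-authenticate.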
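--- a/data/app/controllers/user_password_resets_controller.rb
+++ b/data/app/controllers/user_password_resets_controller.rb
@@ -0,0 +1,20 @@
+ class UserPasswordResetsController < Devise::PasswordsController
+ include SpreeBase
+ helper :users, 'spree/base'
+
+ def new
+ super
+ end
+
+ def create
+ super
+ end
+
+ def edit
+ super
+ end
+
+ def update
+ super
+ end
+ end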
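Review bot: Each of `new`, `create`, `edit` and `update` only calls `super`, so the four definitions change nothing and hide the fact that the subclass exists for the `include SpreeBase` and `helper :users, 'spree/base'` lines alone; deleting them leaves the behaviour identical and makes the reason for the class obvious. If they are kept as extension points, a one-line comment such as `# Overrides exist only so Spree layout/helpers apply; behaviour is Devise's` should say so. The same pattern appears in UserRegistrationsController (`new`, `edit`, `update`, `destroy`, `cancel`) in this release.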
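--- a/data/app/controllers/user_registrations_controller.rb
+++ b/data/app/controllers/user_registrations_controller.rb
@@ -0,0 +1,56 @@
+ class UserRegistrationsController < Devise::RegistrationsController
+ include SpreeBase
+ helper :users, 'spree/base'
+
+ before_filter :check_permissions, :only => [:edit, :update]
+ skip_before_filter :require_no_authentication
+
+ # GET /resource/sign_up
+ def new
+ super
+ end
+
+ # POST /resource/sign_up
+ def create
+ @user = build_resource(params[:user])
+ logger.debug(@user)
+ if resource.save
+ set_flash_message(:notice, :signed_up)
+ sign_in_and_redirect(:user, @user)
+ else
+ clean_up_passwords(resource)
+ render_with_scope(:new)
+ end
+ end
+
+ # GET /resource/edit
+ def edit
+ super
+ end
+
+ # PUT /resource
+ def update
+ super
+ end
+
+ # DELETE /resource
+ def destroy
+ super
+ end
+
+ # GET /resource/cancel
+ # Forces the session data which is usually expired after sign
+ # in to be expired now. This is useful if the user wants to
+ # cancel oauth signing in/up in the middle of the process,
+ # removing all OAuth session data.
+ def cancel
+ super
+ end
+
+ protected
+
+ def check_permissions
+ authorize!(:create, resource)
+ end
+
+ end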
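Review bot: `check_permissions` guards `edit` and `update` with `authorize!(:create, resource)`, but the Ability hunk in this release grants `can :create, User` unconditionally, so the filter passes for every visitor and never ties the record being edited to the signed-in user; `authorize!(:update, resource)`, backed by a `can :update, User` rule that compares the record with `user`, is the check these actions imply. `logger.debug(@user)` in `create` writes the new record's attribute dump to the log, which after the Devise column rename presumably includes the encrypted password and salt columns — log the id or email instead, or drop the line. `skip_before_filter :require_no_authentication` also lets an already signed-in user POST a registration and be switched to the new account by `sign_in_and_redirect`; if that is intended, a comment on that line should say why.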
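--- a/data/app/controllers/user_sessions_controller.rb
+++ b/data/app/controllers/user_sessions_controller.rb
@@ -1,35 +1,39 @@
- class UserSessionsController < Spree::BaseController
+ class UserSessionsController < Devise::SessionsController
+ include SpreeBase
+ helper :users, 'spree/base'
+
  include Spree::CurrentOrder
- include Spree::AuthUser
 
  after_filter :associate_user, :only => :create
 
  ssl_required :new, :create, :destroy, :update
  ssl_allowed :login_bar
 
+ # GET /resource/sign_in
  def new
- @user_session = UserSession.new
+ super
  end
 
  def create
- create_user_session(params[:user_session])
- # not_need_user_auto_creation =
- # user_without_openid(params[:user_session]) ||
- # user_with_openid_exists?(:openid_identifier => params['openid.identity']) ||
- # user_with_openid_exists?(params[:user_session])
-
- # if not_need_user_auto_creation
- # create_user_session(params[:user_session])
- # else
- # create_user(params[:user_session])
- # end
+ authenticate_user!
+
+ if user_signed_in?
+ respond_to do |format|
+ format.html {
+ flash[:notice] = t("logged_in_succesfully")
+ redirect_back_or_default(products_path)
+ }
+ format.js {
+ user = resource.record
+ render :json => {:ship_address => user.ship_address, :bill_address => user.bill_address}.to_json
+ }
+ end
+ end
  end
 
  def destroy
- current_user_session.destroy
  session.clear
- flash[:notice] = t("logged_out")
- redirect_to products_path
+ super
  end
 
  def nav_bar
@@ -44,71 +48,6 @@ class UserSessionsController < Spree::BaseController
  session[:guest_token] = nil
  end
 
- def user_with_openid_exists?(data)
- data && !data[:openid_identifier].blank? &&
- !!User.find(:first, :conditions => ["openid_identifier LIKE ?", "%#{data[:openid_identifier]}%"])
- end
-
- def user_without_openid(data)
- data && data[:openid_identifier].blank?
- end
-
- def create_user_session(data)
- @user_session = UserSession.new(data)
- @user_session.save do |result|
- if result
- # Should restore last uncompleted order and add current(guest) order to it, if exists.
- order = @user_session.record.orders.last(:conditions => {:completed_at => nil})
- if order
- if (session[:order_token] && guest_order = Order.find(:first, :conditions => {:token => session[:order_token], :user_id => nil, :completed_at => nil}))
- guest_order.line_items.each do |line_item|
- order.add_variant(line_item.variant, line_item.quantity)
- end
- order.save
- session[:return_to].gsub!(guest_order.number, order.number) if session[:return_to]
- guest_order.destroy
- end
- session[:order_token] = order.token
- session[:order_id] = order.id
- end
-
- respond_to do |format|
- format.html {
- flash[:notice] = t("logged_in_succesfully") unless session[:return_to]
- redirect_back_or_default products_path
- }
- format.js {
- user = @user_session.record
- render :json => {:ship_address => user.ship_address, :bill_address => user.bill_address}.to_json
- }
- end
- else
- respond_to do |format|
- format.html {
- flash.now[:error] = t("login_failed")
- render :action => :new
- }
- format.js { render :json => false }
- end
- end
- end
- redirect_back_or_default(products_path) unless performed?
- end
-
- def create_user(data)
- @user = User.new(data)
-
- @user.save do |result|
- if result
- flash[:notice] = t(:user_created_successfully) unless session[:return_to]
- redirect_back_or_default products_url
- else
- flash[:notice] = t(:missing_required_information)
- redirect_to :controller => :users, :action => :new, :user => {:openid_identifier => @user.openid_identifier}
- end
- end
- end
-
  def accurate_title
  I18n.t(:log_in)
  end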
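Review bot: In `create`, the `format.js` branch calls `resource.record`, which is the Authlogic `UserSession#record` API carried over from the removed `user = @user_session.record` line; under Devise `resource` here is presumably `@user`, which this override never assigns because it does not call `super`, so the branch raises NoMethodError on nil. `user = current_user` is the signed-in Devise user whose `ship_address` and `bill_address` the JSON response wants. The second hunk leaves `session[:guest_token] = nil` as context inside `associate_user` (its body starts outside the hunk), while this release stores the guest credential as `session[:access_token]` in OrdersController, so the order token is never cleared when the guest signs in; the same leftover line is visible in users_controller.rb.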
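--- a/data/app/controllers/users_controller.rb
+++ b/data/app/controllers/users_controller.rb
@@ -10,7 +10,6 @@ class UsersController < Spree::BaseController
  end
 
  create.after do
- create_session
  associate_user
  end
 
@@ -22,12 +21,7 @@ class UsersController < Spree::BaseController
  end
 
  update.wants.html { redirect_to account_url }
-
- update.after do
- create_session
- end
-
- update.flash I18n.t("account_updated")
+ update.flash { I18n.t("account_updated") }
 
  private
  def object
@@ -44,11 +38,5 @@ class UsersController < Spree::BaseController
  session[:guest_token] = nil
  end
 
- def create_session
- session_params = params[:user]
- session_params[:login] = session_params[:email]
- UserSession.create session_params
- end
-
  end
 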
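Review bot: With `create_session` gone from `create.after`, nothing in this controller signs in a user it creates, so a sign-up that still reaches UsersController#create ends with an unauthenticated session; presumably registration now routes to UserRegistrationsController, which calls `sign_in_and_redirect`, but the controller itself no longer says so. A comment on the `create.after` block such as `# Sign-up and login now live in UserRegistrationsController/Devise; this action only links the guest order to the new account` would stop the next reader from re-adding a session call here. The `associate_user` body that the third hunk touches starts outside the hunk.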
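--- a/data/app/helpers/users_helper.rb
+++ b/data/app/helpers/users_helper.rb
@@ -0,0 +1,13 @@
+ module UsersHelper
+ def password_style(user)
+ ActiveSupport::Deprecation.warn "[SPREE] Password style has be depreciated due to the removal of OpenID from the Auth Gem. "
+ "Please install the spree_social gem to regain this functionality and more."
+ ""
+ end
+ def openid_style(user)
+ ActiveSupport::Deprecation.warn "[SPREE] Password style has be depreciated due to the removal of OpenID from the Auth Gem. "
+ "Please install the spree_social gem to regain this functionality and more."
+ "display:none"
+ end
+
+ end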
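Review bot: In both helpers the deprecation message is split into two string literals on consecutive lines with no `\` or `+` between them, so the second line is a separate expression statement and `ActiveSupport::Deprecation.warn` receives only the first sentence; ending the first line with a trailing backslash, `"...from the Auth Gem. " \`, joins the two literals into one argument. `openid_style` also warns about "Password style", which reads like a copy of the first message and should name OpenID style. Neither method uses its `user` parameter; `_user` marks that as deliberate.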
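--- a/data/app/models/ability.rb
+++ b/data/app/models/ability.rb
@@ -38,11 +38,11 @@ class Ability
  end
  can :create, User
  #############################
- can :read, Order do |order|
- order.user == user
+ can :read, Order do |order, token|
+ order.user == user || order.token && token == order.token
  end
- can :update, Order do |order|
- order.user == user
+ can :update, Order do |order, token|
+ order.user == user || order.token && token == order.token
  end
  can :create, Order
  #############################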
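Review bot: `order.user == user` is true when both sides are nil, so unless the Ability constructor (outside the hunk) substitutes a placeholder for an anonymous visitor, an order that has no user assigned is readable and updatable by anyone who knows its number, and the token branch never has to match. Making the user clause conditional on a real user, `(user && order.user == user) || (order.token && token == order.token)`, closes that and also spells out the `||`/`&&` precedence the current line relies on. The same expression appears in both the :read and :update rules, so a small private lambda shared by the two blocks would keep them from drifting apart.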
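--- a/data/app/models/order_decorator.rb
+++ b/data/app/models/order_decorator.rb
@@ -1,5 +1,5 @@
  Order.class_eval do
- delegate :token, :to => :user
+ token_resource
 
  # Associates the specified user with the order and destroys any previous association with guest user if
  # necessary.
@@ -10,6 +10,7 @@ Order.class_eval do
  save(:validate => false)
  end
 
- validates_format_of :email, :with => Authlogic::Regex.email, :if => :require_email
-
+ # TODO: validate the format of the email as well (but we can't rely on authlogic anymore to help with validation)
+ validates_presence_of :email, :if => :require_email
+ validates_format_of :email, :with => /^([\w\.%\+\-]+)@([\w\-]+\.)+([\w]{2,})$/i, :if => :require_email
  end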
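Review bot: The email pattern is anchored with `^` and `$`, which in Ruby match at line boundaries, so a value that carries a newline after a well-formed address still passes `validates_format_of`; anchoring the whole string, `:with => /\A([\w\.%\+\-]+)@([\w\-]+\.)+([\w]{2,})\z/i`, is the usual fix. The `# TODO: validate the format of the email as well` comment is already satisfied by the line beneath it, so it should go or be reworded to say the regex is a local replacement for the former `Authlogic::Regex.email`. `require_email` is defined outside the hunk.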
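--- a/data/app/models/spree_current_order_decorator.rb
+++ b/data/app/models/spree_current_order_decorator.rb
@@ -2,7 +2,7 @@ Spree::CurrentOrder.module_eval do
 
  # Associate the new order with the currently authenticated user before saving
  def before_save_new_order
- @current_order.user = auth_user
+ @current_order.user ||= current_user
  end
 
  end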
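Review bot: The comment still says the new order is associated with the authenticated user, but `||=` now keeps a user that was already assigned, and when nobody is signed in the order is saved with `user` left nil rather than the anonymous record the removed `auth_user` call presumably supplied. `# Associate the new order with the signed-in user unless one is already assigned; for a guest this leaves user nil` describes the new behaviour. Whether a nil user is safe depends on the Ability rules, which compare `order.user == user`, so that assumption is worth recording here.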
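--- a/data/app/models/tokenized_permission.rb
+++ b/data/app/models/tokenized_permission.rb
@@ -0,0 +1,3 @@
+ class TokenizedPermission < ActiveRecord::Base
+ belongs_to :permissable, :polymorphic => true
+ end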
data/app/models/user.rb CHANGED
@@ -1,5 +1,8 @@
1
1
  class User < ActiveRecord::Base
2
2
 
3
+ devise :database_authenticatable, :token_authenticatable, :registerable, :recoverable,
4
+ :rememberable, :trackable, :validatable, :encryptable, :encryptor => "authlogic_sha512"
5
+
3
6
  has_many :orders
4
7
  has_and_belongs_to_many :roles
5
8
  belongs_to :ship_address, :foreign_key => "ship_address_id", :class_name => "Address"
@@ -8,22 +11,8 @@ class User < ActiveRecord::Base
8
11
  before_save :check_admin
9
12
  before_validation :set_login
10
13
 
11
- acts_as_authentic do |c|
12
- c.transition_from_restful_authentication = true
13
- c.maintain_sessions = false
14
- #AuthLogic defaults
15
- #c.validate_email_field = true
16
- #c.validates_length_of_email_field_options = {:within => 6..100}
17
- #c.validates_format_of_email_field_options = {:with => email_regex, :message => I18n.t(‘error_messages.email_invalid’, :default => “should look like an email address.”)}
18
- #c.validate_password_field = true
19
- #c.validates_length_of_password_field_options = {:minimum => 4, :if => :require_password?}
20
- #for more defaults check the AuthLogic documentation
21
- end
22
-
23
14
  # Setup accessible (or protected) attributes for your model
24
- attr_accessible :email, :password, :password_confirmation, :remember_me
25
-
26
- alias_attribute :token, :persistence_token
15
+ attr_accessible :email, :password, :password_confirmation, :remember_me, :persistence_token
27
16
 
28
17
  # has_role? simply needs to return true or false whether a user has a role or not.
29
18
  def has_role?(role_in_question)
@@ -35,18 +24,27 @@ class User < ActiveRecord::Base
35
24
  # when adding to the "cart" (which is really an order) and before the customer has a chance to provide an email or to register.
36
25
  def self.anonymous!
37
26
  token = User.generate_token(:persistence_token)
38
- User.create(:email => "#{token}@example.net", :password => token, :password_confirmation => token)
27
+ User.create(:email => "#{token}@example.net", :password => token, :password_confirmation => token, :persistence_token => token)
39
28
  end
40
29
 
41
30
  def self.admin_created?
42
31
  Role.where(:name => "admin").includes(:users).count > 0
43
32
  end
44
33
 
34
+ def anonymous?
35
+ email =~ /@example.net$/
36
+ end
37
+
45
38
  def deliver_password_reset_instructions!
46
39
  reset_perishable_token!
47
40
  UserMailer.password_reset_instructions(self).deliver
48
41
  end
49
42
 
43
+ protected
44
+ def password_required?
45
+ !persisted? || password.present? || password_confirmation.present?
46
+ end
47
+
50
48
  private
51
49
 
52
50
  def check_admin