spree_auth 0.70.7 → 1.0.0.rc1

data/LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2007-2011, Rails Dog LLC and other contributors
+Copyright (c) 2007-2011, Spree Commerce, Inc. and other contributors
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without modification,
@@ -23,4 +23,4 @@ PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
 PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
 LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
 NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
-SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

data/README.md

@@ -30,10 +30,6 @@ Then run the rspec tests
 
     bundle exec rake spec
 
-Then run the cucumber tests
-
-    bundle exec cucumber
-
 Misc
 ----
 

data/app/controllers/resource_controller_decorator.rb

@@ -4,22 +4,22 @@ module ResourceController
   module Helpers
     module Internal
       protected
-      # Calls the before block for the action, if one is present.
-      def before(action)
+        # Calls the before block for the action, if one is present.
+        def before(action)
 
-        resource = case action
-        when :index, :new, :create
-          model
-        else object
-        end
+          resource = case action
+          when :index, :new, :create
+            model
+          else object
+          end
 
-        if resource.respond_to? :token
-          authorize! action, resource, session[:access_token]
-        else
-          authorize! action, resource
+          if resource.respond_to? :token
+            authorize! action, resource, session[:access_token]
+          else
+            authorize! action, resource
+          end
+          invoke_callbacks *self.class.send(action).before
         end
-        invoke_callbacks *self.class.send(action).before
-      end
     end
   end
 end

data/app/controllers/spree/admin/admin_controller_decorator.rb

@@ -0,0 +1,19 @@
+require File.expand_path('../../base_controller_decorator', __FILE__)
+Spree::Admin::BaseController.class_eval do
+  before_filter :authorize_admin
+
+  def authorize_admin
+    begin
+      model = model_class
+    rescue
+      model = Object
+    end
+    authorize! :admin, model
+    authorize! params[:action].to_sym, model
+  end
+
+  protected
+    def model_class
+      "Spree::#{controller_name.classify}".constantize
+    end
+end

data/app/controllers/spree/admin/admin_orders_controller_decorator.rb

@@ -0,0 +1,14 @@
+Spree::Admin::OrdersController.class_eval do
+  before_filter :check_authorization
+
+  private
+    def check_authorization
+      load_order
+      session[:access_token] ||= params[:token]
+
+      resource = @order || Spree::Order
+      action = params[:action].to_sym
+
+      authorize! action, resource, session[:access_token]
+    end
+end

data/app/controllers/spree/admin/admin_resource_controller_decorator.rb

@@ -0,0 +1,3 @@
+Spree::Admin::ResourceController.class_eval do
+   authorize_resource :class => lambda { model_class }
+end

data/app/controllers/spree/base_controller_decorator.rb

@@ -1,5 +1,4 @@
 Spree::BaseController.class_eval do
-
   before_filter :set_current_user
 
   # graceful error handling for cancan authorization exceptions
@@ -8,41 +7,43 @@ Spree::BaseController.class_eval do
   end
 
   private
-
-  # Redirect as appropriate when an access request fails.  The default action is to redirect to the login screen.
-  # Override this method in your controllers if you want to have special behavior in case the user is not authorized
-  # to access the requested action.  For example, a popup window might simply close itself.
-  def unauthorized
-    respond_to do |format|
-      format.html do
-        if current_user
-          flash.now[:error] = I18n.t(:authorization_failure)
-          render 'shared/unauthorized', :layout => 'spree_application'
-        else
-          store_location
-          redirect_to login_path and return
+    # Needs to be overriden so that we use Spree's Ability rather than anyone else's.
+    def current_ability
+      @current_ability ||= Spree::Ability.new(current_user)
+    end
+    # Redirect as appropriate when an access request fails.  The default action is to redirect to the login screen.
+    # Override this method in your controllers if you want to have special behavior in case the user is not authorized
+    # to access the requested action.  For example, a popup window might simply close itself.
+    def unauthorized
+      respond_to do |format|
+        format.html do
+          if current_user
+            flash.now[:error] = t(:authorization_failure)
+            render 'spree/shared/unauthorized', :layout => '/spree/layouts/spree_application'
+          else
+            store_location
+            redirect_to spree.login_path and return
+          end
+        end
+        format.xml do
+          request_http_basic_authentication 'Web Password'
+        end
+        format.json do
+          render :text => "Not Authorized \n", :status => 401
         end
-      end
-      format.xml do
-        request_http_basic_authentication 'Web Password'
-      end
-      format.json do
-        render :text => "Not Authorized \n", :status => 401
       end
     end
-  end
 
-  def store_location
-    # disallow return to login, logout, signup pages
-    disallowed_urls = [signup_url, login_url, destroy_user_session_path]
-    disallowed_urls.map!{|url| url[/\/\w+$/]}
-    unless disallowed_urls.include?(request.fullpath)
-      session["user_return_to"] = request.fullpath
+    def store_location
+      # disallow return to login, logout, signup pages
+      disallowed_urls = [spree.signup_url, spree.login_url, spree.destroy_user_session_path]
+      disallowed_urls.map!{ |url| url[/\/\w+$/] }
+      unless disallowed_urls.include?(request.fullpath)
+        session['user_return_to'] = request.fullpath.gsub('//', '/')
+      end
     end
-  end
-
-  def set_current_user
-    User.current = current_user
-  end
 
+    def set_current_user
+      Spree::User.current = current_user
+    end
 end

data/app/controllers/spree/checkout_controller_decorator.rb

@@ -0,0 +1,41 @@
+Spree::CheckoutController.class_eval do
+  before_filter :check_authorization
+  before_filter :check_registration, :except => [:registration, :update_registration]
+
+  helper 'spree/users'
+
+  def registration
+    @user = Spree::User.new
+  end
+
+  def update_registration
+    # hack - temporarily change the state to something other than cart so we can validate the order email address
+    current_order.state = 'address'
+    if current_order.update_attributes(params[:order])
+      redirect_to checkout_path
+    else
+      @user = Spree::User.new
+      render 'registration'
+    end
+  end
+
+  private
+    def check_authorization
+      authorize!(:edit, current_order, session[:access_token])
+    end
+
+    # Introduces a registration step whenever the +registration_step+ preference is true.
+    def check_registration
+      return unless Spree::Auth::Config[:registration_step]
+      return if current_user or current_order.email
+      store_location
+      redirect_to spree.checkout_registration_path
+    end
+
+    # Overrides the equivalent method defined in Spree::Core.  This variation of the method will ensure that users
+    # are redirected to the tokenized order url unless authenticated as a registered user.
+    def completion_route
+      return order_path(@order) if current_user
+      spree.token_order_path(@order, @order.token)
+    end
+end

data/app/controllers/spree/orders_controller_decorator.rb

@@ -0,0 +1,15 @@
+Spree::OrdersController.class_eval do
+  before_filter :check_authorization
+
+  private
+    def check_authorization
+      session[:access_token] ||= params[:token]
+      order = current_order || Spree::Order.find_by_number(params[:id])
+
+      if order
+        authorize! :edit, order, session[:access_token]
+      else
+        authorize! :create, Spree::Order
+      end
+    end
+end

data/app/controllers/{user_passwords_controller.rb → spree/user_passwords_controller.rb}

@@ -1,8 +1,8 @@
-class UserPasswordsController < Devise::PasswordsController
-  include SpreeBase
-  helper :users, 'spree/base'
-  
-  after_filter :associate_user, :only => :update
+class Spree::UserPasswordsController < Devise::PasswordsController
+  include Spree::Core::ControllerHelpers
+  helper 'spree/users', 'spree/base'
+
+  after_filter :associate_user
 
   def new
     super
@@ -21,7 +21,7 @@ class UserPasswordsController < Devise::PasswordsController
 
     if resource.errors.empty?
       set_flash_message(:notice, :send_instructions) if is_navigational_format?
-      respond_with resource, :location => login_path 
+      respond_with resource, :location => spree.login_path
     else
       respond_with_navigational(resource){ render_with_scope :new }
     end
@@ -34,13 +34,12 @@ class UserPasswordsController < Devise::PasswordsController
   def update
     super
   end
-  
+
   private
-  
-  def associate_user
-    return unless current_user and current_order
-    current_order.associate_user!(current_user)
-    session[:guest_token] = nil
-  end
-  
+
+    def associate_user
+      return unless current_user and current_order
+      current_order.associate_user!(current_user)
+      session[:guest_token] = nil
+    end
 end

data/app/controllers/{user_registrations_controller.rb → spree/user_registrations_controller.rb}

@@ -1,6 +1,6 @@
-class UserRegistrationsController < Devise::RegistrationsController
-  include SpreeBase
-  helper :users, 'spree/base'
+class Spree::UserRegistrationsController < Devise::RegistrationsController
+  include Spree::Core::ControllerHelpers
+  helper 'spree/users', 'spree/base'
 
   ssl_required
   after_filter :associate_user, :only => :create
@@ -51,15 +51,13 @@ class UserRegistrationsController < Devise::RegistrationsController
   end
 
   protected
+    def check_permissions
+      authorize!(:create, resource)
+    end
 
-  def check_permissions
-    authorize!(:create, resource)
-  end
-
-  def associate_user
-    return unless current_user and current_order
-    current_order.associate_user!(current_user)
-    session[:guest_token] = nil
-  end
-
+    def associate_user
+      return unless current_user and current_order
+      current_order.associate_user!(current_user)
+      session[:guest_token] = nil
+    end
 end

data/app/controllers/{user_sessions_controller.rb → spree/user_sessions_controller.rb}

@@ -1,8 +1,8 @@
-class UserSessionsController < Devise::SessionsController
-  include SpreeBase
-  helper :users, 'spree/base'
+class Spree::UserSessionsController < Devise::SessionsController
+  include Spree::Core::ControllerHelpers
+  helper 'spree/users', 'spree/base'
 
-  include Spree::CurrentOrder
+  include Spree::Core::CurrentOrder
 
   after_filter :associate_user, :only => :create
 
@@ -20,7 +20,7 @@ class UserSessionsController < Devise::SessionsController
     if user_signed_in?
       respond_to do |format|
         format.html {
-          flash[:notice] = I18n.t("logged_in_succesfully")
+          flash.notice = t(:logged_in_succesfully)
           redirect_back_or_default(products_path)
         }
         format.js {
@@ -29,7 +29,7 @@ class UserSessionsController < Devise::SessionsController
         }
       end
     else
-      flash[:error] = I18n.t("devise.failure.invalid")
+      flash.now[:error] = t('devise.failure.invalid')
       render :new
     end
   end
@@ -40,19 +40,17 @@ class UserSessionsController < Devise::SessionsController
   end
 
   def nav_bar
-    render :partial => "shared/nav_bar"
+    render :partial => 'spree/shared/nav_bar'
   end
 
   private
+    def associate_user
+      return unless current_user and current_order
+      current_order.associate_user!(current_user)
+      session[:guest_token] = nil
+    end
 
-  def associate_user
-    return unless current_user and current_order
-    current_order.associate_user!(current_user)
-    session[:guest_token] = nil
-  end
-
-  def accurate_title
-    I18n.t(:log_in)
-  end
-
+    def accurate_title
+      t(:log_in)
+    end
 end

data/app/controllers/{users_controller.rb → spree/users_controller.rb}

@@ -1,4 +1,4 @@
-class UsersController < Spree::BaseController
+class Spree::UsersController < Spree::BaseController
   prepend_before_filter :load_object, :only => [:show, :edit, :update]
   prepend_before_filter :authorize_actions, :only => :new
 
@@ -7,7 +7,7 @@ class UsersController < Spree::BaseController
   end
 
   def create
-    @user = User.new(params[:user])
+    @user = Spree::User.new(params[:user])
     if @user.save
 
       if current_order
@@ -17,24 +17,21 @@ class UsersController < Spree::BaseController
 
       redirect_back_or_default(root_url)
     else
-      render 'new'
+      render :new
     end
-
   end
 
   def update
     if @user.update_attributes(params[:user])
       if params[:user][:password].present?
         # this logic needed b/c devise wants to log us out after password changes
-        user = User.reset_password_by_token(params[:user])
+        user = Spree::User.reset_password_by_token(params[:user])
         sign_in(@user, :event => :authentication, :bypass => !Spree::Auth::Config[:signout_after_password_change])
       end
-      flash.notice = I18n.t("account_updated")
-      redirect_to account_url
+      redirect_to spree.account_url, :notice => t(:account_updated)
     else
-      render 'edit'
+      render :edit
     end
-
   end
 
   private
@@ -44,11 +41,10 @@ class UsersController < Spree::BaseController
     end
 
     def authorize_actions
-      authorize! params[:action].to_sym, User
+      authorize! params[:action].to_sym, Spree::User
     end
 
     def accurate_title
-      I18n.t(:account)
+      t(:my_account)
     end
-
 end

data/app/helpers/spree/users_helper.rb

@@ -0,0 +1,15 @@
+module Spree
+  module UsersHelper
+    def password_style(user)
+      ActiveSupport::Deprecation.warn '[SPREE] Password style has be depreciated due to the removal of OpenID from the Auth Gem. '
+        'Please install the spree_social gem to regain this functionality and more.'
+      ''
+    end
+
+    def openid_style(user)
+      ActiveSupport::Deprecation.warn '[SPREE] Password style has be depreciated due to the removal of OpenID from the Auth Gem. '
+        'Please install the spree_social gem to regain this functionality and more.'
+      'display:none'
+    end
+  end
+end

data/app/mailers/spree/user_mailer.rb

@@ -0,0 +1,10 @@
+class Spree::UserMailer < ActionMailer::Base
+  def reset_password_instructions(user)
+    default_url_options[:host] = Spree::Config[:site_url]
+
+    @edit_password_reset_url = spree.edit_user_password_url(:reset_password_token => user.reset_password_token)
+
+    mail(:to => user.email,
+         :subject => Spree::Config[:site_name] + ' ' + I18n.t(:password_reset_instructions))
+  end
+end

data/app/models/spree/ability.rb

@@ -0,0 +1,65 @@
+# Implementation class for Cancan gem.  Instead of overriding this class, consider adding new permissions
+# using the special +register_ability+ method which allows extensions to add their own abilities.
+#
+# See http://github.com/ryanb/cancan for more details on cancan.
+module Spree
+  class Ability
+    include CanCan::Ability
+
+    class_attribute :abilities
+    self.abilities = Set.new
+
+    # Allows us to go beyond the standard cancan initialize method which makes it difficult for engines to
+    # modify the default +Ability+ of an application.  The +ability+ argument must be a class that includes
+    # the +CanCan::Ability+ module.  The registered ability should behave properly as a stand-alone class
+    # and therefore should be easy to test in isolation.
+    def self.register_ability(ability)
+      self.abilities.add(ability)
+    end
+
+    def initialize(user)
+      self.clear_aliased_actions
+
+      # override cancan default aliasing (we don't want to differentiate between read and index)
+      alias_action :edit, :to => :update
+      alias_action :new, :to => :create
+      alias_action :new_action, :to => :create
+      alias_action :show, :to => :read
+
+      user ||= Spree::User.new
+      if user.has_role? 'admin'
+        can :manage, :all
+      else
+        #############################
+        can :read, User do |resource|
+          resource == user
+        end
+        can :update, User do |resource|
+          resource == user
+        end
+        can :create, User
+        #############################
+        can :read, Order do |order, token|
+          order.user == user || order.token && token == order.token
+        end
+        can :update, Order do |order, token|
+          order.user == user || order.token && token == order.token
+        end
+        can :create, Order
+        #############################
+        can :read, Product
+        can :index, Product
+        #############################
+        can :read, Taxon
+        can :index, Taxon
+        #############################
+      end
+
+      #include any abilities registered by extensions, etc.
+      Ability.abilities.each do |clazz|
+        ability = clazz.send(:new, user)
+        @rules = rules + ability.send(:rules)
+      end
+    end
+  end
+end

data/app/models/spree/auth_configuration.rb

@@ -0,0 +1,6 @@
+module Spree
+  class AuthConfiguration < Preferences::Configuration
+    preference :registration_step, :boolean, :default => true
+    preference :signout_after_password_change, :boolean, :default => true
+  end
+end

data/app/models/{spree_current_order_decorator.rb → spree/current_order_decorator.rb}

@@ -1,5 +1,4 @@
-Spree::CurrentOrder.module_eval do
-
+Spree::Core::CurrentOrder.module_eval do
   # Associate the new order with the currently authenticated user before saving
   def before_save_new_order
     @current_order.user ||= current_user
@@ -10,5 +9,4 @@ Spree::CurrentOrder.module_eval do
     return if current_user
     session[:access_token] = @current_order.token
   end
-
 end

data/app/models/{order_decorator.rb → spree/order_decorator.rb}

@@ -1,4 +1,4 @@
-Order.class_eval do
+Spree::Order.class_eval do
   token_resource
 
   # Associates the specified user with the order and destroys any previous association with guest user if

data/app/models/spree/tokenized_permission.rb

@@ -0,0 +1,5 @@
+module Spree
+  class TokenizedPermission < ActiveRecord::Base
+    belongs_to :permissable, :polymorphic => true
+  end
+end

data/app/models/spree/user.rb

@@ -0,0 +1,87 @@
+module Spree
+  class User < ActiveRecord::Base
+    devise :database_authenticatable, :token_authenticatable, :registerable, :recoverable,
+           :rememberable, :trackable, :validatable, :encryptable, :encryptor => 'authlogic_sha512'
+
+    has_many :orders
+    has_and_belongs_to_many :roles, :join_table => 'spree_roles_users'
+    belongs_to :ship_address, :foreign_key => 'ship_address_id', :class_name => 'Spree::Address'
+    belongs_to :bill_address, :foreign_key => 'bill_address_id', :class_name => 'Spree::Address'
+
+    before_save :check_admin
+    before_validation :set_login
+
+    # Setup accessible (or protected) attributes for your model
+    attr_accessible :email, :password, :password_confirmation, :remember_me, :persistence_token
+
+    users_table_name = User.table_name
+    roles_table_name = Role.table_name
+
+    scope :admin, lambda { includes(:roles).where("#{roles_table_name}.name" => "admin") }
+    scope :registered, where("#{users_table_name}.email NOT LIKE ?", "%@example.net")
+
+    # has_role? simply needs to return true or false whether a user has a role or not.
+    def has_role?(role_in_question)
+      roles.any? { |role| role.name == role_in_question.to_s }
+    end
+
+    # Creates an anonymous user.  An anonymous user is basically an auto-generated +User+ account that is created for the customer
+    # behind the scenes and its completely transparently to the customer.  All +Orders+ must have a +User+ so this is necessary
+    # when adding to the "cart" (which is really an order) and before the customer has a chance to provide an email or to register.
+    def self.anonymous!
+      token = User.generate_token(:persistence_token)
+      User.create(:email => "#{token}@example.net", :password => token, :password_confirmation => token, :persistence_token => token)
+    end
+
+    def self.admin_created?
+      User.admin.count > 0
+    end
+
+    def anonymous?
+      email =~ /@example.net$/
+    end
+
+    def send_reset_password_instructions
+      generate_reset_password_token!
+      UserMailer.reset_password_instructions(self).deliver
+    end
+
+    protected
+      def password_required?
+        !persisted? || password.present? || password_confirmation.present?
+      end
+
+    private
+      def check_admin
+        return if self.class.admin_created?
+        admin_role = Role.find_or_create_by_name 'admin'
+        self.roles << admin_role
+      end
+
+      def set_login
+        # for now force login to be same as email, eventually we will make this configurable, etc.
+        self.login ||= self.email if self.email
+      end
+
+      # Generate a friendly string randomically to be used as token.
+      def self.friendly_token
+        SecureRandom.base64(15).tr('+/=', '-_ ').strip.delete("\n")
+      end
+
+      # Generate a token by looping and ensuring does not already exist.
+      def self.generate_token(column)
+        loop do
+          token = friendly_token
+          break token unless find(:first, :conditions => { column => token })
+        end
+      end
+
+      def self.current
+        Thread.current[:user]
+      end
+
+      def self.current=(user)
+        Thread.current[:user] = user
+      end
+  end
+end

data/app/overrides/auth_admin_login_navigation_bar.rb

@@ -1,4 +1,4 @@
-Deface::Override.new(:virtual_path => "layouts/admin",
+Deface::Override.new(:virtual_path => "spree/layouts/admin",
                      :name => "auth_admin_login_navigation_bar",
                      :replace => "[data-hook='admin_login_navigation_bar'], #admin_login_navigation_bar[data-hook]",
-                     :partial => "layouts/admin/login_nav")
+                     :partial => "spree/layouts/admin/login_nav")

data/app/overrides/auth_shared_login_bar.rb

@@ -1,6 +1,6 @@
-Deface::Override.new(:virtual_path => "shared/_nav_bar",
+Deface::Override.new(:virtual_path => "spree/shared/_nav_bar",
                      :name => "auth_shared_login_bar",
                      :insert_after => "li#search-bar",
-                     :partial => "shared/login_bar",
+                     :partial => "spree/shared/login_bar",
                      :disabled => false)