spree_auth_devise 1.3.1 → 3.0.5

data/config/routes.rb

@@ -1,31 +1,48 @@
-Spree::Core::Engine.routes.draw do
-  devise_for :user,
+Spree::Core::Engine.add_routes do
+  devise_for :spree_user,
              :class_name => 'Spree::User',
              :controllers => { :sessions => 'spree/user_sessions',
                                :registrations => 'spree/user_registrations',
-                               :passwords => 'spree/user_passwords' },
+                               :passwords => 'spree/user_passwords',
+                               :confirmations => 'spree/user_confirmations' },
              :skip => [:unlocks, :omniauth_callbacks],
-             :path_names => { :sign_out => 'logout' }
-end
+             :path_names => { :sign_out => 'logout' },
+             :path_prefix => :user
 
-Spree::Core::Engine.routes.prepend do
   resources :users, :only => [:edit, :update]
 
-  devise_scope :user do
+  devise_scope :spree_user do
     get '/login' => 'user_sessions#new', :as => :login
+    post '/login' => 'user_sessions#create', :as => :create_new_session
+    get '/logout' => 'user_sessions#destroy', :as => :logout
     get '/signup' => 'user_registrations#new', :as => :signup
+    post '/signup' => 'user_registrations#create', :as => :registration
+    get '/password/recover' => 'user_passwords#new', :as => :recover_password
+    post '/password/recover' => 'user_passwords#create', :as => :reset_password
+    get '/password/change' => 'user_passwords#edit', :as => :edit_password
+    put '/password/change' => 'user_passwords#update', :as => :update_password
+    get '/confirm' => 'user_confirmations#show', :as => :confirmation if Spree::Auth::Config[:confirmable]
   end
 
-  match '/checkout/registration' => 'checkout#registration', :via => :get, :as => :checkout_registration
-  match '/checkout/registration' => 'checkout#update_registration', :via => :put, :as => :update_checkout_registration
+  get '/checkout/registration' => 'checkout#registration', :as => :checkout_registration
+  put '/checkout/registration' => 'checkout#update_registration', :as => :update_checkout_registration
 
-  match '/orders/:id/token/:token' => 'orders#show', :via => :get, :as => :token_order
+  resource :account, :controller => 'users'
 
-  resource :session do
-    member do
-      get :nav_bar
+  namespace :admin do
+    devise_for :spree_user,
+               :class_name => 'Spree::User',
+               :controllers => { :sessions => 'spree/admin/user_sessions',
+                                 :passwords => 'spree/admin/user_passwords' },
+               :skip => [:unlocks, :omniauth_callbacks, :registrations],
+               :path_names => { :sign_out => 'logout' },
+               :path_prefix => :user
+    devise_scope :spree_user do
+      get '/authorization_failure', :to => 'user_sessions#authorization_failure', :as => :unauthorized
+      get '/login' => 'user_sessions#new', :as => :login
+      post '/login' => 'user_sessions#create', :as => :create_new_session
+      get '/logout' => 'user_sessions#destroy', :as => :logout
     end
-  end
 
-  resource :account, :controller => 'users'
+  end
 end

data/db/default/users.rb

@@ -55,11 +55,19 @@ def create_admin_user
   if Spree::User.find_by_email(email)
     say "\nWARNING: There is already a user with the email: #{email}, so no account changes were made.  If you wish to create an additional admin user, please run rake spree_auth:admin:create again with a different email.\n\n"
   else
-    admin = Spree::User.create(attributes)
-    # create an admin role and and assign the admin user to that role
-    role = Spree::Role.find_or_create_by_name 'admin'
-    admin.spree_roles << role
-    admin.save
+    admin = Spree::User.new(attributes)
+    if admin.save
+      role = Spree::Role.find_or_create_by(name: 'admin')
+      admin.spree_roles << role
+      admin.save
+      admin.generate_spree_api_key!
+      say "Done!"
+    else
+      say "There was some problems with persisting new admin user:"
+      admin.errors.full_messages.each do |error|
+        say error
+      end
+    end
   end
 end
 
@@ -73,4 +81,3 @@ else
     puts 'No admin user created.'
   end
 end
-

data/db/migrate/20140904000425_add_deleted_at_to_users.rb

@@ -0,0 +1,6 @@
+class AddDeletedAtToUsers < ActiveRecord::Migration
+  def change
+    add_column :spree_users, :deleted_at, :datetime
+    add_index :spree_users, :deleted_at
+  end
+end

data/db/migrate/20141002154641_add_confirmable_to_users.rb

@@ -0,0 +1,7 @@
+class AddConfirmableToUsers < ActiveRecord::Migration
+  def change
+    add_column :spree_users, :confirmation_token, :string
+    add_column :spree_users, :confirmed_at, :datetime
+    add_column :spree_users, :confirmation_sent_at, :datetime
+  end
+end

data/lib/assets/javascripts/spree/backend/spree_auth.js.erb

@@ -0,0 +1 @@
+//= require spree/backend

data/lib/assets/javascripts/spree/frontend/spree_auth.js.erb

@@ -0,0 +1 @@
+//= require spree/frontend

data/lib/assets/stylesheets/spree/backend/spree_auth.css.erb

@@ -0,0 +1,3 @@
+/*
+ *= require spree/backend
+*/

data/lib/assets/stylesheets/spree/frontend/spree_auth.css.erb

@@ -0,0 +1,3 @@
+/*
+ *= require spree/frontend
+*/

data/lib/controllers/backend/spree/admin/admin_controller_decorator.rb

@@ -0,0 +1,26 @@
+Spree::Admin::BaseController.class_eval do
+
+  # Redirect as appropriate when an access request fails.  The default action is to redirect to the login screen.
+  # Override this method in your controllers if you want to have special behavior in case the user is not authorized
+  # to access the requested action.  For example, a popup window might simply close itself.
+  def unauthorized
+    if try_spree_current_user
+      flash[:error] = Spree.t(:authorization_failure)
+      redirect_to spree.admin_unauthorized_path
+    else
+      store_location
+      redirect_to spree.admin_login_path
+    end
+  end
+
+  protected
+
+    def model_class
+      const_name = controller_name.classify
+      if Spree.const_defined?(const_name, false)
+        return "Spree::#{const_name}".constantize
+      end
+      nil
+    end
+
+end

data/lib/controllers/backend/spree/admin/admin_orders_controller_decorator.rb

@@ -0,0 +1,20 @@
+Spree::Admin::OrdersController.class_eval do
+  before_filter :check_authorization
+
+  private
+    def load_order_action
+      [:edit, :update, :cancel, :resume, :approve, :resend, :open_adjustments, :close_adjustments, :cart]
+    end
+  
+    def check_authorization
+      action = params[:action].to_sym
+      if load_order_action.include?(action)
+        load_order
+        session[:access_token] ||= params[:token]
+        resource = @order || Spree::Order.new
+        authorize! action, resource, session[:access_token]
+      else
+        authorize! :index, Spree::Order
+      end
+    end
+end

data/{app/controllers/spree/admin/admin_orders_controller_decorator.rb → lib/controllers/backend/spree/admin/orders/customer_details_controller_decorator.rb}

@@ -1,4 +1,4 @@
-Spree::Admin::OrdersController.class_eval do
+Spree::Admin::Orders::CustomerDetailsController.class_eval do
   before_filter :check_authorization
 
   private
@@ -6,8 +6,9 @@ Spree::Admin::OrdersController.class_eval do
       load_order
       session[:access_token] ||= params[:token]
 
-      resource = @order || Spree::Order.new
+      resource = @order
       action = params[:action].to_sym
+      action = :edit if action == :show # show route renders :edit for this controller
 
       authorize! action, resource, session[:access_token]
     end

data/lib/controllers/backend/spree/admin/user_passwords_controller.rb

@@ -0,0 +1,42 @@
+class Spree::Admin::UserPasswordsController < Devise::PasswordsController
+  helper 'spree/base'
+
+  include Spree::Core::ControllerHelpers::Auth
+  include Spree::Core::ControllerHelpers::Common
+  include Spree::Core::ControllerHelpers::Store
+
+  helper 'spree/admin/navigation'
+  helper 'spree/admin/tables'
+  layout 'spree/layouts/admin'
+
+  # Overridden due to bug in Devise.
+  #   respond_with resource, :location => new_session_path(resource_name)
+  # is generating bad url /session/new.user
+  #
+  # overridden to:
+  #   respond_with resource, :location => spree.login_path
+  #
+  def create
+    self.resource = resource_class.send_reset_password_instructions(params[resource_name])
+
+    if resource.errors.empty?
+      set_flash_message(:notice, :send_instructions) if is_navigational_format?
+      respond_with resource, :location => spree.admin_login_path
+    else
+      respond_with_navigational(resource) { render :new }
+    end
+  end
+
+  # Devise::PasswordsController allows for blank passwords.
+  # Silly Devise::PasswordsController!
+  # Fixes spree/spree#2190.
+  def update
+    if params[:spree_user][:password].blank?
+      set_flash_message(:error, :cannot_be_blank)
+      render :edit
+    else
+      super
+    end
+  end
+
+end

data/lib/controllers/backend/spree/admin/user_sessions_controller.rb

@@ -0,0 +1,53 @@
+class Spree::Admin::UserSessionsController < Devise::SessionsController
+  helper 'spree/base'
+
+  include Spree::Core::ControllerHelpers::Auth
+  include Spree::Core::ControllerHelpers::Common
+  include Spree::Core::ControllerHelpers::Store
+
+  helper 'spree/admin/navigation'
+  helper 'spree/admin/tables'
+  layout :resolve_layout
+
+  def create
+    authenticate_spree_user!
+
+    if spree_user_signed_in?
+      respond_to do |format|
+        format.html {
+          flash[:success] = Spree.t(:logged_in_succesfully)
+          redirect_back_or_default(after_sign_in_path_for(spree_current_user))
+        }
+        format.js {
+          user = resource.record
+          render :json => {:ship_address => user.ship_address, :bill_address => user.bill_address}.to_json
+        }
+      end
+    else
+      flash.now[:error] = t('devise.failure.invalid')
+      render :new
+    end
+  end
+
+  def authorization_failure
+  end
+
+  private
+    def accurate_title
+      Spree.t(:login)
+    end
+
+    def redirect_back_or_default(default)
+      redirect_to(session["spree_user_return_to"] || default)
+      session["spree_user_return_to"] = nil
+    end
+
+    def resolve_layout
+      case action_name
+      when "new", "create"
+        "spree/layouts/login"
+      else
+        "spree/layouts/admin"
+      end
+    end
+end

data/{app/controllers → lib/controllers/frontend}/spree/checkout_controller_decorator.rb

@@ -1,33 +1,33 @@
+require 'spree/core/validators/email'
 Spree::CheckoutController.class_eval do
   before_filter :check_authorization
   before_filter :check_registration, :except => [:registration, :update_registration]
 
-  helper 'spree/users'
-
   def registration
     @user = Spree::User.new
   end
 
   def update_registration
-    fire_event("spree.user.signup", :order => current_order)
-    # hack - temporarily change the state to something other than cart so we can validate the order email address
-    current_order.state = 'address'
-    if current_order.update_attributes(params[:order])
-      redirect_to checkout_path
+    if params[:order][:email] =~ Devise.email_regexp && current_order.update_attribute(:email, params[:order][:email])
+      redirect_to spree.checkout_path
     else
+      flash[:registration_error] = t(:email_is_invalid, :scope => [:errors, :messages])
       @user = Spree::User.new
       render 'registration'
     end
   end
 
   private
+    def order_params
+      params[:order] ? params.require(:order).permit(:email) : {}
+    end
 
     def skip_state_validation?
       %w(registration update_registration).include?(params[:action])
     end
 
     def check_authorization
-      authorize!(:edit, current_order, session[:access_token])
+      authorize!(:edit, current_order, cookies.signed[:guest_token])
     end
 
     # Introduces a registration step whenever the +registration_step+ preference is true.
@@ -37,11 +37,4 @@ Spree::CheckoutController.class_eval do
       store_location
       redirect_to spree.checkout_registration_path
     end
-
-    # Overrides the equivalent method defined in Spree::Core.  This variation of the method will ensure that users
-    # are redirected to the tokenized order url unless authenticated as a registered user.
-    def completion_route
-      return order_path(@order) if spree_current_user
-      spree.token_order_path(@order, @order.token)
-    end
 end

data/lib/controllers/frontend/spree/user_confirmations_controller.rb

@@ -0,0 +1,14 @@
+class Spree::UserConfirmationsController < Devise::ConfirmationsController
+  helper 'spree/base'
+
+  include Spree::Core::ControllerHelpers::Auth
+  include Spree::Core::ControllerHelpers::Common
+  include Spree::Core::ControllerHelpers::Order
+  include Spree::Core::ControllerHelpers::Store
+
+  protected
+
+  def after_confirmation_path_for(resource_name, resource)
+    signed_in?(resource_name) ? signed_in_root_path(resource) : spree.login_path
+  end
+end

data/{app/controllers → lib/controllers/frontend}/spree/user_passwords_controller.rb

@@ -1,16 +1,10 @@
 class Spree::UserPasswordsController < Devise::PasswordsController
-  include SslRequirement
-  helper 'spree/users', 'spree/base'
-
-  if defined?(Spree::Dash)
-    helper 'spree/analytics'
-  end
+  helper 'spree/base'
 
   include Spree::Core::ControllerHelpers::Auth
   include Spree::Core::ControllerHelpers::Common
   include Spree::Core::ControllerHelpers::Order
-
-  ssl_required
+  include Spree::Core::ControllerHelpers::Store
 
   # Overridden due to bug in Devise.
   #   respond_with resource, :location => new_session_path(resource_name)
@@ -34,7 +28,9 @@ class Spree::UserPasswordsController < Devise::PasswordsController
   # Silly Devise::PasswordsController!
   # Fixes spree/spree#2190.
   def update
-    if params[:user][:password].blank?
+    if params[:spree_user][:password].blank?
+      self.resource = resource_class.new
+      resource.reset_password_token = params[:spree_user][:reset_password_token]
       set_flash_message(:error, :cannot_be_blank)
       render :edit
     else
@@ -42,4 +38,9 @@ class Spree::UserPasswordsController < Devise::PasswordsController
     end
   end
 
+  protected
+
+  def new_session_path(resource_name)
+    spree.send("new_#{resource_name}_session_path")
+  end
 end

data/{app/controllers → lib/controllers/frontend}/spree/user_registrations_controller.rb

@@ -1,34 +1,31 @@
 class Spree::UserRegistrationsController < Devise::RegistrationsController
-
-  include SslRequirement
-  helper 'spree/users', 'spree/base'
-
-  if defined?(Spree::Dash)
-    helper 'spree/analytics'
-  end
+  helper 'spree/base'
 
   include Spree::Core::ControllerHelpers::Auth
   include Spree::Core::ControllerHelpers::Common
   include Spree::Core::ControllerHelpers::Order
+  include Spree::Core::ControllerHelpers::Store
 
-  ssl_required
   before_filter :check_permissions, :only => [:edit, :update]
   skip_before_filter :require_no_authentication
 
   # GET /resource/sign_up
   def new
     super
+    @user = resource
   end
 
   # POST /resource/sign_up
   def create
-    @user = build_resource(params[:user])
+    @user = build_resource(spree_user_params)
     if resource.save
       set_flash_message(:notice, :signed_up)
-      sign_in(:user, @user)
+      if current_order
+        current_order.associate_user! @user
+      end
+      sign_in(:spree_user, @user)
       session[:spree_user_signup] = true
-      associate_user
-      sign_in_and_redirect(:user, @user)
+      respond_with resource, location: after_sign_up_path_for(resource)
     else
       clean_up_passwords(resource)
       render :new
@@ -60,8 +57,14 @@ class Spree::UserRegistrationsController < Devise::RegistrationsController
   end
 
   protected
-    def check_permissions
-      authorize!(:create, resource)
-    end
 
+  def check_permissions
+    authorize!(:create, resource)
+  end
+
+  private
+
+  def spree_user_params
+    params.require(:spree_user).permit(Spree::PermittedAttributes.user_attributes)
+  end
 end