spree_auth_devise 1.0.0

data/LICENSE

@@ -0,0 +1,26 @@
+Copyright (c) 2007-2012, Spree Commerce, Inc. and other contributors
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification,
+are permitted provided that the following conditions are met:
+
+    * Redistributions of source code must retain the above copyright notice,
+      this list of conditions and the following disclaimer.
+    * Redistributions in binary form must reproduce the above copyright notice,
+      this list of conditions and the following disclaimer in the documentation
+      and/or other materials provided with the distribution.
+    * Neither the name Spree nor the names of its contributors may be used to
+      endorse or promote products derived from this software without specific
+      prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
+CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

data/README.md

@@ -0,0 +1,39 @@
+# Spree Auth (Devise)
+
+Provides authentication services for Spree, using the Devise gem.
+
+## Installation
+
+At one stage in the past, this used to be the auth component for Spree. If that's the feature that you're now finding lacking from Spree, that's easy fixed.
+
+Just add this line to your Gemfile:
+
+    gem "spree_auth_devise", :git => "git://github.com/spree/spree_auth_devise"
+
+Then run `bundle install`. Authentication will then work exactly as it did in previous versions of Spree.
+
+If you're installing this in a new Spree 1.2+ application, you'll need to install and run the migrations with
+
+    bundle exec rake spree_auth:install:migrations
+    bundle exec rake db:migrate
+
+and then, run `bundle exec rake spree_auth:admin:create` in order to set up the admin user for the application.
+
+If you're updating a Spree 1.1 application, run these to migrate the database:
+
+    rake railties:install:migrations
+    rake db:migrate
+
+
+## Testing
+
+You need to do a quick one-time creation of a test application and then you can use it to run the tests.
+
+    bundle exec rake test_app
+
+Then run the rspec tests
+
+    bundle exec rake spec
+
+If everything doesn't pass on your machine (using Ruby (1.8.7 or 1.9.3) and (MySQL or PostgreSQL or SQLite3)) then we would consider that a bug. Please file a bug report on the issues page for this project with your test output
+and we will investigate it.

data/app/assets/javascripts/admin/spree_auth.js

@@ -0,0 +1 @@
+//= require admin/spree_core

data/app/assets/javascripts/store/spree_auth.js

@@ -0,0 +1 @@
+//= require store/spree_core

data/app/assets/stylesheets/admin/spree_auth.css

@@ -0,0 +1,3 @@
+/*
+ *= require admin/spree_core
+*/

data/app/assets/stylesheets/store/spree_auth.css

@@ -0,0 +1,3 @@
+/*
+ *= require store/spree_core
+*/

data/app/controllers/spree/admin/admin_controller_decorator.rb

@@ -0,0 +1,7 @@
+require File.expand_path('../../base_controller_decorator', __FILE__)
+Spree::Admin::BaseController.class_eval do
+  protected
+    def model_class
+      "Spree::#{controller_name.classify}".constantize
+    end
+end

data/app/controllers/spree/admin/admin_orders_controller_decorator.rb

@@ -0,0 +1,14 @@
+Spree::Admin::OrdersController.class_eval do
+  before_filter :check_authorization
+
+  private
+    def check_authorization
+      load_order
+      session[:access_token] ||= params[:token]
+
+      resource = @order || Spree::Order.new
+      action = params[:action].to_sym
+
+      authorize! action, resource, session[:access_token]
+    end
+end

data/app/controllers/spree/admin/admin_resource_controller_decorator.rb

@@ -0,0 +1,3 @@
+Spree::Admin::ResourceController.class_eval do
+  rescue_from CanCan::AccessDenied, :with => :unauthorized
+end

data/app/controllers/spree/admin/admin_users_controller_decorator.rb

@@ -0,0 +1,21 @@
+require File.expand_path('../../base_controller_decorator', __FILE__)
+Spree::Admin::UsersController.class_eval do
+  rescue_from Spree::User::DestroyWithOrdersError, :with => :user_destroy_with_orders_error
+
+  update.after :sign_in_if_change_own_password
+
+  before_filter :load_roles, :only => [:edit, :new, :update, :create]
+
+  private
+
+    def sign_in_if_change_own_password
+      if spree_current_user == @user && @user.password.present?
+        sign_in(@user, :event => :authentication, :bypass => true)
+      end
+    end
+
+    def load_roles
+      @roles = Spree::Role.scoped
+    end
+end
+

data/app/controllers/spree/admin/users_controller.rb

@@ -0,0 +1,77 @@
+module Spree
+  module Admin
+    class UsersController < ResourceController
+
+      # http://spreecommerce.com/blog/2010/11/02/json-hijacking-vulnerability/
+      before_filter :check_json_authenticity, :only => :index
+      before_filter :load_roles, :only => [:edit, :new, :update, :create, :generate_api_key, :clear_api_key]
+
+      def index
+        respond_with(@collection) do |format|
+          format.html
+          format.json { render :json => json_data }
+        end
+      end
+
+      def generate_api_key
+        if @user.generate_spree_api_key!
+          flash.notice = t('key_generated', :scope => 'spree.api')
+        end
+        redirect_to edit_admin_user_path(@user)
+      end
+
+      def clear_api_key
+        if @user.clear_spree_api_key!
+          flash.notice = t('key_cleared', :scope => 'spree.api')
+        end
+        redirect_to edit_admin_user_path(@user)
+      end
+
+
+      protected
+
+        def collection
+          return @collection if @collection.present?
+          unless request.xhr?
+            @search = Spree::User.registered.ransack(params[:q])
+            @collection = @search.result.page(params[:page]).per(Spree::Config[:admin_products_per_page])
+          else
+            #disabling proper nested include here due to rails 3.1 bug
+            #@collection = User.includes(:bill_address => [:state, :country], :ship_address => [:state, :country]).
+            @collection = Spree::User.includes(:bill_address, :ship_address).
+                              where("spree_users.email #{LIKE} :search
+                                     OR (spree_addresses.firstname #{LIKE} :search AND spree_addresses.id = spree_users.bill_address_id)
+                                     OR (spree_addresses.lastname  #{LIKE} :search AND spree_addresses.id = spree_users.bill_address_id)
+                                     OR (spree_addresses.firstname #{LIKE} :search AND spree_addresses.id = spree_users.ship_address_id)
+                                     OR (spree_addresses.lastname  #{LIKE} :search AND spree_addresses.id = spree_users.ship_address_id)",
+              { :search => "#{params[:q].strip}%" }).
+                limit(params[:limit] || 100)
+            end
+          end
+
+      private
+
+        # handling raise from Spree::Admin::ResourceController#destroy
+        def user_destroy_with_orders_error
+          invoke_callbacks(:destroy, :fails)
+          render :status => :forbidden, :text => t(:error_user_destroy_with_orders)
+        end
+
+        # Allow different formats of json data to suit different ajax calls
+        def json_data
+          json_format = params[:json_format] or 'default'
+          case json_format
+          when 'basic'
+            collection.map { |u| { 'id' => u.id, 'name' => u.email } }.to_json
+          else
+            address_fields = [:firstname, :lastname, :address1, :address2, :city, :zipcode, :phone, :state_name, :state_id, :country_id]
+            includes = { :only => address_fields , :include => { :state => { :only => :name }, :country => { :only => :name } } }
+
+            collection.to_json(:only => [:id, :email], :include =>
+                               { :bill_address => includes, :ship_address => includes })
+          end
+        end
+
+    end
+  end
+end

data/app/controllers/spree/base_controller_decorator.rb

@@ -0,0 +1,18 @@
+Spree::BaseController.class_eval do
+  def spree_login_path
+    spree.login_path
+  end
+
+  def spree_signup_path
+    spree.signup_path
+  end
+
+  def spree_logout_path
+    spree.destroy_user_session_path
+  end
+
+  def spree_current_user
+    current_user
+  end
+end
+

data/app/controllers/spree/checkout_controller_decorator.rb

@@ -0,0 +1,47 @@
+Spree::CheckoutController.class_eval do
+  before_filter :check_authorization
+  before_filter :check_registration, :except => [:registration, :update_registration]
+
+  helper 'spree/users'
+
+  def registration
+    @user = Spree::User.new
+  end
+
+  def update_registration
+    fire_event("spree.user.signup", :order => current_order)
+    # hack - temporarily change the state to something other than cart so we can validate the order email address
+    current_order.state = 'address'
+    if current_order.update_attributes(params[:order])
+      redirect_to checkout_path
+    else
+      @user = Spree::User.new
+      render 'registration'
+    end
+  end
+
+  private
+
+    def skip_state_validation?
+      %w(registration update_registration).include?(params[:action])
+    end
+
+    def check_authorization
+      authorize!(:edit, current_order, session[:access_token])
+    end
+
+    # Introduces a registration step whenever the +registration_step+ preference is true.
+    def check_registration
+      return unless Spree::Auth::Config[:registration_step]
+      return if spree_current_user or current_order.email
+      store_location
+      redirect_to spree.checkout_registration_path
+    end
+
+    # Overrides the equivalent method defined in Spree::Core.  This variation of the method will ensure that users
+    # are redirected to the tokenized order url unless authenticated as a registered user.
+    def completion_route
+      return order_path(@order) if spree_current_user
+      spree.token_order_path(@order, @order.token)
+    end
+end

data/app/controllers/spree/orders_controller_decorator.rb

@@ -0,0 +1,15 @@
+Spree::OrdersController.class_eval do
+  before_filter :check_authorization
+
+  private
+    def check_authorization
+      session[:access_token] ||= params[:token]
+      order = Spree::Order.find_by_number(params[:id]) || current_order
+
+      if order
+        authorize! :edit, order, session[:access_token]
+      else
+        authorize! :create, Spree::Order.new
+      end
+    end
+end

data/app/controllers/spree/products_controller_decorator.rb

@@ -0,0 +1,13 @@
+Spree::ProductsController.class_eval do
+  rescue_from CanCan::AccessDenied, :with => :render_404
+
+  private
+    def load_product
+      @product = Spree::Product.find_by_permalink!(params[:id])
+      if !@product.deleted? && (@product.available_on.nil? || @product.available_on.future?)
+        # Allow admins to view any yet to be available products
+        raise CanCan::AccessDenied unless spree_current_user && spree_current_user.has_spree_role?(:admin)
+      end
+    end
+end
+

data/app/controllers/spree/user_passwords_controller.rb

@@ -0,0 +1,32 @@
+class Spree::UserPasswordsController < Devise::PasswordsController
+  include SslRequirement
+  helper 'spree/users', 'spree/base'
+
+  if defined?(Spree::Dash)
+    helper 'spree/analytics'
+  end
+
+  include Spree::Core::ControllerHelpers
+
+  ssl_required
+
+  # Temporary Override until next Devise release (i.e after v1.3.4)
+  # line:
+  #   respond_with resource, :location => new_session_path(resource_name)
+  # is generating bad url /session/new.user
+  #
+  # overridden to:
+  #   respond_with resource, :location => login_path
+  #
+  def create
+    self.resource = resource_class.send_reset_password_instructions(params[resource_name])
+
+    if resource.errors.empty?
+      set_flash_message(:notice, :send_instructions) if is_navigational_format?
+      respond_with resource, :location => spree.login_path
+    else
+      respond_with_navigational(resource) { render :new }
+    end
+  end
+
+end

data/app/controllers/spree/user_registrations_controller.rb

@@ -0,0 +1,63 @@
+class Spree::UserRegistrationsController < Devise::RegistrationsController
+  include SslRequirement
+  helper 'spree/users', 'spree/base'
+
+  if defined?(Spree::Dash)
+    helper 'spree/analytics'
+  end
+
+  include Spree::Core::ControllerHelpers
+  ssl_required
+  before_filter :check_permissions, :only => [:edit, :update]
+  skip_before_filter :require_no_authentication
+
+  # GET /resource/sign_up
+  def new
+    super
+  end
+
+  # POST /resource/sign_up
+  def create
+    @user = build_resource(params[:user])
+    if resource.save
+      set_flash_message(:notice, :signed_up)
+      sign_in(:user, @user)
+      session[:spree_user_signup] = true
+      associate_user
+      sign_in_and_redirect(:user, @user)
+    else
+      clean_up_passwords(resource)
+      render :new
+    end
+  end
+
+  # GET /resource/edit
+  def edit
+    super
+  end
+
+  # PUT /resource
+  def update
+    super
+  end
+
+  # DELETE /resource
+  def destroy
+    super
+  end
+
+  # GET /resource/cancel
+  # Forces the session data which is usually expired after sign
+  # in to be expired now. This is useful if the user wants to
+  # cancel oauth signing in/up in the middle of the process,
+  # removing all OAuth session data.
+  def cancel
+    super
+  end
+
+  protected
+    def check_permissions
+      authorize!(:create, resource)
+    end
+
+end

data/app/controllers/spree/user_sessions_controller.rb

@@ -0,0 +1,58 @@
+class Spree::UserSessionsController < Devise::SessionsController
+  include SslRequirement
+  helper 'spree/users', 'spree/base'
+  if defined?(Spree::Dash)
+    helper 'spree/analytics'
+  end
+
+  include Spree::Core::CurrentOrder
+  include Spree::Core::ControllerHelpers
+
+  ssl_required :new, :create, :destroy, :update
+  ssl_allowed :login_bar
+
+  # GET /resource/sign_in
+  def new
+    super
+  end
+
+  def create
+    authenticate_user!
+
+    if user_signed_in?
+      respond_to do |format|
+        format.html {
+          flash.notice = t(:logged_in_succesfully)
+          redirect_back_or_default(root_path)
+        }
+        format.js {
+          user = resource.record
+          render :json => {:ship_address => user.ship_address, :bill_address => user.bill_address}.to_json
+        }
+      end
+    else
+      flash.now[:error] = t('devise.failure.invalid')
+      render :new
+    end
+  end
+
+  def destroy
+    cookies.clear
+    session.clear
+    super
+  end
+
+  def nav_bar
+    render :partial => 'spree/shared/nav_bar'
+  end
+
+  private
+    def accurate_title
+      t(:login)
+    end
+
+    def redirect_back_or_default(default)
+      redirect_to(session["user_return_to"] || default)
+      session["user_return_to"] = nil
+    end
+end

data/app/controllers/spree/users_controller.rb

@@ -0,0 +1,50 @@
+class Spree::UsersController < Spree::BaseController
+  ssl_required
+  prepend_before_filter :load_object, :only => [:show, :edit, :update]
+  prepend_before_filter :authorize_actions, :only => :new
+
+  def show
+    @orders = @user.orders.complete
+  end
+
+  def create
+    @user = Spree::User.new(params[:user])
+    if @user.save
+
+      if current_order
+        session[:guest_token] = nil
+      end
+
+      redirect_back_or_default(root_url)
+    else
+      render :new
+    end
+  end
+
+  def update
+    if @user.update_attributes(params[:user])
+      if params[:user][:password].present?
+        # this logic needed b/c devise wants to log us out after password changes
+        user = Spree::User.reset_password_by_token(params[:user])
+        sign_in(@user, :event => :authentication, :bypass => !Spree::Auth::Config[:signout_after_password_change])
+      end
+      redirect_to spree.account_url, :notice => t(:account_updated)
+    else
+      render :edit
+    end
+  end
+
+  private
+    def load_object
+      @user ||= spree_current_user
+      authorize! params[:action].to_sym, @user
+    end
+
+    def authorize_actions
+      authorize! params[:action].to_sym, Spree::User.new
+    end
+
+    def accurate_title
+      t(:my_account)
+    end
+end

data/app/helpers/spree/admin/users_helper.rb

@@ -0,0 +1,10 @@
+module Spree
+  module Admin
+    module UsersHelper
+      def list_roles(user)
+        # while testing spree-core itself user model does not have method roles
+        user.respond_to?(:spree_roles) ? user.spree_roles.collect { |role| role.name }.join(", ") : []
+      end
+    end
+  end
+end

data/app/helpers/spree/users_helper.rb

@@ -0,0 +1,15 @@
+module Spree
+  module UsersHelper
+    def password_style(user)
+      ActiveSupport::Deprecation.warn '[SPREE] Password style has be depreciated due to the removal of OpenID from the Auth Gem. '
+        'Please install the spree_social gem to regain this functionality and more.'
+      ''
+    end
+
+    def openid_style(user)
+      ActiveSupport::Deprecation.warn '[SPREE] Password style has be depreciated due to the removal of OpenID from the Auth Gem. '
+        'Please install the spree_social gem to regain this functionality and more.'
+      'display:none'
+    end
+  end
+end

data/app/mailers/spree/user_mailer.rb

@@ -0,0 +1,8 @@
+class Spree::UserMailer < ActionMailer::Base
+  def reset_password_instructions(user)
+    @edit_password_reset_url = spree.edit_user_password_url(:reset_password_token => user.reset_password_token)
+
+    mail(:to => user.email,
+         :subject => Spree::Config[:site_name] + ' ' + I18n.t(:password_reset_instructions))
+  end
+end

data/app/models/spree/auth_configuration.rb

@@ -0,0 +1,6 @@
+module Spree
+  class AuthConfiguration < Preferences::Configuration
+    preference :registration_step, :boolean, :default => true
+    preference :signout_after_password_change, :boolean, :default => true
+  end
+end

data/app/models/spree/current_order_decorator.rb

@@ -0,0 +1,12 @@
+Spree::Core::CurrentOrder.module_eval do
+  # Associate the new order with the currently authenticated user before saving
+  def before_save_new_order
+    @current_order.user ||= try_spree_current_user
+  end
+
+  def after_save_new_order
+    # make sure the user has permission to access the order (if they are a guest)
+    return if spree_current_user
+    session[:access_token] = @current_order.token
+  end
+end

data/app/models/spree/user.rb

@@ -0,0 +1,83 @@
+module Spree
+  class User < ActiveRecord::Base
+    include Core::UserBanners
+
+    devise :database_authenticatable, :token_authenticatable, :registerable, :recoverable,
+           :rememberable, :trackable, :validatable, :encryptable, :encryptor => 'authlogic_sha512'
+
+    has_many :orders
+    belongs_to :ship_address, :foreign_key => 'ship_address_id', :class_name => 'Spree::Address'
+    belongs_to :bill_address, :foreign_key => 'bill_address_id', :class_name => 'Spree::Address'
+
+    before_save :check_admin
+    before_validation :set_login
+    before_destroy :check_completed_orders
+
+    # Setup accessible (or protected) attributes for your model
+    attr_accessible :email, :password, :password_confirmation, :remember_me, :persistence_token, :login, :spree_role_ids
+
+    users_table_name = User.table_name
+    roles_table_name = Role.table_name
+
+    scope :admin, lambda { includes(:spree_roles).where("#{roles_table_name}.name" => "admin") }
+    scope :registered, where("#{users_table_name}.email NOT LIKE ?", "%@example.net")
+
+    class DestroyWithOrdersError < StandardError; end
+
+    # Creates an anonymous user.  An anonymous user is basically an auto-generated +User+ account that is created for the customer
+    # behind the scenes and its completely transparently to the customer.  All +Orders+ must have a +User+ so this is necessary
+    # when adding to the "cart" (which is really an order) and before the customer has a chance to provide an email or to register.
+    def self.anonymous!
+      token = User.generate_token(:persistence_token)
+      User.create(:email => "#{token}@example.net", :password => token, :password_confirmation => token, :persistence_token => token)
+    end
+
+    def self.admin_created?
+      User.admin.count > 0
+    end
+
+    def anonymous?
+      email =~ /@example.net$/ ? true : false
+    end
+
+    def send_reset_password_instructions
+      generate_reset_password_token!
+      UserMailer.reset_password_instructions(self).deliver
+    end
+
+    protected
+      def password_required?
+        !persisted? || password.present? || password_confirmation.present?
+      end
+
+    private
+
+      def check_completed_orders
+        raise DestroyWithOrdersError if orders.complete.present?
+      end
+
+      def check_admin
+        return if self.class.admin_created?
+        admin_role = Role.find_or_create_by_name 'admin'
+        self.spree_roles << admin_role
+      end
+
+      def set_login
+        # for now force login to be same as email, eventually we will make this configurable, etc.
+        self.login ||= self.email if self.email
+      end
+
+      # Generate a friendly string randomically to be used as token.
+      def self.friendly_token
+        SecureRandom.base64(15).tr('+/=', '-_ ').strip.delete("\n")
+      end
+
+      # Generate a token by looping and ensuring does not already exist.
+      def self.generate_token(column)
+        loop do
+          token = friendly_token
+          break token unless find(:first, :conditions => { column => token })
+        end
+      end
+  end
+end

data/app/overrides/admin_tab.rb

@@ -0,0 +1,6 @@
+Deface::Override.new(:virtual_path => "spree/layouts/admin",
+                     :name => "user_admin_tabs",
+                     :insert_bottom => "[data-hook='admin_tabs'], #admin_tabs[data-hook]",
+                     :text => "<%= tab(:users, :url => spree.admin_users_path) %>",
+                     :disabled => false)
+

data/app/overrides/auth_admin_login_navigation_bar.rb

@@ -0,0 +1,5 @@
+Deface::Override.new(:virtual_path => "spree/layouts/admin",
+                     :name => "auth_admin_login_navigation_bar",
+                     :replace => "[data-hook='admin_login_navigation_bar'], #admin_login_navigation_bar[data-hook]",
+                     :partial => "spree/layouts/admin/login_nav",
+                     :original => '0a5476d4d5db90ec8dd200ebaa0109a6a54ec6bc' )