diff options
| author | simon <simon@zagal.(none)> | 2009-02-08 23:15:11 +0100 |
|---|---|---|
| committer | hukl <hukl@eight.local> | 2009-02-15 20:22:01 +0100 |
| commit | 9f94a70c3e3d9bf766cb9663b0a904d30a190d85 (patch) | |
| tree | 4b4bbf567ec60a939d024b083b478d72476700a5 /app/controllers | |
| parent | 48ffd4eb446bcaeba7651758ec3002f342702249 (diff) | |
* initial commit of the stripped restful-authentication
* http basic auth and login from cookie have been removed
* no it does not work yet, it's so f*cking secure, it won't even let legitimate users login
Diffstat (limited to 'app/controllers')
| -rw-r--r-- | app/controllers/application_controller.rb | 4 | ||||
| -rw-r--r-- | app/controllers/sessions_controller.rb | 40 |
2 files changed, 43 insertions, 1 deletions
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 6635a3f..b481317 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb | |||
| @@ -2,9 +2,11 @@ | |||
| 2 | # Likewise, all the methods added will be available for all controllers. | 2 | # Likewise, all the methods added will be available for all controllers. |
| 3 | 3 | ||
| 4 | class ApplicationController < ActionController::Base | 4 | class ApplicationController < ActionController::Base |
| 5 | include AuthenticatedSystem | ||
| 6 | |||
| 5 | helper :all # include all helpers, all the time | 7 | helper :all # include all helpers, all the time |
| 6 | protect_from_forgery # See ActionController::RequestForgeryProtection for details | 8 | protect_from_forgery # See ActionController::RequestForgeryProtection for details |
| 7 | 9 | ||
| 8 | # Scrub sensitive parameters from your log | 10 | # Scrub sensitive parameters from your log |
| 9 | # filter_parameter_logging :password | 11 | filter_parameter_logging :password, :password_confirmation |
| 10 | end | 12 | end |
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb new file mode 100644 index 0000000..7c06ac8 --- /dev/null +++ b/app/controllers/sessions_controller.rb | |||
| @@ -0,0 +1,40 @@ | |||
| 1 | # This controller handles the login/logout function of the site. | ||
| 2 | class SessionsController < ApplicationController | ||
| 3 | |||
| 4 | # render new.rhtml | ||
| 5 | def new | ||
| 6 | end | ||
| 7 | |||
| 8 | def create | ||
| 9 | logout_keeping_session! | ||
| 10 | user = User.authenticate(params[:login], params[:password]) | ||
| 11 | if user | ||
| 12 | # Protects against session fixation attacks, causes request forgery | ||
| 13 | # protection if user resubmits an earlier form using back | ||
| 14 | # button. Uncomment if you understand the tradeoffs. | ||
| 15 | reset_session | ||
| 16 | |||
| 17 | self.current_user = user | ||
| 18 | redirect_back_or_default('/') # TODO: insert appropriate path to cms main page | ||
| 19 | flash[:notice] = "Logged in successfully" | ||
| 20 | else | ||
| 21 | note_failed_signin | ||
| 22 | @login = params[:login] | ||
| 23 | @remember_me = params[:remember_me] | ||
| 24 | render :action => 'new' | ||
| 25 | end | ||
| 26 | end | ||
| 27 | |||
| 28 | def destroy | ||
| 29 | logout_killing_session! | ||
| 30 | flash[:notice] = "You have been logged out." | ||
| 31 | redirect_back_or_default('/login') | ||
| 32 | end | ||
| 33 | |||
| 34 | protected | ||
| 35 | # Track failed login attempts | ||
| 36 | def note_failed_signin | ||
| 37 | flash[:error] = "Couldn't log you in as '#{params[:login]}'" | ||
| 38 | logger.warn "Failed login for '#{params[:login]}' from #{request.remote_ip} at #{Time.now.utc}" | ||
| 39 | end | ||
| 40 | end | ||
