diff options
| author | simon <simon@zagal.(none)> | 2009-02-08 23:15:11 +0100 |
|---|---|---|
| committer | hukl <hukl@eight.local> | 2009-02-15 20:22:01 +0100 |
| commit | 9f94a70c3e3d9bf766cb9663b0a904d30a190d85 (patch) | |
| tree | 4b4bbf567ec60a939d024b083b478d72476700a5 /app | |
| parent | 48ffd4eb446bcaeba7651758ec3002f342702249 (diff) | |
* initial commit of the stripped restful-authentication
* http basic auth and login from cookie have been removed
* no it does not work yet, it's so f*cking secure, it won't even let legitimate users login
Diffstat (limited to 'app')
| -rw-r--r-- | app/controllers/application_controller.rb | 4 | ||||
| -rw-r--r-- | app/controllers/sessions_controller.rb | 40 | ||||
| -rw-r--r-- | app/helpers/sessions_helper.rb | 2 | ||||
| -rw-r--r-- | app/models/user.rb | 34 | ||||
| -rw-r--r-- | app/views/sessions/new.html.erb | 16 |
5 files changed, 95 insertions, 1 deletions
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 6635a3f..b481317 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb | |||
| @@ -2,9 +2,11 @@ | |||
| 2 | # Likewise, all the methods added will be available for all controllers. | 2 | # Likewise, all the methods added will be available for all controllers. |
| 3 | 3 | ||
| 4 | class ApplicationController < ActionController::Base | 4 | class ApplicationController < ActionController::Base |
| 5 | include AuthenticatedSystem | ||
| 6 | |||
| 5 | helper :all # include all helpers, all the time | 7 | helper :all # include all helpers, all the time |
| 6 | protect_from_forgery # See ActionController::RequestForgeryProtection for details | 8 | protect_from_forgery # See ActionController::RequestForgeryProtection for details |
| 7 | 9 | ||
| 8 | # Scrub sensitive parameters from your log | 10 | # Scrub sensitive parameters from your log |
| 9 | # filter_parameter_logging :password | 11 | filter_parameter_logging :password, :password_confirmation |
| 10 | end | 12 | end |
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb new file mode 100644 index 0000000..7c06ac8 --- /dev/null +++ b/app/controllers/sessions_controller.rb | |||
| @@ -0,0 +1,40 @@ | |||
| 1 | # This controller handles the login/logout function of the site. | ||
| 2 | class SessionsController < ApplicationController | ||
| 3 | |||
| 4 | # render new.rhtml | ||
| 5 | def new | ||
| 6 | end | ||
| 7 | |||
| 8 | def create | ||
| 9 | logout_keeping_session! | ||
| 10 | user = User.authenticate(params[:login], params[:password]) | ||
| 11 | if user | ||
| 12 | # Protects against session fixation attacks, causes request forgery | ||
| 13 | # protection if user resubmits an earlier form using back | ||
| 14 | # button. Uncomment if you understand the tradeoffs. | ||
| 15 | reset_session | ||
| 16 | |||
| 17 | self.current_user = user | ||
| 18 | redirect_back_or_default('/') # TODO: insert appropriate path to cms main page | ||
| 19 | flash[:notice] = "Logged in successfully" | ||
| 20 | else | ||
| 21 | note_failed_signin | ||
| 22 | @login = params[:login] | ||
| 23 | @remember_me = params[:remember_me] | ||
| 24 | render :action => 'new' | ||
| 25 | end | ||
| 26 | end | ||
| 27 | |||
| 28 | def destroy | ||
| 29 | logout_killing_session! | ||
| 30 | flash[:notice] = "You have been logged out." | ||
| 31 | redirect_back_or_default('/login') | ||
| 32 | end | ||
| 33 | |||
| 34 | protected | ||
| 35 | # Track failed login attempts | ||
| 36 | def note_failed_signin | ||
| 37 | flash[:error] = "Couldn't log you in as '#{params[:login]}'" | ||
| 38 | logger.warn "Failed login for '#{params[:login]}' from #{request.remote_ip} at #{Time.now.utc}" | ||
| 39 | end | ||
| 40 | end | ||
diff --git a/app/helpers/sessions_helper.rb b/app/helpers/sessions_helper.rb new file mode 100644 index 0000000..f54a8fc --- /dev/null +++ b/app/helpers/sessions_helper.rb | |||
| @@ -0,0 +1,2 @@ | |||
| 1 | module SessionsHelper | ||
| 2 | end \ No newline at end of file | ||
diff --git a/app/models/user.rb b/app/models/user.rb index 4a57cf0..3ac0712 100644 --- a/app/models/user.rb +++ b/app/models/user.rb | |||
| @@ -1,2 +1,36 @@ | |||
| 1 | require 'digest/sha1' | ||
| 2 | |||
| 1 | class User < ActiveRecord::Base | 3 | class User < ActiveRecord::Base |
| 4 | include Authentication | ||
| 5 | include Authentication::ByPassword | ||
| 6 | |||
| 7 | validates_presence_of :login | ||
| 8 | validates_length_of :login, :within => 3..40 | ||
| 9 | validates_uniqueness_of :login | ||
| 10 | validates_format_of :login, :with => Authentication.login_regex, | ||
| 11 | :message => Authentication.bad_login_message | ||
| 12 | |||
| 13 | validates_presence_of :email | ||
| 14 | validates_length_of :email, :within => 6..100 #r@a.wk | ||
| 15 | validates_uniqueness_of :email | ||
| 16 | validates_format_of :email, :with => Authentication.email_regex, | ||
| 17 | :message => Authentication.bad_email_message | ||
| 18 | |||
| 19 | attr_accessible :login, :email, :password, :password_confirmation | ||
| 20 | |||
| 21 | # Authenticates a user by their login name and unencrypted password. Returns the user or nil. | ||
| 22 | def self.authenticate(login, password) | ||
| 23 | return nil if login.blank? || password.blank? | ||
| 24 | u = find_by_login(login) # need to get the salt | ||
| 25 | u && u.authenticated?(password) ? u : nil | ||
| 26 | end | ||
| 27 | |||
| 28 | # TODO: Do we really want to have downcase logins only? | ||
| 29 | def login=(value) | ||
| 30 | write_attribute :login, (value ? value.downcase : nil) | ||
| 31 | end | ||
| 32 | |||
| 33 | def email=(value) | ||
| 34 | write_attribute :email, (value ? value.downcase : nil) | ||
| 35 | end | ||
| 2 | end | 36 | end |
diff --git a/app/views/sessions/new.html.erb b/app/views/sessions/new.html.erb new file mode 100644 index 0000000..84f8469 --- /dev/null +++ b/app/views/sessions/new.html.erb | |||
| @@ -0,0 +1,16 @@ | |||
| 1 | <h1>Log In</h1> | ||
| 2 | |||
| 3 | <% form_tag session_path do -%> | ||
| 4 | <p><%= label_tag 'login' %><br /> | ||
| 5 | <%= text_field_tag 'login', @login %></p> | ||
| 6 | |||
| 7 | <p><%= label_tag 'password' %><br/> | ||
| 8 | <%= password_field_tag 'password', nil %></p> | ||
| 9 | |||
| 10 | <!-- Uncomment this if you want this functionality | ||
| 11 | <p><%= label_tag 'remember_me', 'Remember me' %> | ||
| 12 | <%= check_box_tag 'remember_me', '1', @remember_me %></p> | ||
| 13 | --> | ||
| 14 | |||
| 15 | <p><%= submit_tag 'Log in' %></p> | ||
| 16 | <% end -%> | ||
