summaryrefslogtreecommitdiff
path: root/app
diff options
context:
space:
mode:
authorsimon <simon@zagal.(none)>2009-02-08 23:15:11 +0100
committerhukl <hukl@eight.local>2009-02-15 20:22:01 +0100
commit9f94a70c3e3d9bf766cb9663b0a904d30a190d85 (patch)
tree4b4bbf567ec60a939d024b083b478d72476700a5 /app
parent48ffd4eb446bcaeba7651758ec3002f342702249 (diff)
* initial commit of the stripped restful-authentication
* http basic auth and login from cookie have been removed * no it does not work yet, it's so f*cking secure, it won't even let legitimate users login
Diffstat (limited to 'app')
-rw-r--r--app/controllers/application_controller.rb4
-rw-r--r--app/controllers/sessions_controller.rb40
-rw-r--r--app/helpers/sessions_helper.rb2
-rw-r--r--app/models/user.rb34
-rw-r--r--app/views/sessions/new.html.erb16
5 files changed, 95 insertions, 1 deletions
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 6635a3f..b481317 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -2,9 +2,11 @@
2# Likewise, all the methods added will be available for all controllers. 2# Likewise, all the methods added will be available for all controllers.
3 3
4class ApplicationController < ActionController::Base 4class ApplicationController < ActionController::Base
5 include AuthenticatedSystem
6
5 helper :all # include all helpers, all the time 7 helper :all # include all helpers, all the time
6 protect_from_forgery # See ActionController::RequestForgeryProtection for details 8 protect_from_forgery # See ActionController::RequestForgeryProtection for details
7 9
8 # Scrub sensitive parameters from your log 10 # Scrub sensitive parameters from your log
9 # filter_parameter_logging :password 11 filter_parameter_logging :password, :password_confirmation
10end 12end
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
new file mode 100644
index 0000000..7c06ac8
--- /dev/null
+++ b/app/controllers/sessions_controller.rb
@@ -0,0 +1,40 @@
1# This controller handles the login/logout function of the site.
2class SessionsController < ApplicationController
3
4 # render new.rhtml
5 def new
6 end
7
8 def create
9 logout_keeping_session!
10 user = User.authenticate(params[:login], params[:password])
11 if user
12 # Protects against session fixation attacks, causes request forgery
13 # protection if user resubmits an earlier form using back
14 # button. Uncomment if you understand the tradeoffs.
15 reset_session
16
17 self.current_user = user
18 redirect_back_or_default('/') # TODO: insert appropriate path to cms main page
19 flash[:notice] = "Logged in successfully"
20 else
21 note_failed_signin
22 @login = params[:login]
23 @remember_me = params[:remember_me]
24 render :action => 'new'
25 end
26 end
27
28 def destroy
29 logout_killing_session!
30 flash[:notice] = "You have been logged out."
31 redirect_back_or_default('/login')
32 end
33
34protected
35 # Track failed login attempts
36 def note_failed_signin
37 flash[:error] = "Couldn't log you in as '#{params[:login]}'"
38 logger.warn "Failed login for '#{params[:login]}' from #{request.remote_ip} at #{Time.now.utc}"
39 end
40end
diff --git a/app/helpers/sessions_helper.rb b/app/helpers/sessions_helper.rb
new file mode 100644
index 0000000..f54a8fc
--- /dev/null
+++ b/app/helpers/sessions_helper.rb
@@ -0,0 +1,2 @@
1module SessionsHelper
2end \ No newline at end of file
diff --git a/app/models/user.rb b/app/models/user.rb
index 4a57cf0..3ac0712 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -1,2 +1,36 @@
1require 'digest/sha1'
2
1class User < ActiveRecord::Base 3class User < ActiveRecord::Base
4 include Authentication
5 include Authentication::ByPassword
6
7 validates_presence_of :login
8 validates_length_of :login, :within => 3..40
9 validates_uniqueness_of :login
10 validates_format_of :login, :with => Authentication.login_regex,
11 :message => Authentication.bad_login_message
12
13 validates_presence_of :email
14 validates_length_of :email, :within => 6..100 #r@a.wk
15 validates_uniqueness_of :email
16 validates_format_of :email, :with => Authentication.email_regex,
17 :message => Authentication.bad_email_message
18
19 attr_accessible :login, :email, :password, :password_confirmation
20
21 # Authenticates a user by their login name and unencrypted password. Returns the user or nil.
22 def self.authenticate(login, password)
23 return nil if login.blank? || password.blank?
24 u = find_by_login(login) # need to get the salt
25 u && u.authenticated?(password) ? u : nil
26 end
27
28 # TODO: Do we really want to have downcase logins only?
29 def login=(value)
30 write_attribute :login, (value ? value.downcase : nil)
31 end
32
33 def email=(value)
34 write_attribute :email, (value ? value.downcase : nil)
35 end
2end 36end
diff --git a/app/views/sessions/new.html.erb b/app/views/sessions/new.html.erb
new file mode 100644
index 0000000..84f8469
--- /dev/null
+++ b/app/views/sessions/new.html.erb
@@ -0,0 +1,16 @@
1<h1>Log In</h1>
2
3<% form_tag session_path do -%>
4<p><%= label_tag 'login' %><br />
5<%= text_field_tag 'login', @login %></p>
6
7<p><%= label_tag 'password' %><br/>
8<%= password_field_tag 'password', nil %></p>
9
10<!-- Uncomment this if you want this functionality
11<p><%= label_tag 'remember_me', 'Remember me' %>
12<%= check_box_tag 'remember_me', '1', @remember_me %></p>
13-->
14
15<p><%= submit_tag 'Log in' %></p>
16<% end -%>