Module Cms::Authentication::Controller
In: lib/cms/authentication/controller.rb
Inclusion hook that makes current_user, logged_in? and authorized? available as ActionView helper methods.
    # File lib/cms/authentication/controller.rb, line 122
    def self.included(base)
      base.send :helper_method, :current_user, :logged_in?, :authorized? if base.respond_to? :helper_method
    end
Redirect as appropriate when an access request fails.
The default action is to redirect to the BrowserCMS admin login screen.
Override this method in your controllers if you want to have special behavior in case the user is not authorized to access the requested action. For example, a popup window might simply close itself.
    # File lib/cms/authentication/controller.rb, line 95
    def access_denied
      respond_to do |format|
        format.html do
          store_location
          redirect_to cms_login_path
        end
      end
    end
Check whether the user is authorized. The default implementation only requires that the user is logged in.
Override this method in your controllers if you want to restrict access to only a few actions or if you want to check if the user has the correct rights.
Example:
    # only allow nonbobs
    def authorized?
      current_user.login != "bob"
    end
    # File lib/cms/authentication/controller.rb, line 65
    def authorized?(action=nil, resource=nil, *args)
      logged_in?
    end
Accesses the current user from the session or the 'remember me' cookie. If the user is not logged in, this is set to the guest user, which represents a public user who will likely have more limited permissions.
    # File lib/cms/authentication/controller.rb, line 38
    def current_user
      # Note: We have disabled basic_http_auth
      @current_user ||= begin
        User.current = (login_from_session || login_from_cookie || User.guest)
      end
    end
Store the given user id in the session.
    # File lib/cms/authentication/controller.rb, line 46
    def current_user=(new_user)
      session[:user_id] = new_user ? new_user.id : nil
      @current_user = new_user || false
      User.current = @current_user
    end
Refresh the cookie auth token if it exists, create it otherwise.
    # File lib/cms/authentication/controller.rb, line 192
    def handle_remember_cookie! new_cookie_flag
      return unless User.current
      case
      when valid_remember_cookie? then User.current.refresh_token # keeping same expiry date
      when new_cookie_flag then User.current.remember_me
      else User.current.forget_me
      end
      send_remember_cookie!
    end
Delete the client-side auth_token cookie.
    # File lib/cms/authentication/controller.rb, line 202
    def kill_remember_cookie!
      cookies.delete :auth_token
    end
Returns true if the user is logged in and false otherwise. Preloads User.current with the user model if they're logged in.
    # File lib/cms/authentication/controller.rb, line 31
    def logged_in?
      !current_user.nil? && !current_user.guest?
    end
Intended to be called from current_user, which currently has HTTP basic auth disabled (see the note there). Attempts to log in with the HTTP basic authentication credentials.
    # File lib/cms/authentication/controller.rb, line 136
    def login_from_basic_auth
      authenticate_with_http_basic do |login, password|
        self.current_user = User.authenticate(login, password)
      end
    end
Called from current_user. Finally, attempt to log in by an expiring token in the cookie. For the paranoid: we should be storing user_token = hash(cookie_token, request IP).
    # File lib/cms/authentication/controller.rb, line 148
    def login_from_cookie
      user = cookies[:auth_token] && User.find_by_remember_token(cookies[:auth_token])
      if user && user.remember_token?
        self.current_user = user
        handle_remember_cookie! false # freshen cookie token (keeping date)
        self.current_user
      end
    end
Called from current_user. First, attempt to log in by the user id stored in the session.
    # File lib/cms/authentication/controller.rb, line 131
    def login_from_session
      self.current_user = User.find_by_id(session[:user_id]) if session[:user_id]
    end
Filter method to enforce a login requirement.
To require logins for all actions, use this in your controllers:
    before_filter :login_required
To require logins for specific actions, use this in your controllers:
    before_filter :login_required, :only => [ :edit, :update ]
To skip this in a subclassed controller:
    skip_before_filter :login_required
    # File lib/cms/authentication/controller.rb, line 83
    def login_required
      authorized? || access_denied
    end
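An added example, not BrowserCMS code, of the override that the authorized? and login_required documentation above describes: per-action checks layered on the mixin's logged_in? contract, with login_required still falling back to access_denied. ArticlesController, FakeUser and its rights/can? methods are constructed stand-ins (the real User model's rights API is not assumed), and access_denied records the refusal instead of storing the location and redirecting.

```ruby
# Added example (not BrowserCMS code). A plain-Ruby stand-in for a controller
# that includes the mixin and overrides authorized? per action. FakeUser and its
# `rights`/`can?` are constructed; the real User model's API is not assumed.
require 'set'

FakeUser = Struct.new(:login, :guest, :rights) do
  def guest?; guest; end
  def can?(right); rights.include?(right); end
end

GUEST = FakeUser.new('guest', true, Set[]).freeze   # stands in for User.guest

class ArticlesController
  attr_reader :current_user, :action_name, :denied

  def initialize(user, action)
    @current_user = user
    @action_name  = action.to_s
    @denied       = false
  end

  # Same test as the mixin's logged_in?: a guest does not count as logged in.
  def logged_in?
    !current_user.nil? && !current_user.guest?
  end

  # Override: public read actions, a login plus the :edit_content right for
  # write actions, and the mixin's default (login only) for anything else.
  def authorized?(action = action_name, resource = nil, *args)
    case action.to_s
    when 'index', 'show'             then true
    when 'edit', 'update', 'destroy' then logged_in? && current_user.can?(:edit_content)
    else                                  logged_in?
    end
  end

  # Same shape as the mixin's filter; access_denied records the refusal here
  # instead of storing the location and redirecting to the login screen.
  def login_required
    authorized? || access_denied
  end

  def access_denied
    @denied = true
    false
  end
end
```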
This is usually what you want; resetting the session willy-nilly wreaks havoc with forgery protection, and is only strictly necessary on login. However, **all session state variables should be unset here**.
    # File lib/cms/authentication/controller.rb, line 160
    def logout_keeping_session!
      # Kill server-side auth cookie
      User.current.forget_me if User.current.is_a? User
      User.current = false # not logged in, and don't do it for me
      kill_remember_cookie! # Kill client-side auth cookie
      session[:user_id] = nil # keeps the session but kill our variable
      # explicitly kill any other session variables you set
    end
The session should only be reset at the tail end of a form POST; otherwise the request forgery protection fails. It's only really necessary when you cross quarantine (logged-out to logged-in).
    # File lib/cms/authentication/controller.rb, line 172
    def logout_killing_session!
      logout_keeping_session!
      reset_session
    end
Redirect to the URI stored by the most recent store_location call, or to the passed default. Set an appropriately modified
    after_filter :store_location, :only => [:index, :new, :show, :edit]
for any controller you want to be bounce-backable.
    # File lib/cms/authentication/controller.rb, line 115
    def redirect_back_or_default(default)
      redirect_to(session[:return_to] || default)
      session[:return_to] = nil
    end
Send the current user's remember token to the client as the auth_token cookie, expiring with the token.
    # File lib/cms/authentication/controller.rb, line 206
    def send_remember_cookie!
      cookies[:auth_token] = {
        :value => User.current.remember_token,
        :expires => User.current.remember_token_expires_at }
    end
Store the URI of the current request in the session.
We can return to this location by calling redirect_back_or_default.
    # File lib/cms/authentication/controller.rb, line 107
    def store_location
      session[:return_to] = request.request_uri
    end
Cookies shouldn't be allowed to persist past their freshness date, and they should be changed at each login.
    # File lib/cms/authentication/controller.rb, line 185
    def valid_remember_cookie?
      return nil unless User.current
      (User.current.remember_token?) &&
        (cookies[:auth_token] == User.current.remember_token)
    end
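An added example, not BrowserCMS code, that models the whole remember-cookie lifecycle described by handle_remember_cookie!, login_from_cookie, valid_remember_cookie? and logout_keeping_session! above, so the token checks can be exercised without Rails. RememberUser (the User model), CookieJar (the Rails cookie jar) and the two-week token lifetime are constructed stand-ins; the controller methods follow the contract of the page's code.

```ruby
require 'securerandom'

class RememberUser                       # constructed stand-in for the User model
  TTL = 14 * 24 * 3600                   # constructed: two-week token lifetime
  @all = []
  class << self; attr_accessor :current; attr_reader :all; end
  def self.find_by_remember_token(t); t && all.find { |u| u.remember_token == t }; end
  def initialize; self.class.all << self; end
  attr_reader :remember_token, :remember_token_expires_at
  def remember_token?; !!remember_token && remember_token_expires_at > Time.now; end
  def remember_me;   @remember_token_expires_at = Time.now + TTL; refresh_token; end
  def refresh_token; @remember_token = SecureRandom.hex(20); end   # new token, same expiry
  def forget_me;     @remember_token = @remember_token_expires_at = nil; end
end

class CookieJar  # Rails keeps the :value of the hash and sends :expires to the browser
  def initialize; @c = {}; end
  def [](k); @c[k]; end
  def []=(k, v); @c[k] = v.is_a?(Hash) ? v[:value] : v; end
  def delete(k); @c.delete(k); end
end

class AuthSession  # controller-side methods, following the contract of the page's code
  def cookies; @cookies ||= CookieJar.new; end
  def login_from_cookie
    user = RememberUser.find_by_remember_token(cookies[:auth_token])
    return nil unless user && user.remember_token?   # expired or forgotten token: no login
    RememberUser.current = user
    handle_remember_cookie!(false)                   # freshen token, keep expiry date
    user
  end
  def valid_remember_cookie?
    (u = RememberUser.current) && u.remember_token? && cookies[:auth_token] == u.remember_token
  end
  def handle_remember_cookie!(new_cookie_flag)
    u = RememberUser.current or return
    if valid_remember_cookie? then u.refresh_token   # rotate, keep expiry
    elsif new_cookie_flag     then u.remember_me     # first "remember me" login
    else                           u.forget_me       # stale cookie: drop server token
    end
    cookies[:auth_token] = { value: u.remember_token, expires: u.remember_token_expires_at }
  end
  def logout_keeping_session!   # server-side token first, then the client cookie
    RememberUser.current.forget_me if RememberUser.current.is_a?(RememberUser)
    RememberUser.current = false
    cookies.delete(:auth_token)
  end
end
```

The point to check is the last step: after logout the server-side token is gone, so a replayed copy of the last cookie value no longer logs anyone in, which deleting only the client cookie would not guarantee.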