second commit :)

Author: micktaiwan

Rakefile

@@ -0,0 +1,10 @@
+# Add your own tasks in files placed in lib/tasks ending in .rake,
+# for example lib/tasks/capistrano.rake, and they will automatically be available to Rake.
+
+require(File.join(File.dirname(__FILE__), 'config', 'boot'))
+
+require 'rake'
+require 'rake/testtask'
+require 'rake/rdoctask'
+
+require 'tasks/rails'

app/controllers/application_controller.rb

@@ -0,0 +1,13 @@
+# Filters added to this controller apply to all controllers in the application.
+# Likewise, all the methods added will be available for all controllers.
+
+class ApplicationController < ActionController::Base
+  helper :all # include all helpers, all the time
+  protect_from_forgery # See ActionController::RequestForgeryProtection for details
+  
+  layout 'general'
+
+  # Scrub sensitive parameters from your log
+  # filter_parameter_logging :password
+end
+

app/controllers/sessions_controller.rb

@@ -0,0 +1,43 @@
+# This controller handles the login/logout function of the site.  
+class SessionsController < ApplicationController
+  # Be sure to include AuthenticationSystem in Application Controller instead
+  include AuthenticatedSystem
+
+  # render new.rhtml
+  def new
+  end
+
+  def create
+    logout_keeping_session!
+    user = User.authenticate(params[:login], params[:password])
+    if user
+      # Protects against session fixation attacks, causes request forgery
+      # protection if user resubmits an earlier form using back
+      # button. Uncomment if you understand the tradeoffs.
+      # reset_session
+      self.current_user = user
+      new_cookie_flag = (params[:remember_me] == "1")
+      handle_remember_cookie! new_cookie_flag
+      redirect_back_or_default('/')
+      flash[:notice] = "Logged in successfully"
+    else
+      note_failed_signin
+      @login       = params[:login]
+      @remember_me = params[:remember_me]
+      render :action => 'new'
+    end
+  end
+
+  def destroy
+    logout_killing_session!
+    flash[:notice] = "You have been logged out."
+    redirect_back_or_default('/')
+  end
+
+protected
+  # Track failed login attempts
+  def note_failed_signin
+    flash[:error] = "Couldn't log you in as '#{params[:login]}'"
+    logger.warn "Failed login for '#{params[:login]}' from #{request.remote_ip} at #{Time.now.utc}"
+  end
+end

app/controllers/users_controller.rb

@@ -0,0 +1,28 @@
+class UsersController < ApplicationController
+  # Be sure to include AuthenticationSystem in Application Controller instead
+  include AuthenticatedSystem
+  
+
+  # render new.rhtml
+  def new
+    @user = User.new
+  end
+ 
+  def create
+    logout_keeping_session!
+    @user = User.new(params[:user])
+    success = @user && @user.save
+    if success && @user.errors.empty?
+            # Protects against session fixation attacks, causes request forgery
+      # protection if visitor resubmits an earlier form using back
+      # button. Uncomment if you understand the tradeoffs.
+      # reset session
+      self.current_user = @user # !! now logged in
+      redirect_back_or_default('/')
+      flash[:notice] = "Thanks for signing up!  We're sending you an email with your activation code."
+    else
+      flash[:error]  = "We couldn't set up that account, sorry.  Please try again, or contact an admin (link is above)."
+      render :action => 'new'
+    end
+  end
+end

app/controllers/welcome_controller.rb

@@ -0,0 +1,2 @@
+class WelcomeController < ApplicationController
+end

app/helpers/application_helper.rb

@@ -0,0 +1,3 @@
+# Methods added to this helper will be available to all templates in the application.
+module ApplicationHelper
+end

app/helpers/sessions_helper.rb

@@ -0,0 +1,2 @@
+module SessionsHelper
+end

app/helpers/users_helper.rb

@@ -0,0 +1,93 @@
+module UsersHelper
+  
+  #
+  # Use this to wrap view elements that the user can't access.
+  # !! Note: this is an *interface*, not *security* feature !!
+  # You need to do all access control at the controller level.
+  #
+  # Example:
+  # <%= if_authorized?(:index,   User)  do link_to('List all users', users_path) end %> |
+  # <%= if_authorized?(:edit,    @user) do link_to('Edit this user', edit_user_path) end %> |
+  # <%= if_authorized?(:destroy, @user) do link_to 'Destroy', @user, :confirm => 'Are you sure?', :method => :delete end %> 
+  #
+  #
+  def if_authorized?(action, resource, &block)
+    if authorized?(action, resource)
+      yield action, resource
+    end
+  end
+
+  #
+  # Link to user's page ('users/1')
+  #
+  # By default, their login is used as link text and link title (tooltip)
+  #
+  # Takes options
+  # * :content_text => 'Content text in place of user.login', escaped with
+  #   the standard h() function.
+  # * :content_method => :user_instance_method_to_call_for_content_text
+  # * :title_method => :user_instance_method_to_call_for_title_attribute
+  # * as well as link_to()'s standard options
+  #
+  # Examples:
+  #   link_to_user @user
+  #   # => <a href="/users/3" title="barmy">barmy</a>
+  #
+  #   # if you've added a .name attribute:
+  #  content_tag :span, :class => :vcard do
+  #    (link_to_user user, :class => 'fn n', :title_method => :login, :content_method => :name) +
+  #          ': ' + (content_tag :span, user.email, :class => 'email')
+  #   end
+  #   # => <span class="vcard"><a href="/users/3" title="barmy" class="fn n">Cyril Fotheringay-Phipps</a>: <span class="email">[email protected]</span></span>
+  #
+  #   link_to_user @user, :content_text => 'Your user page'
+  #   # => <a href="/users/3" title="barmy" class="nickname">Your user page</a>
+  #
+  def link_to_user(user, options={})
+    raise "Invalid user" unless user
+    options.reverse_merge! :content_method => :login, :title_method => :login, :class => :nickname
+    content_text      = options.delete(:content_text)
+    content_text    ||= user.send(options.delete(:content_method))
+    options[:title] ||= user.send(options.delete(:title_method))
+    link_to h(content_text), user_path(user), options
+  end
+
+  #
+  # Link to login page using remote ip address as link content
+  #
+  # The :title (and thus, tooltip) is set to the IP address 
+  #
+  # Examples:
+  #   link_to_login_with_IP
+  #   # => <a href="/login" title="169.69.69.69">169.69.69.69</a>
+  #
+  #   link_to_login_with_IP :content_text => 'not signed in'
+  #   # => <a href="/login" title="169.69.69.69">not signed in</a>
+  #
+  def link_to_login_with_IP content_text=nil, options={}
+    ip_addr           = request.remote_ip
+    content_text    ||= ip_addr
+    options.reverse_merge! :title => ip_addr
+    if tag = options.delete(:tag)
+      content_tag tag, h(content_text), options
+    else
+      link_to h(content_text), login_path, options
+    end
+  end
+
+  #
+  # Link to the current user's page (using link_to_user) or to the login page
+  # (using link_to_login_with_IP).
+  #
+  def link_to_current_user(options={})
+    if current_user
+      link_to_user current_user, options
+    else
+      content_text = options.delete(:content_text) || 'not signed in'
+      # kill ignored options from link_to_user
+      [:content_method, :title_method].each{|opt| options.delete(opt)} 
+      link_to_login_with_IP content_text, options
+    end
+  end
+
+end

app/helpers/welcome_helper.rb

@@ -0,0 +1,2 @@
+module WelcomeHelper
+end

app/models/user.rb

@@ -0,0 +1,54 @@
+require 'digest/sha1'
+
+class User < ActiveRecord::Base
+  include Authentication
+  include Authentication::ByPassword
+  include Authentication::ByCookieToken
+
+  validates_presence_of     :login
+  validates_length_of       :login,    :within => 3..40
+  validates_uniqueness_of   :login
+  validates_format_of       :login,    :with => Authentication.login_regex, :message => Authentication.bad_login_message
+
+  validates_format_of       :name,     :with => Authentication.name_regex,  :message => Authentication.bad_name_message, :allow_nil => true
+  validates_length_of       :name,     :maximum => 100
+
+  validates_presence_of     :email
+  validates_length_of       :email,    :within => 6..100 #[email protected]
+  validates_uniqueness_of   :email
+  validates_format_of       :email,    :with => Authentication.email_regex, :message => Authentication.bad_email_message
+
+  
+
+  # HACK HACK HACK -- how to do attr_accessible from here?
+  # prevents a user from submitting a crafted form that bypasses activation
+  # anything else you want your user to change should be added here.
+  attr_accessible :login, :email, :name, :password, :password_confirmation
+
+
+
+  # Authenticates a user by their login name and unencrypted password.  Returns the user or nil.
+  #
+  # uff.  this is really an authorization, not authentication routine.  
+  # We really need a Dispatch Chain here or something.
+  # This will also let us return a human error message.
+  #
+  def self.authenticate(login, password)
+    return nil if login.blank? || password.blank?
+    u = find_by_login(login.downcase) # need to get the salt
+    u && u.authenticated?(password) ? u : nil
+  end
+
+  def login=(value)
+    write_attribute :login, (value ? value.downcase : nil)
+  end
+
+  def email=(value)
+    write_attribute :email, (value ? value.downcase : nil)
+  end
+
+  protected
+    
+
+
+end