From c9f07c823f07c990ed6245e806ce5e8f70ce1953 Mon Sep 17 00:00:00 2001
From: did
Date: Mon, 30 Jan 2012 10:56:38 +0100
Subject: [PATCH] remove the old way of doing cross domain authentication (use the :domain => all option) + fix a couple of tiny bugs
---
 Gemfile | 73 +++++++++----------
 Gemfile.lock | 10 +--
 .../locomotive/application.js.coffee | 1 -
 app/cells/locomotive/global_actions_cell.rb | 2 +-
 .../cross_domain_sessions_controller.rb | 39 ----------
 app/models/locomotive/account.rb | 17 -----
 .../cross_domain_sessions/new.html.haml | 14 ----
 app/views/locomotive/shared/_header.html.haml | 11 +--
 .../locomotive/shared/_site_picker.html.haml | 10 +++
 config/routes.rb | 8 +-
 doc/TODO | 4 +-
 features/admin/cross_domain_auth.feature | 24 ------
 lib/locomotive.rb | 3 +-
 locomotive_cms.gemspec | 3 +-
 spec/dummy/config/initializers/locomotive.rb | 4 +-
 .../config/initializers/session_store.rb | 2 +-
 spec/models/locomotive/account_spec.rb | 27 -------
 17 files changed, 57 insertions(+), 195 deletions(-)
 delete mode 100644 app/controllers/locomotive/cross_domain_sessions_controller.rb
 delete mode 100644 app/views/locomotive/cross_domain_sessions/new.html.haml
 create mode 100644 app/views/locomotive/shared/_site_picker.html.haml
 delete mode 100644 features/admin/cross_domain_auth.feature
diff --git a/Gemfile b/Gemfile
index a8c21b0f..6cd69753 100644
--- a/Gemfile
+++ b/Gemfile
@@ -2,50 +2,49 @@ source 'http://rubygems.org' # add in all the runtime dependencies -gem 'rake', '0.9.2' +gem 'rake', '0.9.2' -gem 'rails', '~> 3.1.3' +gem 'rails', '~> 3.1.3' -gem 'devise', '~> 1.5.3' -gem 'cancan', '~> 1.6.7' +gem 'devise', '~> 1.5.3' +gem 'cancan', '~> 1.6.7' -gem 'mongo', '~> 1.5.2' -gem 'bson_ext', '~> 1.5.2' -gem 'mongoid', '~> 2.4.2' +gem 'mongo', '~> 1.5.2' +gem 'bson_ext', '~> 1.5.2' +gem 'mongoid', '~> 2.4.2' gem 'locomotive_mongoid_acts_as_tree', '~> 0.1.5.8' -gem 'custom_fields', :path => '../gems/custom_fields' # DEV +gem 'custom_fields', :path => '../gems/custom_fields' # DEV # gem 'custom_fields', :git => 'git://github.com/locomotivecms/custom_fields.git', :branch => '2.0.0.rc' -gem 'kaminari' +gem 'kaminari', '~> 0.13.0' -gem 'haml', '~> 3.1.3' -gem 'sass-rails', '~> 3.1.5' -gem 'coffee-script', '~> 2.2.0' -gem 'uglifier', '~> 1.0.4' -gem 'compass', '~> 0.12.alpha.4' -gem 'jquery-rails', '~> 1.0.16' -gem 'rails-backbone', '0.5.4' -gem 'codemirror-rails', '~> 2.21' -gem 'locomotive-tinymce-rails', '~> 3.4.7' -gem 'locomotive-aloha-rails', '~> 0.20.1' -gem 'flash_cookie_session', '~> 1.1.1' +gem 'haml', '~> 3.1.3' +gem 'sass-rails', '~> 3.1.5' +gem 'coffee-script', '~> 2.2.0' +gem 'uglifier', '~> 1.0.4' +gem 'compass', '~> 0.12.alpha.4' +gem 'jquery-rails', '~> 1.0.16' +gem 'rails-backbone', '0.5.4' +gem 'codemirror-rails', '~> 2.21' +gem 'locomotive-tinymce-rails', '~> 3.4.7' +gem 'locomotive-aloha-rails', '~> 0.20.1' +gem 'flash_cookie_session', '~> 1.1.1' -gem 'locomotive_liquid', '2.2.2', :require => 'liquid' -gem 'formtastic', '~> 2.0.2' -gem 'responders', '~> 0.6.4' -gem 'cells', '~> 3.8.0' -gem 'RedCloth', '~> 4.2.8' -gem 'sanitize', '~> 2.0.3' -gem 'highline', '~> 1.6.2' +gem 'locomotive_liquid', '2.2.2', :require => 'liquid' +gem 'formtastic', '~> 2.0.2' +gem 'responders', '~> 0.6.4' +gem 'cells', '~> 3.8.0' +gem 'RedCloth', '~> 4.2.8' +gem 'sanitize', '~> 2.0.3' +gem 'highline', '~> 1.6.2' -gem 'rmagick', '2.12.2', :require 
=> 'RMagick' -gem 'carrierwave-mongoid', '~> 0.1.3' -gem 'fog', '~> 1.0.0' -gem 'dragonfly', '~> 0.9.8' -gem 'rack-cache', '~> 1.1', :require => 'rack/cache' -gem 'mimetype-fu', '~> 0.1.2' +gem 'rmagick', '2.12.2', :require => 'RMagick' +gem 'carrierwave-mongoid', '~> 0.1.3' +gem 'fog', '~> 1.0.0' +gem 'dragonfly', '~> 0.9.8' +gem 'rack-cache', '~> 1.1', :require => 'rack/cache' +gem 'mimetype-fu', '~> 0.1.2' gem 'actionmailer-with-request', '~> 0.3.0', :require => 'actionmailer_with_request' gem 'httparty', '~> 0.8.1' -# gem 'delayed_job_mongoid', '~> 1.0.8' gem 'SystemTimer', :platforms => :ruby_18 # The rest of the dependencies are for use when in the locomotive dev environment @@ -71,8 +70,4 @@ group :test do gem 'launchy' gem 'mocha', '0.9.12' # :git => 'git://github.com/floehopper/mocha.git' -end - -group :production do - gem 'bushido', '0.0.35' -end +end \ No newline at end of file diff --git a/Gemfile.lock b/Gemfile.lock index 1daae16b..96f3271c 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -51,11 +51,6 @@ GEM bson_ext (1.5.2) bson (= 1.5.2) builder (3.0.0) - bushido (0.0.35) - highline (>= 1.6.1) - json (>= 1.4.6) - orm_adapter (~> 0.0.3) - rest-client (>= 1.6.1) cancan (1.6.7) capybara (1.1.2) mime-types (>= 1.16) @@ -214,8 +209,6 @@ GEM rdoc (3.12) json (~> 1.4) responders (0.6.5) - rest-client (1.6.7) - mime-types (>= 1.16) rmagick (2.12.2) rspec (2.6.0) rspec-core (~> 2.6.0) @@ -282,7 +275,6 @@ DEPENDENCIES actionmailer-with-request (~> 0.3.0) autotest bson_ext (~> 1.5.2) - bushido (= 0.0.35) cancan (~> 1.6.7) capybara carrierwave-mongoid (~> 0.1.3) @@ -304,7 +296,7 @@ DEPENDENCIES highline (~> 1.6.2) httparty (~> 0.8.1) jquery-rails (~> 1.0.16) - kaminari + kaminari (~> 0.13.0) launchy locomotive-aloha-rails (~> 0.20.1) locomotive-tinymce-rails (~> 3.4.7) diff --git a/app/assets/javascripts/locomotive/application.js.coffee b/app/assets/javascripts/locomotive/application.js.coffee index 2930b9e8..ea35ecea 100644 
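Review bot: The new side still commits `gem 'custom_fields', :path => '../gems/custom_fields' # DEV`, so a checkout without that sibling directory cannot `bundle install`, and whatever happens to sit at that path is loaded regardless of the `~> 2.0.0.rc2` pin the gemspec declares. Since the commit already rewrites these lines, this is the moment to restore the git form that is commented out just below it, pinned to an immutable revision instead of a moving branch, e.g. `gem 'custom_fields', :git => 'https://github.com/locomotivecms/custom_fields.git', :ref => '<commit sha>'` (an `https://` URL rather than `git://`, which is unauthenticated). The hunk header also shows `source 'http://rubygems.org'`: gems are fetched over plain HTTP, so nothing protects the download in transit; switching that line to `source 'https://rubygems.org'` is a one-token fix, although it lies outside the changed region.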
--- a/app/assets/javascripts/locomotive/application.js.coffee
+++ b/app/assets/javascripts/locomotive/application.js.coffee
@@ -1,5 +1,4 @@
 #= require_self
-#= require_tree .
 #= require_tree ./utils
 #= require_tree ./models
 #= require_tree ./views
diff --git a/app/cells/locomotive/global_actions_cell.rb b/app/cells/locomotive/global_actions_cell.rb
index 7027a2fd..cd9b8537 100644
--- a/app/cells/locomotive/global_actions_cell.rb
+++ b/app/cells/locomotive/global_actions_cell.rb
@@ -24,7 +24,7 @@ class Locomotive::GlobalActionsCell < ::Locomotive::MenuCell
 end
 add :help, :url => '#', :class => 'tutorial', :id => 'help'
- add :logout, :url => destroy_locomotive_account_session_url, :confirm => t('locomotive.messages.confirm'), :method => :delete
+ add :logout, :url => destroy_locomotive_session_url, :confirm => t('locomotive.messages.confirm'), :method => :delete
 end
 def localize_label(label, options = {})
diff --git a/app/controllers/locomotive/cross_domain_sessions_controller.rb b/app/controllers/locomotive/cross_domain_sessions_controller.rb
deleted file mode 100644
index 7e30cde4..00000000
--- a/app/controllers/locomotive/cross_domain_sessions_controller.rb
+++ /dev/null
@@ -1,39 +0,0 @@
-module Locomotive
- class CrossDomainSessionsController < BaseController
-
- layout '/locomotive/layouts/not_logged_in'
-
- skip_before_filter :verify_authenticity_token
-
- skip_before_filter :validate_site_membership
-
- before_filter :require_account, :only => :new
-
- skip_load_and_authorize_resource
-
- def new
- if site = current_locomotive_account.sites.detect { |s| s._id.to_s == params[:target_id] }
- if Rails.env == 'development'
- @target = site.full_subdomain
- else
- @target = site.domains_without_subdomain.first || site.full_subdomain
- end
-
- current_locomotive_account.reset_switch_site_token!
- else
- redirect_to admin_pages_path
- end
- end
-
- def create
- if account = Account.find_using_switch_site_token(params[:token])
- account.reset_switch_site_token!
- sign_in(account)
- redirect_to pages_path
- else
- redirect_to new_locomotive_account_session_path, :alert => t('flash.locomotive.cross_domain_sessions.create.alert')
- end
- end
-
- end
-end
diff --git a/app/models/locomotive/account.rb b/app/models/locomotive/account.rb
index fe7c0781..b05a12ca 100644
--- a/app/models/locomotive/account.rb
+++ b/app/models/locomotive/account.rb
@@ -1,5 +1,3 @@
-require 'digest'
-
 module Locomotive
 class Account
@@ -10,7 +8,6 @@ module Locomotive
 ## attributes ##
 field :name
 field :locale, :default => Locomotive.config.default_locale.to_s or 'en'
- field :switch_site_token
 ## validations ##
 validates_presence_of :name
@@ -26,20 +23,6 @@ module Locomotive
 @sites ||= Site.where({ 'memberships.account_id' => self._id })
 end
- def reset_switch_site_token!
- self.switch_site_token = SecureRandom.base64(8).gsub("/", "_").gsub(/=+$/, "")
- self.save
- end
-
- def self.find_using_switch_site_token(token, age = 1.minute)
- return if token.blank?
- self.where(:switch_site_token => token, :updated_at.gt => age.ago.utc).first
- end
-
- def self.find_using_switch_site_token!(token, age = 1.minute)
- self.find_using_switch_site_token(token, age) || raise(::Mongoid::Errors::DocumentNotFound.new(self, token))
- end
-
 # Create the API token which will be passed to all the requests to the Locomotive API.
 # It requires the credentials of an account with admin role.
 # If an error occurs (invalid account, ...etc), this method raises an exception that has
diff --git a/app/views/locomotive/cross_domain_sessions/new.html.haml b/app/views/locomotive/cross_domain_sessions/new.html.haml
deleted file mode 100644
index e7800b74..00000000
--- a/app/views/locomotive/cross_domain_sessions/new.html.haml
+++ /dev/null
@@ -1,14 +0,0 @@
-- title t('.title')
-
-= form_tag cross_domain_sessions_url(:host => @target, :port => request.port), :method => 'post' do
-
- = hidden_field_tag 'token', current_locomotive_account.switch_site_token
-
- .inner
- %p.notice= t('.notice')
-
- .footer
- = submit_tag t('locomotive.buttons.switch_to_site')
-
-:javascript
- $(document).ready(function() { setTimeout(function() { $('form').submit(); }, 1000); });
\ No newline at end of file
diff --git a/app/views/locomotive/shared/_header.html.haml b/app/views/locomotive/shared/_header.html.haml
index be415569..4ddc7e96 100644
--- a/app/views/locomotive/shared/_header.html.haml
+++ b/app/views/locomotive/shared/_header.html.haml
@@ -4,15 +4,6 @@
 = render_cell 'locomotive/global_actions', :show, :current_locomotive_account => current_locomotive_account, :current_site_url => current_site_public_url
 - if multi_sites? && current_locomotive_account.sites.size > 1
- #sites-picker{ :style => 'display: none' }
- %ul
- - current_locomotive_account.sites.each do |site|
- - unless current_site._id == site._id
- %li
- = link_to site.name, new_cross_domain_session_url(:target_id => site._id)
-
- - if can?(:manage, Locomotive::Site)
- %p.action
- = link_to t('locomotive.sites_picker.new'), new_site_url
+ = render 'locomotive/shared/site_picker'
 = render_cell 'locomotive/content_locale_picker', :show, :site => current_site, :locale => current_content_locale
\ No newline at end of file
diff --git a/app/views/locomotive/shared/_site_picker.html.haml b/app/views/locomotive/shared/_site_picker.html.haml
new file mode 100644
index 00000000..369565db
--- /dev/null
+++ b/app/views/locomotive/shared/_site_picker.html.haml
@@ -0,0 +1,10 @@
+#sites-picker{ :style => 'display: none' }
+ %ul
+ - current_locomotive_account.sites.each do |site|
+ - unless current_site._id == site._id
+ %li
+ = link_to site.name, pages_url(:host => site.full_subdomain, :port => request.port)
+
+ - if can?(:manage, Locomotive::Site)
+ %p.action
+ = link_to t('locomotive.sites_picker.new'), new_site_url
\ No newline at end of file
diff --git a/config/routes.rb b/config/routes.rb
index dad9b548..c64e3b42 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -7,7 +7,8 @@ Locomotive::Engine.routes.draw do
 :path_prefix => nil,
 :failure_app => 'Locomotive::Devise::FailureApp',
 :controllers => { :sessions => 'locomotive/sessions', :passwords => 'locomotive/passwords' } do
- match '/' => 'sessions#new'
+ match '/' => 'sessions#new'
+ delete 'signout' => 'sessions#destroy', :as => :destroy_locomotive_session
 end
 root :to => 'pages#index'
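Review bot: The picker link `pages_url(:host => site.full_subdomain, :port => request.port)` silently encodes the security assumption this commit introduces — the target host must sit under the same parent domain as the current request, otherwise the `:domain => :all` session cookie is never sent and the user lands on a login page; the removed controller explicitly preferred `site.domains_without_subdomain.first` in production, and that case is now unsupported rather than handled. That is a deliberate trade-off, so say so where the next maintainer will look: `-# Always link to the shared hosting subdomain, never a custom domain: the session cookie is scoped to the parent domain and only works across its subdomains.` Also `request.port` is the port the app process saw, so behind a reverse proxy or TLS terminator it may be an internal port; if the public URL differs, `:port => request.port` should be dropped (letting `url_for` default) or taken from `Locomotive.config` — I cannot see how the app is deployed, so treat this as a question to the author.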
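Review bot: `delete 'signout' => 'sessions#destroy', :as => :destroy_locomotive_session` adds a second logout route next to the `destroy_locomotive_account_session` route Devise generates for the same action; the cell now points at the new one, but the Devise route remains reachable and honours `Devise.sign_out_via`, which the 1.x series defaults to `:get` unless the initializer sets it, so a cross-site `<img src=…/sign_out>` can still log an admin out even though this new route is DELETE-only. Either set `config.sign_out_via = :delete` in the Devise initializer or document why the alias exists, e.g. `# short alias for Devise's sign-out; kept DELETE-only so it stays behind CSRF protection`. Unrelated to this commit but on the new side: `match '/' => 'sessions#new'` has no `:via`, so in Rails 3.1 the sign-in form answers every HTTP verb; `get '/' => 'sessions#new'` is the tighter form.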
@@ -41,11 +42,6 @@ Locomotive::Engine.routes.draw do
 put :sort, :on => :collection
 end
- # TODO
- resources :custom_fields, :path => 'custom/:parent/:slug/fields'
-
- resources :cross_domain_sessions, :only => [:new, :create]
-
 # installation guide
 match '/installation' => 'installation#show', :defaults => { :step => 1 }, :as => :installation
 match '/installation/:step' => 'installation#show', :as => :installation_step
diff --git a/doc/TODO b/doc/TODO
index a7366a30..c37743c9 100644
--- a/doc/TODO
+++ b/doc/TODO
@@ -106,8 +106,8 @@ x script to migrate existing site
 x i18n
 - heroku module for locomotive
 - refactoring
- - remove the cross domain authentication (use auth_token instead)
- - remove the import / export scripts
+ x remove the import / export scripts
+ x remove the cross domain authentication (use auth_token instead)
 - where to put Locomotive::InlineEditorMiddleware ?
 - upgrade to rails 3.2 (https://github.com/locomotivecms/engine/pull/281/files)
diff --git a/features/admin/cross_domain_auth.feature b/features/admin/cross_domain_auth.feature
deleted file mode 100644
index 3bacf9f4..00000000
--- a/features/admin/cross_domain_auth.feature
+++ /dev/null
@@ -1,24 +0,0 @@
-Feature: Cross Domain Authentication
- In order to manage a new site I created
- As an administrator signed in another site of mine
- I want to bypass the authentication
-
-Background:
- Given I have the site: "test site" set up
- And I have the site: "another site" set up
- And I am an authenticated user
-
-Scenario: Successful authentication
- When I go to pages
- Then I should see "Locomotive test website"
- When I follow "Locomotive test website #2"
- Then I should see "Cross-domain authentication"
- When I press "Go"
- Then I should see "Locomotive test website #2"
-
-Scenario: Failed authentication because of an outdated token
- When I go to pages
- And I follow "Locomotive test website #2"
- And I forget to press the button on the cross-domain notice page
- And I press "Go"
- Then I should see "You need to sign in"
diff --git a/lib/locomotive.rb b/lib/locomotive.rb
index 436bf175..a10a300e 100644
--- a/lib/locomotive.rb
+++ b/lib/locomotive.rb
@@ -63,7 +63,8 @@ module Locomotive
 # cookies stored in mongodb (mongoid_store)
 Rails.application.config.session_store :mongoid_store, {
- :key => self.config.cookie_key
+ :key => self.config.cookie_key,
+ :domain => :all
 }
 # add middlewares (dragonfly, font, seo, ...etc)
diff --git a/locomotive_cms.gemspec b/locomotive_cms.gemspec
index 2443f43a..1b5aa81e 100644
--- a/locomotive_cms.gemspec
+++ b/locomotive_cms.gemspec
@@ -29,7 +29,7 @@ Gem::Specification.new do |s|
 s.add_dependency 'custom_fields', '~> 2.0.0.rc2'
- s.add_dependency 'kaminari'
+ s.add_dependency 'kaminari', '~> 0.13.0'
 s.add_dependency 'haml', '~> 3.1.3'
 s.add_dependency 'sass-rails', '~> 3.1.5'
@@ -60,7 +60,6 @@ Gem::Specification.new do |s|
 s.add_dependency 'actionmailer-with-request', '~> 0.3.0'
 s.add_dependency 'httparty', '~> 0.8.1'
- # s.add_dependency 'delayed_job_mongoid', '~> 1.0.8'
 s.files = Dir[
 'Gemfile',
 '{app}/**/*',
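Review bot: `:domain => :all` makes the admin session cookie valid for every host under the hosting domain, which is what the new site picker relies on, but it also means every tenant subdomain — whose templates and JavaScript are written by that tenant — now receives the admin's session cookie and can itself set a cookie of the same name for the whole parent domain. Before shipping this, confirm two things the hunk does not show: that the mongoid_store keeps `:httponly => true` and gains `:secure => true` in production (otherwise the cookie also travels over plain HTTP to tenant sites), and that sign-in regenerates the session id so a cookie planted from a sibling subdomain cannot be used for session fixation. Rails derives the cookie domain from the request host with `tld_length` 1, so a hosting domain under a two-label public suffix (e.g. `*.co.uk`) needs `:tld_length => 2` or browsers will reject the cookie and every login will fail. Finally the option is unconditional even when multi-sites hosting is off; if the config object exposes a predicate for that mode, `:domain => (self.config.multi_sites? ? :all : nil)` keeps single-site installs on a host-only cookie, and a comment such as `# shared across subdomains so one login covers every site of the hosting domain` should record the intent either way.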
diff --git a/spec/dummy/config/initializers/locomotive.rb b/spec/dummy/config/initializers/locomotive.rb
index bffed31f..8fdd8079 100644
--- a/spec/dummy/config/initializers/locomotive.rb
+++ b/spec/dummy/config/initializers/locomotive.rb
@@ -8,8 +8,8 @@ Locomotive.configure do |config|
 config.multi_sites do |multi_sites|
 # each new website you add will have a default entry based on a subdomain
 # and the multi_site_domain value (ex: website_1.locomotivehosting.com).
- # multi_sites.domain = 'engine.dev' #'myhostingplatform.com'
- multi_sites.domain = 'example.com'
+ multi_sites.domain = 'engine.dev' #'myhostingplatform.com'
+ # multi_sites.domain = 'example.com'
 # define the reserved subdomains
 # Ex:
diff --git a/spec/dummy/config/initializers/session_store.rb b/spec/dummy/config/initializers/session_store.rb
index 952473ff..62df5a9a 100644
--- a/spec/dummy/config/initializers/session_store.rb
+++ b/spec/dummy/config/initializers/session_store.rb
@@ -1,6 +1,6 @@
 # Be sure to restart your server when you modify this file.
-Dummy::Application.config.session_store :cookie_store, key: '_dummy_session'
+Dummy::Application.config.session_store :cookie_store, key: '_dummy_session', :domain => :all
 # Use the database for sessions instead of the cookie-based default,
 # which shouldn't be used to store highly confidential information
diff --git a/spec/models/locomotive/account_spec.rb b/spec/models/locomotive/account_spec.rb
index 12a9c12d..34308918 100644
--- a/spec/models/locomotive/account_spec.rb
+++ b/spec/models/locomotive/account_spec.rb
@@ -63,31 +63,4 @@ describe Locomotive::Account do
 end
- describe 'cross domain authentication' do
-
- before(:each) do
- @account = FactoryGirl.build(:account)
- @account.stubs(:save).returns(true)
- end
-
- it 'sets a token' do
- @account.reset_switch_site_token!.should be_true
- @account.switch_site_token.should_not be_empty
- end
-
- context 'retrieving an account' do
-
- it 'does not find it with an empty token' do
- Locomotive::Account.find_using_switch_site_token(nil).should be_nil
- end
-
- it 'raises an exception if not found' do
- expect {
- Locomotive::Account.find_using_switch_site_token!(nil)
- }.to raise_error Mongoid::Errors::DocumentNotFound
- end
-
- end
-
- end
 end