remove the old way of doing cross domain authentication (use the :domain => all option) + fix a couple of tiny bugs

2012-01-30 10:56:38 +01:00 · 2012-01-30 10:56:38 +01:00 · c9f07c823f
parent a85db53520
commit c9f07c823f
17 changed files with 57 additions and 195 deletions
--- a/71
+++ b/71
@ -2,50 +2,49 @@ source 'http://rubygems.org'

 # add in all the runtime dependencies

-gem 'rake',                     '0.9.2'
+gem 'rake',                       '0.9.2'

-gem 'rails',                    '~> 3.1.3'
+gem 'rails',                      '~> 3.1.3'

-gem 'devise',                   '~> 1.5.3'
-gem 'cancan',                   '~> 1.6.7'
+gem 'devise',                     '~> 1.5.3'
+gem 'cancan',                     '~> 1.6.7'

-gem 'mongo',                    '~> 1.5.2'
-gem 'bson_ext',                 '~> 1.5.2'
-gem 'mongoid',                  '~> 2.4.2'
+gem 'mongo',                      '~> 1.5.2'
+gem 'bson_ext',                   '~> 1.5.2'
+gem 'mongoid',                    '~> 2.4.2'
 gem 'locomotive_mongoid_acts_as_tree', '~> 0.1.5.8'
-gem 'custom_fields',            :path => '../gems/custom_fields' # DEV
+gem 'custom_fields',              :path => '../gems/custom_fields' # DEV
 # gem 'custom_fields',            :git => 'git://github.com/locomotivecms/custom_fields.git', :branch => '2.0.0.rc'
-gem 'kaminari'
+gem 'kaminari',                   '~> 0.13.0'

-gem 'haml',                     '~> 3.1.3'
-gem 'sass-rails',               '~> 3.1.5'
-gem 'coffee-script',            '~> 2.2.0'
-gem 'uglifier',                 '~> 1.0.4'
-gem 'compass',                  '~> 0.12.alpha.4'
-gem 'jquery-rails',             '~> 1.0.16'
-gem 'rails-backbone',           '0.5.4'
-gem 'codemirror-rails',         '~> 2.21'
-gem 'locomotive-tinymce-rails', '~> 3.4.7'
-gem 'locomotive-aloha-rails',   '~> 0.20.1'
-gem 'flash_cookie_session',     '~> 1.1.1'
+gem 'haml',                       '~> 3.1.3'
+gem 'sass-rails',                 '~> 3.1.5'
+gem 'coffee-script',              '~> 2.2.0'
+gem 'uglifier',                   '~> 1.0.4'
+gem 'compass',                    '~> 0.12.alpha.4'
+gem 'jquery-rails',               '~> 1.0.16'
+gem 'rails-backbone',             '0.5.4'
+gem 'codemirror-rails',           '~> 2.21'
+gem 'locomotive-tinymce-rails',   '~> 3.4.7'
+gem 'locomotive-aloha-rails',     '~> 0.20.1'
+gem 'flash_cookie_session',       '~> 1.1.1'

-gem 'locomotive_liquid',        '2.2.2', :require => 'liquid'
-gem 'formtastic',               '~> 2.0.2'
-gem 'responders',               '~> 0.6.4'
-gem 'cells',                    '~> 3.8.0'
-gem 'RedCloth',                 '~> 4.2.8'
-gem 'sanitize',                 '~> 2.0.3'
-gem 'highline',                 '~> 1.6.2'
+gem 'locomotive_liquid',          '2.2.2', :require => 'liquid'
+gem 'formtastic',                 '~> 2.0.2'
+gem 'responders',                 '~> 0.6.4'
+gem 'cells',                      '~> 3.8.0'
+gem 'RedCloth',                   '~> 4.2.8'
+gem 'sanitize',                   '~> 2.0.3'
+gem 'highline',                   '~> 1.6.2'

-gem 'rmagick',                  '2.12.2', :require => 'RMagick'
-gem 'carrierwave-mongoid',      '~> 0.1.3'
-gem 'fog',                      '~> 1.0.0'
-gem 'dragonfly',                '~> 0.9.8'
-gem 'rack-cache',               '~> 1.1', :require => 'rack/cache'
-gem 'mimetype-fu',              '~> 0.1.2'
+gem 'rmagick',                    '2.12.2', :require => 'RMagick'
+gem 'carrierwave-mongoid',        '~> 0.1.3'
+gem 'fog',                        '~> 1.0.0'
+gem 'dragonfly',                  '~> 0.9.8'
+gem 'rack-cache',                 '~> 1.1', :require => 'rack/cache'
+gem 'mimetype-fu',                '~> 0.1.2'
 gem 'actionmailer-with-request',  '~> 0.3.0', :require => 'actionmailer_with_request'
 gem 'httparty',                   '~> 0.8.1'
-# gem 'delayed_job_mongoid',        '~> 1.0.8'
 gem 'SystemTimer',                :platforms => :ruby_18

 # The rest of the dependencies are for use when in the locomotive dev environment
@ -72,7 +71,3 @@ group :test do
  gem 'launchy'
  gem 'mocha', '0.9.12' # :git => 'git://github.com/floehopper/mocha.git'
 end
-
-group :production do
-  gem 'bushido', '0.0.35'
-end
--- a/Gemfile.lock
+++ b/Gemfile.lock
@ -51,11 +51,6 @@ GEM
    bson_ext (1.5.2)
      bson (= 1.5.2)
    builder (3.0.0)
-    bushido (0.0.35)
-      highline (>= 1.6.1)
-      json (>= 1.4.6)
-      orm_adapter (~> 0.0.3)
-      rest-client (>= 1.6.1)
    cancan (1.6.7)
    capybara (1.1.2)
      mime-types (>= 1.16)
@ -214,8 +209,6 @@ GEM
    rdoc (3.12)
      json (~> 1.4)
    responders (0.6.5)
-    rest-client (1.6.7)
-      mime-types (>= 1.16)
    rmagick (2.12.2)
    rspec (2.6.0)
      rspec-core (~> 2.6.0)
@ -282,7 +275,6 @@ DEPENDENCIES
  actionmailer-with-request (~> 0.3.0)
  autotest
  bson_ext (~> 1.5.2)
-  bushido (= 0.0.35)
  cancan (~> 1.6.7)
  capybara
  carrierwave-mongoid (~> 0.1.3)
@ -304,7 +296,7 @@ DEPENDENCIES
  highline (~> 1.6.2)
  httparty (~> 0.8.1)
  jquery-rails (~> 1.0.16)
-  kaminari
+  kaminari (~> 0.13.0)
  launchy
  locomotive-aloha-rails (~> 0.20.1)
  locomotive-tinymce-rails (~> 3.4.7)
--- a/app/assets/javascripts/locomotive/application.js.coffee
+++ b/app/assets/javascripts/locomotive/application.js.coffee
@ -1,5 +1,4 @@
 #= require_self
-#= require_tree .
 #= require_tree ./utils
 #= require_tree ./models
 #= require_tree ./views
--- a/app/cells/locomotive/global_actions_cell.rb
+++ b/app/cells/locomotive/global_actions_cell.rb
@ -24,7 +24,7 @@ class Locomotive::GlobalActionsCell < ::Locomotive::MenuCell
    end

    add :help, :url => '#', :class => 'tutorial', :id => 'help'
-    add :logout, :url => destroy_locomotive_account_session_url, :confirm => t('locomotive.messages.confirm'), :method => :delete
+    add :logout, :url => destroy_locomotive_session_url, :confirm => t('locomotive.messages.confirm'), :method => :delete
  end

  def localize_label(label, options = {})
--- a/app/controllers/locomotive/cross_domain_sessions_controller.rb
+++ b/app/controllers/locomotive/cross_domain_sessions_controller.rb
@ -1,39 +0,0 @@
-module Locomotive
-  class CrossDomainSessionsController < BaseController
-
-    layout '/locomotive/layouts/not_logged_in'
-
-    skip_before_filter :verify_authenticity_token
-
-    skip_before_filter :validate_site_membership
-
-    before_filter :require_account, :only => :new
-
-    skip_load_and_authorize_resource
-
-    def new
-      if site = current_locomotive_account.sites.detect { |s| s._id.to_s == params[:target_id] }
-        if Rails.env == 'development'
-          @target = site.full_subdomain
-        else
-          @target = site.domains_without_subdomain.first || site.full_subdomain
-        end
-
-        current_locomotive_account.reset_switch_site_token!
-      else
-        redirect_to admin_pages_path
-      end
-    end
-
-    def create
-      if account = Account.find_using_switch_site_token(params[:token])
-        account.reset_switch_site_token!
-        sign_in(account)
-        redirect_to pages_path
-      else
-        redirect_to new_locomotive_account_session_path, :alert => t('flash.locomotive.cross_domain_sessions.create.alert')
-      end
-    end
-
-  end
-end
--- a/app/models/locomotive/account.rb
+++ b/app/models/locomotive/account.rb
@ -1,5 +1,3 @@
-require 'digest'
-
 module Locomotive
  class Account

@ -10,7 +8,6 @@ module Locomotive
    ## attributes ##
    field :name
    field :locale, :default => Locomotive.config.default_locale.to_s or 'en'
-    field :switch_site_token

    ## validations ##
    validates_presence_of :name
@ -26,20 +23,6 @@ module Locomotive
      @sites ||= Site.where({ 'memberships.account_id' => self._id })
    end

-    def reset_switch_site_token!
-      self.switch_site_token = SecureRandom.base64(8).gsub("/", "_").gsub(/=+$/, "")
-      self.save
-    end
-
-    def self.find_using_switch_site_token(token, age = 1.minute)
-      return if token.blank?
-      self.where(:switch_site_token => token, :updated_at.gt => age.ago.utc).first
-    end
-
-    def self.find_using_switch_site_token!(token, age = 1.minute)
-      self.find_using_switch_site_token(token, age) || raise(::Mongoid::Errors::DocumentNotFound.new(self, token))
-    end
-
    # Create the API token which will be passed to all the requests to the Locomotive API.
    # It requires the credentials of an account with admin role.
    # If an error occurs (invalid account, ...etc), this method raises an exception that has
--- a/app/views/locomotive/cross_domain_sessions/new.html.haml
+++ b/app/views/locomotive/cross_domain_sessions/new.html.haml
@ -1,14 +0,0 @@
- title t('.title')
-
-= form_tag cross_domain_sessions_url(:host => @target, :port => request.port), :method => 'post' do
-
-  = hidden_field_tag 'token', current_locomotive_account.switch_site_token
-
-  .inner
-    %p.notice= t('.notice')
-
-  .footer
-    = submit_tag t('locomotive.buttons.switch_to_site')
-
-:javascript
-  $(document).ready(function() { setTimeout(function() { $('form').submit(); }, 1000); });
--- a/app/views/locomotive/shared/_header.html.haml
+++ b/app/views/locomotive/shared/_header.html.haml
@ -4,15 +4,6 @@
 = render_cell 'locomotive/global_actions', :show, :current_locomotive_account => current_locomotive_account, :current_site_url => current_site_public_url

 - if multi_sites? && current_locomotive_account.sites.size > 1
-  #sites-picker{ :style => 'display: none' }
-    %ul
-      - current_locomotive_account.sites.each do |site|
-        - unless current_site._id == site._id
-          %li
-            = link_to site.name, new_cross_domain_session_url(:target_id => site._id)
-
-    - if can?(:manage, Locomotive::Site)
-      %p.action
-        = link_to t('locomotive.sites_picker.new'), new_site_url
+  = render 'locomotive/shared/site_picker'

 = render_cell 'locomotive/content_locale_picker', :show, :site => current_site, :locale => current_content_locale
--- a/app/views/locomotive/shared/_site_picker.html.haml
+++ b/app/views/locomotive/shared/_site_picker.html.haml
@ -0,0 +1,10 @@
+#sites-picker{ :style => 'display: none' }
+  %ul
+    - current_locomotive_account.sites.each do |site|
+      - unless current_site._id == site._id
+        %li
+          = link_to site.name, pages_url(:host => site.full_subdomain, :port => request.port)
+
+  - if can?(:manage, Locomotive::Site)
+    %p.action
+      = link_to t('locomotive.sites_picker.new'), new_site_url
--- a/config/routes.rb
+++ b/config/routes.rb
@ -7,7 +7,8 @@ Locomotive::Engine.routes.draw do
    :path_prefix  => nil,
    :failure_app  => 'Locomotive::Devise::FailureApp',
    :controllers  => { :sessions => 'locomotive/sessions', :passwords => 'locomotive/passwords' } do
-      match '/' => 'sessions#new'
+      match '/'         => 'sessions#new'
+      delete 'signout'  => 'sessions#destroy', :as => :destroy_locomotive_session
  end

  root :to => 'pages#index'
@ -41,11 +42,6 @@ Locomotive::Engine.routes.draw do
    put :sort, :on => :collection
  end

-  # TODO
-  resources :custom_fields, :path => 'custom/:parent/:slug/fields'
-
-  resources :cross_domain_sessions, :only => [:new, :create]
-
  # installation guide
  match '/installation'       => 'installation#show', :defaults => { :step => 1 }, :as => :installation
  match '/installation/:step' => 'installation#show', :as => :installation_step
--- a/doc/TODO
+++ b/doc/TODO
@ -106,8 +106,8 @@ x script to migrate existing site
  x i18n
 - heroku module for locomotive
 - refactoring
-  - remove the cross domain authentication (use auth_token instead)
-  - remove the import / export scripts
+  x remove the import / export scripts
+  x remove the cross domain authentication (use auth_token instead)
  - where to put Locomotive::InlineEditorMiddleware ?
 - upgrade to rails 3.2 (https://github.com/locomotivecms/engine/pull/281/files)

--- a/features/admin/cross_domain_auth.feature
+++ b/features/admin/cross_domain_auth.feature
@ -1,24 +0,0 @@
-Feature: Cross Domain Authentication
-  In order to manage a new site I created
-  As an administrator signed in another site of mine
-  I want to bypass the authentication
-
-Background:
-  Given I have the site: "test site" set up
-  And I have the site: "another site" set up
-  And I am an authenticated user
-
-Scenario: Successful authentication
-  When I go to pages
-  Then I should see "Locomotive test website"
-  When I follow "Locomotive test website #2"
-  Then I should see "Cross-domain authentication"
-  When I press "Go"
-  Then I should see "Locomotive test website #2"
-
-Scenario: Failed authentication because of an outdated token
-  When I go to pages
-  And I follow "Locomotive test website #2"
-  And I forget to press the button on the cross-domain notice page
-  And I press "Go"
-  Then I should see "You need to sign in"
--- a/lib/locomotive.rb
+++ b/lib/locomotive.rb
@ -63,7 +63,8 @@ module Locomotive

    # cookies stored in mongodb (mongoid_store)
    Rails.application.config.session_store :mongoid_store, {
-      :key => self.config.cookie_key
+      :key    => self.config.cookie_key,
+      :domain => :all
    }

    # add middlewares (dragonfly, font, seo, ...etc)
--- a/locomotive_cms.gemspec
+++ b/locomotive_cms.gemspec
@ -29,7 +29,7 @@ Gem::Specification.new do |s|

  s.add_dependency 'custom_fields',         '~> 2.0.0.rc2'

-  s.add_dependency 'kaminari'
+  s.add_dependency 'kaminari',              '~> 0.13.0'

  s.add_dependency 'haml',                  '~> 3.1.3'
  s.add_dependency 'sass-rails',            '~> 3.1.5'
@ -60,7 +60,6 @@ Gem::Specification.new do |s|

  s.add_dependency 'actionmailer-with-request', '~> 0.3.0'
  s.add_dependency 'httparty',                  '~> 0.8.1'
-  # s.add_dependency 'delayed_job_mongoid',       '~> 1.0.8'

  s.files        = Dir[ 'Gemfile',
                        '{app}/**/*',
--- a/spec/dummy/config/initializers/locomotive.rb
+++ b/spec/dummy/config/initializers/locomotive.rb
@ -8,8 +8,8 @@ Locomotive.configure do |config|
  config.multi_sites do |multi_sites|
    # each new website you add will have a default entry based on a subdomain
    # and the multi_site_domain value (ex: website_1.locomotivehosting.com).
-    # multi_sites.domain = 'engine.dev' #'myhostingplatform.com'
-    multi_sites.domain = 'example.com'
+    multi_sites.domain = 'engine.dev' #'myhostingplatform.com'
+    # multi_sites.domain = 'example.com'

    # define the reserved subdomains
    # Ex:
--- a/spec/dummy/config/initializers/session_store.rb
+++ b/spec/dummy/config/initializers/session_store.rb
@ -1,6 +1,6 @@
 # Be sure to restart your server when you modify this file.

-Dummy::Application.config.session_store :cookie_store, key: '_dummy_session'
+Dummy::Application.config.session_store :cookie_store, key: '_dummy_session', :domain => :all

 # Use the database for sessions instead of the cookie-based default,
 # which shouldn't be used to store highly confidential information
--- a/spec/models/locomotive/account_spec.rb
+++ b/spec/models/locomotive/account_spec.rb
@ -63,31 +63,4 @@ describe Locomotive::Account do

  end

-  describe 'cross domain authentication' do
-
-    before(:each) do
-      @account = FactoryGirl.build(:account)
-      @account.stubs(:save).returns(true)
-    end
-
-    it 'sets a token' do
-      @account.reset_switch_site_token!.should be_true
-      @account.switch_site_token.should_not be_empty
-    end
-
-    context 'retrieving an account' do
-
-      it 'does not find it with an empty token' do
-        Locomotive::Account.find_using_switch_site_token(nil).should be_nil
-      end
-
-      it 'raises an exception if not found' do
-        expect {
-          Locomotive::Account.find_using_switch_site_token!(nil)
-        }.to raise_error Mongoid::Errors::DocumentNotFound
-      end
-
-    end
-
-  end
 end