Changeset 470
- Timestamp:
- 10/19/06 04:38:25 (2 years ago)
- Files:
-
- login_engine/trunk/app/controllers/user_controller.rb (modified) (2 diffs)
- login_engine/trunk/lib/login_engine.rb (modified) (1 diff)
- login_engine/trunk/lib/login_engine/authenticated_system.rb (modified) (2 diffs)
- login_engine/trunk/lib/login_engine/authenticated_user.rb (modified) (1 diff)
- login_engine/trunk/test/functional/user_controller_test.rb (modified) (1 diff)
login_engine/trunk/app/controllers/user_controller.rb
r450 r470 29 29 flash[:notice] = 'Login successful' 30 30 31 # if password has expired, the redirect to login 32 if !session[:user].passwords.empty? && session[:user].password_expired? 33 flash[:notice] = 'Password expired. Please change your password' 34 redirect_to :action => :change_password 35 else 36 37 case LoginEngine.config(:login_redirect) 38 when :back 39 # we have stored the 'back' link, so we should send them to whatever page they 40 # were at *before* they clicked 'login'. 41 redirect_to session['back-to'] || LoginEngine.default_home 42 session['back-to'] = nil 43 44 when :default 45 # whenever someone logs in, we always want to send them to the homepage 46 redirect_to LoginEngine.default_home 47 48 else 49 # they got sent to login because of an unauthorised action, so we should have 50 # the location stored anyway. 51 redirect_to_stored_or_default 52 end 53 54 end 31 case LoginEngine.config(:login_redirect) 32 when :back 33 # we have stored the 'back' link, so we should send them to whatever page they 34 # were at *before* they clicked 'login'. 35 redirect_to session['back-to'] || LoginEngine.default_home 36 session['back-to'] = nil 37 38 when :default 39 # whenever someone logs in, we always want to send them to the homepage 40 redirect_to LoginEngine.default_home 41 42 else 43 # they got sent to login because of an unauthorised action, so we should have 44 # the location stored anyway. 45 redirect_to_stored_or_default 46 end 47 55 48 else 56 49 @login = params[:user][:login] … … 104 97 # since sometimes we're changing the password from within another action/template... 105 98 #redirect_to :action => params[:back_to] if params[:back_to] 106 redirect_back_or_default :action => 'change_password' 99 #redirect_back_or_default :action => 'change_password' 100 redirect_to_stored_or_back_or_default :action => 'change_password' 107 101 # after we have changed the password, do we really want to end up back in the same place? 
108 102 # Why not redirect to the stored location or default? login_engine/trunk/lib/login_engine.rb
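Review bot: Removing the expiry check from the login branch makes password expiry opt-in, because nothing on the new side of this hunk consults `password_expired?` any more. An application that sets `password_expiry` to a non-zero value but never installs `detect_expired_password` will, as far as this page shows, accept expired passwords without any warning. Either keep a login-time fallback redirect to `change_password`, or mark the gap where the check used to be with a comment such as `# password expiry is NOT checked here; it is enforced only by the detect_expired_password before_filter`. The login action starts and ends outside the lines shown.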
r454 r470 60 60 # password expiry time in days 61 61 # 0 means it will not expire 62 # non-zero requires use of the 63 # detect_expired_password filter in your 64 # controllers 62 65 config :password_expiry, 0 63 66 login_engine/trunk/lib/login_engine/authenticated_system.rb
r446 r470 60 60 end 61 61 62 # filter for detecting expired passwords. add 63 # 64 # before_filter :detect_expired_password 65 # 66 # to application_controller if you want to force password changes when 67 # someone logs in and their password has expired. 68 # Only really makes sense if you have the password_expiry config 69 # set to non-zero value. 70 def detect_expired_password 71 if user? 72 u = session[:user].reload 73 # if password has expired, the redirect to login 74 # but only if it expired before the user logged in, forcing unavoidable password changes 75 # during a session would be cruel. Once you are in, you are in. 76 if !u.passwords.empty? && u.password_expired_during_current_login_session? 77 if request.get? 78 store_location 79 end 80 flash.now[:warning] = 'Password expired. You must change your password before continuing' 81 redirect_to :controller => 'user', :action => 'change_password' 82 # Return false to halt the filter chain 83 return false 84 end 85 end 86 return true 87 end 88 62 89 # overwrite if you want to have special behavior in case the user is not authorized 63 90 # to access the current operation. … … 93 120 end 94 121 122 def redirect_to_stored_or_back_or_default(default=default_home) 123 if !session['return-to'].nil? 124 redirect_to_url session['return-to'] 125 session['return-to'] = nil 126 elsif !request.env["HTTP_REFERER"].nil? 127 redirect_to(request.env["HTTP_REFERER"]) # same as redirect_to :back 128 else 129 redirect_to default 130 end 131 end 132 95 133 def default_home 96 134 case LoginEngine.config(:default_home) login_engine/trunk/lib/login_engine/authenticated_user.rb
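Review bot: `redirect_to_stored_or_back_or_default` redirects to whatever `request.env["HTTP_REFERER"]` contains, and that header is supplied by the client, so the redirect issued after a password change in `change_password` can leave the site. Limit the fallback to same-host referers, for example `elsif (ref = request.env["HTTP_REFERER"]) && ref.index("#{request.protocol}#{request.host_with_port}/") == 0` followed by `redirect_to(ref)`, and fall through to `default` otherwise. Separately, `detect_expired_password` sets `flash.now[:warning]` immediately before `redirect_to`. Since `flash.now` is meant for the current request only, the warning will probably not be visible on the change_password page, and `flash[:warning]` looks like what is intended.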
r451 r470 145 145 end 146 146 147 # TODO - this only really makes sense if we know if a given user is logged in 148 # which we don't really... 149 def password_expired_during_current_login_session? 150 return (password_expired? and self.passwords.first.created_at < self.logged_in_at) 151 end 152 147 153 protected 148 154 login_engine/trunk/test/functional/user_controller_test.rb
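Review bot: `password_expired_during_current_login_session?` compares the password's `created_at` with `logged_in_at`, which tests when the password was set, not when it expired. A password that was valid at login and expires mid-session still satisfies `password_expired? and created_at < logged_in_at`, so the filter would force a change during the session, which the filter's own comment ("Once you are in, you are in") says it should not. If that comment states the intent, compare the expiry instant instead, e.g. `passwords.first.created_at + LoginEngine.config(:password_expiry).days < logged_in_at`, assuming `password_expired?` derives expiry the same way. The method also raises if `passwords` is empty or `logged_in_at` is nil, so a guard such as `return false if passwords.empty? || logged_in_at.nil?` would make it safe to call outside the filter.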
r451 r470 551 551 assert session[:user].password_expired? 552 552 553 assert_match /Password expired/, flash[:notice] 553 get :home 554 assert_match /Password expired/, flash[:warning] 554 555 assert_redirect_url(@controller.url_for(:action => "change_password")) 555 556 end
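Review bot: The updated test shows the filter firing on a UserController action (`get :home`), but nothing here checks that `change_password` itself stays reachable once the password has expired. If the filter also runs for that action, a GET to it would be redirected back to itself, so the user could never reach the form that clears the condition. Add a follow-up assertion such as `get :change_password` then `assert_response :success`, and exempt the action from the filter if that fails. The test method starts outside the lines shown.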
