Class User
In: app/models/user.rb
Parent: ActiveRecord::Base

A generic user login facility. Provides a user login, password management, and administrative facilities. Logs users in via HTTP Basic authentication, a login form, or a security token. Maintains the login state using Session.

I started out with the Salted Hash login generator, and essentially rewrote the whole thing, learning a lot from the previous versions. This is not a criticism of the previous work, my goals were different. So, it’s fair to say that this is derived from the work of Joe Hosteny and Tobias Leutke.

Methods

admin?   admin?   change_email   change_password   current   current=   initial_self_promotion?   logging_in?   login_user   me?   new   new_or_me?   new_or_me_or_logging_in?   new_token   new_token   prepare_save   sign_off   sign_on   sign_on   sign_on_by_session   sign_on_by_token   sign_on_by_token  

Included Modules

ModelSecurity

Constants

Char64 = (('a'..'z').collect + ('A'..'Z').collect + ('0'..'9').collect + ['.','/']).freeze

Attributes

old_password  [RW] 
password  [RW] 
password_confirmation  [RW] 

Public Class methods

admin?()

Return true if the currently-logged-in user is the administrator. Class method. This is used as a pseudo-security test by let_display.

current()

Return the currently-logged-in user.

current=(u)

Set the currently-logged-in user.

new(attributes = nil)

Create a new user record.

This is either used to create an ephemeral prototype object to initialize a form, or an object resulting from a form submission that will become a persistent record.

new_token(address)

Create a new security token, or if the current one is not yet expired, return the current one. Should only be called with nobody logged in, it will log out the current user if one is logged in. Class method.

sign_off()

Log off the current user.

sign_on(handle, pwd)

Log on the user for this record, given a user name and password. Class method.

sign_on_by_session(user_id)

Continue the current login, from the session data. This should be called by User.setup .

sign_on_by_token(id, token)

Sign on the user using an ID (record index) and security token. Class method.

Public Instance methods

admin?()

Return true if the currently-logged-in user is the administrator. Instance method. This is used as a security test.

change_email(attributes)

Change the user’s email address. FIX: send confirmation email.

change_password(attributes)

Change the user’s password. Confirm the old password while doing so.

initial_self_promotion?()

Return true if the user’s ID is 1 and the user is attempting to promote himself to administrator. This is used to bootstrap the first administrator and for no other purpose.

logging_in?()

Return true if the user is currently logging in. This security test allows us to designate model fields to be visible only while a user is logging in.

me?()

Return true if this record corresponds to the currently-logged-in user. This is used as a security test.

new_or_me?()

Return true if the user record is new (never been saved) or if it corresponds to the currently-logged-in user. This security test is a common pattern applied to a number of user record attributes.

new_or_me_or_logging_in?()

Return true if the user record is new (never been saved) or if it corresponds to the currently-logged-in user, or if the current user is the special "login" user. This security test is a common pattern applied to a number of user record attributes.

new_token()

Create a new security token, or if the current one is not yet expired, return the current one. Should only be called with nobody logged in, it will log out the current user if one is logged in. Instance method.

prepare_save()

Encrypt the password before saving. Then wipe out the provided plaintext password, so that it won’t trigger unnecessary security tests and validations the next time this record is saved. Wiping out the plaintext is more secure, anyway.

sign_on(pass)

Log on the user for this record, given a password. Instance method.

sign_on_by_token(t)

Sign on the user using a security token. Instance method.

[Validate]