bterkuile/mozo-backend
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

refactor security system

Browse Source
This commit is contained in:
Benjamin ter Kuile
2012-12-11 11:27:41 +01:00
parent f19044ae6a
commit 009b84f7cd
10 changed files with 151 additions and 103 deletions
Download Patch File Download Diff File Expand all files Collapse all files
app/assets/javascripts/user/application.js.erb
+9 -10
View File
@@ -1,6 +1,6 @@
// This is a manifest file that'll be compiled into application.js, which will include all the files // This is a manifest file that'll be compiled into application.js, which will include all the files
// listed below. // listed below.
// a //
// Any JavaScript/Coffee file within this directory, lib/assets/javascripts, vendor/assets/javascripts, // Any JavaScript/Coffee file within this directory, lib/assets/javascripts, vendor/assets/javascripts,
// or vendor/assets/javascripts of plugins, if any, can be referenced here using a relative path. // or vendor/assets/javascripts of plugins, if any, can be referenced here using a relative path.
// //
@@ -39,7 +39,7 @@ var path_mapping = {
list_products: '/list_products', list_products: '/list_products',
active_list: '/active_list', active_list: '/active_list',
history_list: '/history_list', history_list: '/history_list',
obtain_user_token: '/obtain_token', obtain_token: '/obtain_token',
lists_history: '/list_history' lists_history: '/list_history'
} }
var $translations = { var $translations = {
@@ -119,7 +119,7 @@ function redirect_to(mapping, variables){
var vars = []; var vars = [];
for(var name in variables){ for(var name in variables){
vars.push(name + '=' +variables[name]); vars.push(name + '=' +variables[name]);
Qstorage[name] = variables[name]; Qstorage.setItem(name, variables[name]);
} }
window.location = QMobile.root_url() + path_mapping[mapping] + '.html' window.location = QMobile.root_url() + path_mapping[mapping] + '.html'
} }
@@ -154,22 +154,21 @@ function t(path, vars){
$.ajaxSetup({ $.ajaxSetup({
error: function(xhr, ajaxOptions, error, another){ error: function(xhr, ajaxOptions, error, another){
if(xhr.status == 401){ if(xhr.status == 401){
direct_to_site('obtain_user_token'); redirect_to('obtain_token');
}else if(xhr.status == 0){ }else if(xhr.status == 0){
QMobile.connection_problem(); QMobile.connection_problem();
} }
} }
}); });
var Qstorage = sessionStorage;
$(function(){ $(function(){
$locale = QMobile.locale(); $locale = Qstorage.getItem('locale') || 'en';
if(Qstorage.message){ if(Qstorage.getItem('message')){
var container = $('.alert-success'); var container = $('.alert-success');
container.find('div').text($translations[$locale]['messages'][Qstorage.message]); container.find('div').text($translations[$locale]['messages'][Qstorage.getItem('message')]);
container.show(); container.show();
Qstorage.removeItem('message'); Qstorage.removeItem('message');
} }
if(Qstorage.list_closed){ if(Qstorage.getItem('list_closed')){
var container = $('.alert-error'); var container = $('.alert-error');
container.find('div').text($translations[$locale]['messages']['the_list_has_been_closed']); container.find('div').text($translations[$locale]['messages']['the_list_has_been_closed']);
container.show(); container.show();
@@ -178,7 +177,7 @@ $(function(){
setTranslations(); setTranslations();
}); });
function setLocale(locale){ function setLocale(locale){
QMobile.setLocale(locale); Qstorage.setItem('locale', locale);
$locale = locale; $locale = locale;
setTranslations(); setTranslations();
} }
app/assets/javascripts/user/quser.js.coffee
+52 -17
View File
@@ -1,5 +1,5 @@
authentication_string = QMobile.authentication_string() #authentication_string = QMobile.authentication_string()
authentication_object = $.parseJSON(QMobile.authentication_object()) #authentication_object = $.parseJSON(QMobile.authentication_object())
class Quser class Quser
format_date: (utc) -> format_date: (utc) ->
formatted = '' formatted = ''
@@ -9,7 +9,9 @@ class Quser
formatted formatted
watch_events: -> watch_events: ->
faye = new Faye.Client(event_host) faye = new Faye.Client(event_host)
faye.subscribe "/user/"+QMobile.user_id(), (e)=> user_id = Qstorage.getItem('user_id')
return unless user_id && user_id.length > 0
faye.subscribe "/user/"+user_id, (e)=>
if(e.event == 'list_closed') if(e.event == 'list_closed')
#redirect_to 'user_root', {list_closed: 'true'} #redirect_to 'user_root', {list_closed: 'true'}
redirect_to 'history_list', {list_id: e.data.id, list_closed: true} redirect_to 'history_list', {list_id: e.data.id, list_closed: true}
@@ -39,12 +41,38 @@ class Quser
$('.list-total-amount').html(currency(e.data.total_amount)) $('.list-total-amount').html(currency(e.data.total_amount))
console.log(e) console.log(e)
false false
reset_user: ->
Qstorage.removeItem('auth_token')
Qstorage.removeItem('user_id')
authenticate_user: ->
email = $('#user-email')
password = $('#user-password')
return unless email.length && password.length
return email.focus() unless email.val() && email.val().length > 0
return password.focus() unless password.val() && password.val().length > 0
$.post(data_host + '/user/obtain_token.json', {"user[email]": email.val(), "user[password]": password.val()}, (res)=>
if res.auth_token
Qstorage.setItem('auth_token', res.auth_token)
Qstorage.setItem('user_id', res.user_id)
redirect_to 'user_root'
else
$('.user-alert').html(t('obtain_token.invalid_combination')).show()
)
false
ensure_token: (callback)->
redirect_to('obtain_token') unless Qstorage.getItem('auth_token') && typeof(Qstorage.getItem('auth_token')) == 'string' && Qstorage.getItem('auth_token').length > 0
@authentication_string = 'auth_token='+Qstorage.getItem('auth_token')
@authentication_object = {auth_token: Qstorage.getItem('auth_token')}
callback.call() if callback
home_loader: -> home_loader: ->
$.getJSON(data_host + '/user/list_info.json?' + authentication_string, (res) => @handle_active_list_default_actions(res)) @ensure_token =>
$.getJSON(data_host + '/user/list_info.json?' + @authentication_string, (res) => @handle_active_list_default_actions(res))
handle_active_list: (callback) -> handle_active_list: (callback) ->
$.getJSON(data_host + '/user/list_info.json?' + authentication_string, (res) => @ensure_token =>
$.getJSON(data_host + '/user/list_info.json?' + @authentication_string, (res) =>
if(res.ok == false && res.status && res.status == 401) if(res.ok == false && res.status && res.status == 401)
direct_to_site('obtain_user_token') redirect_to('obtain_token')
else if !res.list_active else if !res.list_active
redirect_to 'user_root', {list_closed: 'true'} redirect_to 'user_root', {list_closed: 'true'}
return return
@@ -55,7 +83,7 @@ class Quser
handle_active_list_default_actions: (response)-> handle_active_list_default_actions: (response)->
response ||= {} response ||= {}
if(response.ok == false && response.status && response.status == 401) if(response.ok == false && response.status && response.status == 401)
direct_to_site('obtain_user_token') redirect_to('obtain_token')
return return
$('.table-number').text(response.table_number) if response.table_number $('.table-number').text(response.table_number) if response.table_number
@@ -163,7 +191,10 @@ class Quser
return unless window.active_list && !window.active_list.needs_payment return unless window.active_list && !window.active_list.needs_payment
$.post(data_host + '/user/list_needs_payment.json', authentication_object, (res) => window.active_list = res; window.Quser.list_needs_payment_default_action(res)) $.post(data_host + '/user/list_needs_payment.json', authentication_object, (res) => window.active_list = res; window.Quser.list_needs_payment_default_action(res))
load_active_list: () -> load_active_list: () ->
$.getJSON(data_host + '/user/active_list.json?'+authentication_string, (res) => @ensure_token =>
$.getJSON(data_host + '/user/active_list.json?'+@authentication_string, (res) =>
if(res.ok == false && res.status && res.status == 401)
redirect_to('obtain_token')
window.active_list = res if res._id window.active_list = res if res._id
unless res.list_active unless res.list_active
redirect_to 'history_list', {list_id: window.active_list._id, list_closed: true} redirect_to 'history_list', {list_id: window.active_list._id, list_closed: true}
@@ -175,7 +206,8 @@ class Quser
) )
load_history_list: () -> load_history_list: () ->
return unless list_id = Qstorage.list_id return unless list_id = Qstorage.list_id
$.getJSON(data_host + '/user/history_list.json?list_id='+list_id+'&'+ authentication_string, (res) => @ensure_token =>
$.getJSON(data_host + '/user/history_list.json?list_id='+list_id+'&'+ @authentication_string, (res) =>
body = $('#history-list-table tbody') body = $('#history-list-table tbody')
foot = $('#history-list-table tfoot') foot = $('#history-list-table tfoot')
@build_list_table(body, foot, res) @build_list_table(body, foot, res)
@@ -184,9 +216,10 @@ class Quser
$('.supplier-name').text(res.supplier_name) $('.supplier-name').text(res.supplier_name)
) )
load_list_history: -> load_list_history: ->
page = Qstorage.page || 1 @ensure_token =>
page = Qstorage.getItem('page') || 1
page = parseInt(page) page = parseInt(page)
$.getJSON(data_host + '/user/list_history.json?'+authentication_string+'&page='+page, (res) => $.getJSON(data_host + '/user/list_history.json?'+@authentication_string+'&page='+page, (res) =>
@paginate(res, @load_list_history) @paginate(res, @load_list_history)
container = $('#list-history-container').html('') container = $('#list-history-container').html('')
for list in res.lists for list in res.lists
@@ -235,12 +268,13 @@ class Quser
$('.list-total-amount').html(currency(m_obj.total_amount)) $('.list-total-amount').html(currency(m_obj.total_amount))
order_selected_products: ()-> order_selected_products: ()->
@ensure_token =>
return if $.isEmptyObject(window.active_products_list) return if $.isEmptyObject(window.active_products_list)
h = {} h = {}
h['table_id'] = Qstorage.getItem('table_id') if Qstorage.getItem('table_id') h['table_id'] = Qstorage.getItem('table_id') if Qstorage.getItem('table_id')
for product_id, number of window.active_products_list for product_id, number of window.active_products_list
h['products['+product_id+']'] = number h['products['+product_id+']'] = number
$.post(data_host + '/user/order_selected_products', $.extend(h, authentication_object), ((res) => @handle_response(res)), 'json') $.post(data_host + '/user/order_selected_products', $.extend(h, @authentication_object), ((res) => @handle_response(res)), 'json')
handle_response: (res) -> handle_response: (res) ->
if(typeof(res) == 'string') if(typeof(res) == 'string')
return unless res.length return unless res.length
@@ -268,10 +302,11 @@ class Quser
Qupdate('#active-order-container') Qupdate('#active-order-container')
load_active_list_products: -> load_active_list_products: ->
@populate_products_table('/user/list_products.json?'+authentication_string) @populate_products_table('/user/list_products.json?'+@authentication_string)
load_table_products: -> load_table_products: ->
@ensure_token =>
return redirect_to 'user_root', {message: 'cannot_identify_table'} unless Qstorage.table_id return redirect_to 'user_root', {message: 'cannot_identify_table'} unless Qstorage.table_id
@populate_products_table('/user/list_products_for_table.json?'+authentication_string+'&table_id='+Qstorage.table_id) @populate_products_table('/user/list_products_for_table.json?'+@authentication_string+'&table_id='+Qstorage.table_id)
populate_products_table: (src)-> populate_products_table: (src)->
$.getJSON(data_host + src, (res) => $.getJSON(data_host + src, (res) =>
include_order_buttons = res.my_list || !res.table_occupied include_order_buttons = res.my_list || !res.table_occupied
@@ -317,7 +352,7 @@ class Quser
actions_for_table: (table)-> actions_for_table: (table)->
table = JSON.parse(table) if typeof(table) == 'string' table = JSON.parse(table) if typeof(table) == 'string'
Qstorage.table_id = table.table_id Qstorage.table_id = table.table_id
$.getJSON(data_host + '/user/table_info.json?'+authentication_string+'&table_id='+table.table_id, (res)=> $.getJSON(data_host + '/user/table_info.json?'+@authentication_string+'&table_id='+table.table_id, (res)=>
if res.current_table_id if res.current_table_id
if res.other_supplier if res.other_supplier
redirect_to 'user_root', {message: 'table_is_from_other_supplier'} redirect_to 'user_root', {message: 'table_is_from_other_supplier'}
@@ -337,7 +372,7 @@ class Quser
## Offer to move table ## Offer to move table
Qwaiter.confirm( Qwaiter.confirm(
ok: -> ok: ->
$.post(data_host + '/user/move_table', $.extend({table_id: table.table_id}, authentication_object), (res2)-> $.post(data_host + '/user/move_table', $.extend({table_id: table.table_id}, @authentication_object), (res2)->
if res2.occupied if res2.occupied
redirect_to 'user_root', {message: 'move_table.cannot_move_to_occupied_tabe'} redirect_to 'user_root', {message: 'move_table.cannot_move_to_occupied_tabe'}
else else
@@ -371,7 +406,7 @@ class Quser
cont.html('') cont.html('')
cont.append $($('<img />').attr('src', "#{$asset_path}spinner.gif")) cont.append $($('<img />').attr('src', "#{$asset_path}spinner.gif"))
cont.append $($('<p>').html(t('join_request.waiting_for_confirmation'))) cont.append $($('<p>').html(t('join_request.waiting_for_confirmation')))
$.post(data_host + '/user/join_occupied_table', $.extend({table_id: table_id}, authentication_object)) $.post(data_host + '/user/join_occupied_table', $.extend({table_id: table_id}, @authentication_object))
#setInterval('Quser.check_if_can_join_occupied_table("'+table_id+'")', 7500) #setInterval('Quser.check_if_can_join_occupied_table("'+table_id+'")', 7500)
add_product: (product_id, count) -> add_product: (product_id, count) ->
count ||= 1 count ||= 1
app/controllers/user_controller.rb
+13 -5
View File
@@ -1,6 +1,6 @@
class UserController < ApplicationController class UserController < ApplicationController
before_filter :allow_mobile before_filter :allow_mobile
before_filter :user_authentication #, except: :obtain_token before_filter :user_authentication, except: :obtain_token
layout 'phone' layout 'phone'
def user_authentication def user_authentication
@@ -19,12 +19,20 @@ class UserController < ApplicationController
end end
end end
def authenticate_user_wrapper! def obtain_token
authenticate_user! unless request.format.html? respond_to do |format|
authenticate_user! if params[:action] == 'obtain_token' format.html
format.json do
render json: json_response(ok: false, status: 401) and return unless params[:user].present? && params[:user][:email].present? && params[:user][:password].present?
user = User.find_by_email(params[:user][:email])
render json: json_response(ok: false, status: 401) and return unless user
render json: json_response(ok: false, status: 401) and return unless user.valid_password?(params[:user][:password])
user.ensure_authentication_token
sign_in user
render json: json_response(ok: true, auth_token: user.authentication_token, user_id: user.id)
end end
def obtain_token end
end end
alias :list :active_list alias :list :active_list
app/views/layouts/phone.html.slim
+4 -3
View File
@@ -23,6 +23,7 @@ html lang="en"
var event_host = '#{event_host}'; var event_host = '#{event_host}';
var $locale = 'en'; var $locale = 'en';
var $asset_path = '##assets_path##'; var $asset_path = '##assets_path##';
var Qstorage = localStorage;
- else - else
javascript: javascript:
var QMobile, Qwaiter, Quser; var QMobile, Qwaiter, Quser;
@@ -30,6 +31,7 @@ html lang="en"
var event_host = '#{event_host}'; var event_host = '#{event_host}';
var $locale = 'en'; var $locale = 'en';
var $asset_path = '/assets/'; var $asset_path = '/assets/';
var Qstorage = localStorage;
#{Rails.env.production? ? '' : "data_host = 'http://qwaiter.dev';"} #{Rails.env.production? ? '' : "data_host = 'http://qwaiter.dev';"}
//var data_host = 'http://localhost:3000'; //var data_host = 'http://localhost:3000';
QMobile || (QMobile = { QMobile || (QMobile = {
@@ -54,7 +56,6 @@ html lang="en"
user_id: function(){return this.stored_user_id }, user_id: function(){return this.stored_user_id },
log: function(str){console.log(str)} log: function(str){console.log(str)}
}); });
QMobile.setAuthToken('#{current_user.authentication_token}');QMobile.setUserId('#{current_user.id}');
body class=action_name body class=action_name
- unless ENV['QWAITER_MOBILE_EXPORT'] == 'yes' - unless ENV['QWAITER_MOBILE_EXPORT'] == 'yes'
@@ -82,8 +83,8 @@ html lang="en"
.span12 .span12
= yield = yield
= javascript_include_tag "user/application" = javascript_include_tag "user/application"
script#alert-template[type="text/html"]= render 'user/alert.mustache' script#alert-template[type="text/html"]= mustache_template 'user/alert'
script#join-request-template[type="text/html"]= render 'user/join_request.mustache' script#join-request-template[type="text/html"]= mustache_template 'user/join_request'
= yield :footer = yield :footer
javascript: javascript:
jQuery(function(){#{onload_javascript}}); jQuery(function(){#{onload_javascript}});
app/views/user/list_products.html.slim
+1 -9
View File
@@ -18,12 +18,4 @@
script#products-category-template[type="text/html"]= mustache_template 'products_category' script#products-category-template[type="text/html"]= mustache_template 'products_category'
script#products-category-for-order-template[type="text/html"]= mustache_template 'products_category_for_order' script#products-category-for-order-template[type="text/html"]= mustache_template 'products_category_for_order'
script#active-order-template[type="text/html"]= mustache_template 'active_order' script#active-order-template[type="text/html"]= mustache_template 'active_order'
- content_for :footer do - onload_javascript 'Quser.handle_active_list(function(){Quser.load_active_list_products();Quser.watch_events()})'
javascript:
jQuery(function(){
Quser.handle_active_list(function(){
Quser.load_active_list_products();
Quser.watch_events();
})
})
app/views/user/list_products_for_table.html.slim
+4 -10
View File
@@ -8,13 +8,7 @@
tr tr
td= slider_image td= slider_image
#active-order-container #active-order-container
script#products-category-template[type="text/html"]= render 'products_category.mustache' script#products-category-template[type="text/html"]= mustache_template 'products_category'
script#products-category-for-order-template[type="text/html"]= render 'products_category_for_order.mustache' script#products-category-for-order-template[type="text/html"]= mustache_template 'products_category_for_order'
script#active-order-template[type="text/html"]= render 'active_order.mustache' script#active-order-template[type="text/html"]= mustache_template 'active_order'
- content_for :footer do - onload_javascript 'Quser.load_table_products()'
javascript:
jQuery(function(){
Quser.load_table_products();
QMobile.activateRotation();
})
app/views/user/obtain_token.html.slim
+17 -5
View File
@@ -1,5 +1,17 @@
- content_for :footer do = top_bar title: 'obtain_token.title' do
javascript: span
QMobile.setAuthToken('#{current_user.authentication_token}');
QMobile.setUserId('#{current_user.id}'); .well
QMobile.goHome(); .alert.alert-warming.user-alert.hide
form.form-horizontal
.control-group
label.control-label data-t='attributes.user.email' Email
.controls
input#user-email.email type="email" placeholder="Email"
.control-group
label.control-label data-t='attributes.user.password' Password
.controls
input#user-password.password type="password" placeholder="Password"
.control-group
.controls
button.btn.btn-primary data-t="obtain_token.obtain" onclick="Quser.authenticate_user(); return false"
config/locales/en.yml
+3
View File
@@ -144,6 +144,9 @@ en:
total: Total total: Total
product_category: product_category:
other_name: Overig other_name: Overig
obtain_token:
title: Authenticate Qwaiter
obtain: Authenticate
section: section:
first_section_title: Room first_section_title: Room
manage_tables: manage_tables:
config/locales/nl.yml
+3
View File
@@ -157,6 +157,9 @@ nl:
total: Totaal total: Totaal
product_category: product_category:
other_name: Overig other_name: Overig
obtain_token:
title: Aanmelden bij Qwaiter
obtain: Aanmelden
section: section:
first_section_title: Ruimte first_section_title: Ruimte
manage_tables: manage_tables:
config/routes.rb
+1
View File
@@ -55,6 +55,7 @@ Qwaiter::Application.routes.draw do
post '/user/approve_join_request' => 'user#approve_join_request' post '/user/approve_join_request' => 'user#approve_join_request'
post '/user/check_table_join_status' => 'user#check_table_join_status' post '/user/check_table_join_status' => 'user#check_table_join_status'
get '/user/obtain_token' => 'user#obtain_token', as: :user_obtain_token get '/user/obtain_token' => 'user#obtain_token', as: :user_obtain_token
post '/user/obtain_token' => 'user#obtain_token', constraints: {format: :json}