bterkuile/mozo-backend
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

refactor security system

Browse Source
This commit is contained in:
Benjamin ter Kuile
2012-12-11 11:27:41 +01:00
parent f19044ae6a
commit 009b84f7cd
10 changed files with 151 additions and 103 deletions
Download Patch File Download Diff File Expand all files Collapse all files
app/assets/javascripts/user/application.js.erb
+9 -10
View File
@@ -1,6 +1,6 @@
// This is a manifest file that'll be compiled into application.js, which will include all the files
// listed below.
// a
//
// Any JavaScript/Coffee file within this directory, lib/assets/javascripts, vendor/assets/javascripts,
// or vendor/assets/javascripts of plugins, if any, can be referenced here using a relative path.
//
@@ -39,7 +39,7 @@ var path_mapping = {
list_products: '/list_products',
active_list: '/active_list',
history_list: '/history_list',
obtain_user_token: '/obtain_token',
obtain_token: '/obtain_token',
lists_history: '/list_history'
}
var $translations = {
@@ -119,7 +119,7 @@ function redirect_to(mapping, variables){
var vars = [];
for(var name in variables){
vars.push(name + '=' +variables[name]);
Qstorage[name] = variables[name];
Qstorage.setItem(name, variables[name]);
}
window.location = QMobile.root_url() + path_mapping[mapping] + '.html'
}
@@ -154,22 +154,21 @@ function t(path, vars){
$.ajaxSetup({
error: function(xhr, ajaxOptions, error, another){
if(xhr.status == 401){
direct_to_site('obtain_user_token');
redirect_to('obtain_token');
}else if(xhr.status == 0){
QMobile.connection_problem();
}
}
});
var Qstorage = sessionStorage;
$(function(){
$locale = QMobile.locale();
if(Qstorage.message){
$locale = Qstorage.getItem('locale') || 'en';
if(Qstorage.getItem('message')){
var container = $('.alert-success');
container.find('div').text($translations[$locale]['messages'][Qstorage.message]);
container.find('div').text($translations[$locale]['messages'][Qstorage.getItem('message')]);
container.show();
Qstorage.removeItem('message');
}
if(Qstorage.list_closed){
if(Qstorage.getItem('list_closed')){
var container = $('.alert-error');
container.find('div').text($translations[$locale]['messages']['the_list_has_been_closed']);
container.show();
@@ -178,7 +177,7 @@ $(function(){
setTranslations();
});
function setLocale(locale){
QMobile.setLocale(locale);
Qstorage.setItem('locale', locale);
$locale = locale;
setTranslations();
}
app/assets/javascripts/user/quser.js.coffee
+95 -60
View File
@@ -1,5 +1,5 @@
authentication_string = QMobile.authentication_string()
authentication_object = $.parseJSON(QMobile.authentication_object())
#authentication_string = QMobile.authentication_string()
#authentication_object = $.parseJSON(QMobile.authentication_object())
class Quser
format_date: (utc) ->
formatted = ''
@@ -9,7 +9,9 @@ class Quser
formatted
watch_events: ->
faye = new Faye.Client(event_host)
faye.subscribe "/user/"+QMobile.user_id(), (e)=>
user_id = Qstorage.getItem('user_id')
return unless user_id && user_id.length > 0
faye.subscribe "/user/"+user_id, (e)=>
if(e.event == 'list_closed')
#redirect_to 'user_root', {list_closed: 'true'}
redirect_to 'history_list', {list_id: e.data.id, list_closed: true}
@@ -39,23 +41,49 @@ class Quser
$('.list-total-amount').html(currency(e.data.total_amount))
console.log(e)
false
home_loader: ->
$.getJSON(data_host + '/user/list_info.json?' + authentication_string, (res) => @handle_active_list_default_actions(res))
handle_active_list: (callback) ->
$.getJSON(data_host + '/user/list_info.json?' + authentication_string, (res) =>
if(res.ok == false && res.status && res.status == 401)
direct_to_site('obtain_user_token')
else if !res.list_active
redirect_to 'user_root', {list_closed: 'true'}
return
window.active_list = res
callback.call() if callback
@handle_active_list_default_actions(res)
reset_user: ->
Qstorage.removeItem('auth_token')
Qstorage.removeItem('user_id')
authenticate_user: ->
email = $('#user-email')
password = $('#user-password')
return unless email.length && password.length
return email.focus() unless email.val() && email.val().length > 0
return password.focus() unless password.val() && password.val().length > 0
$.post(data_host + '/user/obtain_token.json', {"user[email]": email.val(), "user[password]": password.val()}, (res)=>
if res.auth_token
Qstorage.setItem('auth_token', res.auth_token)
Qstorage.setItem('user_id', res.user_id)
redirect_to 'user_root'
else
$('.user-alert').html(t('obtain_token.invalid_combination')).show()
)
false
ensure_token: (callback)->
redirect_to('obtain_token') unless Qstorage.getItem('auth_token') && typeof(Qstorage.getItem('auth_token')) == 'string' && Qstorage.getItem('auth_token').length > 0
@authentication_string = 'auth_token='+Qstorage.getItem('auth_token')
@authentication_object = {auth_token: Qstorage.getItem('auth_token')}
callback.call() if callback
home_loader: ->
@ensure_token =>
$.getJSON(data_host + '/user/list_info.json?' + @authentication_string, (res) => @handle_active_list_default_actions(res))
handle_active_list: (callback) ->
@ensure_token =>
$.getJSON(data_host + '/user/list_info.json?' + @authentication_string, (res) =>
if(res.ok == false && res.status && res.status == 401)
redirect_to('obtain_token')
else if !res.list_active
redirect_to 'user_root', {list_closed: 'true'}
return
window.active_list = res
callback.call() if callback
@handle_active_list_default_actions(res)
)
handle_active_list_default_actions: (response)->
response ||= {}
if(response.ok == false && response.status && response.status == 401)
direct_to_site('obtain_user_token')
redirect_to('obtain_token')
return
$('.table-number').text(response.table_number) if response.table_number
@@ -163,41 +191,46 @@ class Quser
return unless window.active_list && !window.active_list.needs_payment
$.post(data_host + '/user/list_needs_payment.json', authentication_object, (res) => window.active_list = res; window.Quser.list_needs_payment_default_action(res))
load_active_list: () ->
$.getJSON(data_host + '/user/active_list.json?'+authentication_string, (res) =>
window.active_list = res if res._id
unless res.list_active
redirect_to 'history_list', {list_id: window.active_list._id, list_closed: true}
return
@handle_active_list_default_actions(res)
body = $('#active-list-table tbody')
foot = $('#active-list-table tfoot')
@build_list_table(body, foot, res)
)
@ensure_token =>
$.getJSON(data_host + '/user/active_list.json?'+@authentication_string, (res) =>
if(res.ok == false && res.status && res.status == 401)
redirect_to('obtain_token')
window.active_list = res if res._id
unless res.list_active
redirect_to 'history_list', {list_id: window.active_list._id, list_closed: true}
return
@handle_active_list_default_actions(res)
body = $('#active-list-table tbody')
foot = $('#active-list-table tfoot')
@build_list_table(body, foot, res)
)
load_history_list: () ->
return unless list_id = Qstorage.list_id
$.getJSON(data_host + '/user/history_list.json?list_id='+list_id+'&'+ authentication_string, (res) =>
body = $('#history-list-table tbody')
foot = $('#history-list-table tfoot')
@build_list_table(body, foot, res)
$('.list-created-at').text(@format_date(res.created_at))
$('.list-closed-at').text(@format_date(res.closed_at))
$('.supplier-name').text(res.supplier_name)
)
@ensure_token =>
$.getJSON(data_host + '/user/history_list.json?list_id='+list_id+'&'+ @authentication_string, (res) =>
body = $('#history-list-table tbody')
foot = $('#history-list-table tfoot')
@build_list_table(body, foot, res)
$('.list-created-at').text(@format_date(res.created_at))
$('.list-closed-at').text(@format_date(res.closed_at))
$('.supplier-name').text(res.supplier_name)
)
load_list_history: ->
page = Qstorage.page || 1
page = parseInt(page)
$.getJSON(data_host + '/user/list_history.json?'+authentication_string+'&page='+page, (res) =>
@paginate(res, @load_list_history)
container = $('#list-history-container').html('')
for list in res.lists
li = $('<li></li>').appendTo(container)
link = $('<a href="#"></a>').appendTo(li)
link.click(-> redirect_to 'history_list', list_id: list._id)
txt = list.supplier_name
txt += ' - '
txt += @format_date(list.created_at)
link.text(txt)
)
@ensure_token =>
page = Qstorage.getItem('page') || 1
page = parseInt(page)
$.getJSON(data_host + '/user/list_history.json?'+@authentication_string+'&page='+page, (res) =>
@paginate(res, @load_list_history)
container = $('#list-history-container').html('')
for list in res.lists
li = $('<li></li>').appendTo(container)
link = $('<a href="#"></a>').appendTo(li)
link.click(-> redirect_to 'history_list', list_id: list._id)
txt = list.supplier_name
txt += ' - '
txt += @format_date(list.created_at)
link.text(txt)
)
paginate: (wrapper, callback) ->
container = $('nav.pagination')
container.html('')
@@ -235,12 +268,13 @@ class Quser
$('.list-total-amount').html(currency(m_obj.total_amount))
order_selected_products: ()->
return if $.isEmptyObject(window.active_products_list)
h = {}
h['table_id'] = Qstorage.getItem('table_id') if Qstorage.getItem('table_id')
for product_id, number of window.active_products_list
h['products['+product_id+']'] = number
$.post(data_host + '/user/order_selected_products', $.extend(h, authentication_object), ((res) => @handle_response(res)), 'json')
@ensure_token =>
return if $.isEmptyObject(window.active_products_list)
h = {}
h['table_id'] = Qstorage.getItem('table_id') if Qstorage.getItem('table_id')
for product_id, number of window.active_products_list
h['products['+product_id+']'] = number
$.post(data_host + '/user/order_selected_products', $.extend(h, @authentication_object), ((res) => @handle_response(res)), 'json')
handle_response: (res) ->
if(typeof(res) == 'string')
return unless res.length
@@ -268,10 +302,11 @@ class Quser
Qupdate('#active-order-container')
load_active_list_products: ->
@populate_products_table('/user/list_products.json?'+authentication_string)
@populate_products_table('/user/list_products.json?'+@authentication_string)
load_table_products: ->
return redirect_to 'user_root', {message: 'cannot_identify_table'} unless Qstorage.table_id
@populate_products_table('/user/list_products_for_table.json?'+authentication_string+'&table_id='+Qstorage.table_id)
@ensure_token =>
return redirect_to 'user_root', {message: 'cannot_identify_table'} unless Qstorage.table_id
@populate_products_table('/user/list_products_for_table.json?'+@authentication_string+'&table_id='+Qstorage.table_id)
populate_products_table: (src)->
$.getJSON(data_host + src, (res) =>
include_order_buttons = res.my_list || !res.table_occupied
@@ -317,7 +352,7 @@ class Quser
actions_for_table: (table)->
table = JSON.parse(table) if typeof(table) == 'string'
Qstorage.table_id = table.table_id
$.getJSON(data_host + '/user/table_info.json?'+authentication_string+'&table_id='+table.table_id, (res)=>
$.getJSON(data_host + '/user/table_info.json?'+@authentication_string+'&table_id='+table.table_id, (res)=>
if res.current_table_id
if res.other_supplier
redirect_to 'user_root', {message: 'table_is_from_other_supplier'}
@@ -337,7 +372,7 @@ class Quser
## Offer to move table
Qwaiter.confirm(
ok: ->
$.post(data_host + '/user/move_table', $.extend({table_id: table.table_id}, authentication_object), (res2)->
$.post(data_host + '/user/move_table', $.extend({table_id: table.table_id}, @authentication_object), (res2)->
if res2.occupied
redirect_to 'user_root', {message: 'move_table.cannot_move_to_occupied_tabe'}
else
@@ -371,7 +406,7 @@ class Quser
cont.html('')
cont.append $($('<img />').attr('src', "#{$asset_path}spinner.gif"))
cont.append $($('<p>').html(t('join_request.waiting_for_confirmation')))
$.post(data_host + '/user/join_occupied_table', $.extend({table_id: table_id}, authentication_object))
$.post(data_host + '/user/join_occupied_table', $.extend({table_id: table_id}, @authentication_object))
#setInterval('Quser.check_if_can_join_occupied_table("'+table_id+'")', 7500)
add_product: (product_id, count) ->
count ||= 1
app/controllers/user_controller.rb
+14 -6
View File
@@ -1,6 +1,6 @@
class UserController < ApplicationController
before_filter :allow_mobile
before_filter :user_authentication #, except: :obtain_token
before_filter :user_authentication, except: :obtain_token
layout 'phone'
def user_authentication
@@ -19,12 +19,20 @@ class UserController < ApplicationController
end
end
def authenticate_user_wrapper!
authenticate_user! unless request.format.html?
authenticate_user! if params[:action] == 'obtain_token'
end
def obtain_token
respond_to do |format|
format.html
format.json do
render json: json_response(ok: false, status: 401) and return unless params[:user].present? && params[:user][:email].present? && params[:user][:password].present?
user = User.find_by_email(params[:user][:email])
render json: json_response(ok: false, status: 401) and return unless user
render json: json_response(ok: false, status: 401) and return unless user.valid_password?(params[:user][:password])
user.ensure_authentication_token
sign_in user
render json: json_response(ok: true, auth_token: user.authentication_token, user_id: user.id)
end
end
end
alias :list :active_list
app/views/layouts/phone.html.slim
+4 -3
View File
@@ -23,6 +23,7 @@ html lang="en"
var event_host = '#{event_host}';
var $locale = 'en';
var $asset_path = '##assets_path##';
var Qstorage = localStorage;
- else
javascript:
var QMobile, Qwaiter, Quser;
@@ -30,6 +31,7 @@ html lang="en"
var event_host = '#{event_host}';
var $locale = 'en';
var $asset_path = '/assets/';
var Qstorage = localStorage;
#{Rails.env.production? ? '' : "data_host = 'http://qwaiter.dev';"}
//var data_host = 'http://localhost:3000';
QMobile || (QMobile = {
@@ -54,7 +56,6 @@ html lang="en"
user_id: function(){return this.stored_user_id },
log: function(str){console.log(str)}
});
QMobile.setAuthToken('#{current_user.authentication_token}');QMobile.setUserId('#{current_user.id}');
body class=action_name
- unless ENV['QWAITER_MOBILE_EXPORT'] == 'yes'
@@ -82,8 +83,8 @@ html lang="en"
.span12
= yield
= javascript_include_tag "user/application"
script#alert-template[type="text/html"]= render 'user/alert.mustache'
script#join-request-template[type="text/html"]= render 'user/join_request.mustache'
script#alert-template[type="text/html"]= mustache_template 'user/alert'
script#join-request-template[type="text/html"]= mustache_template 'user/join_request'
= yield :footer
javascript:
jQuery(function(){#{onload_javascript}});
app/views/user/list_products.html.slim
+1 -9
View File
@@ -18,12 +18,4 @@
script#products-category-template[type="text/html"]= mustache_template 'products_category'
script#products-category-for-order-template[type="text/html"]= mustache_template 'products_category_for_order'
script#active-order-template[type="text/html"]= mustache_template 'active_order'
- content_for :footer do
javascript:
jQuery(function(){
Quser.handle_active_list(function(){
Quser.load_active_list_products();
Quser.watch_events();
})
})
- onload_javascript 'Quser.handle_active_list(function(){Quser.load_active_list_products();Quser.watch_events()})'
app/views/user/list_products_for_table.html.slim
+4 -10
View File
@@ -8,13 +8,7 @@
tr
td= slider_image
#active-order-container
script#products-category-template[type="text/html"]= render 'products_category.mustache'
script#products-category-for-order-template[type="text/html"]= render 'products_category_for_order.mustache'
script#active-order-template[type="text/html"]= render 'active_order.mustache'
- content_for :footer do
javascript:
jQuery(function(){
Quser.load_table_products();
QMobile.activateRotation();
})
script#products-category-template[type="text/html"]= mustache_template 'products_category'
script#products-category-for-order-template[type="text/html"]= mustache_template 'products_category_for_order'
script#active-order-template[type="text/html"]= mustache_template 'active_order'
- onload_javascript 'Quser.load_table_products()'
app/views/user/obtain_token.html.slim
+17 -5
View File
@@ -1,5 +1,17 @@
- content_for :footer do
javascript:
QMobile.setAuthToken('#{current_user.authentication_token}');
QMobile.setUserId('#{current_user.id}');
QMobile.goHome();
= top_bar title: 'obtain_token.title' do
span
.well
.alert.alert-warming.user-alert.hide
form.form-horizontal
.control-group
label.control-label data-t='attributes.user.email' Email
.controls
input#user-email.email type="email" placeholder="Email"
.control-group
label.control-label data-t='attributes.user.password' Password
.controls
input#user-password.password type="password" placeholder="Password"
.control-group
.controls
button.btn.btn-primary data-t="obtain_token.obtain" onclick="Quser.authenticate_user(); return false"
config/locales/en.yml
+3
View File
@@ -144,6 +144,9 @@ en:
total: Total
product_category:
other_name: Overig
obtain_token:
title: Authenticate Qwaiter
obtain: Authenticate
section:
first_section_title: Room
manage_tables:
config/locales/nl.yml
+3
View File
@@ -157,6 +157,9 @@ nl:
total: Totaal
product_category:
other_name: Overig
obtain_token:
title: Aanmelden bij Qwaiter
obtain: Aanmelden
section:
first_section_title: Ruimte
manage_tables:
config/routes.rb
+1
View File
@@ -55,6 +55,7 @@ Qwaiter::Application.routes.draw do
post '/user/approve_join_request' => 'user#approve_join_request'
post '/user/check_table_join_status' => 'user#check_table_join_status'
get '/user/obtain_token' => 'user#obtain_token', as: :user_obtain_token
post '/user/obtain_token' => 'user#obtain_token', constraints: {format: :json}