update security handling for user namespace

app/assets/images/logo.svg

@@ -130,9 +130,9 @@
    inkscape:window-height="852"
    id="namedview43"
    showgrid="false"
-   inkscape:zoom="1"
-   inkscape:cx="70.721631"
-   inkscape:cy="87.591402"
+   inkscape:zoom="6.34"
+   inkscape:cx="50"
+   inkscape:cy="50"
    inkscape:window-x="0"
    inkscape:window-y="0"
    inkscape:window-maximized="0"
@@ -148,21 +148,22 @@
    style="font-size:9.42450047px;fill:#634227;font-family:HelveticaRounded-Bold"
    x="25.508852"
    y="72.998604"
-   inkscape:export-filename="/Users/bterkuile/companytools/development/rails/qwaiter/app/assets/images/icons/logo-medium.png"
-   inkscape:export-xdpi="112.82128"
-   inkscape:export-ydpi="112.82128"><tspan
+   inkscape:export-filename="/Users/bterkuile/Qwaiter/Android app/Pictures/icon-high-res.png"
+   inkscape:export-xdpi="766.79059"
+   inkscape:export-ydpi="766.79059"><tspan
      style="-inkscape-font-specification:Arial Rounded MT Bold;font-family:Arial Rounded MT Bold"
      id="tspan3936">Q</tspan></text>
 
 
+
 <text
    id="text7"
    x="33.180241"
    y="72.998604"
    style="font-size:11.99999905px"
-   inkscape:export-filename="/Users/bterkuile/companytools/development/rails/qwaiter/app/assets/images/icons/logo-medium.png"
-   inkscape:export-xdpi="112.82128"
-   inkscape:export-ydpi="112.82128"><tspan
+   inkscape:export-filename="/Users/bterkuile/Qwaiter/Android app/Pictures/icon-high-res.png"
+   inkscape:export-xdpi="766.79059"
+   inkscape:export-ydpi="766.79059"><tspan
      x="33.180241"
      y="72.998604"
      font-size="9.4245"
@@ -170,21 +171,26 @@
      style="font-size:9.42450046999999991px;fill:#231f20;font-family:Arial Rounded MT Bold;-inkscape-font-specification:Arial Rounded MT Bold">WAITE</tspan></text>
 
 
+
 <text
    font-size="9.4245"
    id="text19"
    style="font-size:9.42450047px;fill:#634227;font-family:HelveticaRounded-Bold"
    x="63.659245"
    y="72.998604"
-   inkscape:export-filename="/Users/bterkuile/companytools/development/rails/qwaiter/app/assets/images/icons/logo-medium.png"
-   inkscape:export-xdpi="112.82128"
-   inkscape:export-ydpi="112.82128"><tspan
+   inkscape:export-filename="/Users/bterkuile/Qwaiter/Android app/Pictures/icon-high-res.png"
+   inkscape:export-xdpi="766.79059"
+   inkscape:export-ydpi="766.79059"><tspan
      style="-inkscape-font-specification:Arial Rounded MT Bold;font-family:Arial Rounded MT Bold"
      id="tspan3938">R</tspan></text>
 
 
+
 <g
-   id="g3012"><path
+   id="g3012"
+   inkscape:export-filename="/Users/bterkuile/Qwaiter/Android app/Pictures/icon-high-res.png"
+   inkscape:export-xdpi="766.79059"
+   inkscape:export-ydpi="766.79059"><path
      inkscape:export-ydpi="112.82128"
      inkscape:export-xdpi="112.82128"
      inkscape:export-filename="/Users/bterkuile/companytools/development/rails/qwaiter/app/assets/images/icons/logo-medium.png"
@@ -235,7 +241,8 @@
      sodipodi:cy="4230.1689"
      sodipodi:rx="5.5359998"
      sodipodi:ry="5.5359998"
-     style="fill:none;stroke:#634227;stroke-width:0.182;stroke-miterlimit:10" /><path
+     style="fill:none;stroke:#634227;stroke-width:0.182;stroke-miterlimit:10"
+     d="m 4255.8329,4230.1689 c 0,3.0575 -2.4786,5.536 -5.536,5.536 -3.0575,0 -5.536,-2.4785 -5.536,-5.536 0,-3.0574 2.4785,-5.536 5.536,-5.536 3.0574,0 5.536,2.4786 5.536,5.536 z" /><path
      inkscape:export-ydpi="112.82128"
      inkscape:export-xdpi="112.82128"
      inkscape:export-filename="/Users/bterkuile/companytools/development/rails/qwaiter/app/assets/images/icons/logo-medium.png"

app/assets/javascripts/application.js

@@ -16,4 +16,3 @@
 //= require twitter/bootstrap
 //= require_directory .
 //= require_self
-

app/assets/javascripts/user/application.js.erb

@@ -110,6 +110,14 @@ function redirect_to(mapping, variables){
   }
   window.location = QMobile.root_url() + path_mapping[mapping] + '.html?' + vars.join('&')
 }
+function direct_to_site(mapping, variables){
+  variables || (variables = {});
+  var vars = []
+  for(var name in variables){
+    vars.push(name + '=' +variables[name])
+  }
+  window.location = data_host + path_mapping[mapping] + '.html?' + vars.join('&')
+}
 function currency(num) {
   return Qwaiter.currency(num);
 }
@@ -131,9 +139,11 @@ function t(path, vars){
   return result;
 }
 $.ajaxSetup({
-  error: function(xhr, ajaxOptions, error){
-    if(xhr.status == 401 || xhr.status == 0){
-      window.location = data_host + '/user/obtain_token.html';
+  error: function(xhr, ajaxOptions, error, another){
+    if(xhr.status == 401){
+      direct_to_site('obtain_user_token');
+    }else if(xhr.status == 0){
+      QMobile.connection_problem();
     }
   }
 });

app/assets/javascripts/user/quser.js.coffee

@@ -13,7 +13,9 @@ window.Quser=
     $.getJSON(data_host + '/user/list_info.json?' + authentication_string, (res) -> Quser.handle_active_list_default_actions(res))
   handle_active_list: (callback) ->
     $.getJSON(data_host + '/user/list_info.json?' + authentication_string, (res) ->
-      if !res.list_active
+      if(res.ok == false && res.status && res.status == 401)
+        direct_to_site('obtain_user_token') 
+      else if !res.list_active
         redirect_to 'user_root', {list_closed: 'true'}
         return
       window.active_list = res
@@ -22,6 +24,9 @@ window.Quser=
     )
   handle_active_list_default_actions: (response)->
     response ||= {}
+    if(response.ok == false && response.status && response.status == 401)
+      direct_to_site('obtain_user_token') 
+      return
     if response.table_number
       $('.table-number').text(response.table_number)
     if response.supplier_name

app/assets/stylesheets/obtain_token/application.css

@@ -0,0 +1,16 @@
+/*
+ * This is a manifest file that'll be compiled into application.css, which will include all the files
+ * listed below.
+ *
+ * Any CSS and SCSS file within this directory, lib/assets/stylesheets, vendor/assets/stylesheets,
+ * or vendor/assets/stylesheets of plugins, if any, can be referenced here using a relative path.
+ *
+ * You're free to add application-wide styles to this file and they'll appear at the top of the
+ * compiled file, but it's generally better to create a new file per style scope.
+ *
+ *= require 'twitter-bootstrap/bootstrap_and_overrides'
+ *= require 'general'
+ *= require_directory .
+ *= require 'devise'
+ *= require_self
+ */

app/assets/stylesheets/obtain_token/darkstrap.sass

@@ -0,0 +1,290 @@
+@import compass
+@import mixins
+
+// Contents:
+//   =General
+//   =Breadcrumbs
+//   =Headings
+//   =Navigation
+//   =Forms
+//   =Tables
+//   =Pagination
+//   =Misc
+
+$color: #c6c6c6
+$bg: #2f2f2f
+$link: #0088cc
+
+$warning: #faa732
+$success: #5bb75b
+$error: #fc5b5e
+
+// ds original: #FB292D
+$info: #3a87ad
+
+$input-bg: #666666
+
+// ds default: #444
+$input-border: #111111
+
+// default: white
+$input-placeholder: #666666
+$input-color: white
+
+//=General ========================================
+// Everything with the inset panel just extends .well
+.well
+  +inset-panel-dark
+
+body
+  background: $bg
+  color: $color
+
+//=Breadcrumbs =======================================
+.breadcrumb
+  @extend .well
+  border: 0
+  //over bs
+  li
+    text-shadow: 0 1px 0 #000
+    //over bs
+
+//=Headings ======================================
+.page-header
+  +horizontal-rule-dark
+
+h1,h2,h3,h4,h5,h6
+  color: white
+
+h6
+  color: #999
+
+//=Navigation
+.nav .dropdown-menu
+
+.nav-tabs .open .dropdown-toggle,
+.nav-pills .open .dropdown-toggle,
+.nav > .open.active > a:hover
+  background-color: darken($bg, 5%)
+  border-color: $bg $bg transparent $bg
+
+.nav > .dropdown.active >  a:hover
+  color: #fff
+
+.nav-tabs .active .dropdown-toggle .caret,
+.nav-pills .active .dropdown-toggle .caret
+  border-top-color: #fff
+
+.nav-tabs
+  border-bottom: 1px solid #666
+  & > .active > a,
+  & > .active > a:hover
+    background-color: $bg
+    color: #fff
+    border-color: #666 #666 transparent #666
+  & > li > a:hover
+    border-color: $bg $bg #666666 $bg
+    background-color: darken($bg, 5%)
+    color: lighten($link, 10%)
+  &.nav-stacked
+    & > li > a, 
+    & > li > a:hover
+      border-color: #666
+
+.nav-pills
+  & > li > a
+    &:hover
+      background-color: darken($bg, 5%)
+      color: lighten($link, 10%)
+    &.btn
+      padding-bottom: 2px
+      background-color: #e6e6e6
+
+.nav-list > li > a,
+.nav-list .nav-header
+  text-shadow: 0 1px 0 #000
+
+.nav-list > li > a:hover
+  background-color: darken($bg, 10%)
+  color: lighten($link, 10%)
+
+.nav-list .active
+  & > a:hover
+    background-color: #0088cc
+    color: white
+
+.tabs-below .nav-tabs
+  border-top: 1px solid #666
+
+.tabs-left .nav-tabs
+  border-right: 1px solid #666
+
+.tabs-right .nav-tabs
+  border-left: 1px solid #666
+
+.tabs-below .nav-tabs > li > a:hover
+  border-top: 1px solid #666
+
+.tabs-left .nav-tabs > li > a:hover
+  border-color: transparent #666 transparent transparent
+
+.tabs-right .nav-tabs > li > a:hover
+  border-color: transparent transparent transparent #666
+
+.tabs-below .nav-tabs .active > a,
+.tabs-below .nav-tabs .active > a:hover
+  border-color: transparent #666 #666 #666
+
+.tabs-left .nav-tabs .active > a,
+.tabs-left .nav-tabs .active > a:hover
+  border-color: #666 transparent #666 #666
+
+.tabs-right .nav-tabs .active > a,
+.tabs-right .nav-tabs .active > a:hover
+  border-color: #666 #666 #666 transparent
+
+//=Forms ========================================
++placeholder($input-placeholder)
+
+.input-prepend .add-on,
+.input-append .add-on
+  background: #444
+  color: $color
+  border-color: #111
+  text-shadow: 0 1px 0  black
+
+label
+  color: $color
+
+input,
+input[type="file"],
+select,
+textarea
+  color: $input-color
+  //background-color: $input-bg;
+  border-color: $input-border
+  @extend .well
+
+.search-query
+  -webkit-box-shadow: rgba(255, 255, 255, 0.1) 0 1px 0, rgba(0, 0, 0, 0) 0 1px 7px 0px inset
+
+legend
+  color: white
+  +horizontal-rule-dark
+
+.form-actions
+  border-top-color: #222
+  background-color: #444
+
+.help-inline
+  color: #999
+
+.control-group
+  &.warning
+    +controls($warning)
+  &.success
+    +controls($success)
+  &.error
+    +controls($error)
+
+//=Tables ========================================
+.table
+  thead
+    color: white
+  td
+    border-top-color: #666
+
+.table-striped
+  tbody tr:nth-child(2n+1)
+    td, th
+      background-color: #444
+
+.table-bordered
+  border: 1px solid #666
+  th + th,
+  td + td,
+  th + td,
+  td + th
+    border-left: 1px solid #666
+
+//=Pagination
+.pagination a:hover
+  color: lighten($link, 10%)
+  background-color: darken($bg, 5%)
+
+.pagination .active a
+  color: #fff
+  background-color: darken($bg, 5%)
+
+.pagination a
+  border-color: #666
+
+//=Pager
+.pager a
+  background-color: $bg
+  border-color: #666
+  &:hover
+    background-color: darken($bg, 5%)
+    color: lighten($link, 10%)
+
+//=Alerts
+=alert($color)
+  color: #fff
+  background-color: $color
+  text-shadow: 0 1px 0 rgba(0, 0, 0, 0.25)
+  border-color: darken($color, 25%)
+  h4
+    color: darken($color, 20%)
+
+.alert
+  +alert($warning)
+
+.alert-success
+  +alert($success)
+
+.alert-error
+  +alert($error)
+
+.alert-info
+  +alert($info)
+
+//=Modals
+
+.modal
+  background-color: #444
+
+.modal-header
+  border-bottom: 1px solid #222
+
+.modal-body p
+  color: $color
+
+.modal-footer
+  background-color: darken(#444444, 5%)
+  border-top: 1px solid #222
+  +box-shadow(0 1px 0 #333333 inset)
+
+//=Progress bars
+.progress
+  @extend .well
+
+//=Misc ========================================
+blockquote
+  border-left-color: #111
+  &.pull-right
+    border-right-color: #111
+
+hr
+  +horizontal-rule-dark
+  border-top: none
+
+code
+  @extend .well
+  border: none
+  //over bs
+
+pre
+  @extend .well
+  border: none
+  //over bs
+  color: $color

app/assets/stylesheets/obtain_token/structure.css.sass

@@ -0,0 +1,6 @@
+@import constants
+html
+  background-image: $wood
+  background-color: $background-brown
+body
+  background-color: transparent

app/controllers/application_controller.rb

@@ -3,7 +3,7 @@ class ApplicationController < ActionController::Base
   layout :layout_by_resource
   
   
-  #protect_from_forgery
+  protect_from_forgery
 
   private
 
@@ -13,7 +13,7 @@ class ApplicationController < ActionController::Base
 
   def layout_by_resource
     if devise_controller?
-      'theme1'
+      session[:user_return_to] =~ /obtain_token/ ? 'obtain_token' : 'theme1'
     else
       "application"
     end

app/controllers/user_controller.rb

@@ -1,14 +1,30 @@
 class UserController < ApplicationController
-  before_filter :allow_mobile, :authenticate_user!
+  before_filter :allow_mobile
+  before_filter :user_authentication #, except: :obtain_token
   layout 'phone'
 
+  def user_authentication
+    if params[:auth_token].present?
+      user = User.find_by_authentication_token(params[:auth_token])
+      sign_in user if user
+      sign_out current_user if current_user && !user # Other token attempt of logged in user
+    else
+      authenticate_user!
+    end
+    unless current_user.present?
+      respond_to do |format|
+        format.html {redirect_to new_user_session_path}
+        format.json {render json: json_response(ok: false, status: 401)}
+      end
+    end
+  end
+
   def authenticate_user_wrapper!
     authenticate_user! unless request.format.html?
     authenticate_user! if params[:action] == 'obtain_token'
   end
 
   def obtain_token
-
   end
 
   alias :list :active_list
@@ -178,14 +194,14 @@ class UserController < ApplicationController
         if list.present?
           if !list.try(:active?)
             current_user.list_is_closed!
-            render json: {list_active: false}
+            render json: json_response(list_active: false)
             return
           else
             list_obj = list.as_json.merge(list_active: list.active? ).merge(list.join_requests_as_json)
-            render json: list_obj
+            render json: json_response(list_obj)
           end
         else
-          render json: {not_present: true}
+          render json: json_response(not_present: true)
         end
       end
     end
@@ -292,4 +308,9 @@ class UserController < ApplicationController
     flash.now[:notice] = t('messages.the_list_has_been_closed', list: List.model_name.human) if params[:list_closed].present?
     flash.now[:notice] = t("messages.#{params[:message]}", list: List.model_name.human, supplier: Supplier.model_name.human) if params[:message].present? && params[:message] =~ /^\w+$/
   end
+
+  def json_response(obj = {})
+    obj[:ok] = true unless obj.has_key?(:ok)
+    obj
+  end
 end

app/helpers/devise_helper.rb

@@ -0,0 +1,7 @@
+module DeviseHelper
+  def devise_error_messages!
+    if resource.errors.present?
+      content_tag(:div, content_tag(:h2, t("errors.messages.not_saved.#{resource.errors.size == 1 ? 'one' : 'other'}", count: resource.errors.size)) +content_tag(:ul, resource.errors.full_messages.map{|m| content_tag(:li, m)}.join.html_safe), class: 'alert alert-error')
+    end
+  end
+end

app/views/devise/_links.html.slim

@@ -1,19 +1,19 @@
 ul.nav.nav-pills
   - if controller_name != 'sessions'
-    li= link_to t('devise.sessions.button'), new_session_path(resource_name)
+    li= link_to t('devise.sessions.button'), new_session_path(resource_name), class: [:devise, :btn]
 
   - if devise_mapping.registerable? && controller_name != 'registrations'
-    li= link_to t('devise.registrations.button'), new_registration_path(resource_name)
+    li= link_to t('devise.registrations.button'), new_registration_path(resource_name), class: [:devise, :btn]
 
   - if devise_mapping.recoverable? && controller_name != 'passwords'
-    li= link_to t('devise.sessions.forgot_your_password'), new_password_path(resource_name)
+    li= link_to t('devise.sessions.forgot_your_password'), new_password_path(resource_name), class: [:devise, :btn]
 
   - if devise_mapping.confirmable? && controller_name != 'confirmations'
-    li= link_to t('devise.confirmations.did_not_receive_instructions_link'), new_confirmation_path(resource_name)
+    li= link_to t('devise.confirmations.did_not_receive_instructions_link'), new_confirmation_path(resource_name), class: [:devise, :btn]
 
   - if devise_mapping.lockable? && resource_class.unlock_strategy_enabled?(:email) && controller_name != 'unlocks'
-    li= link_to t('devise.unlocks.did_not_receive_instructions_link'), new_unlock_path(resource_name)
+    li= link_to t('devise.unlocks.did_not_receive_instructions_link'), new_unlock_path(resource_name), class: [:devise, :btn]
 
   - if devise_mapping.omniauthable?
     - resource_class.omniauth_providers.each do |provider|
-      li= link_to t('devise.omniauth_callbacks.sign_in_with', provider: provider.to_s.titleize), omniauth_authorize_path(resource_name, provider)
+      li= link_to t('devise.omniauth_callbacks.sign_in_with', provider: provider.to_s.titleize), omniauth_authorize_path(resource_name, provider), class: [:devise, :btn]

app/views/devise/passwords/edit.html.erb

@@ -1,16 +0,0 @@
-<h2>Change your password</h2>
-
-<%= form_for(resource, :as => resource_name, :url => password_path(resource_name), :html => { :method => :put }) do |f| %>
-  <%= devise_error_messages! %>
-  <%= f.hidden_field :reset_password_token %>
-
-  <div><%= f.label :password, "New password" %><br />
-  <%= f.password_field :password %></div>
-
-  <div><%= f.label :password_confirmation, "Confirm new password" %><br />
-  <%= f.password_field :password_confirmation %></div>
-
-  <div><%= f.submit "Change my password" %></div>
-<% end %>
-
-<%= render "links" %>

app/views/devise/passwords/edit.html.slim

@@ -0,0 +1,14 @@
+h2= t('devise.passwords.edit.title')
+= form_for(resource, :as => resource_name, :url => password_path(resource_name), html: {class: 'form-horizontal', method: :put}) do |f| 
+  = devise_error_messages!
+  = f.hidden_field :reset_password_token
+  .control-group
+     = f.label :password, class: 'control-label'
+     .controls= f.password_field :password
+  .control-group
+     = f.label :password_confirmation, class: 'control-label'
+     .controls= f.password_field :password_confirmation
+  .control-group
+    .controls
+      = f.submit t('devise.passwords.edit.button'), class: 'btn btn-primary'
+= render "links"

app/views/devise/passwords/new.html.erb

@@ -1,12 +0,0 @@
-<h2>Forgot your password?</h2>
-
-<%= form_for(resource, :as => resource_name, :url => password_path(resource_name), :html => { :method => :post }) do |f| %>
-  <%= devise_error_messages! %>
-
-  <div><%= f.label :email %><br />
-  <%= f.email_field :email %></div>
-
-  <div><%= f.submit "Send me reset password instructions" %></div>
-<% end %>
-
-<%= render "links" %>

app/views/devise/passwords/new.html.slim

@@ -0,0 +1,10 @@
+h2= t('devise.passwords.title')
+= form_for(resource, :as => resource_name, :url => password_path(resource_name), html: {class: 'form-horizontal'}) do |f| 
+  = devise_error_messages!
+  .control-group
+     = f.label :email, class: 'control-label'
+     .controls= f.email_field :email
+  .control-group
+    .controls
+      = f.submit t('devise.passwords.button'), class: 'btn btn-primary'
+= render "links"

app/views/devise/registrations/new.html.slim

@@ -12,5 +12,5 @@ h2= t('devise.registrations.title')
      .controls= f.password_field :password_confirmation
   .control-group
     .controls
-      = f.submit t('devise.registrations.button')
+      = f.submit t('devise.registrations.button'), class: 'btn btn-primary'
 = render "links"

app/views/layouts/obtain_token.html.slim

@@ -0,0 +1,19 @@
+doctype html
+html lang="en"
+  head
+    meta charset="utf-8"
+    meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1"
+    meta name="viewport" content="width=device-width, initial-scale=1.0"
+    title= content_for?(:title) ? yield(:title) : application_title
+    = stylesheet_link_tag 'obtain_token/application'
+    = csrf_meta_tags
+  body class=action_name
+    - if flash[:alert].present?
+      .alert.alert-error
+        a.close data-dismiss="alert" ×
+        div= flash[:alert]
+    - if flash[:notice].present?
+      .alert.alert-success
+        a.close data-dismiss="alert" ×
+        div= flash[:notice]
+    #obtain-token-container= yield

app/views/layouts/phone.html.slim

@@ -19,7 +19,7 @@ html lang="en"
     javascript:
       var data_host = '#{Rails.env == 'development' ? 'http://localhost:3000' : 'http://data.qwaiter.com' }';
       //var data_host = 'http://localhost:3000';
-      //var data_host = 'http://192.168.1.74:3000';
+      data_host = 'http://192.168.1.148:3000';
       var $locale = '#{I18n.locale}';
       var $url_vars = null;
       // Dummy holder when Qmobile object is not supplied by the mobile phone
@@ -36,7 +36,8 @@ html lang="en"
         },
         root_url: function(){return 'file:///Users/bterkuile/Documents/workspace/Qwaiter/assets'},
         root_url: function(){return ''},
-        goHome: function(){ window.location = QMobile.root_url() + path_mapping['user_root'] + '.html'}
+        goHome: function(){ redirect_to('user_root')},
+        connection_problem: function(){alert('There is a problem connecting to the server')}
       });
       //QMobile.setAuthToken('i5brDZ1HS1okoEq3pMyh');