RoR collection: restful-authentication

Excerpted from: http://github.com/technoweenie/restful-authentication/tree/master

 

Restful Authentication Generator

This widely-used plugin provides a foundation for securely managing user
authentication:

  • Login / logout
  • Secure password handling
  • Account activation by validating email
  • Account approval / disabling by admin
  • Rudimentary hooks for authorization and access control.

!! important: if you upgrade your site, existing user account !!
!! passwords will stop working unless you use --old-passwords !!

 

h2. Installation

This is a basic restful authentication generator for rails, taken from
acts as authenticated. Currently it requires Rails 1.2.6 or above.

IMPORTANT FOR RAILS > 2.1 USERS: To avoid a NameError exception (lighthouse tracker ticket), check out the code so that its directory name has an underscore and not a dash:

  • either use git clone git://github.com/technoweenie/restful-authentication.git restful_authentication
  • or rename the plugin’s directory to be restful_authentication after fetching it.

To use the generator:

./script/generate authenticated user sessions --include-activation --stateful --rspec --skip-migration --skip-routes --old-passwords

  • The first parameter specifies the model that gets created in signup (typically
    a user or account model). A model with migration is created, as well as a
    basic controller with the create method. You probably want to say “User” here.
  • The second parameter specifies the session controller name. This is the
    controller that handles the actual login/logout function on the site.
    (probably: “Session”).
  • --include-activation: Generates the code for an ActionMailer and its respective
    Activation Code through email.
  • --stateful: Builds in support for acts_as_state_machine and generates
    activation code. (--stateful implies --include-activation.) Based on the
    idea at [[http://www.vaporbase.com/postings/stateful_authentication]]. Passing
    --skip-migration will skip the user migration, and --skip-routes will skip
    resource generation - both useful if you’ve already run this generator.
    (Needs the acts_as_state_machine plugin,
    but new installs should probably run with --aasm instead.)
  • --rspec: Generate RSpec tests and Stories in place of standard rails tests.
    This requires the RSpec and Rspec-on-rails plugins
    (make sure you “./script/generate rspec” after installing RSpec). The rspec
    and story suite are much more thorough than the rails tests, and changes are
    unlikely to be backported.
  • --old-passwords: Use the older password scheme (see [[#COMPATIBILITY ]], above)
  • --skip-migration: Don’t generate a migration file for this model
  • --skip-routes: Don’t generate a resource line in config/routes.rb


h2. After installing

The below assumes a Model named ‘User’ and a Controller named ‘Session’; please
alter to suit. There are additional security minutiae in notes/README-Tradeoffs
— only the paranoid or the curious need bother, though.

  • Add these familiar login URLs to your config/routes.rb if you like:

map.signup '/signup', :controller => 'users', :action => 'new'
map.login '/login', :controller => 'session', :action => 'new'
map.logout '/logout', :controller => 'session', :action => 'destroy'

  • With --include-activation, also add to your config/routes.rb:

map.activate '/activate/:activation_code', :controller => 'users', :action => 'activate', :activation_code => nil

and add an observer to config/environment.rb:

config.active_record.observers = :user_observer

This may not be an issue for everybody, but if you find that the activation_code sent by email does not match the one stored in the database, reload your user object before sending its data through email, something like:


class UserObserver < ActiveRecord::Observer
  def after_create(user)
    # Re-read the row so the mailed activation_code is the stored one
    user.reload
    UserMailer.deliver_signup_notification(user)
  end

  def after_save(user)
    user.reload
    UserMailer.deliver_activation(user) if user.recently_activated?
  end
end

  • With --stateful, add an observer to config/environment.rb:

config.active_record.observers = :user_observer

and modify the users resource line to read map.resources :users, :member => { :suspend => :put, :unsuspend => :put, :purge => :delete }

  • If you use a public repository for your code (such as github, rubyforge,
    gitorious, etc.) make sure to NOT post your site_keys.rb (add a line like
    ‘/config/initializers/site_keys.rb’ to your .gitignore or do the svn ignore
    dance), but make sure you DO keep it backed up somewhere safe.
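Added example, not code from the plugin or from the original page: a small Ruby model of why stored passwords stop verifying after an upgrade without --old-passwords, and why site_keys.rb must be backed up. The two digest constructions are an assumed illustration of an unkeyed scheme versus a site-keyed, stretched one; SITE_KEY, STRETCHES and all function names are hypothetical.

```ruby
require 'digest/sha1'

# Constructed sample values; a real site_keys.rb holds a long random key.
SITE_KEY  = 'constructed-site-key-for-illustration'
STRETCHES = 10

# Assumed shape of the older scheme: one SHA-1 over salt and password.
def old_digest(password, salt)
  Digest::SHA1.hexdigest("--#{salt}--#{password}--")
end

# Assumed shape of the newer scheme: the site key is mixed in and the
# hash is repeated STRETCHES times.
def new_digest(password, salt, site_key = SITE_KEY, stretches = STRETCHES)
  digest = site_key
  stretches.times do
    digest = Digest::SHA1.hexdigest([digest, salt, password, site_key].join('--'))
  end
  digest
end

# Comparison that does not stop at the first differing byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Verification as the upgraded application would perform it.
def authenticated?(stored, password, salt, site_key = SITE_KEY)
  secure_equal?(stored, new_digest(password, salt, site_key))
end

# What happens to one stored credential in each situation the README warns about.
def upgrade_report(password, salt)
  legacy  = old_digest(password, salt)  # row written before the upgrade
  current = new_digest(password, salt)  # row written after the upgrade
  {
    legacy_row_after_upgrade: authenticated?(legacy, password, salt),
    current_row:              authenticated?(current, password, salt),
    current_row_new_site_key: authenticated?(current, password, salt, 'regenerated-key')
  }
end

p upgrade_report('constructed-password', 'constructed-salt') if __FILE__ == $PROGRAM_NAME
```

The correct password fails against a row hashed under the older scheme, and also against a current row once the site key has been regenerated, so a lost site_keys.rb means every user has to reset their password.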

Reference: http://www.letrails.cn/archives/52/

 
