From 0b70895d93bb9909060ebc91c13756c25c176b02 Mon Sep 17 00:00:00 2001 From: Luciano Prestes Cavalcanti Date: Tue, 28 Jul 2015 15:09:12 -0300 Subject: [PATCH] Change private_token from session to user creation --- app/controllers/my_profile/profile_editor_controller.rb | 7 +++++++ app/controllers/public/account_controller.rb | 4 ++-- app/models/user.rb | 19 +++++++++++++++++-- app/views/profile_editor/_person_form.html.erb | 9 +++++++++ lib/noosfero/api/session.rb | 1 - 5 files changed, 35 insertions(+), 5 deletions(-) diff --git a/app/controllers/my_profile/profile_editor_controller.rb b/app/controllers/my_profile/profile_editor_controller.rb index 2eb3014..07649c3 100644 --- a/app/controllers/my_profile/profile_editor_controller.rb +++ b/app/controllers/my_profile/profile_editor_controller.rb @@ -132,6 +132,13 @@ class ProfileEditorController < MyProfileController redirect_to_previous_location end + def reset_private_token + profile = environment.profiles.find(params[:id]) + profile.user.generate_private_token! + + redirect_to_previous_location + end + protected def redirect_to_previous_location diff --git a/app/controllers/public/account_controller.rb b/app/controllers/public/account_controller.rb index 3a9a8e0..c5233de 100644 --- a/app/controllers/public/account_controller.rb +++ b/app/controllers/public/account_controller.rb @@ -16,7 +16,7 @@ class AccountController < ApplicationController def activate @user = User.find_by_activation_code(params[:activation_code]) if params[:activation_code] if @user - unless @user.environment.enabled?('admin_must_approve_new_users') + unless @user.environment.enabled?('admin_must_approve_new_users') if @user.activate @message = _("Your account has been activated, now you can log in!") check_redirection 
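Review bot: In `reset_private_token`, `environment.profiles.find(params[:id])` rotates the token of whatever profile id the caller supplies, and the hunk shows no check that the current user may edit that profile; if MyProfileController's permission filter is keyed on the route's profile rather than on `params[:id]`, a logged-in user could invalidate another user's API token. Presumably the controller already knows its own profile, so prefer acting on that object instead of re-fetching by id, and guard the `profile.user` call, which is nil for community/enterprise profiles and would raise here. As far as this patch shows the action is only reached by a plain link (a GET), so a state-changing request should be limited to POST, e.g. `return head(:method_not_allowed) unless request.post?` as the first line of the action.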
@@ -30,7 +30,7 @@ class AccountController < ApplicationController @user.activation_code = nil @user.save! redirect_to :controller => :home - end + end end else session[:notice] = _("It looks like you're trying to activate an account. Perhaps have already activated this account?") diff --git a/app/models/user.rb b/app/models/user.rb index 0819e57..d28aa1c 100644 --- a/app/models/user.rb +++ b/app/models/user.rb @@ -113,6 +113,7 @@ class User < ActiveRecord::Base validates_uniqueness_of :login, :email, :case_sensitive => false, :scope => :environment_id before_save :encrypt_password before_save :normalize_email, if: proc{ |u| u.email.present? } + before_save :generate_private_token_if_not_exist validates_format_of :email, :with => Noosfero::Constants::EMAIL_FORMAT, :if => (lambda {|user| !user.email.blank?}) validates_inclusion_of :terms_accepted, :in => [ '1' ], :if => lambda { |u| ! u.terms_of_use.blank? }, :message => N_('{fn} must be checked in order to signup.').fix_i18n @@ -122,19 +123,33 @@ class User < ActiveRecord::Base environment ||= Environment.default u = self.first :conditions => ['(login = ? OR email = ?) AND environment_id = ? AND activated_at IS NOT NULL', login, login, environment.id] # need to get the salt - u && u.authenticated?(password) ? u : nil + if u && u.authenticated?(password) + u.generate_private_token_if_not_exist + return u + end + return nil end def register_login self.update_attribute :last_login_at, Time.now end - def generate_private_token! + def generate_private_token self.private_token = SecureRandom.hex self.private_token_generated_at = DateTime.now + end + + def generate_private_token! + self.generate_private_token save(:validate => false) end + def generate_private_token_if_not_exist + unless self.private_token + self.generate_private_token + end + end + TOKEN_VALIDITY = 2.weeks def private_token_expired? self.private_token.nil? || (self.private_token_generated_at + TOKEN_VALIDITY < DateTime.now) 
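Review bot: In `User.authenticate` (whose `def` line is above the hunk), `u.generate_private_token_if_not_exist` only assigns the token in memory and nothing in the new branch saves it, whereas the `generate_private_token!` call this commit removes from the API login did persist it; unless a save happens later outside this hunk, an existing user with no token gets a token back from the login call that is never stored, and the next API request fails. The guard also never refreshes an expired token: with `TOKEN_VALIDITY = 2.weeks` and `private_token_expired?` visible below, a user whose token was minted at creation more than two weeks earlier logs in successfully and receives a token the API will reject, with no renewal path other than the web reset link. Replace the call with `u.generate_private_token! if u.private_token.nil? || u.private_token_expired?`, which both persists via `save(:validate => false)` and rotates on expiry.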
diff --git a/app/views/profile_editor/_person_form.html.erb b/app/views/profile_editor/_person_form.html.erb index 19abfb0..0645334 100644 --- a/app/views/profile_editor/_person_form.html.erb +++ b/app/views/profile_editor/_person_form.html.erb @@ -1,5 +1,14 @@ <% @person ||= @profile %> +
+ <%= label_tag("private_token", _("Private Token")) %> +
+ <%= text_field_tag("a", @profile.user.private_token, :size => 30) %> +
+
+ +<%= link_to("Reset token", {:controller => :profile_editor, :action => :reset_private_token, :id => @person.id}, :class => "button with-text") %> + <% optional_field(@person, 'nickname') do %> <%= f.text_field(:nickname, :maxlength => 16, :size => 30, :rel => _('Nickname')) %>
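Review bot: The `Reset token` link_to issues a GET to a state-changing action, so any third-party page the user visits while logged in can embed that URL and silently rotate their API token (no CSRF token accompanies a GET); render it as a POST instead, e.g. `link_to("Reset token", {...}, :method => :post, :class => "button with-text")` or `button_to`. The token is also rendered in an editable `text_field_tag` whose name is `"a"`; if this partial sits inside the profile form, that value is posted back under a meaningless parameter on every save, and the field suggests the token can be edited when it cannot. Prefer a named, read-only field: `text_field_tag("private_token", @profile.user.private_token, :size => 30, :readonly => true)`. `@profile.user` is presumably non-nil here since this is the person form, but the hunk does not show that.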
diff --git a/lib/noosfero/api/session.rb b/lib/noosfero/api/session.rb index 2fe805f..030962a 100644 --- a/lib/noosfero/api/session.rb +++ b/lib/noosfero/api/session.rb @@ -17,7 +17,6 @@ module Noosfero user ||= User.authenticate(params[:login], params[:password], environment) return unauthorized! unless user - user.generate_private_token! @current_user = user present user, :with => Entities::UserLogin end -- libgit2 0.21.2