nusairat
diff --git a/‎lib/authenticated_system.rb
+189 b/‎lib/authenticated_system.rb
+189
diff --git a/‎lib/authenticated_test_helper.rb
+11 b/‎lib/authenticated_test_helper.rb
+11
diff --git a/‎lib/hijacker.rb
+72 b/‎lib/hijacker.rb
+72
@@ -0,0 +1,189 @@
+module AuthenticatedSystem
+  protected
+    # Returns true or false if the user is logged in.
+    # Preloads @current_user with the user model if they're logged in.
+    def logged_in?
+      !!current_user
+    end
+
+    # Accesses the current user from the session.
+    # Future calls avoid the database because nil is not equal to false.
+    def current_user
+      @current_user ||= (login_from_session || login_from_basic_auth || login_from_cookie) unless @current_user == false
+    end
+
+    # Store the given user id in the session.
+    def current_user=(new_user)
+      session[:user_id] = new_user ? new_user.id : nil
+      @current_user = new_user || false
+    end
+
+    # Check if the user is authorized
+    #
+    # Override this method in your controllers if you want to restrict access
+    # to only a few actions or if you want to check if the user
+    # has the correct rights.
+    #
+    # Example:
+    #
+    #  # only allow nonbobs
+    #  def authorized?
+    #    current_user.login != "bob"
+    #  end
+    #
+    def authorized?(action = action_name, resource = nil)
+      logged_in?
+    end
+
+    # Filter method to enforce a login requirement.
+    #
+    # To require logins for all actions, use this in your controllers:
+    #
+    #   before_filter :login_required
+    #
+    # To require logins for specific actions, use this in your controllers:
+    #
+    #   before_filter :login_required, :only => [ :edit, :update ]
+    #
+    # To skip this in a subclassed controller:
+    #
+    #   skip_before_filter :login_required
+    #
+    def login_required
+      authorized? || access_denied
+    end
+
+    # Redirect as appropriate when an access request fails.
+    #
+    # The default action is to redirect to the login screen.
+    #
+    # Override this method in your controllers if you want to have special
+    # behavior in case the user is not authorized
+    # to access the requested action.  For example, a popup window might
+    # simply close itself.
+    def access_denied
+      respond_to do |format|
+        format.html do
+          store_location
+          redirect_to new_session_path
+        end
+        # format.any doesn't work in rails version < http://dev.rubyonrails.org/changeset/8987
+        # Add any other API formats here.  (Some browsers, notably IE6, send Accept: */* and trigger 
+        # the 'format.any' block incorrectly. See http://bit.ly/ie6_borken or http://bit.ly/ie6_borken2
+        # for a workaround.)
+        format.any(:json, :xml) do
+          request_http_basic_authentication 'Web Password'
+        end
+      end
+    end
+
+    # Store the URI of the current request in the session.
+    #
+    # We can return to this location by calling #redirect_back_or_default.
+    def store_location
+      session[:return_to] = request.request_uri
+    end
+
+    # Redirect to the URI stored by the most recent store_location call or
+    # to the passed default.  Set an appropriately modified
+    #   after_filter :store_location, :only => [:index, :new, :show, :edit]
+    # for any controller you want to be bounce-backable.
+    def redirect_back_or_default(default)
+      redirect_to(session[:return_to] || default)
+      session[:return_to] = nil
+    end
+
+    # Inclusion hook to make #current_user and #logged_in?
+    # available as ActionView helper methods.
+    def self.included(base)
+      base.send :helper_method, :current_user, :logged_in?, :authorized? if base.respond_to? :helper_method
+    end
+
+    #
+    # Login
+    #
+
+    # Called from #current_user.  First attempt to login by the user id stored in the session.
+    def login_from_session
+      self.current_user = User.find_by_id(session[:user_id]) if session[:user_id]
+    end
+
+    # Called from #current_user.  Now, attempt to login by basic authentication information.
+    def login_from_basic_auth
+      authenticate_with_http_basic do |login, password|
+        self.current_user = User.authenticate(login, password)
+      end
+    end
+    
+    #
+    # Logout
+    #
+
+    # Called from #current_user.  Finaly, attempt to login by an expiring token in the cookie.
+    # for the paranoid: we _should_ be storing user_token = hash(cookie_token, request IP)
+    def login_from_cookie
+      user = cookies[:auth_token] && User.find_by_remember_token(cookies[:auth_token])
+      if user && user.remember_token?
+        self.current_user = user
+        handle_remember_cookie! false # freshen cookie token (keeping date)
+        self.current_user
+      end
+    end
+
+    # This is ususally what you want; resetting the session willy-nilly wreaks
+    # havoc with forgery protection, and is only strictly necessary on login.
+    # However, **all session state variables should be unset here**.
+    def logout_keeping_session!
+      # Kill server-side auth cookie
+      @current_user.forget_me if @current_user.is_a? User
+      @current_user = false     # not logged in, and don't do it for me
+      kill_remember_cookie!     # Kill client-side auth cookie
+      session[:user_id] = nil   # keeps the session but kill our variable
+      # explicitly kill any other session variables you set
+    end
+
+    # The session should only be reset at the tail end of a form POST --
+    # otherwise the request forgery protection fails. It's only really necessary
+    # when you cross quarantine (logged-out to logged-in).
+    def logout_killing_session!
+      logout_keeping_session!
+      reset_session
+    end
+    
+    #
+    # Remember_me Tokens
+    #
+    # Cookies shouldn't be allowed to persist past their freshness date,
+    # and they should be changed at each login
+
+    # Cookies shouldn't be allowed to persist past their freshness date,
+    # and they should be changed at each login
+
+    def valid_remember_cookie?
+      return nil unless @current_user
+      (@current_user.remember_token?) && 
+        (cookies[:auth_token] == @current_user.remember_token)
+    end
+    
+    # Refresh the cookie auth token if it exists, create it otherwise
+    def handle_remember_cookie!(new_cookie_flag)
+      return unless @current_user
+      case
+      when valid_remember_cookie? then @current_user.refresh_token # keeping same expiry date
+      when new_cookie_flag        then @current_user.remember_me 
+      else                             @current_user.forget_me
+      end
+      send_remember_cookie!
+    end
+  
+    def kill_remember_cookie!
+      cookies.delete :auth_token
+    end
+    
+    def send_remember_cookie!
+      cookies[:auth_token] = {
+        :value   => @current_user.remember_token,
+        :expires => @current_user.remember_token_expires_at }
+    end
+
+end
@@ -0,0 +1,11 @@
+module AuthenticatedTestHelper
+  # Sets the current user in the session from the user fixtures.
+  def login_as(user)
+    @request.session[:user_id] = user ? (user.is_a?(User) ? user.id : users(user).id) : nil
+  end
+
+  def authorize_as(user)
+    @request.env["HTTP_AUTHORIZATION"] = user ? ActionController::HttpAuthentication::Basic.encode_credentials(users(user).login, 'monkey') : nil
+  end
+  
+end
@@ -0,0 +1,72 @@
+# Hijacker class
+#
+# This class is used by RoleRequirementTestHelper to temporarily hijack a controller action for testing
+#
+# Example usage:
+#   hijacker = Hijacker.new(ListingsController)
+#   hijacker.hijack_instance_method("index", "render :text => 'hello world!'" )
+#   get :index        # will return "hello world"
+#   hijacker.restore  # put things back the way you found it
+
+class Hijacker
+  def initialize(klass)
+    @target_klass = klass
+    @method_stores = {}
+  end
+  
+  def hijack_class_method(method_name, eval_string = nil, arg_names = [], &block)
+    hijack_method(class_self_instance, method_name, eval_string, arg_names, &block )
+  end
+  
+  def hijack_instance_method(method_name, eval_string = nil, arg_names = [], &block)
+    hijack_method(@target_klass, method_name, eval_string, arg_names, &block )
+  end
+  
+  # restore all 
+  def restore
+    @method_stores.each_pair{|klass, method_stores|
+      method_stores.reverse_each{ |method_name, method| 
+        klass.send :undef_method, method_name
+        klass.send :define_method, method_name, method if method
+      }
+    }
+    @method_stores.clear
+    true
+  rescue
+    false
+  end
+  
+protected  
+
+  def class_self_instance
+    @target_klass.send :eval, "class << self; self; end;"
+  end
+  
+  def hijack_method(klass, method_name, eval_string = nil, arg_names = [], &block)
+    method_name = method_name.to_s
+    # You have got love ruby!  What other language allows you to pillage and plunder a class like this? 
+    
+    (@method_stores[klass]||=[]) << [
+      method_name, 
+      klass.instance_methods.include?(method_name) && klass.instance_method(method_name)
+    ]
+    
+    klass.send :undef_method, method_name
+    if Symbol === eval_string
+      klass.send :define_method, method_name, klass.instance_methods(eval_string)
+    elsif String === eval_string
+      klass.class_eval <<-EOF 
+        def #{method_name}(#{arg_names * ','})
+          #{eval_string}
+        end
+      EOF
+    elsif block_given?
+      klass.send :define_method, method_name, block
+    end
+    
+    true
+  rescue
+    false
+  end
+  
+end