include SslRequirement

def ssl_required?

true

end

SSL Requirement

===============

SSL requirement adds a declarative way of specifying that certain actions

should only be allowed to run under SSL, and if they're accessed without it,

they should be redirected.

Example:

class ApplicationController < ActiveRecord::Base

include SslRequirement

end

class AccountController < ApplicationController

ssl_required :signup, :payment

ssl_allowed :index

def signup

# Non-SSL access will be redirected to SSL

end

def payment

# Non-SSL access will be redirected to SSL

end

def index

# This action will work either with or without SSL

end

def other

# SSL access will be redirected to non-SSL

end

end

You can overwrite the protected method ssl_required? to rely on other things

than just the declarative specification. Say, only premium accounts get SSL.

P.S.: Beware when you include the SslRequirement module. At the time of

inclusion, it'll add the before_filter that validates the declarations. Some

times you'll want to run other before_filters before that. They should then be

declared ahead of including this module.

Copyright (c) 2005 David Heinemeier Hansson, released under the MIT license

# Copyright (c) 2005 David Heinemeier Hansson

#

# Permission is hereby granted, free of charge, to any person obtaining

# a copy of this software and associated documentation files (the

# "Software"), to deal in the Software without restriction, including

# without limitation the rights to use, copy, modify, merge, publish,

# distribute, sublicense, and/or sell copies of the Software, and to

# permit persons to whom the Software is furnished to do so, subject to

# the following conditions:

#

# The above copyright notice and this permission notice shall be

# included in all copies or substantial portions of the Software.

#

# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,

# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF

# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND

# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE

# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION

# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION

# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

module SslRequirement

def self.included(controller)

controller.extend(ClassMethods)

controller.before_filter(:ensure_proper_protocol)

end

module ClassMethods

# Specifies that the named actions requires an SSL connection to be performed (which is enforced by ensure_proper_protocol).

def ssl_required(*actions)

write_inheritable_array(:ssl_required_actions, actions)

end

def ssl_allowed(*actions)

write_inheritable_array(:ssl_allowed_actions, actions)

end

end

protected

# Returns true if the current action is supposed to run as SSL

def ssl_required?

(self.class.read_inheritable_attribute(:ssl_required_actions) || []).include?(action_name.to_sym)

end

def ssl_allowed?

(self.class.read_inheritable_attribute(:ssl_allowed_actions) || []).include?(action_name.to_sym)

end

private

def ensure_proper_protocol

return true if ssl_allowed?

if ssl_required? && !request.ssl?

redirect_to "https://" + request.host + request.request_uri

flash.keep

return false

elsif request.ssl? && !ssl_required?

redirect_to "http://" + request.host + request.request_uri

flash.keep

return false

end

end

end

begin

require 'action_controller'

rescue LoadError

if ENV['ACTIONCONTROLLER_PATH'].nil?

abort <<MSG

Please set the ACTIONCONTROLLER_PATH environment variable to the directory

containing the action_controller.rb file.

MSG

else

$LOAD_PATH.unshift << ENV['ACTIONCONTROLLER_PATH']

begin

require 'action_controller'

rescue LoadError

abort "ActionController could not be found."

end

end

end

require 'action_controller/test_process'

require 'test/unit'

require "#{File.dirname(__FILE__)}/../lib/ssl_requirement"

ActionController::Base.logger = nil

ActionController::Routing::Routes.reload rescue nil

class SslRequirementController < ActionController::Base

include SslRequirement

ssl_required :a, :b

ssl_allowed :c

def a

render :nothing => true

end

def b

render :nothing => true

end

def c

render :nothing => true

end

def d

render :nothing => true

end

def set_flash

flash[:foo] = "bar"

end

end

class SslRequirementTest < Test::Unit::TestCase

def setup

@controller = SslRequirementController.new

@request = ActionController::TestRequest.new

@response = ActionController::TestResponse.new

end

def test_redirect_to_https_preserves_flash

get :set_flash

get :b

assert_response :redirect

assert_equal "bar", flash[:foo]

end

def test_not_redirecting_to_https_does_not_preserve_the_flash

get :set_flash

get :d

assert_response :success

assert_nil flash[:foo]

end

def test_redirect_to_http_preserves_flash

get :set_flash

@request.env['HTTPS'] = "on"

get :d

assert_response :redirect

assert_equal "bar", flash[:foo]

end

def test_not_redirecting_to_http_does_not_preserve_the_flash

get :set_flash

@request.env['HTTPS'] = "on"

get :a

assert_response :success

assert_nil flash[:foo]

end

def test_required_without_ssl

assert_not_equal "on", @request.env["HTTPS"]

get :a

assert_response :redirect

assert_match %r{^https://}, @response.headers['Location']

get :b

assert_response :redirect

assert_match %r{^https://}, @response.headers['Location']

end

def test_required_with_ssl

@request.env['HTTPS'] = "on"

get :a

assert_response :success

get :b

assert_response :success

end

def test_disallowed_without_ssl

assert_not_equal "on", @request.env["HTTPS"]

get :d

assert_response :success

end

def test_disallowed_with_ssl

@request.env['HTTPS'] = "on"

get :d

assert_response :redirect

assert_match %r{^http://}, @response.headers['Location']

end

def test_allowed_without_ssl

assert_not_equal "on", @request.env["HTTPS"]

get :c

assert_response :success

end

def test_allowed_with_ssl

@request.env['HTTPS'] = "on"

get :c

assert_response :success

end

end