From twinwing at gmail.com Fri Feb 22 13:28:11 2008
From: twinwing at gmail.com (Albert Ng)
Date: Fri, 22 Feb 2008 14:28:11 -0400
Subject: how to "encrypt" the password/login for the blog.rb example?
Message-ID: <73925d240802221028g5430eadfy8d7b5580fac7cb43@mail.gmail.com>

Greetings all

I find myself in need of making a little 3 page app that will run scripts, and my first thought was Camping!

looking at the blog.rb example, I see a very nice example of authentication, but the username/password is transmitted in clear text form

My question then is, Is there an easy way of "encrypting" that information?

If not, will I have to go the https way with apache, or is there a ruby http server that can do that?

From manfred at gmail.com Fri Feb 22 13:39:59 2008
From: manfred at gmail.com (Manfred Stienstra)
Date: Fri, 22 Feb 2008 19:39:59 +0100
Subject: how to "encrypt" the password/login for the blog.rb example?
In-Reply-To: <73925d240802221028g5430eadfy8d7b5580fac7cb43@mail.gmail.com>
References: <73925d240802221028g5430eadfy8d7b5580fac7cb43@mail.gmail.com>
Message-ID: <915B63B5-19DC-4CC8-BB9A-398FBCAFD5F1@gmail.com>

On Feb 22, 2008, at 7:28 PM, Albert Ng wrote:

> looking at the blog.rb example, I see a very nice example of
> authentication, but the username/password is transmitted in clear
> text form
>
> My question then is, Is there an easy way of "encrypting" that
> information?

Well, the easiest way is to do logins over SSL. A second option could be HTTP Digest Authentication, but browser support for that is flaky to say the least. You can try digest auth, it's in Apache and probably in other webservers.

> If not, will I have to go the https way with apache, or is there a
> ruby http server that can do that?

WEBrick can do SSL, see http://www.webrick.org/

Manfred

From twinwing at gmail.com Fri Feb 22 14:21:39 2008
From: twinwing at gmail.com (Albert Ng)
Date: Fri, 22 Feb 2008 15:21:39 -0400
Subject: how to "encrypt" the password/login for the blog.rb example?
In-Reply-To: <915B63B5-19DC-4CC8-BB9A-398FBCAFD5F1@gmail.com>
References: <73925d240802221028g5430eadfy8d7b5580fac7cb43@mail.gmail.com> <915B63B5-19DC-4CC8-BB9A-398FBCAFD5F1@gmail.com>
Message-ID: <73925d240802221121y7a11d39cmad37f89d18c8e631@mail.gmail.com>

Thanks a bunch, that helps a lot.

As an aside, there's no mention of this mailing list on the camping wiki

On Fri, Feb 22, 2008 at 2:39 PM, Manfred Stienstra wrote:

> On Feb 22, 2008, at 7:28 PM, Albert Ng wrote:
>
> > looking at the blog.rb example, I see a very nice example of
> > authentication, but the username/password is transmitted in clear
> > text form
> >
> > My question then is, Is there an easy way of "encrypting" that
> > information?
>
> Well, the easiest way is to do logins over SSL. A second option could
> be HTTP Digest Authentication, but browser support for that is flaky
> to say the least. You can try digest auth, it's in Apache and probably
> in other webservers.
>
> > If not, will I have to go the https way with apache, or is there a
> > ruby http server that can do that?
>
> WEBrick can do SSL, see http://www.webrick.org/
>
> Manfred

From twinwing at gmail.com Sat Feb 23 11:08:01 2008
From: twinwing at gmail.com (Albert Ng)
Date: Sat, 23 Feb 2008 12:08:01 -0400
Subject: how can I catch HTTP 501?
Message-ID: <73925d240802230808i1117a137s713fa4e921b94666@mail.gmail.com>

I'm using camping with reststop to do a html front end for sending pre-defined messages to different devices (puts will work) depending on the time (will parse cron). No real deadline.

Works great up to now, much fun, forgot to sleep.

Problem is when I pass a URL of the form /device/1/ping without a "Ping" controller method. It will send me a "501 Not Implemented". Interestingly enough, /device/1/1/ping will give me "404 Not Found" which I have properly handled.

So my questions are:
In what part of the code can I catch the 501?
How can I implement a catch-all controller method?
Who's giving me the nicely formatted web page when the 501's happening?
Where could I have found that out?
If I stop using reststop, will the problem go away?

Attached is what I have worked up till now. Has a postamble, will work with webrick.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ctd.rb
Type: application/octet-stream
Size: 4330 bytes
Desc: not available
Url : http://rubyforge.org/pipermail/camping-list/attachments/20080223/b945c1da/attachment-0001.obj

From whateley at gmail.com Sat Feb 23 13:10:31 2008
From: whateley at gmail.com (Brendan Taylor)
Date: Sat, 23 Feb 2008 11:10:31 -0700
Subject: how to "encrypt" the password/login for the blog.rb example?
In-Reply-To: <915B63B5-19DC-4CC8-BB9A-398FBCAFD5F1@gmail.com>
References: <73925d240802221028g5430eadfy8d7b5580fac7cb43@mail.gmail.com> <915B63B5-19DC-4CC8-BB9A-398FBCAFD5F1@gmail.com>
Message-ID: <20080223181031.GK2918@nyarlathotep.necronomicorp.com>

On Fri, Feb 22, 2008 at 07:39:59PM +0100, Manfred Stienstra wrote:
> On Feb 22, 2008, at 7:28 PM, Albert Ng wrote:
>
> > looking at the blog.rb example, I see a very nice example of
> > authentication, but the username/password is transmitted in clear
> > text form
> >
> > My question then is, Is there an easy way of "encrypting" that
> > information?
>
> Well, the easiest way is to do logins over SSL. A second option could
> be HTTP Digest Authentication, but browser support for that is flaky
> to say the least.

I've been using Digest myself, can't say I've run into any problems with browser support. Browser UI for it isn't great, of course.

I've attached a module for doing digest auth with Camping. It uses the httpauth gem.

Use it something like this:

Camping.goes :Foo

module Foo
  include Camping::DigestAuth

  REALM = "foo"

  module_function

  def password_for_user(username)
    # returns the correct password for user "username"
    # or nil if the user doesn't exist
  end
end

At the beginning of every controller method you want to be authenticated, call the 'authenticate' method.
-------------- next part --------------
require "httpauth"

module Camping
  module DigestAuth
    include HTTPAuth::Digest

    class Unauthorized < RuntimeError; end

    # call this at the start of methods that require authentication
    def authenticate
      raise Unauthorized unless @user
    end

    def service(*a)
      app = Kernel.const_get(self.class.name.gsub(/^(\w+)::.+$/, '\1'))

      auth_h = @env["HTTP_AUTHORIZATION"]

      begin
        if auth_h
          credentials = Credentials.from_header(auth_h)
          user = credentials.h[:username]

          begin
            pass = app.password_for_user(user)
          rescue NameError
            raise "define #password_for_user on your app module"
          end

          if pass and credentials.validate(:password => pass, :method => @method.upcase)
            @user = user
            auth_info = AuthenticationInfo.from_credentials credentials
            @headers["Authentication-Info"] = auth_info.to_header
          end
        end
      rescue HTTPAuth::UnwellformedHeader
        # they probably sent eg. a Basic Authenticate header
        # just ignore it instead of exploding
      end

      super(*a)
    rescue Unauthorized
      @status = 401
      challenge = Challenge.new :realm => app::REALM, :qop => ["auth"]
      @headers["WWW-Authenticate"] = challenge.to_header
      @body = authentication_failed

      self
    end

    # override this for a nicer error message
    def authentication_failed
      @headers["Content-Type"] = "text/plain"
      "you are not authorized."
    end
  end
end
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://rubyforge.org/pipermail/camping-list/attachments/20080223/84820d85/attachment.bin

From twinwing at gmail.com Sat Feb 23 13:39:23 2008
From: twinwing at gmail.com (Albert Ng)
Date: Sat, 23 Feb 2008 14:39:23 -0400
Subject: diff to splat the password field in blog.rb
Message-ID: <73925d240802231039x79e94b85x14a31262bd4dff8d@mail.gmail.com>

235c235 < input :name => 'password', :type => 'text'; br --- > input :name => 'password', :type => 'password'; br

sorry for all the noise in the list :(

From twinwing at gmail.com Sat Feb 23 22:32:32 2008
From: twinwing at gmail.com (Albert Ng)
Date: Sat, 23 Feb 2008 23:32:32 -0400
Subject: how to "encrypt" the password/login for the blog.rb example?
In-Reply-To: <20080223181031.GK2918@nyarlathotep.necronomicorp.com>
References: <73925d240802221028g5430eadfy8d7b5580fac7cb43@mail.gmail.com> <915B63B5-19DC-4CC8-BB9A-398FBCAFD5F1@gmail.com> <20080223181031.GK2918@nyarlathotep.necronomicorp.com>
Message-ID: <73925d240802231932x76d8d64au5332e21b3ab465dc@mail.gmail.com>

Thank you Mr. Taylor, Mr. Stienstra

It feels so great to be on the cutting edge of 1999's web encryption and authorization!

Mr Taylor, I have used your module for digest authorization and was wondering if you could answer a couple of questions:
What does module_function do without calling a :symbol?
How is the 'service' function called when I'm calling 'authenticate', whose only function is to raise if a condition is not met?

Mr. Stienstra, I have looked into using SSL with WEBrick. Thank you very much, it is exactly what I was looking for.
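
Review bot: in the 235c235 hunk of the "diff to splat the password field in blog.rb" message, ":type => 'password'" only masks the field on screen; the browser still submits the value unencrypted with the form, so the login page still needs SSL (or digest auth) as discussed in the "encrypt" thread. The patch is also a context-free normal diff with no file name; a unified diff (diff -u) that names blog.rb would still apply cleanly if line 235 has moved.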

On Sat, Feb 23, 2008 at 2:10 PM, Brendan Taylor wrote:

> On Fri, Feb 22, 2008 at 07:39:59PM +0100, Manfred Stienstra wrote:
> > On Feb 22, 2008, at 7:28 PM, Albert Ng wrote:
> >
> > > looking at the blog.rb example, I see a very nice example of
> > > authentication, but the username/password is transmitted in clear
> > > text form
> > >
> > > My question then is, Is there an easy way of "encrypting" that
> > > information?
> >
> > Well, the easiest way is to do logins over SSL. A second option could
> > be HTTP Digest Authentication, but browser support for that is flaky
> > to say the least.
>
> I've been using Digest myself, can't say I've run into any
> problems with browser support. Browser UI for it isn't great, of
> course.
> ...
> At the beginning of every controller method you want to be
> authenticated, call the 'authenticate' method.

attached is my current progress.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ctd.rb
Type: application/octet-stream
Size: 4869 bytes
Desc: not available
Url : http://rubyforge.org/pipermail/camping-list/attachments/20080223/711f300a/attachment.obj

From seti at tquadrado.com Sat Feb 23 23:38:30 2008
From: seti at tquadrado.com (pedro mg)
Date: Sun, 24 Feb 2008 04:38:30 +0000
Subject: how can I catch HTTP 501?
In-Reply-To: <73925d240802230808i1117a137s713fa4e921b94666@mail.gmail.com>
References: <73925d240802230808i1117a137s713fa4e921b94666@mail.gmail.com>
Message-ID:

Hi,

i gave a quick look at the code and it seems you need to work out the route for "ping" on the Devices class. I'm not using reststop, but went to check it out.

http://reststop.rubyforge.org/classes/Camping/Controllers.src/M000011.html

def no_method(e)
  _error("No controller method responds to this route!", 501, e)
end

def not_found(e)
  _error("Record not found!", 404, e)
end

Seems those 501 are being delivered by reststop.

http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
"10.5.2 501 Not Implemented
The server does not support the functionality required to fulfill the request. This is the appropriate response when the server does not recognize the request method and is not capable of supporting it for any resource."

In Reststop:
"Calling REST "" creates a controller with the appropriate routes and maps your REST methods to standard Camping controller methods. This is meant to be used in your Controllers module in place of R ."

You'll need to specify those possible routes probably:

# GET /devices/1/ping
def ping(id)
  ...
end

If i well understood, you'd like to have a /devices/1/(\w+) route that reststop could parse. It is not a case solved by a 'prefix'. If you knew the possible methods, you'd implement them. In this case, i'd use Camping standard Routes, where you are free to specify what you want by the use of RegExp's.

Or... you can try to change Reststop yourself ;) on your own risk, following or not the REST architecture :)
Start by redirecting that error message to a specific Route of yours.

/lib/reststop.rb

if e.message =~ /no such method/
  return no_method(e) # <== act here ;)
else
  raise e
end

...or even a bit above, in the protected block under send(custom_action...)

pedro mg

On 2/23/08, Albert Ng wrote:
> I'm using camping with reststop to do a html front end for sending
> pre-defined messages to different devices (puts will work) depending on the
> time (will parse cron). No real deadline.
>
> Works great up to now, much fun, forgot to sleep.
>
> Problem is when I pass a URL of the form /device/1/ping without a "Ping"
> controller method. It will send me a "501 Not Implemented".
> Interestingly enough, /device/1/1/ping will give me "404 Not Found" which I have properly
> handled.
>
> So my questions are:
> In what part of the code can I catch the 501?
> How can I implement a catch-all controller method?
> Who's giving me the nicely formatted web page when the 501's happening?
> Where could I have found that out?
> If I stop using reststop, will the problem go away?
>
> Attached is what I have worked up till now. Has a postamble, will work with
> webrick.

--
pedro mg
http://blog.tquadrado.com

From whateley at gmail.com Sun Feb 24 10:49:39 2008
From: whateley at gmail.com (Brendan Taylor)
Date: Sun, 24 Feb 2008 08:49:39 -0700
Subject: how to "encrypt" the password/login for the blog.rb example?
In-Reply-To: <73925d240802231932x76d8d64au5332e21b3ab465dc@mail.gmail.com>
References: <73925d240802221028g5430eadfy8d7b5580fac7cb43@mail.gmail.com> <915B63B5-19DC-4CC8-BB9A-398FBCAFD5F1@gmail.com> <20080223181031.GK2918@nyarlathotep.necronomicorp.com> <73925d240802231932x76d8d64au5332e21b3ab465dc@mail.gmail.com>
Message-ID: <20080224154939.GL2918@nyarlathotep.necronomicorp.com>

On Sat, Feb 23, 2008 at 11:32:32PM -0400, Albert Ng wrote:
> Mr Taylor, I have used your module for digest authorization and was
> wondering if you could answer a couple of questions:
> What does module_function do without calling a :symbol?

: "If used with no arguments, subsequently defined methods become module functions."

> How is the 'service' function called when I'm calling 'authenticate', whose
> only function is to raise if a condition is not met?

Mixin inheritance stuff.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://rubyforge.org/pipermail/camping-list/attachments/20080224/7ffe4871/attachment.bin

From manfred at gmail.com Mon Feb 25 05:22:12 2008
From: manfred at gmail.com (Manfred Stienstra)
Date: Mon, 25 Feb 2008 11:22:12 +0100
Subject: how to "encrypt" the password/login for the blog.rb example?
In-Reply-To: <20080223181031.GK2918@nyarlathotep.necronomicorp.com>
References: <73925d240802221028g5430eadfy8d7b5580fac7cb43@mail.gmail.com> <915B63B5-19DC-4CC8-BB9A-398FBCAFD5F1@gmail.com> <20080223181031.GK2918@nyarlathotep.necronomicorp.com>
Message-ID: <8460F964-49DC-4748-8593-D7BF5102ECA0@gmail.com>

On Feb 23, 2008, at 7:10 PM, Brendan Taylor wrote:

> I've attached a module for doing digest auth with Camping. It uses the
> httpauth gem.

You have to take care when using httpauth because it doesn't do any internal validation of the digest authorization request, so I think it might be vulnerable to replay attacks or something.

Manfred

From twinwing at gmail.com Mon Feb 25 09:36:47 2008
From: twinwing at gmail.com (Albert Ng)
Date: Mon, 25 Feb 2008 10:36:47 -0400
Subject: how can I catch HTTP 501?
In-Reply-To:
References: <73925d240802230808i1117a137s713fa4e921b94666@mail.gmail.com>
Message-ID: <73925d240802250636j4d76ddf5sf71546ea396b1f2f@mail.gmail.com>

Thanks for the advice Pedro, but unfortunately I've gone back to using the regular Camping paths. It's less RESTful, but more robust.

if I was to call app/1/k, markaby (?) would show me the cookie name, same with (i) for italic 1, (b) for bold 1, and a few others.

On Sun, Feb 24, 2008 at 12:38 AM, pedro mg wrote:

> Hi,
>
> i gave a quick look at the code and it seems you need to work out the
> route for "ping" on the Devices class. I'm not using reststop, but
> went to check it out.
>
> http://reststop.rubyforge.org/classes/Camping/Controllers.src/M000011.html
>
> def no_method(e)
>   _error("No controller method responds to this route!", 501, e)
> end
>
> def not_found(e)
>   _error("Record not found!", 404, e)
> end
>
> Seems those 501 are being delivered by reststop.
> ...
> Or... you can try to change Reststop yourself ;) on your own risk,
> following or not the REST architecture :)
> pedro mg
> http://blog.tquadrado.com

From twinwing at gmail.com Mon Feb 25 09:37:45 2008
From: twinwing at gmail.com (Albert Ng)
Date: Mon, 25 Feb 2008 10:37:45 -0400
Subject: how can I catch HTTP 501?
In-Reply-To: <73925d240802250636j4d76ddf5sf71546ea396b1f2f@mail.gmail.com>
References: <73925d240802230808i1117a137s713fa4e921b94666@mail.gmail.com> <73925d240802250636j4d76ddf5sf71546ea396b1f2f@mail.gmail.com>
Message-ID: <73925d240802250637w13bdcccl50e94091ac7d422a@mail.gmail.com>

not that regular camping paths are anything less than awesome

On Mon, Feb 25, 2008 at 10:36 AM, Albert Ng wrote:

> Thanks for the advice Pedro, but unfortunately I've gone back to using the
> regular Camping paths. It's less RESTful, but more robust.
>
> if I was to call app/1/k, markaby (?) would show me the cookie name, same
> with (i) for italic 1, (b) for bold 1, and a few others.
>
> On Sun, Feb 24, 2008 at 12:38 AM, pedro mg wrote:
>
> > Hi,
> >
> > i gave a quick look at the code and it seems you need to work out the
> > route for "ping" on the Devices class. I'm not using reststop, but
> > went to check it out.
> >
> > http://reststop.rubyforge.org/classes/Camping/Controllers.src/M000011.html
> >
> > def no_method(e)
> >   _error("No controller method responds to this route!", 501, e)
> > end
> >
> > def not_found(e)
> >   _error("Record not found!", 404, e)
> > end
> >
> > Seems those 501 are being delivered by reststop.
> > ...
> > Or... you can try to change Reststop yourself ;) on your own risk,
> > following or not the REST architecture :)
> >
> > pedro mg
> > http://blog.tquadrado.com

From twinwing at gmail.com Mon Feb 25 16:21:37 2008
From: twinwing at gmail.com (Albert Ng)
Date: Mon, 25 Feb 2008 17:21:37 -0400
Subject: how to "encrypt" the password/login for the blog.rb example?
In-Reply-To: <8460F964-49DC-4748-8593-D7BF5102ECA0@gmail.com>
References: <73925d240802221028g5430eadfy8d7b5580fac7cb43@mail.gmail.com> <915B63B5-19DC-4CC8-BB9A-398FBCAFD5F1@gmail.com> <20080223181031.GK2918@nyarlathotep.necronomicorp.com> <8460F964-49DC-4748-8593-D7BF5102ECA0@gmail.com>
Message-ID: <73925d240802251321x5ee6feb3ye5a92656f2d21ee9@mail.gmail.com>

I'll keep that in mind.

As an aside, using this gem, how would I go about changing the user without closing the browser or raising 'Unauthorized'? That last pops up a log-in window that can't authorize (have to press escape).

On Mon, Feb 25, 2008 at 6:22 AM, Manfred Stienstra wrote:

>
> On Feb 23, 2008, at 7:10 PM, Brendan Taylor wrote:
>
> > I've attached a module for doing digest auth with Camping. It uses the
> > httpauth gem.
>
> You have to take care when using httpauth because it doesn't do any
> internal validation of the digest authorization request, so I think it
> might be vulnerable to replay attacks or something.
>
> Manfred

From aredridel at nbtsc.org Mon Feb 25 17:24:12 2008
From: aredridel at nbtsc.org (Aria Stewart)
Date: Mon, 25 Feb 2008 15:24:12 -0700
Subject: how to "encrypt" the password/login for the blog.rb example?
In-Reply-To: <73925d240802251321x5ee6feb3ye5a92656f2d21ee9@mail.gmail.com>
References: <73925d240802221028g5430eadfy8d7b5580fac7cb43@mail.gmail.com> <915B63B5-19DC-4CC8-BB9A-398FBCAFD5F1@gmail.com> <20080223181031.GK2918@nyarlathotep.necronomicorp.com> <8460F964-49DC-4748-8593-D7BF5102ECA0@gmail.com> <73925d240802251321x5ee6feb3ye5a92656f2d21ee9@mail.gmail.com>
Message-ID: <8D04B80C-96F6-4B41-A16A-D54DC13449D7@nbtsc.org>

On Feb 25, 2008, at 2:21 PM, Albert Ng wrote:

> I'll keep that in mind.
>
> As an aside, using this gem, how would I go about changing the user
> without closing the browser or raising 'Unauthorized'? That last
> pops up a log-in window that can't authorize (have to press escape).

You can't. Browsers really really really should include a logout button, and they don't. File bugs with me!

From twinwing at gmail.com Mon Feb 25 19:43:34 2008
From: twinwing at gmail.com (Albert Ng)
Date: Mon, 25 Feb 2008 20:43:34 -0400
Subject: how to "encrypt" the password/login for the blog.rb example?
In-Reply-To: <8D04B80C-96F6-4B41-A16A-D54DC13449D7@nbtsc.org>
References: <73925d240802221028g5430eadfy8d7b5580fac7cb43@mail.gmail.com> <915B63B5-19DC-4CC8-BB9A-398FBCAFD5F1@gmail.com> <20080223181031.GK2918@nyarlathotep.necronomicorp.com> <8460F964-49DC-4748-8593-D7BF5102ECA0@gmail.com> <73925d240802251321x5ee6feb3ye5a92656f2d21ee9@mail.gmail.com> <8D04B80C-96F6-4B41-A16A-D54DC13449D7@nbtsc.org>
Message-ID: <73925d240802251643i794717f3k4d034df719a407cd@mail.gmail.com>

On Mon, Feb 25, 2008 at 6:24 PM, Aria Stewart wrote:

>
> On Feb 25, 2008, at 2:21 PM, Albert Ng wrote:
>
> > I'll keep that in mind.
> >
> > As an aside, using this gem, how would I go about changing the user
> > without closing the browser or raising 'Unauthorized'? That last
> > pops up a log-in window that can't authorize (have to press escape).
>
> You can't. Browsers really really really should include a logout
> button, and they don't. File bugs with me!
>

:)

After cursing at @state, wondering why it wasn't saving before I 'raise Unauthorized' (for 3 hours *rolleyes*), I've finally gotten the expected behavior by creating a 'Loginstate' table that belongs to 'User', calling save explicitly, and working some logic with that.

It's horribly expensive on the database, but it's ok for my purposes, because the app is only accessible locally.

Another thing is that I changed password_for_user to record_for_user, as I'm using @user for an AR record, and the gem kept turning it into a string :P

P.S.
http://code.whytheluckystiff.net/camping/ticket/129 is very annoying, they changed mongrel/camping again (for the worse)

module Ctd::Models
  class Loginstate < Base
    belongs_to :user
  end
end
---
create_table :ctd_loginstates do |t|
  t.column :user_id, :integer, :null => false
  t.column :reauthenticate, :boolean, :default => false
end

user.create_loginstate
---
module Ctd::Controllers
  class CloseSession
    def get
      authenticate
      @user.loginstate.reauthenticate = true
      @user.loginstate.save
      redirect R(Index)
    end
  end
end
---
module Ctd
  include Camping::DigestAuth

  REALM = "ctd"

  module_function

  def record_for_user(username)
    include Ctd::Models
    user = User.find( :first, :conditions => ['username = ?', username])
    user = User.find( :first, :conditions => ['username = ?', 'dummy']) unless user
    if user.loginstate.reauthenticate == true
      user.loginstate.reauthenticate = false
      user.loginstate.save
      raise Unauthorized
    end
    if user
      return user
    end
  end
end
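
Added example, not part of the thread and not code from httpauth or Camping: Manfred's caution earlier in the thread concerns replay of a captured Authorization header. The sketch below shows the server-side checks that reject such a replay for qop=auth digest (RFC 2617): a nonce the server can recognise as its own, an age limit, and a strictly increasing nonce-count. DigestReplayGuard, its method names, the 300-second limit and the sample values are assumptions made for the illustration, and the Authorization header is assumed to be already parsed into a hash.

```ruby
require "digest/md5"
require "openssl"

# Added example. DigestReplayGuard and its methods are hypothetical names,
# not part of the httpauth gem or Camping.
class DigestReplayGuard
  MAX_AGE = 300 # seconds a nonce stays usable (assumed policy)

  def initialize(secret, realm)
    @secret = secret
    @realm = realm
    @last_nc = Hash.new(0) # nonce => highest nonce-count accepted so far
  end

  # Nonce = issue time plus an HMAC over it, so the server can recognise
  # its own nonces and read their age without storing them.
  def issue_nonce(now = Time.now.to_i)
    "#{now}:#{mac(now.to_s)}"
  end

  # RFC 2617 request-digest for qop=auth (client and server compute the same value).
  def expected_response(password, method, f)
    ha1 = Digest::MD5.hexdigest("#{f[:username]}:#{@realm}:#{password}")
    ha2 = Digest::MD5.hexdigest("#{method}:#{f[:uri]}")
    Digest::MD5.hexdigest([ha1, f[:nonce], f[:nc], f[:cnonce], "auth", ha2].join(":"))
  end

  # f is the already-parsed Authorization header. Returns :ok or the reason
  # the request was rejected.
  def check(f, method, password, now = Time.now.to_i)
    @last_nc.delete_if { |nonce, _| now - nonce.to_i > MAX_AGE } # drop expired state
    stamp, tag = f[:nonce].to_s.split(":", 2)
    return :forged_nonce unless tag && secure_eq(tag, mac(stamp))
    return :stale_nonce if now - stamp.to_i > MAX_AGE
    expected = expected_response(password, method, f)
    return :bad_response unless secure_eq(f[:response].to_s, expected)
    nc = f[:nc].to_s.hex
    return :replayed unless nc > @last_nc[f[:nonce]]
    @last_nc[f[:nonce]] = nc
    :ok
  end

  private

  def mac(data)
    OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA256"), @secret, data)
  end

  # Comparison that does not stop at the first differing byte.
  def secure_eq(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed exchange: one valid request, the same request re-sent, a nonce
# the server never issued, and a valid request arriving after MAX_AGE.
def demo_results
  guard = DigestReplayGuard.new("constructed-server-secret", "foo")
  t0 = 1_203_800_000
  f = { :username => "albert", :uri => "/device/1", :nc => "00000001",
        :cnonce => "c0ffee", :nonce => guard.issue_nonce(t0) }
  f[:response] = guard.expected_response("s3cret", "GET", f)
  forged = f.merge(:nonce => "#{t0}:#{'0' * 64}")
  [guard.check(f, "GET", "s3cret", t0 + 1),
   guard.check(f, "GET", "s3cret", t0 + 2),
   guard.check(forged, "GET", "s3cret", t0 + 3),
   guard.check(f, "GET", "s3cret", t0 + 301)]
end

p demo_results if __FILE__ == $0
```

The nonce-count is only recorded after the response digest has verified, so a third party cannot burn a client's counter with garbage requests.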