Introduce user helper

h/static/scripts/account/account-controller.coffee

 class AccountController
-  @inject = [  '$rootScope', '$scope', '$filter',
-               'flash', 'session', 'identity', 'formHelpers']
-  constructor: ($rootScope,   $scope,   $filter,
-                flash, session, identity, formHelpers) ->
+  @inject = [  '$scope', '$filter',
+               'flash', 'formHelpers', 'identity', 'session', 'user']
+  constructor: ($scope,   $filter,
+                flash,   formHelpers,   identity,   session,   user ) ->
     persona_filter = $filter('persona')
     $scope.subscriptionDescription =
       reply: 'Receive notification emails when: - Someone replies to one of my annotations'
@@ -33,7 +33,7 @@ class AccountController
       $scope.$broadcast 'formState', form.$name, ''  # Update status btn
 
     $scope.tab = 'Account'
-    session.profile({user_id: $rootScope.persona}).$promise
+    session.profile({user_id: user.getPersona()}).$promise
       .then (result) =>
         $scope.subscriptions = result.subscriptions
 
@@ -47,7 +47,7 @@ class AccountController
       # The extension is then removed from the page.
       # Confirmation of success is given.
       return unless form.$valid
-      username = persona_filter $rootScope.persona
+      username = persona_filter user.getPersona()
       packet =
         username: username
         pwd: form.pwd.$modelValue
@@ -62,7 +62,7 @@ class AccountController
       formHelpers.applyValidationErrors(form)
       return unless form.$valid
 
-      username = persona_filter $rootScope.persona
+      username = persona_filter user.getPersona()
       packet =
         username: username
         pwd: form.pwd.$modelValue
@@ -77,7 +77,7 @@ class AccountController
 
     $scope.updated = (index, form) ->
       packet =
-        username: $rootScope.persona
+        username: user.getPersona()
         subscriptions: JSON.stringify $scope.subscriptions[index]
 
       successHandler = angular.bind(null, onSuccess, form)

h/static/scripts/controllers.coffee

-# User authorization function for the Permissions plugin.
-authorizeAction = (action, annotation, user) ->
-  if annotation.permissions
-    tokens = annotation.permissions[action] || []
-
-    if tokens.length == 0
-      # Empty or missing tokens array: only admin can perform action.
-      return false
-
-    for token in tokens
-      if user == token
-        return true
-      if token == 'group:__world__'
-        return true
-
-    # No tokens matched: action should not be performed.
-    return false
-
-  # Coarse-grained authorization
-  else if annotation.user
-    return user and user == annotation.user
-
-  # No authorization info on annotation: free-for-all!
-  true
-
-
 class AppController
   this.$inject = [
     '$location', '$route', '$scope', '$timeout',
     'annotator', 'flash', 'identity', 'streamer', 'streamfilter',
-    'documentHelpers', 'drafts'
+    'documentHelpers', 'drafts', 'user'
   ]
   constructor: (
      $location,   $route,   $scope,   $timeout,
      annotator,   flash,   identity,   streamer,   streamfilter,
-     documentHelpers,   drafts
+     documentHelpers,   drafts, user
   ) ->
     {plugins, host, providers} = annotator
 
-    checkingToken = false
     isFirstRun = $location.search().hasOwnProperty('firstrun')
 
     applyUpdates = (action, data) ->
@@ -81,7 +54,7 @@ class AppController
       Store = plugins.Store
       delete plugins.Store
 
-      if $rootScope.persona or annotator.socialView.name is 'none'
+      if user.getPersona() or annotator.socialView.name is 'none'
         annotator.addPlugin 'Store', annotator.options.Store
 
         $scope.store = plugins.Store
@@ -106,12 +79,12 @@ class AppController
       Store.updateAnnotation = angular.noop
 
       # Sort out which annotations should remain in place.
-      user = $rootScope.persona
+      persona = user.getPersona()
       view = annotator.socialView.name
       cull = (acc, annotation) ->
-        if view is 'single-player' and annotation.user != user
+        if view is 'single-player' and annotation.user != persona
           acc.drop.push annotation
-        else if authorizeAction 'read', annotation, user
+        else if authorizeAction 'read', annotation, persona
           acc.keep.push annotation
         else
           acc.drop.push annotation
@@ -133,41 +106,18 @@ class AppController
         $timeout -> cleanup rest
 
     onlogin = (assertion) ->
-      checkingToken = true
-
-      # Configure the Auth plugin with the issued assertion as refresh token.
-      annotator.addPlugin 'Auth',
-        tokenUrl: documentHelpers.absoluteURI(
-          "/api/token?assertion=#{assertion}")
-
-      # Set the user from the token.
-      plugins.Auth.withToken (token) ->
-        checkingToken = false
-        annotator.addPlugin 'Permissions',
-          user: token.userId
-          userAuthorize: authorizeAction
-        $scope.$apply ->
-          $rootScope.persona = token.userId
-          reset()
+      user.login assertion, reset
 
     onlogout = ->
-      plugins.Auth?.element.removeData('annotator:headers')
-      plugins.Auth?.destroy()
-      delete plugins.Auth
-
-      plugins.Permissions?.setUser(null)
-      plugins.Permissions?.destroy()
-      delete plugins.Permissions
-
-      $rootScope.persona = null
-      checkingToken = false
+      user.logout()
       reset()
 
     onready = ->
-      if not checkingToken and typeof $rootScope.persona == 'undefined'
+      persona = user.getPersona()
+      if not user.checkingInProgress() and typeof persona == 'undefined'
         # If we're not checking the token and persona is undefined, onlogin
         # hasn't run, which means we aren't authenticated.
-        $rootScope.persona = null
+        user.noPersona()
         reset()
 
         if isFirstRun
@@ -177,6 +127,7 @@ class AppController
       $scope.dialog.visible = false
 
     reset = ->
+      $scope.persona = user.getPersona()
       $scope.dialog.visible = false
 
       # Update any edits in progress.
@@ -193,7 +144,7 @@ class AppController
     $scope.$watch 'socialView.name', (newValue, oldValue) ->
       return if newValue is oldValue
       initStore()
-      if newValue is 'single-player' and not $rootScope.persona
+      if newValue is 'single-player' and not user.getPersona()
         annotator.show()
         flash 'info',
           'You will need to sign in for your highlights to be saved.'

h/static/scripts/directives/annotation.coffee

@@ -37,10 +37,10 @@ validate = (value) ->
 # {@link annotator annotator service} for persistence.
 ###
 AnnotationController = [
-  '$rootScope', '$scope', '$timeout',
-  'annotator', 'drafts', 'flash', 'documentHelpers', 'timeHelpers',
-  ($rootScope,   $scope,   $timeout,
-   annotator,   drafts,   flash,   documentHelpers,   timeHelpers
+  '$scope', '$timeout',
+  'annotator', 'drafts', 'flash', 'documentHelpers', 'timeHelpers', 'user'
+  ($scope,   $timeout,
+   annotator,   drafts,   flash,   documentHelpers,   timeHelpers,   user
   ) ->
     @annotation = {}
     @action = 'view'
@@ -182,16 +182,17 @@ AnnotationController = [
       reply = {references, uri}
       annotator.publish 'beforeAnnotationCreated', reply
 
-      if $rootScope.persona?
-        reply.permissions.update = [$rootScope.persona]
-        reply.permissions.delete = [$rootScope.persona]
-        reply.permissions.admin = [$rootScope.persona]
+      persona = user.getPersona()
+      if persona?
+        reply.permissions.update = [persona]
+        reply.permissions.delete = [persona]
+        reply.permissions.admin = [persona]
 
         # If replying to a public annotation make the response public.
         if 'group:__world__' in (model.permissions.read or [])
           reply.permissions.read = ['group:__world__']
         else
-          reply.permissions.read = [$rootScope.persona]
+          reply.permissions.read = [persona]
 
     ###*
     # @ngdoc method

h/static/scripts/services/user-service.coffee

+# User authorization function for the Permissions plugin.
+authorizeAction = (action, annotation, user) ->
+  if annotation.permissions
+    tokens = annotation.permissions[action] || []
+
+    if tokens.length == 0
+      # Empty or missing tokens array: only admin can perform action.
+      return false
+
+    for token in tokens
+      if user == token
+        return true
+      if token == 'group:__world__'
+        return true
+
+    # No tokens matched: action should not be performed.
+    return false
+
+  # Coarse-grained authorization
+  else if annotation.user
+    return user and user == annotation.user
+
+  # No authorization info on annotation: free-for-all!
+  true
+
+class User
+  _persona: undefined
+  _checkingToken: false
+  login: undefined
+  logout: undefined
+
+  this.$inject = ['annotator', 'documentHelpers']
+  constructor:   ( annotator,   documentHelpers) ->
+    {plugins} = annotator
+
+    @login = (assertion, callbackFn) ->
+      @_checkingToken = true
+
+      # Configure the Auth plugin with the issued assertion as refresh token.
+      annotator.addPlugin 'Auth',
+        tokenUrl: documentHelpers.absoluteURI(
+          "/api/token?assertion=#{assertion}")
+
+      # Set the user from the token.
+      plugins.Auth.withToken (token) =>
+        @_checkingToken = false
+        annotator.addPlugin 'Permissions',
+          user: token.userId
+          userAuthorize: authorizeAction
+        @_persona = token.userId
+        callbackFn()
+
+    @logout = ->
+      plugins.Auth?.element.removeData('annotator:headers')
+      plugins.Auth?.destroy()
+      delete plugins.Auth
+
+      plugins.Permissions?.setUser(null)
+      plugins.Permissions?.destroy()
+      delete plugins.Permissions
+
+      @_persona = null
+      @_checkingToken = false
+
+  checkingInProgress: -> @_checkingToken
+  getPersona: -> @_persona
+  noPersona: -> @_persona = null
+
+angular.module('h')
+.service('user', User)
\ No newline at end of file