improve handling of User resource

1 year ago · 63bc26ab16
parent b319b9de93
commit 63bc26ab16
5 changed files with 51 additions and 38 deletions
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@ -22,6 +22,14 @@ class ApplicationController < ActionController::Base
    end
  end

+  def admin_required!
+    user = current_user
+    if user.nil? || !user.admin?
+      flash[:error] = "Not authorized!"
+      redirect_to root_url
+    end
+  end
+
  def authenticate_supplier_admin!
    @supplier = Supplier.find((params[:supplier_id] || params[:id]))
    unless current_user.has_access_to?(@supplier)
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@ -6,14 +6,14 @@ class SessionsController < ApplicationController
  end

  def create
-    user = User.authenticate(params[:email], params[:password])
-    if user
+    user = User.find_by(email: params[:email])
+    if user && user.authenticate(params[:password])
      session[:user_id] = user.id
      flash[:notice] = "Logged in!"
      redirect_to root_url
    else
      flash.now[:error] = "Invalid email or password"
-      render "new"
+      render :new
    end
  end

--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@ -1,14 +1,18 @@
 class UsersController < ApplicationController
+
+  before_action :admin_required!
+
  def new
    @user=User.new
  end

  def create
-    @user=User.new(user_params)
+    @user = User.new(user_params)
    if @user.save
-      render 'show'
+      flash[:notice] = "Konto wurde erfolgreich erstellt."
+      redirect_to @user
    else
-      redirect_to new_user_path
+      render :new
    end
  end

@ -18,16 +22,11 @@ class UsersController < ApplicationController

  def update
    @user = User.find(params[:id])
-    attrs = user_params
-    respond_to do |format|
-      if @user.update(attrs)
-        flash[:notice] = 'Konto wurde erfolgreich aktualisiert.'
-        format.html { redirect_to user_url(@user) }
-        format.xml  { head :ok }
-      else
-        format.html { render :action => "edit" }
-        format.xml  { render :xml => @user.errors.to_xml }
-      end
+    if @user.update(user_params)
+      flash[:notice] = 'Konto wurde erfolgreich aktualisiert.'
+      redirect_to @user
+    else
+      render :edit
    end
  end

@ -50,6 +49,6 @@ class UsersController < ApplicationController

  private
  def user_params
-    params.require(:user).permit(:email, :password)
+    params.require(:user).permit(:email, :password, :password_confirmation, :admin)
  end
 end
--- a/app/models/user.rb
+++ b/app/models/user.rb
@ -2,38 +2,43 @@ class User < ApplicationRecord

  has_many :user_accesses, :dependent => :destroy
  has_many :suppliers, :through => :user_accesses
-  

-  attr_accessor :password
-  before_save :encrypt_password
+  attr_reader :password

-  validates_confirmation_of :password
-  validates_presence_of :password, :on => :create
-  validates_presence_of :email
-  validates_uniqueness_of :email
-
-  def self.authenticate(email, password)
-    user = find_by_email(email)
-    if user && user.password_hash == BCrypt::Engine.hash_secret(password, user.password_salt)
-      user
-    else
-      nil
+  validates :email, presence: true, uniqueness: true
+  validates :password, confirmation: true
+  validate do |user|
+    unless user.password_hash.present? && user.password_salt.present?
+      user.errors.add :password, :blank
    end
  end

-  def encrypt_password
-    if password.present?
-      self.password_salt = BCrypt::Engine.generate_salt
-      self.password_hash = BCrypt::Engine.hash_secret(password, password_salt)
-    end
+  def self.attributes_protected_by_default
+    super + %w(password_hash password_salt)
  end

  def has_access_to?(supplier)
-    admin? or !UserAccess.first(:conditions => {:supplier_id => supplier.id, :user_id => id}).nil?
+    admin? or !UserAccess.where(supplier_id: supplier.id, user_id: id).first.nil?
+  end
+
+  def authenticate(password_plain)
+    if self.password_hash == BCrypt::Engine.hash_secret(password_plain, self.password_salt)
+      self
+    else
+      false
+    end
+  end
+
+  def password=(password_plain)
+    @password = password_plain
+    unless password_plain.blank?
+      new_salt = BCrypt::Engine.generate_salt
+      self.password_hash = BCrypt::Engine.hash_secret(password_plain, new_salt)
+      self.password_salt = new_salt
+    end
  end

  def admin?
    !!admin
  end
-
 end
--- a/app/views/users/_form.haml
+++ b/app/views/users/_form.haml
@ -2,6 +2,7 @@
  = f.input :email, required: true
  = f.input :password, required: true
  = f.input :password_confirmation, required: true
+  = f.input :admin, required: true

  .form-actions
    = f.submit class: 'btn'