From 63bc26ab1634aa14ad56099503f81fd289ef1b8b Mon Sep 17 00:00:00 2001
From: JuliusR <>
Date: Sun, 19 Dec 2021 10:48:54 +0100
Subject: [PATCH] improve handling of User resource

---
 app/controllers/application_controller.rb |  8 ++++
 app/controllers/sessions_controller.rb    |  6 +--
 app/controllers/users_controller.rb       | 27 +++++++------
 app/models/user.rb                        | 47 +++++++++++++----------
 app/views/users/_form.haml                |  1 +
 5 files changed, 51 insertions(+), 38 deletions(-)

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index b74db76..003e661 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -22,6 +22,14 @@ class ApplicationController < ActionController::Base
     end
   end
 
+  def admin_required!
+    user = current_user
+    if user.nil? || !user.admin?
+      flash[:error] = "Not authorized!"
+      redirect_to root_url
+    end
+  end
+
   def authenticate_supplier_admin!
     @supplier = Supplier.find((params[:supplier_id] || params[:id]))
     unless current_user.has_access_to?(@supplier)
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index c6e9156..ceeffd3 100644
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -6,14 +6,14 @@ class SessionsController < ApplicationController
   end
 
   def create
-    user = User.authenticate(params[:email], params[:password])
-    if user
+    user = User.find_by(email: params[:email])
+    if user && user.authenticate(params[:password])
       session[:user_id] = user.id
       flash[:notice] = "Logged in!"
       redirect_to root_url
     else
       flash.now[:error] = "Invalid email or password"
-      render "new"
+      render :new
     end
   end
 
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 634633e..fab1413 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -1,14 +1,18 @@
 class UsersController < ApplicationController
+
+  before_action :admin_required!
+
   def new
     @user=User.new
   end
 
   def create
-    @user=User.new(user_params)
+    @user = User.new(user_params)
     if @user.save
-      render 'show'
+      flash[:notice] = "Konto wurde erfolgreich erstellt."
+      redirect_to @user
     else
-      redirect_to new_user_path
+      render :new
     end
   end
 
@@ -18,16 +22,11 @@ class UsersController < ApplicationController
 
   def update
     @user = User.find(params[:id])
-    attrs = user_params
-    respond_to do |format|
-      if @user.update(attrs)
-        flash[:notice] = 'Konto wurde erfolgreich aktualisiert.'
-        format.html { redirect_to user_url(@user) }
-        format.xml  { head :ok }
-      else
-        format.html { render :action => "edit" }
-        format.xml  { render :xml => @user.errors.to_xml }
-      end
+    if @user.update(user_params)
+      flash[:notice] = 'Konto wurde erfolgreich aktualisiert.'
+      redirect_to @user
+    else
+      render :edit
     end
   end
 
@@ -50,6 +49,6 @@ class UsersController < ApplicationController
 
   private
   def user_params
-    params.require(:user).permit(:email, :password)
+    params.require(:user).permit(:email, :password, :password_confirmation, :admin)
   end
 end
diff --git a/app/models/user.rb b/app/models/user.rb
index f37e483..1ee4371 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -2,38 +2,43 @@ class User < ApplicationRecord
 
   has_many :user_accesses, :dependent => :destroy
   has_many :suppliers, :through => :user_accesses
-  
 
-  attr_accessor :password
-  before_save :encrypt_password
+  attr_reader :password
 
-  validates_confirmation_of :password
-  validates_presence_of :password, :on => :create
-  validates_presence_of :email
-  validates_uniqueness_of :email
-
-  def self.authenticate(email, password)
-    user = find_by_email(email)
-    if user && user.password_hash == BCrypt::Engine.hash_secret(password, user.password_salt)
-      user
-    else
-      nil
+  validates :email, presence: true, uniqueness: true
+  validates :password, confirmation: true
+  validate do |user|
+    unless user.password_hash.present? && user.password_salt.present?
+      user.errors.add :password, :blank
     end
   end
 
-  def encrypt_password
-    if password.present?
-      self.password_salt = BCrypt::Engine.generate_salt
-      self.password_hash = BCrypt::Engine.hash_secret(password, password_salt)
-    end
+  def self.attributes_protected_by_default
+    super + %w(password_hash password_salt)
   end
 
   def has_access_to?(supplier)
-    admin? or !UserAccess.first(:conditions => {:supplier_id => supplier.id, :user_id => id}).nil?
+    admin? or !UserAccess.where(supplier_id: supplier.id, user_id: id).first.nil?
+  end
+
+  def authenticate(password_plain)
+    if self.password_hash == BCrypt::Engine.hash_secret(password_plain, self.password_salt)
+      self
+    else
+      false
+    end
+  end
+
+  def password=(password_plain)
+    @password = password_plain
+    unless password_plain.blank?
+      new_salt = BCrypt::Engine.generate_salt
+      self.password_hash = BCrypt::Engine.hash_secret(password_plain, new_salt)
+      self.password_salt = new_salt
+    end
   end
 
   def admin?
     !!admin
   end
-
 end
diff --git a/app/views/users/_form.haml b/app/views/users/_form.haml
index 3c973a6..6e7e397 100644
--- a/app/views/users/_form.haml
+++ b/app/views/users/_form.haml
@@ -2,6 +2,7 @@
   = f.input :email, required: true
   = f.input :password, required: true
   = f.input :password_confirmation, required: true
+  = f.input :admin, required: true
 
   .form-actions
     = f.submit class: 'btn'