From 63bc26ab1634aa14ad56099503f81fd289ef1b8b Mon Sep 17 00:00:00 2001
From: JuliusR <>
Date: Sun, 19 Dec 2021 10:48:54 +0100
Subject: [PATCH] improve handling of User resource

---
 app/controllers/application_controller.rb | 8 ++++
 app/controllers/sessions_controller.rb | 6 +--
 app/controllers/users_controller.rb | 27 +++++++------
 app/models/user.rb | 47 +++++++++++++----------
 app/views/users/_form.haml | 1 +
 5 files changed, 51 insertions(+), 38 deletions(-)

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index b74db76..003e661 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -22,6 +22,14 @@ class ApplicationController < ActionController::Base
     end
   end
 
+  def admin_required!
+    user = current_user
+    if user.nil? || !user.admin?
+      flash[:error] = "Not authorized!"
+      redirect_to root_url
+    end
+  end
+
   def authenticate_supplier_admin!
     @supplier = Supplier.find((params[:supplier_id] || params[:id]))
     unless current_user.has_access_to?(@supplier)
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index c6e9156..ceeffd3 100644
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -6,14 +6,14 @@ class SessionsController < ApplicationController
   end
 
   def create
-    user = User.authenticate(params[:email], params[:password])
-    if user
+    user = User.find_by(email: params[:email])
+    if user && user.authenticate(params[:password])
       session[:user_id] = user.id
       flash[:notice] = "Logged in!"
       redirect_to root_url
     else
       flash.now[:error] = "Invalid email or password"
-      render "new"
+      render :new
     end
   end
 
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 634633e..fab1413 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
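Review bot: `admin_required!` conflates an anonymous visitor with a signed-in non-admin — `user.nil? || !user.admin?` sends both to root_url with the same "Not authorized!" flash, so someone who is merely not logged in never reaches the login form. If that is not intended, handle the nil case separately and send it to whatever login route this app uses. The filter also relies on Rails halting the callback chain once `redirect_to` has been performed, which deserves a comment: `# before_action: redirects (halting the chain) unless current_user is an admin`. The condition itself reads more naturally as `unless current_user&.admin?`.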
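Review bot: In `SessionsController#create`, the new `user && user.authenticate(params[:password])` short-circuits when no account matches the e-mail, so the BCrypt work in `User#authenticate` runs only for existing accounts; the response-time difference can reveal which addresses are registered even though the error message is deliberately uniform. A common mitigation is to run the same hashing on the miss path (for example `User.new.authenticate(params[:password])` against a fixed dummy salt) or to accept and document the trade-off. The unchanged `session[:user_id] = user.id` also never rotates the session id; calling `reset_session` immediately before it closes the session-fixation window at negligible cost.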
@@ -1,14 +1,18 @@
 class UsersController < ApplicationController
+
+  before_action :admin_required!
+
   def new
     @user=User.new
   end
 
   def create
-    @user=User.new(user_params)
+    @user = User.new(user_params)
     if @user.save
-      render 'show'
+      flash[:notice] = "Konto wurde erfolgreich erstellt."
+      redirect_to @user
     else
-      redirect_to new_user_path
+      render :new
     end
   end
 
@@ -18,16 +22,11 @@ class UsersController < ApplicationController
 
   def update
     @user = User.find(params[:id])
-    attrs = user_params
-    respond_to do |format|
-      if @user.update(attrs)
-        flash[:notice] = 'Konto wurde erfolgreich aktualisiert.'
-        format.html { redirect_to user_url(@user) }
-        format.xml { head :ok }
-      else
-        format.html { render :action => "edit" }
-        format.xml { render :xml => @user.errors.to_xml }
-      end
+    if @user.update(user_params)
+      flash[:notice] = 'Konto wurde erfolgreich aktualisiert.'
+      redirect_to @user
+    else
+      render :edit
     end
   end
 
@@ -50,6 +49,6 @@ class UsersController < ApplicationController
   private
 
   def user_params
-    params.require(:user).permit(:email, :password)
+    params.require(:user).permit(:email, :password, :password_confirmation, :admin)
   end
 end
diff --git a/app/models/user.rb b/app/models/user.rb
index f37e483..1ee4371 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
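Review bot: `before_action :admin_required!` is declared without `only:`/`except:`, so every action of UsersController — `show`, `edit` and `update` on one's own account included — now requires an admin; if non-admins were meant to keep editing their own profile, that is a behaviour change the commit message does not mention. Whichever is intended, state it next to the declaration so the scope is not loosened by accident: `# Whole controller is admin-only: accounts are created and managed by admins.` The `new` action's `@user=User.new` is left with the old spacing while `create` was normalised to `@user = User.new(user_params)`; aligning both keeps the file consistent.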
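Review bot: `user_params` now permits `:admin`, which makes the privilege flag mass-assignable from the form; that is acceptable only because the whole controller sits behind `admin_required!` (first hunk), and the `attributes_protected_by_default` override added in app/models/user.rb does not protect it under strong parameters. Should `update` ever be opened to non-admins, `:admin` has to come out of the permitted list on that path, so tie the two together for the next reader: `# :admin is mass-assignable only because admin_required! guards every action here`. A split such as `permit(:email, :password, :password_confirmation)` plus `:admin` only when `current_user.admin?` would make the coupling explicit in code rather than in a comment.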
@@ -2,38 +2,43 @@ class User < ApplicationRecord
   has_many :user_accesses, :dependent => :destroy
   has_many :suppliers, :through => :user_accesses
-
-  attr_accessor :password
-  before_save :encrypt_password
+  attr_reader :password
 
-  validates_confirmation_of :password
-  validates_presence_of :password, :on => :create
-  validates_presence_of :email
-  validates_uniqueness_of :email
-
-  def self.authenticate(email, password)
-    user = find_by_email(email)
-    if user && user.password_hash == BCrypt::Engine.hash_secret(password, user.password_salt)
-      user
-    else
-      nil
+  validates :email, presence: true, uniqueness: true
+  validates :password, confirmation: true
+  validate do |user|
+    unless user.password_hash.present? && user.password_salt.present?
+      user.errors.add :password, :blank
     end
   end
 
-  def encrypt_password
-    if password.present?
-      self.password_salt = BCrypt::Engine.generate_salt
-      self.password_hash = BCrypt::Engine.hash_secret(password, password_salt)
-    end
+  def self.attributes_protected_by_default
+    super + %w(password_hash password_salt)
   end
 
   def has_access_to?(supplier)
-    admin? or !UserAccess.first(:conditions => {:supplier_id => supplier.id, :user_id => id}).nil?
+    admin? or !UserAccess.where(supplier_id: supplier.id, user_id: id).first.nil?
+  end
+
+  def authenticate(password_plain)
+    if self.password_hash == BCrypt::Engine.hash_secret(password_plain, self.password_salt)
+      self
+    else
+      false
+    end
+  end
+
+  def password=(password_plain)
+    @password = password_plain
+    unless password_plain.blank?
+      new_salt = BCrypt::Engine.generate_salt
+      self.password_hash = BCrypt::Engine.hash_secret(password_plain, new_salt)
+      self.password_salt = new_salt
+    end
   end
 
   def admin?
     !!admin
   end
-
 end
diff --git a/app/views/users/_form.haml b/app/views/users/_form.haml
index 3c973a6..6e7e397 100644
--- a/app/views/users/_form.haml
+++ b/app/views/users/_form.haml
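Review bot: `User.attributes_protected_by_default` is the Rails 3 mass-assignment-security hook; ActiveRecord 4+ (and `ApplicationRecord` implies Rails 5+) does not consult it unless a `protected_attributes`-style gem is loaded, so the override is most likely inert and the controllers' strong parameters are the only thing keeping `password_hash`/`password_salt` out of user input — either drop it or add a comment saying which gem makes it effective. In `User#authenticate`, `==` on `password_hash` is a plain string comparison and `BCrypt::Engine.hash_secret` raises when `password_salt` is nil (possible for legacy rows, since the presence check only runs on validation); `return false if password_salt.blank?` followed by `ActiveSupport::SecurityUtils.secure_compare(password_hash, BCrypt::Engine.hash_secret(password_plain, password_salt))` covers both. `has_access_to?` keeps `or` inside a boolean expression; `admin? || UserAccess.exists?(supplier_id: supplier.id, user_id: id)` avoids the precedence trap and does not load a row.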
@@ -2,6 +2,7 @@
   = f.input :email, required: true
   = f.input :password, required: true
   = f.input :password_confirmation, required: true
+  = f.input :admin, required: true
 
   .form-actions
     = f.submit class: 'btn'
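Review bot: `= f.input :admin, required: true` marks the admin flag as required; if simple_form renders `admin` as a boolean checkbox (its usual mapping for a boolean column), the HTML `required` attribute on a checkbox makes browsers refuse to submit the form unless it is ticked, so every account created or edited through this form would have to be an admin. Drop the option on this input — `= f.input :admin` — since a checkbox always submits a value through the hidden field the Rails helper emits, so nothing is lost by leaving it optional.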