improve handling of User resource

2021-12-19 10:48:54 +01:00 · 2021-12-19 10:48:54 +01:00 · 63bc26ab16
parent b319b9de93
commit 63bc26ab16
5 changed files with 51 additions and 38 deletions
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@ -22,6 +22,14 @@ class ApplicationController < ActionController::Base
    end
  end
  def admin_required!
    user = current_user
    if user.nil? || !user.admin?
      flash[:error] = "Not authorized!"
      redirect_to root_url
    end
  end
  def authenticate_supplier_admin!
    @supplier = Supplier.find((params[:supplier_id] || params[:id]))
    unless current_user.has_access_to?(@supplier)
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@ -6,14 +6,14 @@ class SessionsController < ApplicationController
  end
  def create
-    user = User.authenticate(params[:email], params[:password])
+    user = User.find_by(email: params[:email])
-    if user
+    if user && user.authenticate(params[:password])
      session[:user_id] = user.id
      flash[:notice] = "Logged in!"
      redirect_to root_url
    else
      flash.now[:error] = "Invalid email or password"
-      render "new"
+      render :new
    end
  end
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@ -1,14 +1,18 @@
 class UsersController < ApplicationController
  before_action :admin_required!
  def new
    @user=User.new
  end
  def create
-    @user=User.new(user_params)
+    @user = User.new(user_params)
    if @user.save
-      render 'show'
+      flash[:notice] = "Konto wurde erfolgreich erstellt."
      redirect_to @user
    else
-      redirect_to new_user_path
+      render :new
    end
  end
@ -18,16 +22,11 @@ class UsersController < ApplicationController
  def update
    @user = User.find(params[:id])
-    attrs = user_params
+    if @user.update(user_params)
-    respond_to do |format|
+      flash[:notice] = 'Konto wurde erfolgreich aktualisiert.'
-      if @user.update(attrs)
+      redirect_to @user
-        flash[:notice] = 'Konto wurde erfolgreich aktualisiert.'
+    else
-        format.html { redirect_to user_url(@user) }
+      render :edit
        format.xml  { head :ok }
      else
        format.html { render :action => "edit" }
        format.xml  { render :xml => @user.errors.to_xml }
      end
    end
  end
@ -50,6 +49,6 @@ class UsersController < ApplicationController
  private
  def user_params
-    params.require(:user).permit(:email, :password)
+    params.require(:user).permit(:email, :password, :password_confirmation, :admin)
  end
 end
--- a/app/models/user.rb
+++ b/app/models/user.rb
@ -2,38 +2,43 @@ class User < ApplicationRecord
  has_many :user_accesses, :dependent => :destroy
  has_many :suppliers, :through => :user_accesses
-  attr_accessor :password
+  attr_reader :password
  before_save :encrypt_password
-  validates_confirmation_of :password
+  validates :email, presence: true, uniqueness: true
-  validates_presence_of :password, :on => :create
+  validates :password, confirmation: true
-  validates_presence_of :email
+  validate do |user|
-  validates_uniqueness_of :email
+    unless user.password_hash.present? && user.password_salt.present?
-
+      user.errors.add :password, :blank
  def self.authenticate(email, password)
    user = find_by_email(email)
    if user && user.password_hash == BCrypt::Engine.hash_secret(password, user.password_salt)
      user
    else
      nil
    end
  end
-  def encrypt_password
+  def self.attributes_protected_by_default
-    if password.present?
+    super + %w(password_hash password_salt)
      self.password_salt = BCrypt::Engine.generate_salt
      self.password_hash = BCrypt::Engine.hash_secret(password, password_salt)
    end
  end
  def has_access_to?(supplier)
-    admin? or !UserAccess.first(:conditions => {:supplier_id => supplier.id, :user_id => id}).nil?
+    admin? or !UserAccess.where(supplier_id: supplier.id, user_id: id).first.nil?
  end
  def authenticate(password_plain)
    if self.password_hash == BCrypt::Engine.hash_secret(password_plain, self.password_salt)
      self
    else
      false
    end
  end
  def password=(password_plain)
    @password = password_plain
    unless password_plain.blank?
      new_salt = BCrypt::Engine.generate_salt
      self.password_hash = BCrypt::Engine.hash_secret(password_plain, new_salt)
      self.password_salt = new_salt
    end
  end
  def admin?
    !!admin
  end
 end
--- a/app/views/users/_form.haml
+++ b/app/views/users/_form.haml
@ -2,6 +2,7 @@
  = f.input :email, required: true
  = f.input :password, required: true
  = f.input :password_confirmation, required: true
  = f.input :admin, required: true
  .form-actions
    = f.submit class: 'btn'