improve handling of User resource
This commit is contained in:
parent
d705402d8b
commit
9f3d301550
5 changed files with 51 additions and 38 deletions
|
@ -22,6 +22,14 @@ class ApplicationController < ActionController::Base
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def admin_required!
|
||||||
|
user = current_user
|
||||||
|
if user.nil? || !user.admin?
|
||||||
|
flash[:error] = "Not authorized!"
|
||||||
|
redirect_to root_url
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
def authenticate_supplier_admin!
|
def authenticate_supplier_admin!
|
||||||
@supplier = Supplier.find((params[:supplier_id] || params[:id]))
|
@supplier = Supplier.find((params[:supplier_id] || params[:id]))
|
||||||
unless current_user.has_access_to?(@supplier)
|
unless current_user.has_access_to?(@supplier)
|
||||||
|
|
|
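Review bot: `admin_required!` sends a visitor with no `current_user` to `root_url` with the same "Not authorized!" flash as a signed-in non-admin, so the unauthenticated and the unauthorized case are indistinguishable to the user, and if the root route is itself guarded the redirect would loop; consider sending a nil `current_user` to the login page (the path helper is not visible here) and keeping the authorization message for signed-in non-admins. The condition reads more idiomatically as a guard clause, `return if current_user&.admin?`, followed by the flash and redirect, which also removes the `user` local. The redirect does halt the before_action chain, so the rest of the method is fine as written. `authenticate_supplier_admin!` continues past the end of the hunk and is unchanged by this commit.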
@ -6,14 +6,14 @@ class SessionsController < ApplicationController
|
||||||
end
|
end
|
||||||
|
|
||||||
def create
|
def create
|
||||||
user = User.authenticate(params[:email], params[:password])
|
user = User.find_by(email: params[:email])
|
||||||
if user
|
if user && user.authenticate(params[:password])
|
||||||
session[:user_id] = user.id
|
session[:user_id] = user.id
|
||||||
flash[:notice] = "Logged in!"
|
flash[:notice] = "Logged in!"
|
||||||
redirect_to root_url
|
redirect_to root_url
|
||||||
else
|
else
|
||||||
flash.now[:error] = "Invalid email or password"
|
flash.now[:error] = "Invalid email or password"
|
||||||
render "new"
|
render :new
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
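Review bot: The new `if user && user.authenticate(params[:password])` short-circuits when no account matches the e-mail, so the BCrypt work inside `User#authenticate` runs only for existing accounts and the response time differs between unknown and known addresses; if account enumeration is a concern here, compute a hash against a fixed dummy digest in the `nil` branch so both paths cost the same. The unchanged `session[:user_id] = user.id` above it would also benefit from a `reset_session` immediately before the assignment, so a session id issued before authentication is not carried into the authenticated session. `user.authenticate` returns `self` or `false` per the model change in this commit, so the truthiness test on the new line is sound.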
@ -1,14 +1,18 @@
|
||||||
class UsersController < ApplicationController
|
class UsersController < ApplicationController
|
||||||
|
|
||||||
|
before_action :admin_required!
|
||||||
|
|
||||||
def new
|
def new
|
||||||
@user=User.new
|
@user=User.new
|
||||||
end
|
end
|
||||||
|
|
||||||
def create
|
def create
|
||||||
@user=User.new(user_params)
|
@user = User.new(user_params)
|
||||||
if @user.save
|
if @user.save
|
||||||
render 'show'
|
flash[:notice] = "Konto wurde erfolgreich erstellt."
|
||||||
|
redirect_to @user
|
||||||
else
|
else
|
||||||
redirect_to new_user_path
|
render :new
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -18,16 +22,11 @@ class UsersController < ApplicationController
|
||||||
|
|
||||||
def update
|
def update
|
||||||
@user = User.find(params[:id])
|
@user = User.find(params[:id])
|
||||||
attrs = user_params
|
if @user.update(user_params)
|
||||||
respond_to do |format|
|
|
||||||
if @user.update(attrs)
|
|
||||||
flash[:notice] = 'Konto wurde erfolgreich aktualisiert.'
|
flash[:notice] = 'Konto wurde erfolgreich aktualisiert.'
|
||||||
format.html { redirect_to user_url(@user) }
|
redirect_to @user
|
||||||
format.xml { head :ok }
|
|
||||||
else
|
else
|
||||||
format.html { render :action => "edit" }
|
render :edit
|
||||||
format.xml { render :xml => @user.errors.to_xml }
|
|
||||||
end
|
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -50,6 +49,6 @@ class UsersController < ApplicationController
|
||||||
|
|
||||||
private
|
private
|
||||||
def user_params
|
def user_params
|
||||||
params.require(:user).permit(:email, :password)
|
params.require(:user).permit(:email, :password, :password_confirmation, :admin)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
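Review bot: `user_params` now permits `:admin`, so the privilege flag is mass-assignable through both `create` and `update`, and the only thing between a signed-in non-admin and self-promotion is the `before_action :admin_required!` added at the top of this file; that holds today, but a privilege flag deserves an explicit gate in the controller rather than riding on a callback, e.g. `permitted = [:email, :password, :password_confirmation]; permitted << :admin if current_user&.admin?; params.require(:user).permit(*permitted)`. Nothing here prevents an admin from clearing their own `admin` flag via `update`; whether a last-admin lockout check is wanted is for the owners to decide, but it is worth a comment on `user_params` either way. The flash text `"Konto wurde erfolgreich erstellt."` in `create` is German while the messages added elsewhere in this commit ("Not authorized!", "Logged in!") are English; an I18n key such as `t('.created')` would keep the UI consistent.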
@ -3,37 +3,42 @@ class User < ApplicationRecord
|
||||||
has_many :user_accesses, :dependent => :destroy
|
has_many :user_accesses, :dependent => :destroy
|
||||||
has_many :suppliers, :through => :user_accesses
|
has_many :suppliers, :through => :user_accesses
|
||||||
|
|
||||||
|
attr_reader :password
|
||||||
|
|
||||||
attr_accessor :password
|
validates :email, presence: true, uniqueness: true
|
||||||
before_save :encrypt_password
|
validates :password, confirmation: true
|
||||||
|
validate do |user|
|
||||||
validates_confirmation_of :password
|
unless user.password_hash.present? && user.password_salt.present?
|
||||||
validates_presence_of :password, :on => :create
|
user.errors.add :password, :blank
|
||||||
validates_presence_of :email
|
|
||||||
validates_uniqueness_of :email
|
|
||||||
|
|
||||||
def self.authenticate(email, password)
|
|
||||||
user = find_by_email(email)
|
|
||||||
if user && user.password_hash == BCrypt::Engine.hash_secret(password, user.password_salt)
|
|
||||||
user
|
|
||||||
else
|
|
||||||
nil
|
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
def encrypt_password
|
def self.attributes_protected_by_default
|
||||||
if password.present?
|
super + %w(password_hash password_salt)
|
||||||
self.password_salt = BCrypt::Engine.generate_salt
|
|
||||||
self.password_hash = BCrypt::Engine.hash_secret(password, password_salt)
|
|
||||||
end
|
|
||||||
end
|
end
|
||||||
|
|
||||||
def has_access_to?(supplier)
|
def has_access_to?(supplier)
|
||||||
admin? or !UserAccess.first(:conditions => {:supplier_id => supplier.id, :user_id => id}).nil?
|
admin? or !UserAccess.where(supplier_id: supplier.id, user_id: id).first.nil?
|
||||||
|
end
|
||||||
|
|
||||||
|
def authenticate(password_plain)
|
||||||
|
if self.password_hash == BCrypt::Engine.hash_secret(password_plain, self.password_salt)
|
||||||
|
self
|
||||||
|
else
|
||||||
|
false
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
def password=(password_plain)
|
||||||
|
@password = password_plain
|
||||||
|
unless password_plain.blank?
|
||||||
|
new_salt = BCrypt::Engine.generate_salt
|
||||||
|
self.password_hash = BCrypt::Engine.hash_secret(password_plain, new_salt)
|
||||||
|
self.password_salt = new_salt
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
def admin?
|
def admin?
|
||||||
!!admin
|
!!admin
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
|
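Review bot: `User#authenticate` compares the recomputed digest with `password_hash` using `==`, which stops at the first differing byte; use `ActiveSupport::SecurityUtils.secure_compare` (or `BCrypt::Password.new(password_hash) == password_plain`, since the bcrypt string embeds its salt) so comparison time does not depend on the stored value. It also passes `self.password_salt` to `BCrypt::Engine.hash_secret` unguarded — for a row whose salt is blank (the new `validate` block stops such rows from being saved going forward, but existing data may contain them) the bcrypt gem rejects the salt with an exception, if I recall its salt validation correctly, so a failed login becomes a 500 instead of `false`. `self.attributes_protected_by_default` belongs to the pre-strong-parameters `attr_protected` API that `ApplicationRecord`-era Rails no longer provides, so the `super` call would raise `NoMethodError` if anything invoked it; unless a compatibility gem is in use the method is dead and should be removed. In `has_access_to?`, `admin? or !UserAccess.where(...).first.nil?` can be `admin? || UserAccess.exists?(supplier_id: supplier.id, user_id: id)`, avoiding both the `or` precedence trap and loading a record only to test presence. The `class User` header lies above the hunk; the class closes at its end.
```ruby
def authenticate(password_plain)
  return false if password_hash.blank? || password_salt.blank?
  candidate = BCrypt::Engine.hash_secret(password_plain.to_s, password_salt)
  ActiveSupport::SecurityUtils.secure_compare(candidate, password_hash) ? self : false
end
```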
@ -2,6 +2,7 @@
|
||||||
= f.input :email, required: true
|
= f.input :email, required: true
|
||||||
= f.input :password, required: true
|
= f.input :password, required: true
|
||||||
= f.input :password_confirmation, required: true
|
= f.input :password_confirmation, required: true
|
||||||
|
= f.input :admin, required: true
|
||||||
|
|
||||||
.form-actions
|
.form-actions
|
||||||
= f.submit class: 'btn'
|
= f.submit class: 'btn'
|
||||||
|
|
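Review bot: `= f.input :admin, required: true` marks a boolean as required; with simple_form a boolean column renders as a checkbox, and the HTML5 `required` attribute on a checkbox means it must be checked before the browser submits, so this form would refuse to create a non-admin user. Drop the option (`= f.input :admin`) or, if the default mapping does not apply, render it explicitly with `as: :boolean`. The form builder and the column type are not visible in this hunk, so confirm against the schema before changing it.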