improve handling of User resource

JuliusR 2021-12-19 10:48:54 +01:00 committed by 1resu
parent d705402d8b
commit 9f3d301550
5 changed files with 51 additions and 38 deletions


@ -22,6 +22,14 @@ class ApplicationController < ActionController::Base
end end
end end
def admin_required!
user = current_user
if user.nil? || !user.admin?
flash[:error] = "Not authorized!"
redirect_to root_url
end
end
def authenticate_supplier_admin! def authenticate_supplier_admin!
@supplier = Supplier.find((params[:supplier_id] || params[:id])) @supplier = Supplier.find((params[:supplier_id] || params[:id]))
unless current_user.has_access_to?(@supplier) unless current_user.has_access_to?(@supplier)
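Review bot: In the new `admin_required!`, a visitor with no session (`user.nil?`) gets the same "Not authorized!" flash and `root_url` redirect as a logged-in non-admin, so a logged-out admin has no hint that signing in would help; branching the nil case to the SessionsController `new` route would let them recover. The condition also reads more simply as a guard: `return if current_user&.admin?` followed by the flash and redirect, which avoids the `nil? ||` check. The surrounding `ApplicationController` class continues outside the hunk, so I cannot see whether `current_user` itself may raise when the session holds a stale id.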


@ -6,14 +6,14 @@ class SessionsController < ApplicationController
end end
def create def create
user = User.authenticate(params[:email], params[:password]) user = User.find_by(email: params[:email])
if user if user && user.authenticate(params[:password])
session[:user_id] = user.id session[:user_id] = user.id
flash[:notice] = "Logged in!" flash[:notice] = "Logged in!"
redirect_to root_url redirect_to root_url
else else
flash.now[:error] = "Invalid email or password" flash.now[:error] = "Invalid email or password"
render "new" render :new
end end
end end
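Review bot: The new condition `if user && user.authenticate(params[:password])` short-circuits before any BCrypt work when the email is unknown, so the response time for an unknown email is measurably shorter than for a known one; that is an account-enumeration signal, and the usual mitigation is to run the same hash computation against a dummy salt when `user` is nil, or to accept the leak explicitly in a comment. Separately, the unchanged context line `session[:user_id] = user.id` should be preceded by `reset_session` so a successful login gets a fresh session id rather than reusing one the client arrived with (session fixation); this gap predates the commit but the rewritten `create` is the natural place to close it. I infer from the model hunk in this same commit that `user.authenticate` returns `self` or `false`.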


@ -1,14 +1,18 @@
class UsersController < ApplicationController class UsersController < ApplicationController
before_action :admin_required!
def new def new
@user=User.new @user=User.new
end end
def create def create
@user=User.new(user_params) @user = User.new(user_params)
if @user.save if @user.save
render 'show' flash[:notice] = "Konto wurde erfolgreich erstellt."
redirect_to @user
else else
redirect_to new_user_path render :new
end end
end end
@ -18,16 +22,11 @@ class UsersController < ApplicationController
def update def update
@user = User.find(params[:id]) @user = User.find(params[:id])
attrs = user_params if @user.update(user_params)
respond_to do |format| flash[:notice] = 'Konto wurde erfolgreich aktualisiert.'
if @user.update(attrs) redirect_to @user
flash[:notice] = 'Konto wurde erfolgreich aktualisiert.' else
format.html { redirect_to user_url(@user) } render :edit
format.xml { head :ok }
else
format.html { render :action => "edit" }
format.xml { render :xml => @user.errors.to_xml }
end
end end
end end
@ -50,6 +49,6 @@ class UsersController < ApplicationController
private private
def user_params def user_params
params.require(:user).permit(:email, :password) params.require(:user).permit(:email, :password, :password_confirmation, :admin)
end end
end end
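Review bot: `user_params` now permits `:admin`, which turns `create` and `update` into a privilege-granting path; that is only safe because of the `before_action :admin_required!` added at the top of the same class, and the coupling deserves a comment on the permit line such as `# :admin is mass-assignable only because every action here sits behind admin_required!` so a later `only:`/`except:` on the filter does not silently reopen it. Note that the filter has no `only:`, so `show`, `edit` and `update` are admin-only too — if non-admin users were expected to change their own password through this controller, that path is now closed (hedged: the routes are not in view). In `create`, `render :new` after a failed save is correct, but the flash message is set only on success, so the user sees validation errors purely from `@user.errors`.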


@ -3,37 +3,42 @@ class User < ApplicationRecord
has_many :user_accesses, :dependent => :destroy has_many :user_accesses, :dependent => :destroy
has_many :suppliers, :through => :user_accesses has_many :suppliers, :through => :user_accesses
attr_reader :password
attr_accessor :password validates :email, presence: true, uniqueness: true
before_save :encrypt_password validates :password, confirmation: true
validate do |user|
validates_confirmation_of :password unless user.password_hash.present? && user.password_salt.present?
validates_presence_of :password, :on => :create user.errors.add :password, :blank
validates_presence_of :email
validates_uniqueness_of :email
def self.authenticate(email, password)
user = find_by_email(email)
if user && user.password_hash == BCrypt::Engine.hash_secret(password, user.password_salt)
user
else
nil
end end
end end
def encrypt_password def self.attributes_protected_by_default
if password.present? super + %w(password_hash password_salt)
self.password_salt = BCrypt::Engine.generate_salt
self.password_hash = BCrypt::Engine.hash_secret(password, password_salt)
end
end end
def has_access_to?(supplier) def has_access_to?(supplier)
admin? or !UserAccess.first(:conditions => {:supplier_id => supplier.id, :user_id => id}).nil? admin? or !UserAccess.where(supplier_id: supplier.id, user_id: id).first.nil?
end
def authenticate(password_plain)
if self.password_hash == BCrypt::Engine.hash_secret(password_plain, self.password_salt)
self
else
false
end
end
def password=(password_plain)
@password = password_plain
unless password_plain.blank?
new_salt = BCrypt::Engine.generate_salt
self.password_hash = BCrypt::Engine.hash_secret(password_plain, new_salt)
self.password_salt = new_salt
end
end end
def admin? def admin?
!!admin !!admin
end end
end end
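Review bot: The new `authenticate` compares `self.password_hash == BCrypt::Engine.hash_secret(...)` with plain String `==`, which stops at the first differing byte; replacing the comparison with `ActiveSupport::SecurityUtils.secure_compare(password_hash, BCrypt::Engine.hash_secret(password_plain, password_salt))` keeps the outcome identical while making comparison time independent of how much of the hash matches. `self.attributes_protected_by_default` is the legacy `protected_attributes` hook, and since the controllers in this commit use strong parameters (`params.require(:user).permit`), it is never consulted unless that gem is loaded — it looks like dead code that could be dropped. In `has_access_to?`, `admin? or !UserAccess.where(...).first.nil?` reads better and avoids loading a row as `admin? || UserAccess.exists?(supplier_id: supplier.id, user_id: id)`; `or` should be `||` in any case for precedence. The whole password handling (`password=`, confirmation validation, `authenticate`) mirrors what Rails' `has_secure_password` provides, which would be worth considering as a follow-up.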


@ -2,6 +2,7 @@
= f.input :email, required: true = f.input :email, required: true
= f.input :password, required: true = f.input :password, required: true
= f.input :password_confirmation, required: true = f.input :password_confirmation, required: true
= f.input :admin, required: true
.form-actions .form-actions
= f.submit class: 'btn' = f.submit class: 'btn'
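Review bot: The added `= f.input :admin, required: true` marks a boolean field as required; when simple_form emits the HTML `required` attribute on a checkbox the form cannot be submitted with the box unchecked, which would make it impossible to create a non-admin user from this form (hedged: whether browser validations are enabled depends on the simple_form config, not visible here). A yes/no field should be `= f.input :admin, as: :boolean` without `required`, leaving the model to decide the default.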