From cbed060fa16ce62821f637ff5d8fde7aa421d31e Mon Sep 17 00:00:00 2001
From: hukl
Date: Wed, 7 Oct 2009 21:20:18 +0200
Subject: enabling users to edit their own details - tested as well - yay

---
 app/controllers/users_controller.rb | 37 ++++++++++++++++++--------------
 test/functional/users_controller_test.rb | 14 ++++++++++++
 2 files changed, 35 insertions(+), 16 deletions(-)

diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index b15f83b..ead989d 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -1,12 +1,13 @@
 class UsersController < ApplicationController
-
+
   # Private
-
+
   before_filter :login_required
-  before_filter :verify_admin_status, :except => [:index, :show]
-
+  before_filter :find_user, :only => [:show, :edit, :update, :destroy]
+  before_filter :verify_status, :except => [:index, :show]
+
   layout 'admin'
-
+
   def index
     @users = User.all(:order => "login ASC")
   end
@@ -17,7 +18,7 @@ class UsersController < ApplicationController
 
   def create
     @user = User.new params[:user]
-
+
     if @user.save
       redirect_to user_path(@user)
     else
@@ -26,12 +27,9 @@ class UsersController < ApplicationController
   end
 
   def edit
-    @user = User.find(params[:id])
   end
 
   def update
-    @user = User.find(params[:id])
-
     if @user.update_attributes(params[:user])
       redirect_to user_path(@user)
     else
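Review bot: The authorization filter `verify_status` only works because `find_user` is declared on the line above it and therefore runs first; nothing else enforces that order, and for `new`/`create` (covered by `:except` but not by `:only`) the check silently depends on the `@user ||= User.new` fallback defined in the last hunk. A one-line comment on the filter block would make the coupling explicit, e.g. `# Order matters: find_user must load @user before verify_status compares it with current_user`. The `# Private` comment above these public filters is also misleading now and could be dropped or moved to the `private` section. The class body continues past this hunk.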
@@ -40,20 +38,27 @@ class UsersController < ApplicationController end def show - @user = User.find(params[:id]) end def destroy - user = User.find(params[:id]) - user.destroy if user + @user.destroy if @user redirect_to users_path end private - def verify_admin_status - unless current_user.admin - flash[:notice] = "Sorry, you need to be an admin for this action" - redirect_to users_path + def find_user + @user = User.find(params[:id]) + end + + def verify_status + @user ||= User.new + unless @user.id == current_user.id || current_user.admin + deny_user_access end end + + def deny_user_access + flash[:notice] = "Sorry, you need to be an admin for this action" + redirect_to users_path + end end diff --git a/test/functional/users_controller_test.rb b/test/functional/users_controller_test.rb index a8333fe..05257fa 100644 --- a/test/functional/users_controller_test.rb +++ b/test/functional/users_controller_test.rb @@ -99,6 +99,12 @@ class UsersControllerTest < ActionController::TestCase assert_response :success end + test "editing own user details is allowed" do + login_as :quentin + get :edit, :id => User.find_by_login("quentin").id + assert_response :success + end + test "updating an user when being logged in as regular user wont work" do user = User.find_by_login("aaron") login_as :quentin @@ -118,6 +124,14 @@ class UsersControllerTest < ActionController::TestCase assert_equal "random", user.reload.login end + test "updating own user details is allowd" do + user = User.find_by_login("quentin") + login_as :quentin + put :update, :id => user.id, :user => {:login => "random"} + assert_redirected_to user_path(user) + assert_equal "random", user.reload.login + end + test "showing a user" do login_as :quentin get :show, :id => User.find_by_login("aaron").id -- cgit v1.3
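Review bot: `verify_status` now admits the record owner to `update`, where the previous hunk still calls `@user.update_attributes(params[:user])` with the whole submitted hash; unless the User model restricts assignable attributes (not visible here), a non-admin editing their own record could also submit `admin`, the attribute this very filter trusts, so the controller should strip it for non-admins or the model must whitelist fields — please confirm which applies. The same filter is declared with `:except => [:index, :show]`, so owners can also reach `destroy` and delete their own account, which the commit message does not mention; if that is unintended, keep `destroy` admin-only. The `@user ||= User.new` line deserves a comment such as `# no find_user for new/create: a fresh record has no id, so only admins pass`, since the deny-by-default behaviour is easy to break. Finally, the flash text in `deny_user_access` still says "you need to be an admin", which is no longer accurate for a mismatched owner.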
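Review bot: The new owner-update test asserts only that `login` changed, so it would not catch a regression where the same request also changes privileged columns; consider a companion test that sends `:user => {:login => "random", :admin => true}` as :quentin and asserts `user.reload.admin` is still false (assuming `admin` is a column, as `current_user.admin` in the controller suggests). The test name `"updating own user details is allowd"` has a typo (`allowed`). The test class continues outside this hunk.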