app/controllers/users_controller.rb
class UsersController < ApplicationController
before_action :admin_login_required, :only => [:index, :show]
before_action :admin_or_self_login_required, :only => [:destroy]
skip_before_action :login_required, :only => [:new, :create]
prepend_before_action :login_optional, :only => [:new, :create]
# GET /users GET /users.xml
def index
respond_to do |format|
order_by = 'login'
if params[:order] && User.column_names.include?(params[:order])
order_by = params[:order]
end
format.html do
@page_title = t('users.manage_users_title')
@users = User.order(order_by + ' ASC').paginate :page => params[:page]
@total_users = User.count
# When we call users/signup from the admin page we store the URL so that
# we get returned here when signup is successful
store_location
end
format.xml do
@users = User.order(order_by)
render :xml => @users.to_xml(:root => :users, :except => [:password])
end
end
end
# GET /users/id GET /users/id.xml
def show
@user = User.find(params[:id])
render :xml => @user.to_xml(:root => :user, :except => [:password])
end
# GET /users/new
def new
@auth_types = []
unless session[:cas_user]
Tracks::Config.auth_schemes.each { |auth| @auth_types << [auth, auth] }
else
@auth_types << ['cas', 'cas']
end
if User.no_users_yet?
@page_title = t('users.first_user_title')
@heading = t('users.first_user_heading')
@user = get_new_user
elsif (@user && @user.is_admin?) || SITE_CONFIG['open_signups']
@page_title = t('users.new_user_title')
@heading = t('users.new_user_heading')
@user = get_new_user
else # all other situations (i.e. a non-admin is logged in, or no one is logged in, but we have some users)
@page_title = t('users.no_signups_title')
@admin_email = SITE_CONFIG['admin_email']
render :action => "nosignup", :layout => "login"
return
end
render :layout => "login"
end
# Example usage: curl -H 'Accept: application/xml' -H 'Content-Type:
# application/xml'
# -u admin:up2n0g00d
# -d '<request><login>username</login><password>abc123</password></request>'
# http://our.tracks.host/users
#
# POST /users POST /users.xml
def create
if params['exception']
render_failure "Expected post format is valid xml like so: <user><login>username</login><password>abc123</password></user>."
return
end
respond_to do |format|
format.html do
unless User.no_users_yet? || (@user && @user.is_admin?) || SITE_CONFIG['open_signups']
@page_title = t('users.no_signups_title')
@admin_email = SITE_CONFIG['admin_email']
render :action => "nosignup", :layout => "login"
return
end
unless params['approve_tos'] == 'on' || SITE_CONFIG['tos_link'].blank?
notify :error, t('users.tos_error')
redirect_to signup_path
return
end
user = User.new(user_params)
unless user.valid?
notify :error, t('users.create_error')
redirect_to signup_path
return
end
signup_by_admin = true if @user && @user.is_admin?
first_user_signing_up = User.no_users_yet?
user.is_admin = true if first_user_signing_up
if user.save
@user = User.authenticate(user.login, params['user']['password'])
@user.create_preference(:locale => I18n.locale)
@user.save
session['user_id'] = @user.id unless signup_by_admin
notify :notice, t('users.signup_successful', :username => @user.login)
redirect_back_or_home
end
return
end
format.xml do
unless current_user && current_user.is_admin
render :body => t('errors.user_unauthorized'), :status => 401
return
end
unless check_create_user_params
render_failure "Expected post format is valid xml like so: <user><login>username</login><password>abc123</password></user>.", 400
return
end
unless user_params['approve_tos'] == 'on' || SITE_CONFIG['tos_link'].blank?
render_failure "You have to accept the terms of service to sign up!"
return
end
user = User.new(user_params)
user.password_confirmation = user_params[:password]
saved = user.save
unless user.new_record?
render :body => t('users.user_created'), :status => 200
else
render_failure user.errors.full_messages.to_xml(root: "errors", skip_types: true), 409
end
return
end
end
end
# DELETE /users/id DELETE /users/id.xml
def destroy
@deleted_user = User.find(params[:id])
# Remove the user
@saved = @deleted_user.destroy
# Log out the user if they've deleted their own user and it succeeded.
if @saved && current_user == @deleted_user
logout_user
end
respond_to do |format|
format.html do
if @saved
notify :notice, t('users.successfully_deleted_user', :username => @deleted_user.login)
else
notify :error, t('users.failed_to_delete_user', :username => @deleted_user.login)
end
if current_user == @deleted_user
redirect_to login
else
redirect_to users_url
end
end
format.js do
@total_users = User.count
end
format.xml do
head :ok
end
end
end
def change_password
@page_title = t('users.change_password_title')
end
def update_password
# is used for focing password change after sha->bcrypt upgrade
current_user.change_password(user_params[:password], user_params[:password_confirmation])
notify :notice, t('users.password_updated')
redirect_to preferences_path
rescue Exception => error
notify :error, error.message
redirect_to change_password_user_path(current_user)
end
def change_auth_type
@page_title = t('users.change_auth_type_title')
end
def update_auth_type
current_user.auth_type = user_params[:auth_type]
if current_user.save
notify :notice, t('users.auth_type_updated')
redirect_to preferences_path
else
notify :warning, t('users.auth_type_update_error', :error_messages => current_user.errors.full_messages.join(', '))
redirect_to change_auth_type_user_path(current_user)
end
end
def refresh_token
current_user.generate_token
current_user.save!
notify :notice, t('users.new_token_generated')
redirect_to preferences_path
end
private
def user_params
params.require(:user).permit(:login, :first_name, :last_name, :email, :password_confirmation, :password, :auth_type, :open_id_url)
end
def get_new_user
if session['new_user']
user = session['new_user']
session['new_user'] = nil
else
user = User.new
end
user
end
def check_create_user_params
return false unless params.key?(:user)
return false unless params[:user].key?(:login)
return false if params[:user][:login].empty?
return false unless params[:user].key?(:password)
return false if params[:user][:password].empty?
return true
end
end