
Revision 355bce36

Added by Ohad Levy over 10 years ago

fixes #3930 - refactor the edit_self implementation.


app/controllers/users_controller.rb
class UsersController < ApplicationController
include Foreman::Controller::AutoCompleteSearch
include Foreman::Controller::UsersMixin
before_filter :find_user, :only => [:edit, :update, :destroy]
before_filter :find_resource, :only => [:edit, :update, :destroy]
skip_before_filter :require_mail, :only => [:edit, :update, :logout]
skip_before_filter :require_login, :authorize, :session_expiry, :update_activity_time, :set_taxonomy, :set_gettext_locale_db, :only => [:login, :logout, :extlogout]
skip_before_filter :authorize, :only => :extlogin
after_filter :update_activity_time, :only => :login
attr_accessor :editing_self
def index
begin
users = User.search_for(params[:search], :order => params[:order])
......
end
def create
admin = params[:user].delete :admin
@user = User.new(params[:user]){|u| u.admin = admin }
if @user.save
@user.roles << Role.find_by_name("Anonymous") unless @user.roles.map(&:name).include? "Anonymous"
process_success
else
process_error
......
end
def edit
editing_self?
if @user.user_facts.count == 0
user_fact = @user.user_facts.build :operator => "==", :andor => "or"
user_fact.fact_name_id = FactName.first.id if FactName.first
......
end
def update
# Remove keys for restricted variables when the user is editing their own account
if editing_self
for key in params[:user].keys
params[:user].delete key unless %w{password_confirmation password mail firstname lastname locale}.include? key
end
User.current.editing_self = true
end
# Only an admin can update admin attribute of another user
# this is required, as the admin field is blacklisted above
admin = params[:user].delete :admin
@user.admin = admin if User.current.admin
if @user.update_attributes(params[:user])
@user.roles << Role.find_by_name("Anonymous") unless @user.roles.map(&:name).include? "Anonymous"
hostgroup_ids = params[:user]["hostgroup_ids"].reject(&:empty?).map(&:to_i) unless params[:user]["hostgroup_ids"].empty?
update_hostgroups_owners(hostgroup_ids) unless hostgroup_ids.empty?
process_success editing_self ? { :success_redirect => hosts_path } : {}
update_sub_hostgroups_owners
process_success((editing_self? && !current_user.allowed_to?({:controller => 'users', :action => 'index'})) ? { :success_redirect => hosts_path } : {})
else
process_error
end
User.current.editing_self = false if editing_self
# Remove locale from the session when set to "Browser Locale" and editing self
session.delete(:locale) if params[:user][:locale].try(:empty?) and params[:id].to_i == User.current.id
end
def destroy
......
end
private
def authorize(ctrl = params[:controller], action = params[:action])
# Editing self is true when the user is granted access to just their own account details
if action == 'auto_complete_search' and User.current.allowed_to?({:controller => ctrl, :action => 'index'})
return true
end
self.editing_self = false
return true if User.current.allowed_to?({:controller => ctrl, :action => action})
if (action =~ /edit|update/ and params[:id].to_i == User.current.id)
return self.editing_self = true
else
deny_access and return
end
end
def find_user
@user = User.find(params[:id])
end
def update_hostgroups_owners(hostgroup_ids)
subhostgroups = Hostgroup.where(:id => hostgroup_ids).map(&:subtree).flatten.reject { |hg| hg.users.include?(@user) }
subhostgroups.each { |subhs| subhs.users << @user }
def find_resource
@user ||= User.find(params[:id])
end
def login_user(user)
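Review bot: The self-edit whitelist in `update` (the `for key in params[:user].keys` loop) is gated on the `editing_self` attribute, while `edit` and the redirect test later in `update` use `editing_self?`; if both survive on the new side, the attribute is only ever set inside `authorize`, so the two tests can disagree and the key filter — the only thing stopping a self-editing user from submitting attributes such as `hostgroup_ids` — may be skipped. This rendered page carries no side markers, so I cannot tell which of the two `process_success` calls or which hostgroup-owner path is current, but whichever remains, the filter should be driven by the same predicate as the redirect and written once: lift `%w{password_confirmation password mail firstname lastname locale}` into a frozen constant and replace the loop with `params[:user].keep_if { |k, _| SELF_EDIT_KEYS.include?(k) } if editing_self?`. The locale-session line at the end of `update` repeats the `params[:id].to_i == User.current.id` comparison from `authorize` instead of reusing that predicate. `login_user` begins on the last line of the section and its body is outside this view.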
