class UsersController

File

users_controller.rb

(C)

Hipposoft 2008

Purpose

Manage User objects. See models/user.rb for more.


03-Jan-2008 (ADH): Created.

Public Instance Methods

cancel()

Cancel a sign in account edit request.

# File app/controllers/users_controller.rb, line 181
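def cancel
  id    = params[ :id ]
  @user = User.find_by_id( id ) # nil when no such record; 'find' would raise

  # Every one of these must hold before the account is removed:
  #
  #  - an ID was supplied and a user record with that ID exists. The
  #    original 'find' raised on a missing record, so the nil checks
  #    below could never fire; 'find_by_id' makes them meaningful;
  #  - somebody is signed in and the request names their own record,
  #    so nobody can cancel another person's half-finished sign-in;
  #  - the record has no name yet - a name implies a created, active
  #    account rather than a pending sign-in.
  #
  # NOTE(review): a name of '' counts as "has a name" here (truthiness)
  # but as "no name yet" in update's 'name.empty?' test - confirm which
  # is intended.
  #
  # A failed check flashes an error but still signs the user out.

  request_understood = !@user.nil?                  &&
                       !id.nil?                     &&
                       !@current_user.nil?          &&
                       id.to_i == @current_user.id  &&
                       !@user.name

  if request_understood
    @user.destroy()
    flash[ :error ] = 'Sign in cancelled.'
  else
    flash[ :error ] = "Cancellation request not understood."
  end

  redirect_to( signout_path() )
end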
create()

Create a new User account.

# File app/controllers/users_controller.rb, line 115
def create
  return appctrl_not_permitted() unless @current_user.admin?

  # A fresh user always starts with its own fresh control panel. '@record'
  # aliases the same object (presumably for the shared controller helpers
  # and views, which are not visible here).
  @user               = User.new
  @record             = @user
  @control_panel      = ControlPanel.new
  @user.control_panel = @control_panel

  update_and_save_user( 'New account created', 'new' )
end
delete()

Users should not normally be destroyed. Only administrators can do this.

# File app/controllers/users_controller.rb, line 204
def delete
  # Hand off to the shared application-controller deletion helper. The
  # admin-only restriction described for this action is not enforced in
  # this method, so it presumably lives in appctrl_delete or in a filter
  # (neither is visible in this file) - confirm.
  model_name = 'User'
  appctrl_delete model_name
end
delete_confirm()

Show an “Are you sure?” prompt.

# File app/controllers/users_controller.rb, line 210
def delete_confirm
  return appctrl_not_permitted() unless @current_user.admin?

  @record = User.find( params[ :id ] )

  # Administrator accounts are never deletable, even by another admin.
  # To remove one, grant admin to somebody else and - since you cannot
  # revoke your own admin privilege - have them change this account's
  # type first. That guarantees at least one admin always remains.
  return appctrl_not_permitted() if @record.admin?

  @record.destroy()

  flash[ :notice ] = 'User and all associated data deleted'
  redirect_to( users_path() )
end
edit()

Prepare for the ‘edit’ view, allowing a user to update their account details. Restricted users can only edit their own account.

# File app/controllers/users_controller.rb, line 127
def edit
  id = params[ :id ]

  # Restricted users may only reach their own record; anyone else may
  # edit any user. The comparison is numeric so '7' and 7 agree.
  return appctrl_not_permitted() if @current_user.restricted? && @current_user.id != id.to_i

  @user          = User.find( id )
  @control_panel = @user.control_panel
end
home()

Home page - only show if logged in.

# File app/controllers/users_controller.rb, line 34
def home
  # Anonymous visitors have no home page to see: send them to sign in
  # and stop ('and return' halts the action once the redirect is queued).
  return unless @current_user.nil?

  redirect_to( signin_path() ) and return
end
index()

List users - not allowed for restricted users

# File app/controllers/users_controller.rb, line 40
def index
  return appctrl_not_permitted() if @current_user.restricted?

  # Column descriptions for the generic index table; the index helper
  # functions in application_helper.rb consume these.
  @columns = [
    { :header_text => 'Name',           :value_method   => 'name',         :value_in_place => true                  },
    { :header_text => 'Code',           :value_method   => 'code',         :value_in_place => true                  },
    { :header_text => 'Account type',   :value_method   => 'user_type'                                              },
    { :header_text => 'E-mail address', :value_method   => 'email',        :value_helper => 'userhelp_email'        },
    { :header_text => 'Identity URL',   :value_method   => 'identity_url', :value_helper => 'userhelp_identity_url' },
  ]

  # ApplicationController supplies the pagination options plus a partially
  # compiled sort order. The order is consumed here and removed so that
  # only the remaining keys are handed on to 'paginate_by_sql'.
  #
  # NOTE(review): options[:order] is interpolated straight into the ORDER
  # BY clause, so it must never carry request-supplied text; assumes
  # appctrl_index_assist restricts it to known column names - confirm.
  options   = appctrl_index_assist( User )
  order_sql = "ORDER BY #{ options.delete( :order ) }, name ASC, code ASC"

  # Base condition. The active and inactive lists run the same statement
  # and differ only in the value bound to ':active'.
  where_clauses = [ "WHERE ( active = :active )\n" ]
  search_vars   = {}

  # Optional search: a range condition from the helper plus a substring
  # match on name, e-mail and identity URL. The search text reaches the
  # database only as the bound ':search' parameter, never spliced into
  # the statement text ('%' and '_' inside it are not escaped, so they
  # still act as LIKE wildcards).
  range_sql, range_start, range_end = appctrl_search_range_sql( User )

  unless range_sql.nil?
    where_clauses << "AND #{ range_sql } ( name ILIKE :search OR email ILIKE :search OR identity_url ILIKE :search )\n"
    search_vars = {
      :search      => "%#{ params[ :search ] }%",
      :range_start => range_start,
      :range_end   => range_end
    }
  end

  finder_sql = "SELECT * FROM users\n#{ where_clauses.join }\n#{ order_sql }"

  @active_users   = User.paginate_by_sql( [ finder_sql, search_vars.merge( :active => true  ) ], options )
  @inactive_users = User.paginate_by_sql( [ finder_sql, search_vars.merge( :active => false ) ], options )
end
new()

Never allow direct creation attempts. User creation is done via session management. The only exception is for administrators, who may (carefully!) choose to create user accounts up-front after adding an ID to the permitted list.

# File app/controllers/users_controller.rb, line 108
def new
  # Only administrators may create accounts directly; everybody else is
  # expected to arrive through the sign-in flow and is turned away here.
  return appctrl_not_permitted() unless @current_user.admin?

  @user   = User.new
  @record = @user
end
show()

Show user details.

# File app/controllers/users_controller.rb, line 98
def show
  @user = User.find( params[ :id ] )

  # Privileged users may view anybody; everyone else only their own record.
  allowed = @user && ( @current_user.privileged? || @user == @current_user )
  return appctrl_not_permitted() unless allowed
end
update()

Update a User following submission of an ‘edit’ view form. Restricted users can only edit their own account.

# File app/controllers/users_controller.rb, line 141
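def update
  id = params[ :id ]

  # Restricted users may only update their own record.
  if @current_user.restricted? && @current_user.id != id.to_i
    return appctrl_not_permitted()
  end

  @user = User.find( id )

  # NOTE(review): the notification is sent before the save below and on
  # any present value of params[:notify_user] - a "0" from a checkbox's
  # hidden companion field would still count - confirm the form omits
  # the field when unchecked.
  if @current_user.admin? && params[ :notify_user ]
    EmailNotifier.admin_update_notification( @user ).deliver()
  end

  # A record with no name yet is a freshly signed-in account being
  # completed for the first time (update_and_save_user takes the e-mail
  # from the params hash); otherwise this is an ordinary edit. A nil name
  # is treated like an empty one, so it no longer raises NoMethodError
  # on 'empty?'.
  if @user.nil? || @user.name.to_s.empty?
    # Presumably the very first account completed becomes the administrator.
    message = if User.count == 1
      'New administrator account created. You can now set up whatever ' +
      'initial customers, projects and tasks you need.'
    else
      'New account created. Before you can use the service fully, the '   +
      'administrator will have to configure some account settings. You '  +
      'will be notified by e-mail when this process is complete. Please ' +
      "direct queries to the administrator at '#{ EMAIL_ADMIN }'."
    end

    update_and_save_user( message, 'edit', true )
  else
    update_and_save_user( 'User details updated.', 'edit' )
  end
end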