Upgraded to Rails 3.1. as_json serialization changed to where only su…

…bresources use to_xml/serializable_hash, so there's a slight security problem where as_json objects return protected attributes. Majorly refactored toward Rails 3 conventions, got rid of the custom mass-assignment authorizer and now using ActiveModel::MassAssignmentSecurity.
commit 62798c8d8c039a8cd47b3ebd5642c3f37c671249 1 parent 677e401
Ethan Waldo authored
Showing with 319 additions and 211 deletions.
  1. +3 −0  .rvmrc
  2. +8 −8 Gemfile
  3. +74 −63 Gemfile.lock
  4. 0  {public → app/assets}/javascripts/DateTimePicker.js
  5. 0  {public → app/assets}/javascripts/admin.js
  6. 0  {public → app/assets}/javascripts/events.js
  7. 0  {public → app/assets}/javascripts/ext_overrides.js
  8. 0  {public → app/assets}/javascripts/raor.js
  9. 0  {public → app/assets}/javascripts/sencha-touch-debug.js
  10. 0  {public → app/assets}/javascripts/sencha-touch.js
  11. 0  {public → app/assets}/stylesheets/images/fade_down.png
  12. 0  {public → app/assets}/stylesheets/images/lf1m.png
  13. 0  {public → app/assets}/stylesheets/images/lfw.png
  14. 0  {public → app/assets}/stylesheets/images/status_unknown.png
  15. 0  {public → app/assets}/stylesheets/master.css
  16. 0  {public → app/assets}/stylesheets/sencha-touch.css
  17. +7 −0 app/controllers/application_controller.rb
  18. +35 −40 app/controllers/checkins_controller.rb
  19. +31 −27 app/controllers/events_controller.rb
  20. +1 −2  app/controllers/users/registrations_controller.rb
  21. +17 −27 app/controllers/users_controller.rb
  22. +5 −1 app/models/ability.rb
  23. +2 −1  app/models/checkin.rb
  24. +2 −1  app/models/event.rb
  25. +6 −1 app/models/user.rb
  26. +2 −1  app/models/user_token.rb
  27. +2 −2 app/views/users/registrations/new.html.erb
  28. +12 −7 config/application.rb
  29. +22 −0 config/database.yml.example
  30. +7 −3 config/environments/development.rb
  31. +23 −12 config/environments/production.rb
  32. +8 −1 config/environments/test.rb
  33. +5 −9 config/initializers/accessible_attributes.rb
  34. +27 −0 config/initializers/controller_resource.rb
  35. +1 −1  config/initializers/secret_token.rb
  36. +2 −2 config/initializers/serializable_overload.rb
  37. +1 −1  config/initializers/session_store.rb
  38. +14 −0 config/initializers/wrap_parameters.rb
  39. +1 −1  config/locales/en.yml
  40. +1 −0  db/schema.rb
3  .rvmrc
@@ -0,0 +1,3 @@
+rvm_gemset_create_on_use_flag=1
+rvm ruby-1.9.2@raor
+echo "Switching to" `rvm current`
16 Gemfile
@@ -1,19 +1,19 @@
source 'http://rubygems.org'
source "http://gems.github.com"
-gem 'rails', '3.0.9'
+gem 'rails', '3.1.0'
# Bundle edge Rails instead:
# gem 'rails', :git => 'git://github.com/rails/rails.git'
#gem 'sqlite3'
-gem 'pg'
-gem 'devise', '1.4.2'
-gem 'omniauth', '0.2.6'
-gem "oa-oauth", '0.2.6', :require => "omniauth/oauth"
-gem 'devise-twitter', '0.1.1'
-gem 'cancan', '1.6.5'
-gem 'will_paginate', '3.0.0'
+gem 'pg', '~>0.11.0'
+gem 'devise', '~>1.4.5'
+gem 'omniauth', '~>0.2.6'
+gem "oa-oauth", '~>0.2.6', :require => "omniauth/oauth"
+gem 'devise-twitter', '~>0.1.1'
+gem 'cancan', '~>1.6.5'
+gem 'will_paginate', '~>3.0.0'
# Use unicorn as the web server
gem 'unicorn'
137 Gemfile.lock
@@ -2,38 +2,40 @@ GEM
remote: http://rubygems.org/
remote: http://gems.github.com/
specs:
- abstract (1.0.0)
- actionmailer (3.0.9)
- actionpack (= 3.0.9)
- mail (~> 2.2.19)
- actionpack (3.0.9)
- activemodel (= 3.0.9)
- activesupport (= 3.0.9)
- builder (~> 2.1.2)
- erubis (~> 2.6.6)
- i18n (~> 0.5.0)
- rack (~> 1.2.1)
- rack-mount (~> 0.6.14)
- rack-test (~> 0.5.7)
- tzinfo (~> 0.3.23)
- activemodel (3.0.9)
- activesupport (= 3.0.9)
- builder (~> 2.1.2)
- i18n (~> 0.5.0)
- activerecord (3.0.9)
- activemodel (= 3.0.9)
- activesupport (= 3.0.9)
- arel (~> 2.0.10)
- tzinfo (~> 0.3.23)
- activeresource (3.0.9)
- activemodel (= 3.0.9)
- activesupport (= 3.0.9)
- activesupport (3.0.9)
+ actionmailer (3.1.0)
+ actionpack (= 3.1.0)
+ mail (~> 2.3.0)
+ actionpack (3.1.0)
+ activemodel (= 3.1.0)
+ activesupport (= 3.1.0)
+ builder (~> 3.0.0)
+ erubis (~> 2.7.0)
+ i18n (~> 0.6)
+ rack (~> 1.3.2)
+ rack-cache (~> 1.0.3)
+ rack-mount (~> 0.8.2)
+ rack-test (~> 0.6.1)
+ sprockets (~> 2.0.0)
+ activemodel (3.1.0)
+ activesupport (= 3.1.0)
+ bcrypt-ruby (~> 3.0.0)
+ builder (~> 3.0.0)
+ i18n (~> 0.6)
+ activerecord (3.1.0)
+ activemodel (= 3.1.0)
+ activesupport (= 3.1.0)
+ arel (~> 2.2.1)
+ tzinfo (~> 0.3.29)
+ activeresource (3.1.0)
+ activemodel (= 3.1.0)
+ activesupport (= 3.1.0)
+ activesupport (3.1.0)
+ multi_json (~> 1.0)
addressable (2.2.4)
archive-tar-minitar (0.5.2)
- arel (2.0.10)
- bcrypt-ruby (2.1.4)
- builder (2.1.2)
+ arel (2.2.1)
+ bcrypt-ruby (3.0.0)
+ builder (3.0.0)
cancan (1.6.5)
capistrano (2.8.0)
highline
@@ -42,26 +44,25 @@ GEM
net-ssh (>= 2.0.14)
net-ssh-gateway (>= 1.1.0)
columnize (0.3.4)
- devise (1.4.2)
- bcrypt-ruby (~> 2.1.2)
+ devise (1.4.5)
+ bcrypt-ruby (~> 3.0)
orm_adapter (~> 0.0.3)
warden (~> 1.0.3)
devise-twitter (0.1.1)
devise (>= 1.1.0)
warden_oauth (~> 0.1.1)
- erubis (2.6.6)
- abstract (>= 1.0.0)
+ erubis (2.7.0)
faraday (0.6.1)
addressable (~> 2.2.4)
multipart-post (~> 1.1.0)
rack (>= 1.1.0, < 2)
highline (1.6.2)
- i18n (0.5.0)
+ hike (1.2.1)
+ i18n (0.6.0)
kgio (2.6.0)
linecache19 (0.5.12)
ruby_core_source (>= 0.1.4)
- mail (2.2.19)
- activesupport (>= 2.3.6)
+ mail (2.3.0)
i18n (>= 0.4.0)
mime-types (~> 1.16)
treetop (~> 1.4.8)
@@ -74,7 +75,7 @@ GEM
net-ssh (>= 1.99.1)
net-sftp (2.0.5)
net-ssh (>= 2.0.9)
- net-ssh (2.2.0)
+ net-ssh (2.2.1)
net-ssh-gateway (1.1.0)
net-ssh (>= 1.99.1)
nokogiri (1.4.7)
@@ -119,32 +120,37 @@ GEM
pg (0.11.0)
polyglot (0.3.2)
pyu-ruby-sasl (0.0.3.3)
- rack (1.2.3)
- rack-mount (0.6.14)
+ rack (1.3.2)
+ rack-cache (1.0.3)
+ rack (>= 0.4)
+ rack-mount (0.8.3)
rack (>= 1.0.0)
rack-openid (1.3.1)
rack (>= 1.1.0)
ruby-openid (>= 2.1.8)
- rack-test (0.5.7)
+ rack-ssl (1.3.2)
+ rack
+ rack-test (0.6.1)
rack (>= 1.0)
- rails (3.0.9)
- actionmailer (= 3.0.9)
- actionpack (= 3.0.9)
- activerecord (= 3.0.9)
- activeresource (= 3.0.9)
- activesupport (= 3.0.9)
+ rails (3.1.0)
+ actionmailer (= 3.1.0)
+ actionpack (= 3.1.0)
+ activerecord (= 3.1.0)
+ activeresource (= 3.1.0)
+ activesupport (= 3.1.0)
bundler (~> 1.0)
- railties (= 3.0.9)
- railties (3.0.9)
- actionpack (= 3.0.9)
- activesupport (= 3.0.9)
+ railties (= 3.1.0)
+ railties (3.1.0)
+ actionpack (= 3.1.0)
+ activesupport (= 3.1.0)
+ rack-ssl (~> 1.3.2)
rake (>= 0.8.7)
rdoc (~> 3.4)
- thor (~> 0.14.4)
+ thor (~> 0.14.6)
raindrops (0.7.0)
rake (0.9.2)
- rdoc (3.9.1)
- rest-client (1.6.3)
+ rdoc (3.9.4)
+ rest-client (1.6.7)
mime-types (>= 1.16)
ruby-debug-base19 (0.11.25)
columnize (>= 0.3.1)
@@ -160,12 +166,17 @@ GEM
ruby_core_source (0.1.5)
archive-tar-minitar (>= 0.5.2)
rubyntlm (0.1.1)
+ sprockets (2.0.0)
+ hike (~> 1.2)
+ rack (~> 1.0)
+ tilt (!= 1.3.0, ~> 1.1)
thor (0.14.6)
+ tilt (1.3.3)
treetop (1.4.10)
polyglot
polyglot (>= 0.3.1)
tzinfo (0.3.29)
- unicorn (4.1.0)
+ unicorn (4.1.1)
kgio (~> 2.4)
rack
raindrops (~> 0.6)
@@ -180,14 +191,14 @@ PLATFORMS
ruby
DEPENDENCIES
- cancan (= 1.6.5)
+ cancan (~> 1.6.5)
capistrano
- devise (= 1.4.2)
- devise-twitter (= 0.1.1)
- oa-oauth (= 0.2.6)
- omniauth (= 0.2.6)
- pg
- rails (= 3.0.9)
+ devise (~> 1.4.5)
+ devise-twitter (~> 0.1.1)
+ oa-oauth (~> 0.2.6)
+ omniauth (~> 0.2.6)
+ pg (~> 0.11.0)
+ rails (= 3.1.0)
ruby-debug19
unicorn
- will_paginate (= 3.0.0)
+ will_paginate (~> 3.0.0)
0  public/javascripts/DateTimePicker.js → app/assets/javascripts/DateTimePicker.js
File renamed without changes
0  public/javascripts/admin.js → app/assets/javascripts/admin.js
File renamed without changes
0  public/javascripts/events.js → app/assets/javascripts/events.js
File renamed without changes
0  public/javascripts/ext_overrides.js → app/assets/javascripts/ext_overrides.js
File renamed without changes
0  public/javascripts/raor.js → app/assets/javascripts/raor.js
File renamed without changes
0  public/javascripts/sencha-touch-debug.js → app/assets/javascripts/sencha-touch-debug.js
File renamed without changes
0  public/javascripts/sencha-touch.js → app/assets/javascripts/sencha-touch.js
File renamed without changes
0  public/stylesheets/images/fade_down.png → app/assets/stylesheets/images/fade_down.png
File renamed without changes
0  public/stylesheets/images/lf1m.png → app/assets/stylesheets/images/lf1m.png
File renamed without changes
0  public/stylesheets/images/lfw.png → app/assets/stylesheets/images/lfw.png
File renamed without changes
0  public/stylesheets/images/status_unknown.png → ...ets/stylesheets/images/status_unknown.png
File renamed without changes
0  public/stylesheets/master.css → app/assets/stylesheets/master.css
File renamed without changes
0  public/stylesheets/sencha-touch.css → app/assets/stylesheets/sencha-touch.css
File renamed without changes
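--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -1,7 +1,14 @@
 class ApplicationController < ActionController::Base
 include BrowserDetect
+ before_filter :authenticate_user!
 protect_from_forgery
 rescue_from CanCan::AccessDenied do |exception|
 redirect_to root_url, :alert => exception.message
 end
+
+ protected
+ def as_what?
+ klass = self.class.name.sub("Controller", "").underscore.split('/').last.singularize.camelize.constantize
+ self.can?(:manage, klass) ? :admin : :default
+ end
 end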
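Review bot: `as_what?` resolves the model with `constantize` on the controller name, so any controller without a same-named model (this commit's `Users::RegistrationsController` would look for `Registration`) raises NameError — a 500 — instead of degrading to the restricted role. Make the lookup fail closed: wrap the `constantize` in `begin … rescue NameError` and return `:default` when it fails, so a mapping miss can never yield `:admin`. Note also that CanCan 1.6 answers a class-level `can?(:manage, klass)` with true whenever any rule for that class exists, including the conditional `can :manage, User, :id => user.id` this commit adds to Ability, so for UsersController the helper will most likely report `:admin` for every signed-in user; checking `current_user.is?(:admin)` directly would be simpler and unambiguous. The same decision is re-derived, with the branches swapped, in config/initializers/controller_resource.rb — keep one source of truth.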
75 app/controllers/checkins_controller.rb
@@ -1,41 +1,33 @@
class CheckinsController < ApplicationController
- load_and_authorize_resource
- before_filter :authenticate_user!
+ load_and_authorize_resource :event
+ load_and_authorize_resource :checkin, :through => :event
- def index
- @event = Event.find(params[:event_id])
- @checkins = @event.checkins.page(params[:page])
+ respond_to :html, :json
- respond_to do |format|
- format.html
+ def index
+ respond_with(@checkins) do |format|
format.json do
- render :json => {:success => true, :total => @checkins.total_entries, :checkins => @checkins.as_json(:include => {:user => {:only => :name}})}
+ render :json => {:success => true, :total => @checkins.page(params[:page]).total_entries, :checkins => @checkins.page(params[:page]).as_json(:include => {:user => {:only => :name}}, :as => as_what?)}
end
end
end
def show
- @event = Event.find(params[:event_id])
- @checkin = @event.checkins.find_by_id(params[:id]) unless @event.blank?
-
- respond_to do |format|
- format.html
+ respond_with(@checkin) do |format|
format.json do
- render :json => {:success => true, :checkin => @checkin.as_json(:include => {:user => {:only => :name}})}
+ render :json => {:success => true, :checkin => @checkin.as_json(:include => {:user => {:only => :name}}, :as => as_what?)}
end
end
end
def new
- @event = Event.find(params[:event_id])
- @checkin = Checkin.new
+ respond_with(@checkin)
end
def create
- event = Event.find(params[:event_id])
- respond_to do |format|
+ respond_with(@checkin) do |format|
format.html do
- if event && (checkin = event.checkin(current_user))
+ if @event && (checkin = @event.checkin(current_user))
flash[:notice] = "Successfully checked in to event #{event.name}"
redirect_to edit_checkin_path(checkin)
else
@@ -47,8 +39,8 @@ def create
format.json do
options = params[:checkin] || {}
options["user_id"] = current_user.id
-
- if event && event.checkins.create(options.symbolize_keys)
+
+ if @event.checkins.create(options.symbolize_keys, :as => as_what?)
render :json => {:success => true}
else
render :json => {:success => false}
@@ -58,33 +50,36 @@ def create
end
def edit
- @checkin = Checkin.find(params[:id])
+ respond_with(@checkin)
end
def update
- if params[:checkin]
- @checkin = Checkin.find(params[:id])
- if @checkin.update_attributes(params[:checkin])
- flash[:notice] = "Successfully updated checkin status for #{@checkin.event.name}"
- redirect_to event_path(@checkin.event)
- else
- flash[:error] = "Failed to update checkin status"
- redirect_to new_event_path
- end
- else
- @event = Event.find(params[:event_id])
- if @event && @event.checkin(current_user)
- flash[:notice] = "Successfully checked in to event #{@event.name}"
- redirect_to event_path(@event)
- else
- flash[:error] = "Failed to check in to event #{@event.name}"
- redirect_to new_event_path
+ respond_with(@checkin) do |format|
+ format.html do
+ if params[:checkin]
+ if @checkin.update_attributes(params[:checkin])
+ flash[:notice] = "Successfully updated checkin status for #{@checkin.event.name}"
+ redirect_to event_path(@checkin.event)
+ else
+ flash[:error] = "Failed to update checkin status"
+ redirect_to new_event_path
+ end
+ else
+ @event = Event.find(params[:event_id])
+ if @event && @event.checkin(current_user)
+ flash[:notice] = "Successfully checked in to event #{@event.name}"
+ redirect_to event_path(@event)
+ else
+ flash[:error] = "Failed to check in to event #{@event.name}"
+ redirect_to new_event_path
+ end
+ end
end
end
end
def destroy
- @event = Event.find(params[:id])
@event.checkout(current_user) unless @event.blank?
+ respond_with(@checkin)
end
end
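Review bot: The HTML success path of `create` still interpolates the local `event` that this hunk renamed to `@event` (`flash[:notice] = "Successfully checked in to event #{event.name}"`), so a successful check-in now raises NameError; change it to `#{@event.name}`. `update` is also inconsistent with `create`: `@checkin.update_attributes(params[:checkin])` omits the `:as => as_what?` role, so an admin edit silently goes through the `:default` whitelist — use `@checkin.update_attributes(params[:checkin], :as => as_what?)`. In `destroy`, CanCan loads and authorizes `@checkin`, but the action then calls `@event.checkout(current_user)`, which as far as the hunk shows acts on the current user's check-in regardless of which `:id` was authorized; either destroy `@checkin` itself or drop the unused resource load.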
58 app/controllers/events_controller.rb
@@ -1,24 +1,25 @@
class EventsController < ApplicationController
- load_and_authorize_resource :except => [:index, :current]
- before_filter :authenticate_user!
+ load_resource :event, :except => [:current]
+ authorize_resource :event, :except => [:index, :current]
+
+ respond_to :html, :json
def index
# Must manually authorize due to setting current_user on events
if can?(:read, Event) && can?(:read, User)
- respond_to do |format|
+ respond_with(@events) do |format|
format.html do
if browser_is?("webkit")
render :nothing => true, :layout => true
else
- @events = Event.all
render :index
end
end
format.json do
- events = Event.page(params[:page])
+ events = @events.page(params[:page])
events.map{|event| event.current_user = current_user}
- render :json => {:success => true, :total => events.total_entries, :events => events.as_json(:include => {:creator => {:only => "name"}}, :methods => :is_checked_in?)}
+ render :json => {:success => true, :total => events.total_entries, :events => events.as_json(:include => {:creator => {:only => "name"}}, :methods => :is_checked_in?, :as => as_what?)}
end
end
end
@@ -40,16 +41,14 @@ def current
format.json do
events = Event.page(params[:page])
events.map{|event| event.current_user = current_user}
- render :json => {:success => true, :total => events.total_entries, :events => events.as_json(:include => {:creator => {:only => "name"}}, :methods => :is_checked_in?)}
+ render :json => {:success => true, :total => events.total_entries, :events => events.as_json(:include => {:creator => {:only => "name"}}, :methods => :is_checked_in?, :as => as_what?)}
end
end
end
end
def show
- @event = Event.find(params[:id])
-
- respond_to do |format|
+ respond_with(@event) do |format|
format.html do
if browser_is?("webkit")
redirect_to events_path(:current_event => @event)
@@ -57,20 +56,25 @@ def show
render :index
end
end
+
+ format.json do
+ @event.current_user = current_user
+ render :json => {:success => true, :events => @event.as_json(:include => {:creator => {:only => "name"}}, :methods => :is_checked_in?, :as => as_what?)}
+ end
end
end
def new
- @event = Event.new
+ respond_with(@event)
end
def create
params[:event][:creator_id] = current_user.id
- @event = Event.create(params[:event])
+ @event.assign_attributes(params[:event], :as => as_what?)
- respond_to do |format|
+ respond_with(@event) do |format|
format.html do
- if @event
+ if @event.save
flash[:notice] = "Successfully created event #{@event.name}"
redirect_to event_path(@event)
else
@@ -80,7 +84,7 @@ def create
end
format.json do
- if @event
+ if @event.save
render :json => {:success => true}
else
render :json => {:success => false}
@@ -90,25 +94,25 @@ def create
end
def edit
- @event = Event.find(params[:id])
+ respond_with(@event)
end
def update
- @event = Event.find(params[:id])
- if params[:event].blank?
- flash[:error] = "Error while trying to update event"
- redirect_to events_path
- elsif @event.update_attributes(params[:event])
- flash[:notice] = "Successfully updated event #{@event.name}"
- redirect_to event_path(@event)
- else
- flash[:error] = "Failed to update event #{@event.name}"
- redirect_to edit_event_path(@event)
+ respond_with(@event) do |format|
+ format.html do
+ if @event.update_attributes(params[:event])
+ flash[:notice] = "Successfully updated event #{@event.name}"
+ redirect_to event_path(@event)
+ else
+ flash[:error] = "Failed to update event #{@event.name}"
+ redirect_to edit_event_path(@event)
+ end
+ end
end
end
def destroy
- @event = Event.find(params[:id])
@event.destroy unless @event.blank?
+ respond_with(@event)
end
end
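Review bot: `update` passes `params[:event]` to `update_attributes` without the `:as => as_what?` role that `create` now uses, so an admin edit runs through the `:default` whitelist and silently drops `creator_id` and the other admin-only attributes; pass the role there too. The commit also removed the `params[:event].blank?` guard, so a form or JSON body without an `event` key now reaches `update_attributes(nil)`, which the `assign_attributes` override in config/initializers/accessible_attributes.rb does not tolerate — keep a guard: `if params[:event].present? && @event.update_attributes(params[:event], :as => as_what?)`. Minor: the new JSON branch of `show` returns a single record under the key `:events`, unlike `:checkin` in CheckinsController#show; `:event` would keep the API consistent.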
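--- a/app/controllers/users/registrations_controller.rb
+++ b/app/controllers/users/registrations_controller.rb
@@ -7,8 +7,7 @@ def new
 def create
 super
- user = User.find_by_email(params["user"]["email"])
- UserToken.create(:user => user, :uid => params["uid"], :provider => params["provider"])
+ User.find_by_email(params[:user][:email]) || User.create(params[:user])
 end
 def update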
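Review bot: `User.find_by_email(params[:user][:email]) || User.create(params[:user])` runs after `super` has already built and saved the Devise resource, so the `create` branch is only reached when Devise rejected the sign-up (a validation failure) — and it then persists the same raw params anyway, bypassing the failure Devise just reported. Now that the token arrives as `user[user_tokens_attributes]` and is created through `accepts_nested_attributes_for`, the line is redundant: delete it, or if a fallback is genuinely needed, guard it with `resource.persisted?` and pass an explicit role. `params[:user][:email]` also raises NoMethodError when no `user` key is posted (no `Hash#dig` on the ruby-1.9.2 pinned in .rvmrc), so check `params[:user]` first.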
44 app/controllers/users_controller.rb
@@ -1,47 +1,39 @@
class UsersController < ApplicationController
- load_and_authorize_resource
- before_filter :authenticate_user!
+ load_and_authorize_resource :user
- def index
- users = User.page(params[:page])
- users.each do |user|
- user.accessible = [:id,:email,:reset_password_sent_at,:remember_created_at,:sign_in_count,:current_sign_in_at,:last_sign_in_at,:current_sign_in_ip,:last_sign_in_ip,:name,:created_at,:updated_at]
- end if can? :manage, User
+ respond_to :html, :json
- respond_to do |format|
+ def index
+ respond_with(@users) do |format|
format.html
format.json do
- render :json => {:success => true, :total => users.total_entries, :users => users.as_json(:except => [:encrypted_password, :reset_password_token], :methods => :roles)}
+ render :json => {:success => true, :total => @users.page(params[:page]).total_entries, :users => @users.page(params[:page]).as_json(:except => [:encrypted_password, :reset_password_token], :methods => :roles, :as => as_what?)}
end
end
end
def show
- @users = User.find(params[:id])
-
- respond_to do |format|
+ respond_with(@user) do |format|
format.html
format.json do
- render :json => {:success => true, :users => users.as_json(:except => [:encrypted_password, :reset_password_token], :methods => :roles)}
+ render :json => {:success => true, :users => @user.as_json(:except => [:encrypted_password, :reset_password_token], :methods => :roles, :as => as_what?)}
end
end
end
def new
- @user = User.new
+ respond_with(@user)
end
def create
if params[:users] && params[:users][0]
- @user = User.new(params[:users][0])
+ @user.assign_attributes(params[:users][0])
@user.roles = params[:users][0]['roles']
- @user.accessible = [:id,:email,:reset_password_sent_at,:remember_created_at,:sign_in_count,:current_sign_in_at,:last_sign_in_at,:current_sign_in_ip,:last_sign_in_ip,:name,:created_at,:updated_at] if can? :manage, User
- @user.save
end
- respond_to do |format|
+ respond_with(@user) do |format|
format.html do
if @user.save
flash[:notice] = "Successfully created user #{@user.name}"
@@ -54,7 +46,7 @@ def create
format.json do
if @user.save
- render :json => {:success => true, :users => [@user].as_json(:except => [:encrypted_password, :reset_password_token]), :methods => :roles}
+ render :json => {:success => true, :users => [@user].as_json(:except => [:encrypted_password, :reset_password_token], :as => as_what?), :methods => :roles}
else
render :json => {:success => false}
end
@@ -63,21 +55,18 @@ def create
end
def edit
- @user = User.find(params[:id])
+ responds_with(@user)
end
def update
params[:users][0]["password"] = nil if params[:users] && params[:users][0] && params[:users][0]["password"].blank?
- @user = User.find(params[:id])
- @user.roles = params[:users][0]['roles']
- @user.accessible = [:id,:email,:reset_password_sent_at,:remember_created_at,:sign_in_count,:current_sign_in_at,:last_sign_in_at,:current_sign_in_ip,:last_sign_in_ip,:name,:created_at,:updated_at] if can? :manage, User
- respond_to do |format|
+ respond_with(@user) do |format|
format.html do
if params[:user].blank?
flash[:error] = "Error while trying to update user"
redirect_to users_path
- elsif @user.update_attributes(params[:user]) && @user.save
+ elsif @user.update_attributes(params[:user])
flash[:notice] = "Successfully updated user #{@user.name}"
redirect_to user_path(@user)
else
@@ -93,7 +82,7 @@ def update
elsif @user.update_attributes(params[:users][0]) && @user.save
flash[:notice] = "Successfully updated user #{@user.name}"
- render :json => {:success => true, :users => [@user].as_json(:except => [:encrypted_password, :reset_password_token], :methods => :roles)}
+ render :json => {:success => true, :users => [@user].as_json(:except => [:encrypted_password, :reset_password_token], :methods => :roles, :as => as_what?)}
else
flash[:error] = "Failed to update user #{@user.name}"
render :json => {:success => false}
@@ -103,7 +92,8 @@ def update
end
def destroy
- @user = User.find(params[:id])
@user.destroy unless @user.blank?
+
+ respond_with(@user)
end
end
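Review bot: `responds_with(@user)` in `edit` is a typo for `respond_with` and will raise NoMethodError on every edit request. Separately, `create` assigns `params[:users][0]` without a role and then sets `@user.roles = params[:users][0]['roles']` outside mass assignment entirely, while `update` calls `update_attributes(params[:users][0])` with no role either; with `:roles` still in User's `:default` whitelist and `can :manage, User, :id => user.id` in Ability, a non-admin editing their own record can very likely change their own roles — pass `:as => as_what?` on both paths and only copy `roles` from params for an actual admin. `as_what?` here keys on `can?(:manage, User)`, which CanCan 1.6 answers true at class level for any user holding that conditional rule, so the `:admin` serialization (sign-in IPs, timestamps) is probably applied to every signed-in user in index/show; verify, and use `current_user.is?(:admin)` instead.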
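--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -6,7 +6,11 @@ def initialize(user)
 if user.is? :admin
 can :manage, :all
 else
- can :read, :all
+ can :read, [Checkin, Event]
+ can :manage, User, :id => user.id
+ can :create, Checkin
+ can :update, Checkin, :user_id => user.id
+ can :destroy, Checkin, :user_id => user.id
 end
 # Define abilities for the passed in user here. For example:
 #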
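Review bot: `can :manage, User, :id => user.id` hands an ordinary user every action on their own record — `:destroy` today and any action added later — where the controllers only need read and update; prefer the explicit `can [:read, :update], User, :id => user.id`. Because CanCan resolves a class-level check such as `can?(:manage, User)` to true when a conditional rule exists, this line also changes what `as_what?` in ApplicationController and the `resource_base` patch in controller_resource.rb report for non-admins — worth a test asserting what a non-admin's `can?(:manage, User)` returns, since both helpers key on it. `can :create, Checkin` is unconditional, which is safe only while CheckinsController keeps forcing `user_id` to `current_user.id`; record that dependency next to the rule: `# user_id is set by the controller, never taken from params`.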
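--- a/app/models/checkin.rb
+++ b/app/models/checkin.rb
@@ -2,5 +2,6 @@ class Checkin < ActiveRecord::Base
 belongs_to :event
 belongs_to :user
- attr_accessible :user_id, :employment, :employ, :shoutout
+ attr_accessible :user_id, :employment, :employ, :shoutout, :event_id, :as => :default
+ attr_accessible :user_id, :employment, :employ, :shoutout, :event_id, :created_at, :updated_at, :as => :admin
 end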
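Review bot: `:user_id` and `:event_id` are in the `:default` whitelist, so the owner of a checkin — whom Ability authorizes purely on `user_id` — can re-point the record at another user or event through `update_attributes(params[:checkin])` in CheckinsController#update. Keep both out of the `:default` role and let the controller set them from the association and `current_user` (`checkin = @event.checkins.build(attrs); checkin.user = current_user`) instead of reading them from params. `:created_at`/`:updated_at` in the `:admin` role are maintained by ActiveRecord timestamps and rarely need to be client-writable either.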
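--- a/app/models/event.rb
+++ b/app/models/event.rb
@@ -4,7 +4,8 @@ class Event < ActiveRecord::Base
 belongs_to :creator, :class_name => "User"
 attr_accessor :current_user
- attr_accessible :name, :description, :start_date, :end_date
+ attr_accessible :name, :description, :start_date, :end_date, :as => :default
+ attr_accessible :id, :name, :description, :start_date, :end_date, :creator_id, :created_at, :updated_at, :as => :admin
 scope :current, :conditions => "events.end_date >= (SELECT date('now'))", :order => "events.end_date ASC"
 def is_checked_in? user=nil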
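Review bot: `:id` in the `:admin` whitelist lets an edit form mass-assign the primary key of a persisted event, so an `update` would be saved under a different id (missing or clobbering another row) — drop `:id`; `:created_at`/`:updated_at` are set by ActiveRecord and do not need to be writable either. `creator_id` is forced from `current_user` in EventsController#create before mass assignment, so it only belongs in the `:admin` list if admins are meant to reassign ownership on edit; otherwise set it via `@event.creator = current_user` and keep it out of both roles. A one-line comment above the two `attr_accessible` lines saying which controller role maps to which list (`# :admin == can?(:manage, Event) in ApplicationController#as_what?`) would help the next reader.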
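--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -3,12 +3,17 @@ class User < ActiveRecord::Base
 devise :database_authenticatable, :registerable,
 :recoverable, :rememberable, :trackable, :validatable, :omniauthable
- attr_accessible :name, :email, :password, :password_confirmation, :api_key, :name, :remember_me, :roles
+ attr_accessible :name, :email, :password, :password_confirmation, :api_key, :name, :remember_me, :roles, :user, :uid, :provider,
+ :user_tokens_attributes, :as => :default
+ attr_accessible :id, :email, :reset_password_sent_at, :remember_created_at, :sign_in_count, :current_sign_in_at, :last_sign_in_at,
+ :current_sign_in_ip,:last_sign_in_ip,:name,:created_at,:updated_at, :user_tokens_attributes, :as => :admin
 has_many :user_tokens
 has_many :checkins
 has_many :events, :through => :checkins
+ accepts_nested_attributes_for :user_tokens
+
 def self.find_for_twitter_oauth(omniauth, signed_in_resource=nil)
 authentication = UserToken.find_by_provider_and_uid(omniauth['provider'], omniauth['uid'])
 if authentication && authentication.user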
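Review bot: `:roles` (and `:api_key`) remain in the `:default` whitelist, and Devise's registration flow builds the user from `params[:user]` under that role, so a sign-up POST carrying `user[roles][]=admin` would be accepted — and Ability grants `:manage, :all` on `user.is? :admin`. Move `:roles` and `:api_key` to a role that only admin code paths use; note that the `:admin` list here lacks `:roles`, `:password` and `:password_confirmation`, so admin-driven user creation through mass assignment cannot set them either. `:user`, `:uid` and `:provider` are not User attributes as far as this diff shows and look like leftovers from the old token flow, and `:id` in the `:admin` list allows overwriting the primary key on update; a whitelist should contain only what a form legitimately edits.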
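--- a/app/models/user_token.rb
+++ b/app/models/user_token.rb
@@ -1,5 +1,6 @@
 class UserToken < ActiveRecord::Base
 belongs_to :user
- attr_accessible :user, :user_id, :provider, :uid
+ attr_accessible :user, :user_id, :provider, :uid, :as => :default
+ attr_accessible :user, :user_id, :provider, :uid, :created_at, :updated_at, :as => :admin
 end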
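Review bot: `:user` and `:user_id` are writable in the `:default` role, and this model is now built through `accepts_nested_attributes_for :user_tokens` from the sign-up form, so the nested params can attach the token to an arbitrary `user_id` instead of the registering user. The parent association already sets `user_id`; drop `:user` and `:user_id` from the `:default` list (`attr_accessible :provider, :uid, :as => :default`). Whether `provider`/`uid` should come from a form at all is a question for the registration view, since together they identify an external login.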
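--- a/app/views/users/registrations/new.html.erb
+++ b/app/views/users/registrations/new.html.erb
@@ -16,8 +16,8 @@
 <%= f.password_field :password_confirmation %></p>
 <p><%= f.submit "Sign up" %></p>
- <%= hidden_field_tag "provider", @provider %>
- <%= hidden_field_tag "uid", @uid %>
+ <%= hidden_field_tag "user[user_tokens_attributes][0][provider]", @provider %>
+ <%= hidden_field_tag "user[user_tokens_attributes][0][uid]", @uid %>
 <% end %>
 <%= render :partial => "devise/shared/links" %>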
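Review bot: `provider` and `uid` are now posted as hidden fields under `user[user_tokens_attributes][0]` and flow straight into mass assignment via `accepts_nested_attributes_for`; nothing server-side in this diff ties them back to the OmniAuth result that populated `@provider`/`@uid`, so a registrant can submit any provider/uid pair, and `User.find_for_twitter_oauth` (which looks tokens up by provider and uid) would then route that external login to their account. Take the provider/uid from the OmniAuth hash kept in the session when building the token in the registrations controller rather than from the form; the hidden fields then become unnecessary. Where a hidden field must carry data the server later trusts, it should be signed or re-verified, never accepted as-is.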
19 config/application.rb
@@ -2,9 +2,12 @@
require 'rails/all'
-# If you have a Gemfile, require the gems listed there, including any gems
-# you've limited to :test, :development, or :production.
-Bundler.require(:default, Rails.env) if defined?(Bundler)
+if defined?(Bundler)
+ # If you precompile assets before deploying to production, use this line
+ Bundler.require *Rails.groups(:assets => %w(development test))
+ # If you want your assets lazily compiled in production, use this line
+ # Bundler.require(:default, :assets, Rails.env)
+end
module Raor
class Application < Rails::Application
@@ -30,15 +33,18 @@ class Application < Rails::Application
# config.i18n.load_path += Dir[Rails.root.join('my', 'locales', '*.{rb,yml}').to_s]
# config.i18n.default_locale = :de
- # JavaScript files you want as :defaults (application.js is always included).
- # config.action_view.javascript_expansions[:defaults] = %w(jquery rails)
-
# Configure the default encoding used in templates for Ruby 1.9.
config.encoding = "utf-8"
# Configure sensitive parameters which will be filtered from the log file.
config.filter_parameters += [:password]
+ # Enable the asset pipeline
+ config.assets.enabled = true
+
+ # Version of your assets, change this if you want to expire all your assets
+ config.assets.version = '1.0'
+
config.to_prepare do
Devise::SessionsController.layout "devise"
Devise::RegistrationsController.layout proc{ |controller| user_signed_in? ? "application" : "devise" }
@@ -46,6 +52,5 @@ class Application < Rails::Application
Devise::UnlocksController.layout "devise"
Devise::PasswordsController.layout "devise"
end
- ActiveRecord::Base.include_root_in_json = false
end
end
22 config/database.yml.example
@@ -0,0 +1,22 @@
+# SQLite version 3.x
+# gem install sqlite3
+development:
+ adapter: sqlite3
+ database: db/development.sqlite3
+ pool: 5
+ timeout: 5000
+
+# Warning: The database defined as "test" will be erased and
+# re-generated from your development database when you run "rake".
+# Do not set this db to the same as development or production.
+test:
+ adapter: sqlite3
+ database: db/test.sqlite3
+ pool: 5
+ timeout: 5000
+
+production:
+ adapter: sqlite3
+ database: db/production.sqlite3
+ pool: 5
+ timeout: 5000
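Review bot: The example ships three sqlite3 stanzas while the Gemfile bundles `pg` and comments out `sqlite3`, so a copy of this file will not boot the app as bundled; give the example a `postgresql` adapter block (host, database, username, password placeholders) matching what `pg` expects, and keep real credentials out of the committed copy as the `.example` suffix intends. A comment at the top noting that the real `config/database.yml` must stay out of version control would make that expectation explicit.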
10 config/environments/development.rb
@@ -3,7 +3,7 @@
# In the development environment your application's code is reloaded on
# every request. This slows down response time but is perfect for development
- # since you don't have to restart the webserver when you make code changes.
+ # since you don't have to restart the web server when you make code changes.
config.cache_classes = false
# Log error messages when you accidentally call methods on nil.
@@ -11,7 +11,6 @@
# Show full error reports and disable caching
config.consider_all_requests_local = true
- config.action_view.debug_rjs = true
config.action_controller.perform_caching = false
# Don't care if the mailer can't send
@@ -24,5 +23,10 @@
config.action_dispatch.best_standards_support = :builtin
config.action_mailer.default_url_options = { :host => 'localhost:3000' }
-end
+ # Do not compress assets
+ config.assets.compress = false
+
+ # Expands the lines which load the assets
+ config.assets.debug = true
+end
35 config/environments/production.rb
@@ -1,7 +1,6 @@
Raor::Application.configure do
# Settings specified here will take precedence over those in config/application.rb
- # The production environment is meant for finished, "live" apps.
# Code is not reloaded between requests
config.cache_classes = true
@@ -9,14 +8,27 @@
config.consider_all_requests_local = false
config.action_controller.perform_caching = true
- # Specifies the header that your server uses for sending files
- config.action_dispatch.x_sendfile_header = "X-Sendfile"
+ # Disable Rails's static asset server (Apache or nginx will already do this)
+ config.serve_static_assets = false
+
+ # Compress JavaScripts and CSS
+ config.assets.compress = true
+
+ # Don't fallback to assets pipeline if a precompiled asset is missed
+ config.assets.compile = false
+
+ # Generate digests for assets URLs
+ config.assets.digest = true
- # For nginx:
- # config.action_dispatch.x_sendfile_header = 'X-Accel-Redirect'
+ # Defaults to Rails.root.join("public/assets")
+ # config.assets.manifest = YOUR_PATH
- # If you have no front-end server that supports something like X-Sendfile,
- # just comment this out and Rails will serve the files
+ # Specifies the header that your server uses for sending files
+ # config.action_dispatch.x_sendfile_header = "X-Sendfile" # for apache
+ # config.action_dispatch.x_sendfile_header = 'X-Accel-Redirect' # for nginx
+
+ # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
+ # config.force_ssl = true
# See everything in the log (default is :info)
# config.log_level = :debug
@@ -27,13 +39,12 @@
# Use a different cache store in production
# config.cache_store = :mem_cache_store
- # Disable Rails's static asset server
- # In production, Apache or nginx will already do this
- config.serve_static_assets = true
-
- # Enable serving of images, stylesheets, and javascripts from an asset server
+ # Enable serving of images, stylesheets, and JavaScripts from an asset server
# config.action_controller.asset_host = "http://assets.example.com"
+ # Precompile additional assets (application.js, application.css, and all non-JS/CSS are already added)
+ # config.assets.precompile += %w( search.js )
+
# Disable delivery errors, bad email addresses will be ignored
# config.action_mailer.raise_delivery_errors = false
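Review bot: `config.force_ssl = true` is left commented out while the app authenticates through Devise over a cookie-store session, so on a plain-http deployment the `_raor_session` cookie and sign-in credentials travel in the clear; Rails 3.1 added this setting (and the rack-ssl dependency now in Gemfile.lock) for exactly that, so enable it: `config.force_ssl = true`. If TLS terminates at a proxy, make sure it forwards `X-Forwarded-Proto`, otherwise `force_ssl` redirect-loops. `config.assets.compile = false` together with `serve_static_assets = false` means a deploy without `rake assets:precompile` and a front-end server serving `public/assets` will 404 every asset — worth a line in the deploy notes.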
9 config/environments/test.rb
@@ -7,7 +7,11 @@
# and recreated between test runs. Don't rely on the data there!
config.cache_classes = true
- # Log error messages when you accidentally call methods on nil.
+ # Configure static asset server for tests with Cache-Control for performance
+ config.serve_static_assets = true
+ config.static_cache_control = "public, max-age=3600"
+
+ # Log error messages when you accidentally call methods on nil
config.whiny_nils = true
# Show full error reports and disable caching
@@ -32,4 +36,7 @@
# Print deprecation notices to the stderr
config.active_support.deprecation = :stderr
+
+ # Allow pass debug_assets=true as a query parameter to load pages with unpackaged assets
+ config.assets.allow_debugging = true
end
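--- a/config/initializers/accessible_attributes.rb
+++ b/config/initializers/accessible_attributes.rb
@@ -1,13 +1,9 @@
 class ActiveRecord::Base
- attr_accessible
- attr_accessor :accessible
+ include ActiveModel::MassAssignmentSecurity
- private
- def mass_assignment_authorizer
- if accessible == :all
- self.class.protected_attributes
- else
- super + (accessible || [])
+ def assign_attributes(values, options = {})
+ sanitize_for_mass_assignment(values, options[:as] || :default).each do |k, v|
+ send("#{k}=", v)
 end
 end
-end
+end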
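Review bot: Rails 3.1's `ActiveRecord::Base` already includes `ActiveModel::MassAssignmentSecurity` and ships an `assign_attributes(new_attributes, options = {})` that honours `:as` and `:without_protection`, returns early on `nil`, and routes multi-parameter attributes (the `start_date(1i)`-style fields a datetime form posts) through `assign_multiparameter_attributes`; this override replaces it with a bare `send("#{k}=", v)` loop and, as far as the hunk shows, loses all three — `update_attributes(nil)` will raise and date-select inputs will hit `start_date(1i)=`. Unless there is a behaviour the built-in version lacks, delete this initializer and rely on `assign_attributes(params[:x], :as => role)`; if it must stay, add `return unless values` and a comment stating why the core implementation is bypassed.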
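--- /dev/null
+++ b/config/initializers/controller_resource.rb
@@ -0,0 +1,27 @@
+module CanCan
+ class ControllerResource
+ protected
+ def find_resource
+ if @options[:singleton] && parent_resource.respond_to?(name)
+ parent_resource.send(name)
+ else
+ @options[:find_by] ? resource_base.send("find_by_#{@options[:find_by]}!", id_param, :as => @options[:as]) : resource_base.find(id_param)
+ end
+ end
+
+ def resource_base
+ @options[:as] = @controller.can?(:manage, resource_class) ? :default : :admin
+ if @options[:through]
+ if parent_resource
+ @options[:singleton] ? resource_class : parent_resource.send(@options[:through_association] || name.to_s.pluralize)
+ elsif @options[:shallow]
+ resource_class
+ else
+ raise AccessDenied.new(nil, authorization_action, resource_class) # maybe this should be a record not found error instead?
+ end
+ else
+ resource_class
+ end
+ end
+ end
+end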
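Review bot: The ternary in `resource_base` is inverted relative to `ApplicationController#as_what?`: a user who `can?(:manage, resource_class)` gets `:default` and one who cannot gets `:admin`, so whatever consumes `@options[:as]` hands the elevated role to the less-privileged caller. It should read `@options[:as] = @controller.can?(:manage, resource_class) ? :admin : :default` — or better, delegate to the controller helper so the two cannot drift. Setting an option as a side effect of a lookup method is fragile, and the `:as` passed to the dynamic `find_by_*!` finder is not a mass-assignment call, so it has no effect there; the patch appears to matter only for CanCan's `build_resource`, which is worth confirming against the pinned cancan 1.6.5 source since overriding these protected internals will break silently on upgrade.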
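--- a/config/initializers/secret_token.rb
+++ b/config/initializers/secret_token.rb
@@ -4,4 +4,4 @@
 # If you change this key, all old signed cookies will become invalid!
 # Make sure the secret is at least 30 characters and all random,
 # no regular words or you'll be exposed to dictionary attacks.
-Raor::Application.config.secret_token = '9d10e2211757fc820c106b4dd7f8118246c93e8d1be41042d8dbf37e21c49b51b766831e0067f0a6e9672f108cf8b215a0e87b70447546f679b2aa600408a8af'
+Raor::Application.config.secret_token = '9e5e1915b7669d49362238def1847845fc8897aca408ff0dbfa258d059ed01399ffad2c3d3374380533c1584398c3b33bd3bdbfac9471781d12b3a9e32e0dfff'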
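Review bot: The cookie-signing secret is stored in the repository and this hunk rotates it in place, so both the old and the new value now live in git history and anyone with read access to the repo can forge a `_raor_session` cookie (and, with the cookie store, any session content it carries). Load it from the environment instead and rotate once more after the move: `Raor::Application.config.secret_token = ENV.fetch('RAOR_SECRET_TOKEN')` (`fetch` so a missing value fails at boot rather than signing with nil). Keep a checked-in file only as `secret_token.rb.example` if a template is wanted.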
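--- a/config/initializers/serializable_overload.rb
+++ b/config/initializers/serializable_overload.rb
@@ -17,7 +17,7 @@ def #{method}(options=nil)
 super(options)
 elsif self.class.blacklist_keys?
 except = Array(options[:except])
- super(options.merge(:except => except + (self.class.blacklist_keys - self.send(:mass_assignment_authorizer).to_a)))
+ super(options.merge(:except => except + (self.class.blacklist_keys - self.send(:mass_assignment_authorizer, options[:as] || :default).to_a)))
 else
 super
 end
@@ -26,4 +26,4 @@ def #{method}(options=nil)
 end
 end
 end
-end
+end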
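Review bot: The JSON/XML blacklist is now derived from the mass-assignment whitelist of the requested role (`blacklist_keys - mass_assignment_authorizer(role)`), which couples what a role may write to what it may read: any attribute added to a role's `attr_accessible` list so a form works (`:user_tokens_attributes`, the `:admin` sign-in timestamps and IPs) becomes visible in `as_json` for that role. That deserves a comment at the top of the override, e.g. `# NOTE: attributes whitelisted for a role via attr_accessible are also exposed by as_json/to_xml for that role; anything that must stay private has to be passed via :except at the call site (see UsersController).` The enclosing `def #{method}(options=nil)` starts above this hunk, so the branch that handles the plain `super(options)` case is not visible here.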
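--- a/config/initializers/session_store.rb
+++ b/config/initializers/session_store.rb
@@ -1,6 +1,6 @@
 # Be sure to restart your server when you modify this file.
-Raor::Application.config.session_store :cookie_store, :key => '_raor_session'
+Raor::Application.config.session_store :cookie_store, key: '_raor_session'
 # Use the database for sessions instead of the cookie-based default,
 # which shouldn't be used to store highly confidential information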
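--- /dev/null
+++ b/config/initializers/wrap_parameters.rb
@@ -0,0 +1,14 @@
+# Be sure to restart your server when you modify this file.
+#
+# This file contains settings for ActionController::ParamsWrapper which
+# is enabled by default.
+
+# Enable parameter wrapping for JSON. You can disable this by setting :format to an empty array.
+ActiveSupport.on_load(:action_controller) do
+ wrap_parameters format: [:json]
+end
+
+# Disable root element in JSON by default.
+ActiveSupport.on_load(:active_record) do
+ self.include_root_in_json = false
+end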
2  config/locales/en.yml
@@ -1,5 +1,5 @@
# Sample localization file for English. Add more files in this directory for other locales.
-# See http://github.com/svenfuchs/rails-i18n/tree/master/rails%2Flocale for starting points.
+# See https://github.com/svenfuchs/rails-i18n/tree/master/rails%2Flocale for starting points.
en:
hello: "Hello world"
1  db/schema.rb
@@ -1,3 +1,4 @@
+# encoding: UTF-8
# This file is auto-generated from the current state of the database. Instead
# of editing this file, please use the migrations feature of Active Record to
# incrementally modify your database, and then regenerate this schema definition.