
Added attribute accessible to allow user editing of profile and start of home page
1 parent fad4c9d commit 412e0b8275b429e7ca005b7ebf4745d332b14935 @mikel committed May 18, 2009
@@ -13,7 +13,7 @@ def new
def create
@user = User.new
- @user.attributes = params[:user]
+ update_user(@user, params[:user])
if @user.save
flash[:notice] = "User #{@user.login} successfully created"
redirect_to users_path
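Review bot: `create` now assigns `login` and `admin` from `params[:user]` via `update_user` (the private helper this commit adds below `destroy`), which is the one code path that deliberately bypasses the new `attr_accessible` whitelist. Whether `create` is restricted to administrators is not visible in this hunk — any `before_filter` would sit above line 13 — and if it is not, a signed-in user could set `admin` on the account they create. If `create` is admin-only, a comment on the action saying so, e.g. `# Admin-only: update_user sets login/admin, which mass assignment refuses`, records why this action may take the privileged path. The `create` body continues past the hunk.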
@@ -23,15 +23,31 @@ def create
end
def edit
- @user = User.find(params[:id])
+ if current_user.admin
+ @user = User.find(params[:id])
+ else
+ @user = User.find(current_user.id)
+ end
end
def update
- @user = User.find(params[:id])
- @user.attributes = params[:user]
+ if current_user.admin
+ @user = User.find(params[:id])
+ update_user(@user, params[:user])
+ else
+ @user = User.find(current_user.id)
+ @user.attributes = params[:user]
+ end
if @user.save
- flash[:notice] = "Update Successful"
- redirect_to users_path
+ if current_user.admin
+ flash[:notice] = "Update Successful"
+ redirect_to users_path
+ else
+ flash[:notice] = "Successfully updated profile"
+ redirect_to root_path
+ end
+ else
+ render :action => :edit
end
end
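Review bot: The admin/non-admin split is written out three times across `edit` and `update` (the find at L21-L25 and L30-L36, then the flash/redirect at L40-L46), and `User.find(current_user.id)` reloads a record the session already holds; resolving the target once keeps the authorization decision in a single reviewable place. A private helper `def target_user; current_user.admin ? User.find(params[:id]) : current_user; end` (assuming `current_user` returns the User record) lets both actions begin with `@user = target_user`. Note also that a non-admin who requests another user's `:id` is silently served their own record rather than refused; if that is intended, a one-line comment on the `else` branch saying so will stop a later maintainer "fixing" it. Both actions are complete within the hunk; `current_user.admin` will raise if no login filter runs before these actions, which the hunk does not show.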
@@ -45,5 +61,13 @@ def destroy
end
redirect_to users_path
end
+
+ private
+
+ def update_user(user, params_hash)
+ user.attributes = params[:user]
+ user.login = params[:user][:login]
+ user.admin = params[:user][:admin]
+ end
end
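Review bot: `update_user` ignores its `params_hash` argument and reads `params[:user]` directly at L59-L61, so the parameter is dead and the helper cannot be exercised or reused with anything but the live request. This is also the only place that writes `login` and `admin`, the two attributes the new `attr_accessible` list keeps out of mass assignment, so it deserves a header comment stating that it is the privileged path and must only be reached from admin-only actions. Suggested body: `user.attributes = params_hash`, `user.login = params_hash[:login]`, `user.admin = params_hash[:admin]`, with `# Privileged assignment: sets login/admin, which attr_accessible excludes; callers must be admin-only` above it. `destroy` starts outside the hunk.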
@@ -4,6 +4,8 @@ class User < ActiveRecord::Base
has_many :memberships
has_many :roles, :through => :memberships
+ attr_accessible :given_name, :family_name, :email, :password, :password_confirmation
+
# Makes this user a member of the administrator group
def add_role!(role_name)
role = Role.find_by_name!(role_name.to_s)
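Review bot: The new `attr_accessible` line at L68 is the server-side guard the rest of this commit relies on, but nothing says which attributes were left out on purpose, so a future maintainer adding a field may also "fix" the apparent omission of `login` and `admin`. A comment above it such as `# login and admin are deliberately not mass-assignable; only admin-only controller code sets them explicitly` makes the intent explicit. The `User` class header and the rest of `add_role!` lie outside the hunk.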
@@ -1 +1,9 @@
-<%= flash[:notice] %>
+<%= flash[:notice] %>
+
+<h1>Welcome to Mailer</h1>
+
+<%- if current_user.admin -%>
+ <%= link_to "Edit Users", users_path %>
+<%- else -%>
+ <%= link_to "Edit Profile", edit_user_path(current_user) %>
+<%- end -%>
@@ -1,5 +1,5 @@
<%= form.label :login %><br />
-<%= form.text_field :login %><br />
+<%= form.text_field :login, :disabled => !current_user.admin %><br />
<br />
<%= form.label :email %><br />
<%= form.text_field :email %><br />
@@ -16,6 +16,7 @@
<%= form.label :family_name %><br />
<%= form.text_field :family_name %><br />
<br />
-<%= form.label :admin %><br />
-<%= form.check_box :admin %><br />
-<br />
+<%- if current_user.admin -%>
+ <%= form.label :admin %><br />
+ <%= form.check_box :admin %><br />
+<%- end -%>
@@ -0,0 +1,22 @@
+Feature: Home page
+ In order to know what to do and how to get there
+ As an user
+ I want a home page that gives me relevant links and information
+
+ Scenario: going to the home page as a user
+ Given I am logged in
+ When I go to the homepage
+ Then I should be on the homepage
+ And I should see "Welcome to Mailer"
+ And I should see "Edit Profile"
+
+ Scenario: going to the home page as an administrator
+ Given I am logged in as an admin
+ When I go to the homepage
+ Then I should be on the homepage
+ And I should see "Welcome to Mailer"
+ And I should see "Edit Users"
+
+
+
+
@@ -108,4 +108,19 @@ Feature: Managing users
And I click the delete link for "bsmith"
Then I should be on the users page
And I should see "Can not delete the last administrator"
-
+
+ Scenario: User editing their own profile
+ Given I am logged in
+ When I go to the edit user page for "bsmith"
+ Then the "login" field should be disabled
+ And I should not see "admin"
+
+ Scenario: User updating their own profile
+ Given I am logged in
+ When I go to the edit user page for "bsmith"
+ And I fill in "email" with "sammy@you.com"
+ And I fill in "given name" with "Sammy"
+ And I fill in "family name" with "Jones"
+ And I press "Update"
+ Then I should be on the homepage
+ And I should see "Successfully updated profile"
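Review bot: Neither new scenario covers the behaviour the controller change actually introduces — a non-admin who opens or submits the edit page for a user other than themselves must see and change only their own record — since both just visit the page for "bsmith" and never assert whose data the form holds. A third scenario that logs in as a non-admin, goes to the edit page for a different login, and checks that the form shows the logged-in user's own email (not the other user's) would pin that. `And I should not see "admin"` is also brittle, as the word can appear anywhere on the page (navigation, the login itself); asserting on the field label or checkbox, e.g. `And I should not see the "admin" field`, is more precise if such a step exists.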
@@ -113,3 +113,7 @@
Then /^I should be on (.+)$/ do |page_name|
URI.parse(current_url).path.should == path_to(page_name)
end
+
+Then /^the "([^\"]*)" field should be disabled$/ do |label|
+ field_labeled(label).should be_disabled
+end
@@ -99,4 +99,22 @@
end
end
+ describe "mass assignment protection" do
+ it "should not allow you to mass assign the login" do
+ user = User.new({:login => 'bob'})
+ user.login.should be_nil
+ end
+
+ it "should not allow you to mass assign the admin" do
+ user = User.new({:admin => true})
+ user.admin.should_not be_true
+ end
+
+ it "should allow you to mass assign the login" do
+ user = User.new({:given_name => 'mikel'})
+ user.given_name.should == 'mikel'
+ end
+
+ end
+
end
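Review bot: The third example's description at L168, `"should allow you to mass assign the login"`, contradicts its body, which assigns and checks `given_name`; rename it to `it "should allow you to mass assign the given_name"`. The admin example at L163-L166 would also be tighter with `user.admin.should_not == true` or an explicit `be_nil`/`be_false` matching the column default, since `should_not be_true` accepts any falsy value without saying which one is expected. The enclosing `describe User` block starts outside the hunk.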

