Numerous fixes and mass assignment protection ongoing..

MyITCRM · May 1, 2012 · 0c787e6 · 0c787e6
1 parent bdc6f7f
commit 0c787e6
Show file tree

Hide file tree

Showing 12 changed files with 220 additions and 222 deletions.
diff --git a/app/controllers/roles_controller.rb b/app/controllers/roles_controller.rb
@@ -16,7 +16,7 @@ def index
   # GET /roles/1
   # GET /roles/1.json
   def show
-    @title = Model.name
+    #@title = Model.name
     @role = Role.find(params[:id])
 
     respond_to do |format|

diff --git a/app/controllers/service_rates_controller.rb b/app/controllers/service_rates_controller.rb
@@ -1,88 +1,89 @@
-class ServiceRatesController < ApplicationController
-  # GET /service_rates
-  # GET /service_rates.xml
-  def index
-    @title = 'Service Rates'
-    @service_rates = ServiceRate.all
-
-    respond_to do |format|
-      format.html # index.html.erb
-      format.xml  { render :xml => @service_rates }
-    end
-  end
-
-  # GET /service_rates/1
-  # GET /service_rates/1.xml
-  def show
-    @title = 'Service Rate Details'
-    @service_rate = ServiceRate.find(params[:id])
-
-    respond_to do |format|
-      format.html # show.html.erb
-      format.xml  { render :xml => @service_rate }
-    end
-  end
-
-  # GET /service_rates/new
-  # GET /service_rates/new.xml
-  def new
-    @title = 'Creating New Service Rate'
-    @service_rate = ServiceRate.new
-
-    respond_to do |format|
-      format.html # new.html.erb
-      format.xml  { render :xml => @service_rate }
-    end
-  end
-
-  # GET /service_rates/1/edit
-  def edit
-    @title = 'Editing Service Rate'
-    @service_rate = ServiceRate.find(params[:id])
-  end
-
-  # POST /service_rates
-  # POST /service_rates.xml
-  def create
-    @title = 'Adding New Service Rate'
-    @service_rate = ServiceRate.new(params[:service_rate])
-
-    respond_to do |format|
-      if @service_rate.save
-        format.html { redirect_to(@service_rate, :notice => 'Service rate was successfully created.') }
-        format.xml  { render :xml => @service_rate, :status => :created, :location => @service_rate }
-      else
-        format.html { render :action => "new" }
-        format.xml  { render :xml => @service_rate.errors, :status => :unprocessable_entity }
-      end
-    end
-  end
-
-  # PUT /service_rates/1
-  # PUT /service_rates/1.xml
-  def update
-    @service_rate = ServiceRate.find(params[:id])
-
-    respond_to do |format|
-      if @service_rate.update_attributes(params[:service_rate])
-        format.html { redirect_to(@service_rate, :notice => 'Service rate was successfully updated.') }
-        format.xml  { head :ok }
-      else
-        format.html { render :action => "edit" }
-        format.xml  { render :xml => @service_rate.errors, :status => :unprocessable_entity }
-      end
-    end
-  end
-
-  # DELETE /service_rates/1
-  # DELETE /service_rates/1.xml
-  def destroy
-    @service_rate = ServiceRate.find(params[:id])
-    @service_rate.destroy
-
-    respond_to do |format|
-      format.html { redirect_to(service_rates_url) }
-      format.xml  { head :ok }
-    end
-  end
-end
+class ServiceRatesController < ApplicationController
+  authorize_resource
+  # GET /service_rates
+  # GET /service_rates.xml
+  def index
+    @title = 'Service Rates'
+    @service_rates = ServiceRate.all
+
+    respond_to do |format|
+      format.html # index.html.erb
+      format.xml  { render :xml => @service_rates }
+    end
+  end
+
+  # GET /service_rates/1
+  # GET /service_rates/1.xml
+  def show
+    @title = 'Service Rate Details'
+    @service_rate = ServiceRate.find(params[:id])
+
+    respond_to do |format|
+      format.html # show.html.erb
+      format.xml  { render :xml => @service_rate }
+    end
+  end
+
+  # GET /service_rates/new
+  # GET /service_rates/new.xml
+  def new
+    @title = 'Creating New Service Rate'
+    @service_rate = ServiceRate.new
+
+    respond_to do |format|
+      format.html # new.html.erb
+      format.xml  { render :xml => @service_rate }
+    end
+  end
+
+  # GET /service_rates/1/edit
+  def edit
+    @title = 'Editing Service Rate'
+    @service_rate = ServiceRate.find(params[:id])
+  end
+
+  # POST /service_rates
+  # POST /service_rates.xml
+  def create
+    @title = 'Adding New Service Rate'
+    @service_rate = ServiceRate.new(params[:service_rate])
+
+    respond_to do |format|
+      if @service_rate.save
+        format.html { redirect_to(@service_rate, :notice => 'Service rate was successfully created.') }
+        format.xml  { render :xml => @service_rate, :status => :created, :location => @service_rate }
+      else
+        format.html { render :action => "new" }
+        format.xml  { render :xml => @service_rate.errors, :status => :unprocessable_entity }
+      end
+    end
+  end
+
+  # PUT /service_rates/1
+  # PUT /service_rates/1.xml
+  def update
+    @service_rate = ServiceRate.find(params[:id])
+
+    respond_to do |format|
+      if @service_rate.update_attributes(params[:service_rate])
+        format.html { redirect_to(@service_rate, :notice => 'Service rate was successfully updated.') }
+        format.xml  { head :ok }
+      else
+        format.html { render :action => "edit" }
+        format.xml  { render :xml => @service_rate.errors, :status => :unprocessable_entity }
+      end
+    end
+  end
+
+  # DELETE /service_rates/1
+  # DELETE /service_rates/1.xml
+  def destroy
+    @service_rate = ServiceRate.find(params[:id])
+    @service_rate.destroy
+
+    respond_to do |format|
+      format.html { redirect_to(service_rates_url) }
+      format.xml  { head :ok }
+    end
+  end
+end
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
@@ -67,6 +67,8 @@ def edit
   def create
     @title = t "user.t_new_user"
     @user = User.new(params[:user])
+      @user.dynamic_attributes = [:client, :employee, :workorder_assignability, :role_id] if can? :manage, User
+
 
     respond_to do |format|
       if @user.save

diff --git a/app/controllers/work_orders_controller.rb b/app/controllers/work_orders_controller.rb
@@ -74,19 +74,16 @@ def edit
 
   def create
     @title = t "workorder.t_workorders"
-    @work_order = WorkOrder.new(params[:work_order])
+    @work_order = WorkOrder.new
     if can? :create, WorkOrder
-      #if current_user.client
-      #  @work_order.user_id = current_user.id
-      #  else
-      #  @work_order.user_id = params[:user_id] if current_user.employee
-      #end
+      @work_order.user_id = params[:user_id] if current_user.employee?
+      @work_order.user_id = current_user.id if current_user.client?
       @work_order.created_at = Time.now
       @work_order.status_id = 1 # Applies a status of "NEW" by default
-      @work_order.closed = 1 # Work Order is not "closed" by default
+      @work_order.closed = 0 # Work Order is not "closed" by default
       @work_order.created_by = current_user.username
     end
-
+    @work_order.attributes = params[:work_order]
     respond_to do |format|
       if @work_order.save
         format.html { redirect_to @work_order, notice: 'Work Order was successfully created.' }
@@ -132,10 +129,10 @@ def update
   def close
     @title = t "workorder.t_workorders"
     @work_order = WorkOrder.find(params[:id])
-    @work_order.edited_by = current_user.username
-    @work_order.closed_by = current_user.username
-    @work_order.dynamic_attributes = [:status_id, :resolution, :assigned_to_username, :closed] if can? :manage, WorkOrder
-    invoicing_enabled = true
+    #@work_order.edited_by = current_user.username
+    #@work_order.closed_by = current_user.username
+    #@work_order.dynamic_attributes = [:status_id, :resolution, :assigned_to_username, :closed] if can? :manage, WorkOrder
+    #invoicing_enabled = true
     if @work_order.assigned_to_id.blank?
       redirect_to(:back)
       flash[:alert] = "Work Order needs to be assigned to an Employee first before closing."

diff --git a/app/models/invoice.rb b/app/models/invoice.rb
@@ -1,60 +1,60 @@
-class Invoice < ActiveRecord::Base
-  has_many :service_invoice_lines, :dependent => :destroy
-  has_many :product_invoice_lines, :dependent => :destroy
-  belongs_to :user
-  belongs_to :work_order
-
-  attr_accessible :service_id, :product_id, :invoice_note, :user_id, :work_order_id,
-                  :paid, :service_invoice_lines_attributes, :product_invoice_lines_attributes,
-                  :created_by, :updated_by, :due_date
-
-  validates_uniqueness_of :work_order_id, :allow_blank => true
-
-  accepts_nested_attributes_for :service_invoice_lines, :reject_if => lambda { |a| a[:qty].blank? || a[:service_id].blank? }, :allow_destroy => true
-  accepts_nested_attributes_for :product_invoice_lines, :reject_if => lambda { |a| a[:qty].blank? || a[:product_id].blank? }, :allow_destroy => true
-  # Update Invoice Values
-  before_save :update_invoice_values
-  after_save :update_invoice_values
-  after_initialize :update_invoice_values
-
-  # Service lines SUMs
-  def srv_price_totals
-    service_invoice_lines.to_a.sum(&:total_price)
-  end
-  def srv_tax_totals
-    service_invoice_lines.to_a.sum(&:tax)
-  end
-def srv_sub_totals
-    service_invoice_lines.to_a.sum(&:sub_total)
-end
-
-# Product lines SUMs
-def prod_price_totals
-    product_invoice_lines.to_a.sum(&:total_price)
-  end
-  def prod_tax_totals
-    product_invoice_lines.to_a.sum(&:tax)
-  end
-  def prod_sub_totals
-    product_invoice_lines.to_a.sum(&:sub_total)
-  end
-
-  def inv_price_totals
-    service_invoice_lines.to_a.sum(&:total_price) + product_invoice_lines.to_a.sum(&:total_price)
-  end
-  def inv_tax_totals
-    service_invoice_lines.to_a.sum(&:tax) + product_invoice_lines.to_a.sum(&:tax)
-  end
-  def inv_sub_totals
-    service_invoice_lines.to_a.sum(&:sub_total) + product_invoice_lines.to_a.sum(&:sub_total)
-  end
-
-    # Used to update Invoice Totals on Save/Update
-    def update_invoice_values
-    self.sub_total = inv_sub_totals
-    self.tax_total = inv_tax_totals
-    self.total = inv_price_totals
-  end
-
-
-end
+class Invoice < ActiveRecord::Base
+  has_many :service_invoice_lines, :dependent => :destroy
+  has_many :product_invoice_lines, :dependent => :destroy
+  belongs_to :user
+  belongs_to :work_order
+
+  attr_accessible :service_id, :product_id, :invoice_note, :user_id, :work_order_id,
+                  :paid, :service_invoice_lines_attributes, :product_invoice_lines_attributes,
+                  :created_by, :updated_by, :due_date, :qty, :service_id, :line_comment
+
+  validates_uniqueness_of :work_order_id, :allow_blank => true
+
+  accepts_nested_attributes_for :service_invoice_lines, :reject_if => lambda { |a| a[:qty].blank? || a[:service_id].blank? }, :allow_destroy => true
+  accepts_nested_attributes_for :product_invoice_lines, :reject_if => lambda { |a| a[:qty].blank? || a[:product_id].blank? }, :allow_destroy => true
+  # Update Invoice Values
+  before_save :update_invoice_values
+  after_save :update_invoice_values
+  after_initialize :update_invoice_values
+
+  # Service lines SUMs
+  def srv_price_totals
+    service_invoice_lines.to_a.sum(&:total_price)
+  end
+  def srv_tax_totals
+    service_invoice_lines.to_a.sum(&:tax)
+  end
+def srv_sub_totals
+    service_invoice_lines.to_a.sum(&:sub_total)
+end
+
+# Product lines SUMs
+def prod_price_totals
+    product_invoice_lines.to_a.sum(&:total_price)
+  end
+  def prod_tax_totals
+    product_invoice_lines.to_a.sum(&:tax)
+  end
+  def prod_sub_totals
+    product_invoice_lines.to_a.sum(&:sub_total)
+  end
+
+  def inv_price_totals
+    service_invoice_lines.to_a.sum(&:total_price) + product_invoice_lines.to_a.sum(&:total_price)
+  end
+  def inv_tax_totals
+    service_invoice_lines.to_a.sum(&:tax) + product_invoice_lines.to_a.sum(&:tax)
+  end
+  def inv_sub_totals
+    service_invoice_lines.to_a.sum(&:sub_total) + product_invoice_lines.to_a.sum(&:sub_total)
+  end
+
+    # Used to update Invoice Totals on Save/Update
+    def update_invoice_values
+    self.sub_total = inv_sub_totals
+    self.tax_total = inv_tax_totals
+    self.total = inv_price_totals
+  end
+
+
+end