merged with master

TODO_ben

@@ -0,0 +1,3 @@
+TODO
+
+test require_owner_or_dept_admin universally 

app/controllers/app_configs_controller.rb

@@ -7,7 +7,8 @@ def edit
 
   def update
     @app_config = AppConfig.first
-    if @app_config.update_attributes(params[:app_config])
+    use_ldap = params[:use_ldap] ? true : false
+    if @app_config.update_attributes(params[:app_config].merge({:use_ldap=>use_ldap}))
       flash[:notice] = "Successfully updated appconfig."
     end
     render :action => 'edit'

app/controllers/application_controller.rb

@@ -21,6 +21,7 @@ class ApplicationController < ActionController::Base
 
   $appconfig = AppConfig.first
 
+  # We should improve this page, probably on the actual template -ben
   def access_denied
     text = "Access denied"
     text += "<br>Maybe you want to <a href=\"#{login_path}\">try logging in with built-in authentication</a>?" if $appconfig.login_options.include?('built-in')
@@ -44,7 +45,7 @@ def current_user
       nil
     end)
   end
-  
+
   def current_department
     unless @current_department
       if current_user
@@ -102,12 +103,8 @@ def load_user_session
     @user_session = UserSession.find
   end
 
-  def require_admin_of(obj)
-    redirect_to(access_denied_path) unless current_user.is_admin_of?(obj)
-  end
-
-  # these are the authorization before_filters to use under controllers
-  # these all return nil
+# These are the authorization before_filters to use under controllers
+# These all return nil
   def require_department_admin
     redirect_to(access_denied_path) unless current_user.is_admin_of?(current_department)
   end
@@ -122,8 +119,18 @@ def require_superuser
       redirect_to(access_denied_path)
     end
   end
-  
+
 # These three methods all return true/false, so they can be tested to trigger return statements
+# Takes a department, location, or loc_group
+  def require_admin_of(thing)
+    unless current_user.is_admin_of?(thing)
+      flash[:error] = "You are not authorized to administer this #{thing.class.name.decamelize}"
+      redirect_to(access_denied_path) and return false
+    end
+    return true
+  end
+
+
 # Takes any object that has a user method and checks against current_user
   def require_owner(thing)
     unless current_user.is_owner_of?(thing)
@@ -132,19 +139,21 @@ def require_owner(thing)
     end
     return true
   end
-  
+
 # Takes any object that has a user method and its department
   def require_owner_or_dept_admin(thing, dept)
     unless current_user.is_owner_of?(thing) || current_user.is_admin_of?(dept)
       flash[:error] = "You are not the owner of this #{thing.class.name.decamelize}, nor are you the department administrator."
-      render :template => access_denied_path and return false
+      redirect_to access_denied_path and return false
+#      will probably use render instead of redirect_to later --Laura
+#      render :template => access_denied_path and return false
     end
     return true
   end
 
-  # Takes a department; intended to be passed some_thing.department
+# Takes a department; intended to be passed some_thing.department
   def require_department_membership(dept)
-    unless current_user.departments.include?(dept) 
+    unless current_user.departments.include?(dept)
       flash[:error] = "You are not a member of the appropriate department."
       redirect_to(access_denied_path) and return false
     end
@@ -184,7 +193,7 @@ def department_chooser
       redirect_to switch_department_path and return
     end
   end
-  
+
   #checks to see if the action should be rendered without a layout. optionally pass it another action/controller
   def layout_check(action = action_name, controller = controller_name)
      if params[:layout] == "false"
@@ -200,3 +209,4 @@ def switch_department_path
     send("#{controller_name}_path") rescue root_path
   end
 end
+

app/controllers/data_entries_controller.rb

@@ -1,5 +1,5 @@
 class DataEntriesController < ApplicationController
-  #Not yet permission-locked!!!
+  #Not yet secured
 
   before_filter :check_for_data_object
 

app/controllers/data_fields_controller.rb

@@ -1,5 +1,4 @@
 class DataFieldsController < ApplicationController
-  # Hack to provide a consistent department within the data controller
   before_filter :require_department_admin
   before_filter :check_for_data_type
 

app/controllers/data_objects_controller.rb

@@ -1,38 +1,32 @@
 class DataObjectsController < ApplicationController
-  #User admin methods will need to be rewritten in move to other codebase
-  #Not yet permission-locked!!!
-
-  # not at all sure what's going on here anymore, will ask ryan about it -ben
+
+# Needs views revised for non-ajax degradeability -ben
   def index   
-    @data_objects = get_allowed_data_objects
+    @data_objects = @department.data_objects
     @group_type_options = options_for_group_type
     @group_by_options = []
-    # if params[:view_options]
-    #   @selected_type = params[:view_options][:group_type]
-    #   if params[:view_options][:group_by]
-    #     unless (@selected_by = params[:view_options][:group_by]).blank?
-    #       @data_objects = @selected_type.classify.constantize.find(@selected_by).data_objects
-    #     end
-    #   end
-    #   @group_by_options = options_for_group_by(@selected_type)
-    # end
-    if params[:group_by]
-      @selected_type = params[:group_by]
-      if params[:group_by] == "data_types"
-        @types_objects_hash = @data_objects.group_by(&:data_type)
-      elsif params[:group_by] == "locations"
-        @types_objects_hash = @data_objects.group_by{|object| object.locations[0]}
-      elsif params[:group_by] == "loc_groups"
-        @types_objects_hash = @data_objects.group_by(&:data_type)
+    @selected_type = ["Department", "departments"]
+    if params[:group_type]
+      @group_by_options = options_for_group_by(params[:group_type])
+      if params[:group_by] && !params[:group_by].blank?
+        @data_objects &= params[:group_type].classify.constantize.find(params[:group_by]).data_objects
+        @selected_by = @group_by_options.select{|opt| opt.include? params[:group_by].to_i}.flatten
+      else 
+        @selected_by = @group_by_options.first
       end
-    else #default
-      @types_objects_hash = @data_objects.group_by &:data_type
+      @selected_type = @group_type_options.select{|a|a.include? params[:group_type]}.flatten
+    end
+    @types_objects_hash = @data_objects.group_by &:data_type
+    respond_to do |format|
+      format.html
+      format.js
     end
   end
-
+  
 # This needs its views rewritten to enable viewing a subset of all entries -ben  
   def show
     @data_object = DataObject.find(params[:id])   
+    require_department_membership(@data_object.department)
     @data_fields = @data_object.data_type.data_fields
     @data_entries = @data_object.data_entries
   end
@@ -46,6 +40,7 @@ def new
   def create
     @data_object = DataObject.new(params[:data_object])
     @data_object.data_type_id = params[:data_type_id] if params[:data_type_id]
+    check_data_object_admin_permission(@data_object)    
     if @data_object.save
       flash[:notice] = "Successfully created data object."
       redirect_to (params[:add_another] ? new_data_type_data_object_path(@data_object.data_type) : data_objects_path)
@@ -58,10 +53,12 @@ def create
   def edit
     @data_object = DataObject.find(params[:id])
     @locations_select = current_user.loc_groups_to_admin(@department).map{|lg| lg.locations}.flatten
+    check_data_object_admin_permission(@data_object)    
   end
 
   def update
     @data_object = DataObject.find(params[:id])
+    check_data_object_admin_permission(@data_object)    
     if @data_object.update_attributes(params[:data_object])
       flash[:notice] = "Successfully updated data object."
       redirect_to @data_object
@@ -72,6 +69,7 @@ def update
 
   def destroy
     @data_object = DataObject.find(params[:id])
+    check_data_object_admin_permission(@data_object)    
     @data_type = @data_object.data_type
     @data_object.destroy
     flash[:notice] = "Successfully destroyed data object."
@@ -80,37 +78,45 @@ def destroy
 
 private
 
-#   Returns all the data objects that the user is permitted to administer
-  def get_allowed_data_objects
-    return @department.data_objects if current_user.is_admin_of?(@department)
-    unless (@loc_groups = current_user.loc_groups_to_admin(@department)).empty?
-      @loc_groups.map{|lg| DataObject.by_location_group(lg)}.flatten    
-    else
-      flash[:error] = "You do not have the permissions necessary to view any
-                      data objects."
-      redirect_to access_denied_path
-    end
-  end
+# Currently not in use -ben
+# Returns all the data objects that the user is permitted to administer
+# other methods should grab these objects, and narrow them down
+#  def get_allowed_data_objects
+#    return @department.data_objects if current_user.is_admin_of?(@department)
+#    unless (@loc_groups = current_user.loc_groups_to_admin(@department)).empty?
+#      @loc_groups.map{|lg| DataObject.by_location_group(lg)}.flatten    
+#    else
+#      flash[:error] = "You do not have the permissions necessary to view any
+#                      data objects."
+#      redirect_to access_denied_path
+#    end
+#  end
 
+  #These three options should probably be refactored into helper methods -ben
   def options_for_group_type
     options = [["Location","locations"],["Location Group","loc_groups"]]
     if current_user.is_admin_of?(@department)
-      options.push(["Data type", "data_types"], ["Department", "departments"])
+      options.push(["Data type", "data_types"], ["Department", "departments"]).sort
     end
   end 
-
+
+  #These three options should probably be refactored into helper methods -ben
   def options_for_group_by(group_type)
     return [] if group_type == "departments"
     @options = @department.send(group_type)
-    if group_type == "locations" || group_type == "loc_groups" 
-      @options.delete_if{|opt| !current_user.is_admin_of?(opt)}
-    end
-    @options.map{|t| [t.name, t.id]} << []
+    @options.map{|t| [t.name, t.id]}.sort
   end
 
+  #These three options should probably be refactored into helper methods -ben
   def options_for_location_select
     current_user.loc_groups_to_admin(@department).map{|lg| lg.locations}.flatten
   end
 
+  def check_data_object_admin_permission(obj)
+    if (current_user.loc_groups_to_admin(@department).map{|lg| lg.locations}.flatten & obj.locations).empty?
+      flash[:notice] = "You do not have permission to administer this data object"
+      redirect_to access_denied_path
+    end
+  end
 
 end

app/controllers/first_run_controller.rb

@@ -9,6 +9,7 @@ def new_app_config
   def create_app_config
     AppConfig.first.destroy if AppConfig.first
     @app_config=AppConfig.new(params[:app_config])
+    @appconfig.use_ldap = params[:use_ldap] ? true : false
     if @app_config.save
       flash[:notice] = "App Settings have been configured."
       redirect_to first_department_path

app/controllers/notices_controller.rb

@@ -27,15 +27,15 @@ def edit
   end
 
   def create
+#  raise params.to_yaml
     @notice = Notice.new(params[:notice])
-    @notice.is_sticky = true unless current_user.is_admin_of?(current_department)
+    @notice.is_sticky = true
+    @notice.is_sticky = false if params[:type] == "announcement" && current_user.is_admin_of?(current_department)
     @notice.author = current_user
     @notice.department = current_department
-    @notice.start_time = Time.now if @notice.is_sticky
-    @notice.active_sticky = true if @notice.is_sticky
-    @notice.end_time = nil if params[:indefinite] || @notice.is_sticky
-    @notice.active = true
-    @notice.save
+    @notice.start_time = Time.now if params[:start_time_choice] == 'now' || @notice.is_sticky
+    @notice.end_time = nil if params[:end_time_choice] == "indefinite" || @notice.is_sticky
+    @notice.save(false)
     set_sources
     respond_to do |format|
       if @notice.save
@@ -86,14 +86,18 @@ def destroy
   protected
 
   def set_sources
-#    raise params.to_yaml
     if params[:for_users]
       params[:for_users].split(",").each do |l|
         if l == l.split("||").first #This is for if javascript is disabled
           l = l.strip
+          @notice.save(false)
           @notice.user_sources << Department.find_by_name(l)
-          @notice.user_sources << User.find_by_names(l).first
-          @notice.user_sources << User.find_by_login(l)
+          a = User.find_by_names(l).first
+          a.save
+          @notice.user_sources << a
+          b = User.find_by_login(l)
+          b.save
+          @notice.user_sources << b
         else
           l = l.split("||")
           @notice.user_sources << l[0].constantize.find(l[1]) if l.length == 2

app/controllers/reports_controller.rb

@@ -21,11 +21,12 @@ def popup
   end
 
 # Do we need this action?  -ben
-#  def new
-#    #TODO: this doesn't work, because we can't redirect with post. bah.
-#    @report = Report.new
-#    #post_via_redirect :action => 'create'
-#  end
+# uncommented for now -- it's the default redirect after creating a shift. -ryan
+ def new
+   #TODO: this doesn't work, because we can't redirect with post. bah.
+   @report = Report.new
+   #post_via_redirect :action => 'create'
+ end
 
 # Already secured by @report.user == current_user -ben
   def create

app/controllers/shifts_controller.rb

@@ -12,7 +12,7 @@ def index
     @loc_group_select = {}
     current_user.departments.each do |dept|
       @loc_group_select.store(dept.id, current_user.loc_groups(dept))
-    end    
+    end
     @selected_loc_groups = current_user.user_config.view_loc_groups.split(', ').map{|lg|LocGroup.find(lg).id}
 
     # figure out what days to display based on user preferences
@@ -115,11 +115,12 @@ def update
     end
   end
 
-# unnecessary -ben
-#  def destroy
-#    @shift = Shift.find(params[:id])
-#    @shift.destroy
-#    flash[:notice] = "Successfully destroyed shift."
-#    redirect_to shifts_url
-#  end
+#unnecessary -ben
+#yes neccessary! see: canceling a shift, etc. -ryan
+  def destroy
+    @shift = Shift.find(params[:id])
+    @shift.destroy
+    flash[:notice] = "Successfully destroyed shift."
+    redirect_to shifts_url
+  end
 end