Commit 8779108b by John Doe

completed basic permission management

parent 3dff1ef3
class UserGroupsController < ApplicationController class UserGroupsController < ApplicationController
before_action :set_user_group, only: [:show, :update, :destroy] before_action :authenticate_user!
before_action :set_user_group, only: [:update, :destroy]
before_action :authentiate_group_admin, only: [:update, :destroy]
# GET /user_groups
# GET /user_groups.json # GET /user_groups.json
def index def index
@user_groups = UserGroup.all @user_groups = UserGroup.all
end end
# GET /user_groups/1
# GET /user_groups/1.json
def show
end
# POST /user_groups
# POST /user_groups.json # POST /user_groups.json
def create def create
@user_group = UserGroup.new(user_group_params) @user_group = UserGroup.new(user_group_params)
...@@ -48,6 +43,10 @@ class UserGroupsController < ApplicationController ...@@ -48,6 +43,10 @@ class UserGroupsController < ApplicationController
# Never trust parameters from the scary internet, only allow the white list through. # Never trust parameters from the scary internet, only allow the white list through.
def user_group_params def user_group_params
params.fetch(:user_group, {}) params.permit(:name, :description)
end
def authorize_group_admin
head :unauthorized unless @user_group.owner==current_user
end end
end end
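Review bot: The third `before_action` references `:authentiate_group_admin`, but the method defined at the bottom of the controller is `authorize_group_admin`, so `update`/`destroy` will raise NoMethodError (a 500) instead of running the ownership check; it should read `before_action :authorize_group_admin, only: [:update, :destroy]`. A signed-in user who is not the group owner is an authorization failure rather than an authentication one, so `head :forbidden` is the more accurate status than `:unauthorized` (which the `authenticate_user!` filter already uses for missing credentials). `params.permit(:name, :description)` also reads top-level params; if clients send a nested `user_group` hash both fields are silently dropped, and `params.require(:user_group).permit(:name, :description)` may be what was intended. The `create` action continues outside this section, so whether `owner_id` is set from `current_user` cannot be confirmed here.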
class UsersController < ApplicationController
before_action :authenticate_user!
# GET /users.json
def index
@users = User.confirmed
end
end
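Review bot: `UsersController#index` returns every confirmed user to any authenticated account; `User.json_keys` narrows the fields to id and names, so this is a directory listing rather than a leak, but the intent should be documented so the allow-list is not widened casually, e.g. `# Directory of confirmed users for the UI; only User.json_keys fields are rendered (users/index.json.jbuilder).` The routes in this commit also map `create` and `destroy` to this controller, which defines only `index`, so those routes will fail with ActionNotFound until the actions exist or the route list is narrowed.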
...@@ -15,6 +15,14 @@ class User < ActiveRecord::Base ...@@ -15,6 +15,14 @@ class User < ActiveRecord::Base
validates :email, :uniqueness => true validates :email, :uniqueness => true
validates :password, :confirmation => true validates :password, :confirmation => true
#---Scopes----
scope :confirmed, -> { where("confirmed_at IS NOT NULL") }
# ----------------------------------------
# :section: Class Methods
# ----------------------------------------
def self.json_keys #public attributes
[:id, :first_name, :last_name]
end
# ---------------------------------------- # ----------------------------------------
# :section: Permission Checkers # :section: Permission Checkers
# ---------------------------------------- # ----------------------------------------
...@@ -76,7 +84,7 @@ class User < ActiveRecord::Base ...@@ -76,7 +84,7 @@ class User < ActiveRecord::Base
def name def name
"#{self.first_name} #{self.last_name}" "#{self.first_name} #{self.last_name}"
end end
protected protected
......
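Review bot: `User.json_keys` is the allow-list of attributes the jbuilder views expose to other authenticated users, so its one-word comment should say so, e.g. `# Attributes safe to expose to other users (users/index.json.jbuilder); never add email, confirmation or token columns here.` The `confirmed` scope can avoid the raw SQL fragment with the equivalent ActiveRecord form `scope :confirmed, -> { where.not(confirmed_at: nil) }`. The surrounding `User` class starts and ends outside the visible hunks.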
...@@ -24,39 +24,11 @@ class UserGroup < ApplicationRecord ...@@ -24,39 +24,11 @@ class UserGroup < ApplicationRecord
validates :owner_id, :presence => true validates :owner_id, :presence => true
#--------------- # ----------------------------------------
#:section: Utility Methods # :section: Class Methods
#--------------- # ----------------------------------------
def self.json_keys #public attributes
# Returns a json model of the UserGroup. [:id, :name]
# ===attributes
# * +options+: hash, pass <tt>{}</tt> for no options, or <tt>{:include_members=>true}</tt>
#
# ===examples
#
# #Just the group
# user_group.as_json({}) =
# {"name" => "Lab Group",
# "description" => "Users working on NILM in the lab",
# "id" => 3}
#
# #Include the members
# user_group.as_json({:include_members=>true}) =
# {"name" => "Lab Group",
# "description" => "Users working on NILM in the lab",
# "id" => 3}
# :members => [
# {"first_name" => "John",
# "last_name" => "Ledner",
# "id" => 3,
# :confirmed => true,
# }, ... ]
# }
def as_json(options)
group = super(only: [:name, :description, :id])
if(options[:include_members])
group[:members] = self.users.as_json(:abbreviated=>true)
end
return group
end end
end end
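Review bot: `UserGroup.json_keys` omits `description` even though `user_group_params` in the controller still permits it, so clients can set a field they can never read back; either add `:description` here or drop it from the permitted params. The removed `as_json` also used to render group members via `users.as_json(:abbreviated => true)`, and nothing in this commit replaces that, so a comment on `json_keys` such as `# Public attributes only; membership is intentionally not serialized here` would record whether that is deliberate. The class header is outside the hunk.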
...@@ -2,6 +2,7 @@ json.data do ...@@ -2,6 +2,7 @@ json.data do
json.extract! @permission, *Permission.json_keys json.extract! @permission, *Permission.json_keys
json.target_name @permission.target_name json.target_name @permission.target_name
json.target_type @permission.target_type json.target_type @permission.target_type
json.removable @permission.user_id!=current_user.id
end end
json.partial! "helpers/messages", service: @service json.partial! "helpers/messages", service: @service
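Review bot: `json.removable @permission.user_id != current_user.id` is a UI hint computed in the view; it does not stop a client from calling the destroy endpoint on its own permission, so `PermissionsController#destroy` (not part of this commit) must enforce the same rule server-side. A comment above the line, `# UI hint only: destroy must re-check that a user cannot remove their own permission`, would make that dependency explicit. The enclosing `json.data` block starts before this hunk.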
json.extract! user_group, :id, :created_at, :updated_at
json.url user_group_url(user_group, format: :json)
\ No newline at end of file
json.array! @user_groups, partial: 'user_groups/user_group', as: :user_group json.array! @user_groups do |group|
\ No newline at end of file json.extract! group, *UserGroup.json_keys
end
json.partial! "user_groups/user_group", user_group: @user_group
\ No newline at end of file
json.array! @users do |user|
json.extract! user, *User.json_keys
end
...@@ -6,6 +6,7 @@ Rails.application.routes.draw do ...@@ -6,6 +6,7 @@ Rails.application.routes.draw do
resources :db_streams, only: [:update] resources :db_streams, only: [:update]
mount_devise_token_auth_for 'User', at: 'auth' mount_devise_token_auth_for 'User', at: 'auth'
resources :user_groups resources :users, only: [:index, :create, :destroy]
resources :user_groups, only: [:index, :create, :destroy]
resources :permissions, only: [:index, :create, :destroy] resources :permissions, only: [:index, :create, :destroy]
end end
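Review bot: `resources :users, only: [:index, :create, :destroy]` routes `create` and `destroy` to a `UsersController` that, in this commit, defines only `index`, so those two routes resolve to missing actions; account creation is already handled by the `mount_devise_token_auth_for 'User'` line, so `resources :users, only: [:index]` is the safer list until real actions exist. In the other direction, `user_groups` drops `:update` from its routes while the controller still registers `set_user_group` and the admin filter for `:update`, leaving dead wiring that should be removed or routed. The `draw` block starts before this hunk.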
# frozen_string_literal: true
require 'rails_helper' require 'rails_helper'
# This spec was generated by rspec-rails when you ran the scaffold generator. RSpec.describe UserGroupsController, type: :request do
# It demonstrates how one might use RSpec to specify the controller code that let(:grp1) { create(:user_group, name: 'Group1') }
# was generated by Rails when you ran the scaffold generator. let(:grp2) { create(:user_group, name: 'Group2') }
#
# It assumes that the implementation code is generated by the rails scaffold
# generator. If you are using any extension libraries to generate different
# controller code, this generated spec may or may not pass.
#
# It only uses APIs available in rails and/or rspec-rails. There are a number
# of tools you can use to make these specs even more expressive, but we're
# sticking to rails and rspec-rails APIs to keep things simple and stable.
#
# Compared to earlier versions of this generator, there is very limited use of
# stubs and message expectations in this spec. Stubs are only used when there
# is no simpler way to get a handle on the object needed for the example.
# Message expectations are only used when there is no simpler way to specify
# that an instance is receiving a specific message.
RSpec.describe UserGroupsController, type: :controller, broken: true do let(:john) { create(:user, first_name: 'Jonh') }
# This should return the minimal set of attributes required to create a valid describe 'GET index' do
# UserGroup. As you add validations to UserGroup, be sure to before { john.confirm }
# adjust the attributes here as well.
let(:valid_attributes) {
skip("Add a hash of attributes valid for your model")
}
let(:invalid_attributes) { context 'with authenticated user' do
skip("Add a hash of attributes invalid for your model") it 'returns user groups' do
} # force lazy evaluation of let to build groups
grp1; grp2;
# This should return the minimal set of values that should be in the session @auth_headers = john.create_new_auth_token
# in order to pass any filters (e.g. authentication) defined in get "/user_groups.json", headers: @auth_headers
# UserGroupsController. Be sure to keep this updated too. expect(response.header['Content-Type']).to include('application/json')
let(:valid_session) { {} } body = JSON.parse(response.body)
expect(body[0]["id"]).to eq(grp1.id)
describe "GET #index" do expect(body[1]["id"]).to eq(grp2.id)
it "assigns all user_groups as @user_groups" do
user_group = UserGroup.create! valid_attributes
get :index, params: {}, session: valid_session
expect(assigns(:user_groups)).to eq([user_group])
end
end
describe "GET #show" do
it "assigns the requested user_group as @user_group" do
user_group = UserGroup.create! valid_attributes
get :show, params: {id: user_group.to_param}, session: valid_session
expect(assigns(:user_group)).to eq(user_group)
end
end
describe "GET #new" do
it "assigns a new user_group as @user_group" do
get :new, params: {}, session: valid_session
expect(assigns(:user_group)).to be_a_new(UserGroup)
end
end
describe "GET #edit" do
it "assigns the requested user_group as @user_group" do
user_group = UserGroup.create! valid_attributes
get :edit, params: {id: user_group.to_param}, session: valid_session
expect(assigns(:user_group)).to eq(user_group)
end
end
describe "POST #create" do
context "with valid params" do
it "creates a new UserGroup" do
expect {
post :create, params: {user_group: valid_attributes}, session: valid_session
}.to change(UserGroup, :count).by(1)
end
it "assigns a newly created user_group as @user_group" do
post :create, params: {user_group: valid_attributes}, session: valid_session
expect(assigns(:user_group)).to be_a(UserGroup)
expect(assigns(:user_group)).to be_persisted
end
it "redirects to the created user_group" do
post :create, params: {user_group: valid_attributes}, session: valid_session
expect(response).to redirect_to(UserGroup.last)
end end
end end
context 'without sign-in' do
context "with invalid params" do it 'returns unauthorized' do
it "assigns a newly created but unsaved user_group as @user_group" do get "/user_groups.json"
post :create, params: {user_group: invalid_attributes}, session: valid_session expect(response.status).to eq(401)
expect(assigns(:user_group)).to be_a_new(UserGroup)
end
it "re-renders the 'new' template" do
post :create, params: {user_group: invalid_attributes}, session: valid_session
expect(response).to render_template("new")
end end
end end
end end
describe "PUT #update" do
context "with valid params" do
let(:new_attributes) {
skip("Add a hash of attributes valid for your model")
}
it "updates the requested user_group" do
user_group = UserGroup.create! valid_attributes
put :update, params: {id: user_group.to_param, user_group: new_attributes}, session: valid_session
user_group.reload
skip("Add assertions for updated state")
end
it "assigns the requested user_group as @user_group" do
user_group = UserGroup.create! valid_attributes
put :update, params: {id: user_group.to_param, user_group: valid_attributes}, session: valid_session
expect(assigns(:user_group)).to eq(user_group)
end
it "redirects to the user_group" do
user_group = UserGroup.create! valid_attributes
put :update, params: {id: user_group.to_param, user_group: valid_attributes}, session: valid_session
expect(response).to redirect_to(user_group)
end
end
context "with invalid params" do
it "assigns the user_group as @user_group" do
user_group = UserGroup.create! valid_attributes
put :update, params: {id: user_group.to_param, user_group: invalid_attributes}, session: valid_session
expect(assigns(:user_group)).to eq(user_group)
end
it "re-renders the 'edit' template" do
user_group = UserGroup.create! valid_attributes
put :update, params: {id: user_group.to_param, user_group: invalid_attributes}, session: valid_session
expect(response).to render_template("edit")
end
end
end
describe "DELETE #destroy" do
it "destroys the requested user_group" do
user_group = UserGroup.create! valid_attributes
expect {
delete :destroy, params: {id: user_group.to_param}, session: valid_session
}.to change(UserGroup, :count).by(-1)
end
it "redirects to the user_groups list" do
user_group = UserGroup.create! valid_attributes
delete :destroy, params: {id: user_group.to_param}, session: valid_session
expect(response).to redirect_to(user_groups_url)
end
end
end end
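Review bot: The new request spec checks authentication on `index` but not the ownership rule on `destroy`, which is the permission logic this commit adds; a non-owner case such as `delete "/user_groups/#{grp1.id}.json", headers: other.create_new_auth_token` expecting a non-2xx status, plus an owner case expecting `UserGroup.count` to drop by one, would also have caught the misnamed `before_action` in the controller. The `body[0]`/`body[1]` assertions assume `UserGroup.all` returns rows in creation order, which is not guaranteed without an `order`; compare `body.map { |g| g["id"] }` with `match_array([grp1.id, grp2.id])` instead.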
# frozen_string_literal: true
require 'rails_helper'
RSpec.describe UsersController, type: :request do
let(:steve) { create(:user, first_name: 'Steve')}
let(:john) { create(:user, first_name: 'Jonh') }
let(:newguy) { create(:user, first_name: 'Unconfirmed')}
describe 'GET index' do
before do
john.confirm
steve.confirm
end
context 'with authenticated user' do
it 'returns confirmed users' do
# force lazy evaluation of let to build users
newguy
@auth_headers = john.create_new_auth_token
get "/users.json", headers: @auth_headers
expect(response.header['Content-Type']).to include('application/json')
body = JSON.parse(response.body)
expect(body[0]["id"]).to eq(john.id)
expect(body[1]["id"]).to eq(steve.id)
expect(body.length).to eq(2) #does not have newguy
end
end
context 'without sign-in' do
it 'returns unauthorized' do
get "/users.json"
expect(response.status).to eq(401)
end
end
end
end
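Review bot: The `body[0]["id"]`/`body[1]["id"]` assertions rely on `User.confirmed` returning rows in insertion order, which is unspecified without an explicit `order`, so this test can become flaky; `expect(body.map { |u| u["id"] }).to match_array([john.id, steve.id])` keeps the intent without the ordering assumption. Since `User.json_keys` is the only thing keeping `email` out of this listing, adding `expect(body[0]).not_to have_key("email")` would turn that allow-list into a tested contract.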