Do not give any password to frontend. Only keep them in rest storage. Use old password if no new one is given.

This commit is contained in:
Martin Edenhofer 2012-04-20 17:39:50 +02:00
parent bcccd22ece
commit 10c2ab62f7
3 changed files with 31 additions and 22 deletions

View file

@ -16,9 +16,6 @@ class SessionsController < ApplicationController
user = User.find_fulldata(user.id) user = User.find_fulldata(user.id)
# do not show password
user['password'] = ''
# auto population of default collections # auto population of default collections
default_collection = default_collections() default_collection = default_collections()
@ -98,7 +95,7 @@ class SessionsController < ApplicationController
@_current_user = session[:user_id] = nil @_current_user = session[:user_id] = nil
# reset session cookie (set :expire_after to '' in case remember_me is active) # reset session cookie (set :expire_after to '' in case remember_me is active)
request.env['rack.session.options'][:expire_after] = '' request.env['rack.session.options'][:expire_after] = -1.year.from_now
request.env['rack.session.options'][:renew] = true request.env['rack.session.options'][:renew] = true
render :json => { } render :json => { }

View file

@ -4,26 +4,16 @@ class UsersController < ApplicationController
# GET /users # GET /users
def index def index
@users = User.all @users = User.all
@users_all = []
@users.each {|i| @users.each {|user|
# r = i.roles.select('id, name').where(:active => true) @users_all.push user_data_full( user.id )
# i['roles'] = r
role_ids = i.role_ids
group_ids = i.group_ids
organization_id = i.organization_id
i[:role_ids] = role_ids
i[:group_ids] = group_ids
i[:organization_id] = organization_id
} }
render :json => @users_all
render :json => @users
end end
# GET /users/1 # GET /users/1
def show def show
# @user = User.find(params[:id]) @user = user_data_full( params[:id] )
@user = user_data_full(params[:id])
render :json => @user render :json => @user
end end
@ -90,6 +80,11 @@ class UsersController < ApplicationController
if params[:group_ids] if params[:group_ids]
@user.group_ids = params[:group_ids] @user.group_ids = params[:group_ids]
end end
if params[:organization_ids]
@user.organization_ids = params[:organization_ids]
end
@user = user_data_full( params[:id] )
render :json => @user, :status => :ok render :json => @user, :status => :ok
else else
render :json => @user.errors, :status => :unprocessable_entity render :json => @user.errors, :status => :unprocessable_entity

View file

@ -1,5 +1,6 @@
class User < ApplicationModel class User < ApplicationModel
before_create :check_name, :check_email, :check_image before_create :check_name, :check_email, :check_image
before_update :check_password
after_create :cache_delete after_create :cache_delete
after_update :cache_delete after_update :cache_delete
after_destroy :cache_delete after_destroy :cache_delete
@ -15,8 +16,8 @@ class User < ApplicationModel
def self.authenticate( username, password ) def self.authenticate( username, password )
# do not authenticate with nothing # do not authenticate with nothing
return if !username return if !username || username == ''
return if !password return if !password || password == ''
# try to find user based on login # try to find user based on login
user = User.where( :login => username, :active => true ).first user = User.where( :login => username, :active => true ).first
@ -68,6 +69,9 @@ class User < ApplicationModel
user = User.find(user_id) user = User.find(user_id)
data = user.attributes data = user.attributes
# do not show password
user['password'] = ''
# get linked accounts # get linked accounts
data['accounts'] = {} data['accounts'] = {}
authorizations = user.authorizations() || [] authorizations = user.authorizations() || []
@ -84,12 +88,14 @@ class User < ApplicationModel
roles.push role roles.push role
} }
data['roles'] = roles data['roles'] = roles
data['role_ids'] = user.role_ids
groups = [] groups = []
user.groups.select('id, name').where( :active => true ).each { |group| user.groups.select('id, name').where( :active => true ).each { |group|
groups.push group groups.push group
} }
data['groups'] = groups data['groups'] = groups
data['group_ids'] = user.group_ids
organization = user.organization organization = user.organization
data['organization'] = organization data['organization'] = organization
@ -99,6 +105,7 @@ class User < ApplicationModel
organizations.push organization organizations.push organization
} }
data['organizations'] = organizations data['organizations'] = organizations
data['organization_ids'] = user.organization_ids
cache_set(user.id, data) cache_set(user.id, data)
@ -127,4 +134,14 @@ class User < ApplicationModel
end end
end end
end end
def check_password
# set old password again
if self.password == '' || !self.password
# get current record
current = User.find(self.id)
self.password = current.password
end
end
end end