Do not give any password to frontend. Only keep them in rest storage. Use old password if no new one is given.
This commit is contained in:
parent
bcccd22ece
commit
10c2ab62f7
3 changed files with 31 additions and 22 deletions
|
@ -16,9 +16,6 @@ class SessionsController < ApplicationController
|
|||
|
||||
user = User.find_fulldata(user.id)
|
||||
|
||||
# do not show password
|
||||
user['password'] = ''
|
||||
|
||||
# auto population of default collections
|
||||
default_collection = default_collections()
|
||||
|
||||
|
@ -98,7 +95,7 @@ class SessionsController < ApplicationController
|
|||
@_current_user = session[:user_id] = nil
|
||||
|
||||
# reset session cookie (set :expire_after to '' in case remember_me is active)
|
||||
request.env['rack.session.options'][:expire_after] = ''
|
||||
request.env['rack.session.options'][:expire_after] = -1.year.from_now
|
||||
request.env['rack.session.options'][:renew] = true
|
||||
|
||||
render :json => { }
|
||||
|
|
|
@ -4,26 +4,16 @@ class UsersController < ApplicationController
|
|||
# GET /users
|
||||
def index
|
||||
@users = User.all
|
||||
|
||||
@users.each {|i|
|
||||
# r = i.roles.select('id, name').where(:active => true)
|
||||
# i['roles'] = r
|
||||
role_ids = i.role_ids
|
||||
group_ids = i.group_ids
|
||||
organization_id = i.organization_id
|
||||
i[:role_ids] = role_ids
|
||||
i[:group_ids] = group_ids
|
||||
i[:organization_id] = organization_id
|
||||
@users_all = []
|
||||
@users.each {|user|
|
||||
@users_all.push user_data_full( user.id )
|
||||
}
|
||||
|
||||
render :json => @users
|
||||
render :json => @users_all
|
||||
end
|
||||
|
||||
# GET /users/1
|
||||
def show
|
||||
# @user = User.find(params[:id])
|
||||
@user = user_data_full(params[:id])
|
||||
|
||||
@user = user_data_full( params[:id] )
|
||||
render :json => @user
|
||||
end
|
||||
|
||||
|
@ -90,6 +80,11 @@ class UsersController < ApplicationController
|
|||
if params[:group_ids]
|
||||
@user.group_ids = params[:group_ids]
|
||||
end
|
||||
if params[:organization_ids]
|
||||
@user.organization_ids = params[:organization_ids]
|
||||
end
|
||||
|
||||
@user = user_data_full( params[:id] )
|
||||
render :json => @user, :status => :ok
|
||||
else
|
||||
render :json => @user.errors, :status => :unprocessable_entity
|
||||
|
|
|
@ -1,5 +1,6 @@
|
|||
class User < ApplicationModel
|
||||
before_create :check_name, :check_email, :check_image
|
||||
before_update :check_password
|
||||
after_create :cache_delete
|
||||
after_update :cache_delete
|
||||
after_destroy :cache_delete
|
||||
|
@ -15,8 +16,8 @@ class User < ApplicationModel
|
|||
def self.authenticate( username, password )
|
||||
|
||||
# do not authenticate with nothing
|
||||
return if !username
|
||||
return if !password
|
||||
return if !username || username == ''
|
||||
return if !password || password == ''
|
||||
|
||||
# try to find user based on login
|
||||
user = User.where( :login => username, :active => true ).first
|
||||
|
@ -68,6 +69,9 @@ class User < ApplicationModel
|
|||
user = User.find(user_id)
|
||||
data = user.attributes
|
||||
|
||||
# do not show password
|
||||
user['password'] = ''
|
||||
|
||||
# get linked accounts
|
||||
data['accounts'] = {}
|
||||
authorizations = user.authorizations() || []
|
||||
|
@ -84,12 +88,14 @@ class User < ApplicationModel
|
|||
roles.push role
|
||||
}
|
||||
data['roles'] = roles
|
||||
data['role_ids'] = user.role_ids
|
||||
|
||||
groups = []
|
||||
user.groups.select('id, name').where( :active => true ).each { |group|
|
||||
groups.push group
|
||||
}
|
||||
data['groups'] = groups
|
||||
data['group_ids'] = user.group_ids
|
||||
|
||||
organization = user.organization
|
||||
data['organization'] = organization
|
||||
|
@ -99,6 +105,7 @@ class User < ApplicationModel
|
|||
organizations.push organization
|
||||
}
|
||||
data['organizations'] = organizations
|
||||
data['organization_ids'] = user.organization_ids
|
||||
|
||||
cache_set(user.id, data)
|
||||
|
||||
|
@ -127,4 +134,14 @@ class User < ApplicationModel
|
|||
end
|
||||
end
|
||||
end
|
||||
def check_password
|
||||
|
||||
# set old password again
|
||||
if self.password == '' || !self.password
|
||||
|
||||
# get current record
|
||||
current = User.find(self.id)
|
||||
self.password = current.password
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
Loading…
Reference in a new issue