Do not give any password to frontend. Only keep them in rest storage. Use old password if no new one is given.

app/controllers/sessions_controller.rb

@@ -16,9 +16,6 @@ class SessionsController < ApplicationController
     
     user = User.find_fulldata(user.id)
     
-    # do not show password
-    user['password'] = ''
-    
     # auto population of default collections
     default_collection = default_collections()
     
@@ -98,7 +95,7 @@ class SessionsController < ApplicationController
     @_current_user = session[:user_id] = nil
 
     # reset session cookie (set :expire_after to '' in case remember_me is active)
-    request.env['rack.session.options'][:expire_after] = ''
+    request.env['rack.session.options'][:expire_after] = -1.year.from_now
     request.env['rack.session.options'][:renew] = true
 
     render :json => { }

app/controllers/users_controller.rb

@@ -4,26 +4,16 @@ class UsersController < ApplicationController
   # GET /users
   def index
     @users = User.all
-
-    @users.each {|i|
-#      r = i.roles.select('id, name').where(:active => true)
-#      i['roles'] = r
-      role_ids            = i.role_ids
-      group_ids           = i.group_ids
-      organization_id     = i.organization_id
-      i[:role_ids]        = role_ids
-      i[:group_ids]       = group_ids
-      i[:organization_id] = organization_id
+    @users_all = []
+    @users.each {|user|
+      @users_all.push user_data_full( user.id )
     }
-
-    render :json => @users
+    render :json => @users_all
   end
 
   # GET /users/1
   def show
-#    @user = User.find(params[:id])
-    @user = user_data_full(params[:id])
-
+    @user = user_data_full( params[:id] )
     render :json => @user
   end
 
@@ -90,6 +80,11 @@ class UsersController < ApplicationController
       if params[:group_ids]
         @user.group_ids = params[:group_ids]
       end
+      if params[:organization_ids]
+        @user.organization_ids = params[:organization_ids]
+      end
+      
+      @user = user_data_full( params[:id] )
       render :json => @user, :status => :ok
     else
       render :json => @user.errors, :status => :unprocessable_entity

app/models/user.rb

@@ -1,5 +1,6 @@
 class User < ApplicationModel
   before_create           :check_name, :check_email, :check_image
+  before_update           :check_password
   after_create            :cache_delete
   after_update            :cache_delete
   after_destroy           :cache_delete
@@ -15,8 +16,8 @@ class User < ApplicationModel
   def self.authenticate( username, password )
     
     # do not authenticate with nothing
-    return if !username
-    return if !password
+    return if !username || username == ''
+    return if !password || password == '' 
     
     # try to find user based on login
     user = User.where( :login => username, :active => true ).first
@@ -68,6 +69,9 @@ class User < ApplicationModel
     user = User.find(user_id)
     data = user.attributes
 
+    # do not show password
+    user['password'] = ''
+
     # get linked accounts
     data['accounts'] = {}
     authorizations = user.authorizations() || []
@@ -84,13 +88,15 @@ class User < ApplicationModel
       roles.push role
     }
     data['roles'] = roles
+    data['role_ids'] = user.role_ids
 
     groups = []
     user.groups.select('id, name').where( :active => true ).each { |group|
       groups.push group
     }
     data['groups'] = groups
-    
+    data['group_ids'] = user.group_ids
+
     organization = user.organization
     data['organization'] = organization
 
@@ -99,6 +105,7 @@ class User < ApplicationModel
       organizations.push organization
     }
     data['organizations'] = organizations
+    data['organization_ids'] = user.organization_ids
 
     cache_set(user.id, data)
 
@@ -127,4 +134,14 @@ class User < ApplicationModel
         end
       end
     end
+    def check_password
+      
+      # set old password again
+      if self.password == '' || !self.password
+
+        # get current record
+        current = User.find(self.id)
+        self.password = current.password
+      end
+    end
 end