Merge pull request #33 from YaleSTC/9_event_permissions

9 event permissions
YaleSTC · Sep 27, 2014 · e04da32 · e04da32
2 parents b22a615 + da60d5d
commit e04da32
Show file tree

Hide file tree

Showing 16 changed files with 108 additions and 33 deletions.
diff --git a/app/controllers/attendance_entries_controller.rb b/app/controllers/attendance_entries_controller.rb
@@ -1,6 +1,8 @@
 class AttendanceEntriesController < ApplicationController
-  before_action :set_attendance_entry, only: [:show, :edit, :update, :destroy]
-  load_and_authorize_resource
+  # before_action :set_attendance_entry, only: [:show, :edit, :update, :destroy]
+  load_and_authorize_resource :event
+  load_and_authorize_resource :attendance_entry, through: :event, param_method: :attendance_entry_params
+
 
   # GET /attendance_entries
   # GET /attendance_entries.json

diff --git a/app/controllers/events_controller.rb b/app/controllers/events_controller.rb
@@ -1,23 +1,26 @@
 require "yaleidlookup"
 
 class EventsController < ApplicationController
-  before_action :set_event, only: [:show, :edit, :update, :destroy]
-  load_and_authorize_resource
+  # before_action :set_event, only: [:show, :edit, :update, :destroy]
+  load_and_authorize_resource param_method: :event_params
 
   # GET /events
   # GET /events.json
   def index
-    @events = Event.all.reverse
+    @events = @events.reverse
   end
 
   # GET /events/1
   # GET /events/1.json
   def show
+    redirect_to event_attendance_entries_path(@event)
   end
 
   # GET /events/new
   def new
-    @event = Event.new
+    # @event = Event.new
+    @event.description ||= "Please swipe your card or enter your netid"
+    @event.users << current_user
   end
 
   # GET /events/1/edit
@@ -27,7 +30,7 @@ def edit
   # POST /events
   # POST /events.json
   def create
-    @event = Event.new(event_params)
+    # @event = Event.new(event_params)
 
     respond_to do |format|
       if @event.save
@@ -43,9 +46,10 @@ def create
   # PATCH/PUT /events/1
   # PATCH/PUT /events/1.json
   def update
+
     respond_to do |format|
       if @event.update(event_params)
-        format.html { redirect_to @event, notice: 'Event was successfully updated.' }
+        format.html { redirect_to edit_event_path(@event), notice: 'Event was successfully updated.' }
         format.json { head :no_content }
       else
         format.html { render action: 'edit' }
@@ -66,8 +70,8 @@ def destroy
 
   # GET /events/1/swipe
   def swipe
-    # authorize! :read, :cardswipe
     @event = Event.find(params[:event_id])
+    authorize! :update, @event
     @count = @event.attendance_entries.count
     render layout: "fullscreen"
   end
@@ -77,6 +81,7 @@ def swipe
   def lookup
     # authorize! :lookup, :cardswipe
     @event = Event.find(params[:event_id])
+    authorize! :update, @event
     upi = YaleIDLookup.determine_upi(params[:query])
 
     if upi.blank? #or, if it raises an "I cannot find someone" error would be better?
@@ -113,7 +118,7 @@ def lookup
   end
 
   def wipe_attendance
-    @event = Event.find(params[:event_id])
+    # @event = Event.find(params[:event_id])
     @event.attendance_entries.destroy_all
     flash[:notice] = "All attendance entries for this event have been wiped."
     redirect_to event_attendance_entries_path(@event)
@@ -127,6 +132,6 @@ def set_event
 
     # Never trust parameters from the scary internet, only allow the white list through.
     def event_params
-      params.require(:event).permit(:title, :description)
+      params.require(:event).permit(:title, :description, :user_ids => [])
     end
 end
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
@@ -17,6 +17,7 @@ def index
   # GET /users/1
   # GET /users/1.json
   def show
+    redirect_to edit_user_path(@user)
   end
 
   # GET /users/new
@@ -49,7 +50,7 @@ def create
   def update
     respond_to do |format|
       if @user.update(user_params)
-        format.html { redirect_to @user, notice: 'User was successfully updated.' }
+        format.html { redirect_to user_edit_path(@user), notice: 'User was successfully updated.' }
         format.json { head :no_content }
       else
         format.html { render action: 'edit' }
@@ -76,6 +77,6 @@ def set_user
 
     # Never trust parameters from the scary internet, only allow the white list through.
     def user_params
-      params.require(:user).permit(:first_name, :last_name, :netid)
+      params.require(:user).permit(:first_name, :nickname, :last_name, :email)
     end
 end
diff --git a/app/models/ability.rb b/app/models/ability.rb
@@ -5,11 +5,16 @@ def initialize(user)
     # Define abilities for the passed in user here. For example:
     #
     # user ||= User.find_by(netid: session[:cas_user])
-    admin_users = %w{csw3 jl2463 sbt3 dz65 cb585 deg38 mrd25 cb785}
+    superusers = %w{ jl2463 sbt3 dz65 cb585 deg38 mrd25 cb785}
 
-    if admin_users.include? user.netid
+    if superusers.include? user.netid
       can :manage, :all
     else
+      can :create, Event
+      can :manage, Event, {:users => { :id => user.id }}
+      can :create, AttendanceEntry
+      can :manage, AttendanceEntry, {:users => { :id => user.id }}
+      can [:read, :update], User, {:id => user.id}
       can :read, :homepage
       can :read, :personlookup
     end

diff --git a/app/models/attendance_entry.rb b/app/models/attendance_entry.rb
@@ -1,6 +1,5 @@
 class AttendanceEntry < ActiveRecord::Base
 
-#has_many people
 belongs_to :event
 validates :event, presence: true
 validates :upi, :uniqueness => { :scope => :event, :message => "This person has already been checked into this event." }

diff --git a/app/models/event.rb b/app/models/event.rb
@@ -1,8 +1,10 @@
 class Event < ActiveRecord::Base
 
-# has_and_belongs_to_many :users, as: admins
+has_and_belongs_to_many :users
+validates :users, presence: true
 has_many :attendance_entries
 
+
   def last_edited
     if attendance_entries.blank?
       return ""

diff --git a/app/models/user.rb b/app/models/user.rb
@@ -1,3 +1,26 @@
 class User < ActiveRecord::Base
+  validates :netid, presence: true, uniqueness: true
+  has_and_belongs_to_many :events
 
+  after_create :get_ldap_attributes
+
+  def get_ldap_attributes
+    attributes = YaleLDAP.lookup(netid: netid)
+      .slice(:first_name, :nickname, :last_name, :netid, :email)
+    self.update_attributes(attributes)
+  rescue
+    false # don't actually save it if LDAP fails
+  end
+
+  def full_name
+    if nickname.blank?
+      full_name = first_name + " " + last_name
+    else
+      full_name = nickname + " " + last_name
+    end
+  end
+
+  def full_name_with_netid
+    full_name + " " + netid
+  end
 end
diff --git a/app/views/attendance_entries/index.html.erb b/app/views/attendance_entries/index.html.erb
@@ -13,6 +13,14 @@
   </ol>
 </p>
 
+<div class="row">
+  <div class="col-md-12">
+      <%= link_to edit_event_path(@event), :class => "btn btn-default" do %>
+        <span class="glyphicon glyphicon-pencil"></span> Edit Event
+      <% end %>
+  </div>
+</div>
+
 <div class="row">
   <div class="col-md-12">
     <div class="btn-group">

diff --git a/app/views/events/_form.html.erb b/app/views/events/_form.html.erb
@@ -4,6 +4,7 @@
   <div class="form-input">
     <%= f.input :title %>
     <%= f.input :description, as: :text %>
+    <%= f.association :users, label_method: :full_name_with_netid %>
     <%#= f.association :attendance_entries %>
   </div>
 

diff --git a/app/views/events/index.html.erb b/app/views/events/index.html.erb
@@ -38,7 +38,11 @@
               <span class="glyphicon glyphicon-list-alt"></span> Attendance
             <% end %>
           </td>
-          <td><%= link_to 'Edit Event', edit_event_path(event), :class => "btn btn-default" %></td>
+          <td>
+            <%= link_to edit_event_path(event), :class => "btn btn-default" do %>
+              <span class="glyphicon glyphicon-pencil"></span> Edit Event
+            <% end %>
+          </td>
           <td><%= event.title %></td>
           <td><%= event.description %></td>
           <td><%= event.attendance_entries.count %></td>

diff --git a/app/views/layouts/_navigation.html.erb b/app/views/layouts/_navigation.html.erb
@@ -17,7 +17,7 @@
         <% end %>
       </li>
     <% end %>
-    <% if can? :read, :events %>
+    <% if can? :read, Event %>
       <li>
         <%= link_to events_path do %>
           <span class="glyphicon glyphicon-list"></span> Events
@@ -27,7 +27,7 @@
   </ul>
   <ul class="nav navbar-nav navbar-right">
     <li>
-      <%= link_to "Signed in as #{current_user.netid}", root_path if current_user %>
+      <%= link_to "#{current_user.full_name}", edit_user_path(current_user) if current_user %>
     </li>
   </ul>
 </div>
diff --git a/app/views/users/_form.html.erb b/app/views/users/_form.html.erb
@@ -11,17 +11,25 @@
     </div>
   <% end %>
 
+  <div class="field">
+    <%= f.label :netid %><br>
+    <%= @user.netid %>
+  </div>
   <div class="field">
     <%= f.label :first_name %><br>
     <%= f.text_field :first_name %>
   </div>
+  <div class="field">
+    <%= f.label :nickname %><br>
+    <%= f.text_field :nickname %>
+  </div>
   <div class="field">
     <%= f.label :last_name %><br>
     <%= f.text_field :last_name %>
   </div>
   <div class="field">
-    <%= f.label :netid %><br>
-    <%= f.text_field :netid %>
+    <%= f.label :email %><br>
+    <%= f.text_field :email %>
   </div>
   <div class="actions">
     <%= f.submit %>

diff --git a/app/views/users/edit.html.erb b/app/views/users/edit.html.erb
@@ -1,6 +1,3 @@
-<h1>Editing user</h1>
+<h1>Editing User</h1>
 
 <%= render 'form' %>
-
-<%= link_to 'Show', @user %> |
-<%= link_to 'Back', users_path %>
diff --git a/db/migrate/20140926222037_create_join_event_user.rb b/db/migrate/20140926222037_create_join_event_user.rb
@@ -0,0 +1,8 @@
+class CreateJoinEventUser < ActiveRecord::Migration
+  def change
+    create_table :events_users do |t|
+      t.references :event, :null => false
+      t.references :user, :null => false
+    end
+  end
+end
diff --git a/db/migrate/20140927025624_add_ldap_attributes_to_user.rb b/db/migrate/20140927025624_add_ldap_attributes_to_user.rb
@@ -0,0 +1,6 @@
+class AddLdapAttributesToUser < ActiveRecord::Migration
+  def change
+    add_column :users, :nickname, :string
+    add_column :users, :email, :string
+  end
+end
diff --git a/db/schema.rb b/db/schema.rb
@@ -11,24 +11,30 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema.define(version: 20140922030535) do
+ActiveRecord::Schema.define(version: 20140927025624) do
 
 # Could not dump table "attendance_entries" because of following NoMethodError
-#   undefined method `column_spec_with_oracle_enhanced' for #<ActiveRecord::ConnectionAdapters::SQLite3Adapter:0x007fa325143e88>
+#   undefined method `column_spec_with_oracle_enhanced' for #<ActiveRecord::ConnectionAdapters::SQLite3Adapter:0x007fb7fc316580>
 
 # Could not dump table "events" because of following NoMethodError
-#   undefined method `column_spec_with_oracle_enhanced' for #<ActiveRecord::ConnectionAdapters::SQLite3Adapter:0x007fa325143e88>
+#   undefined method `column_spec_with_oracle_enhanced' for #<ActiveRecord::ConnectionAdapters::SQLite3Adapter:0x007fb7fc316580>
+
+# Could not dump table "events_users" because of following NoMethodError
+#   undefined method `column_spec_with_oracle_enhanced' for #<ActiveRecord::ConnectionAdapters::SQLite3Adapter:0x007fb7fc316580>
 
 # Could not dump table "people" because of following NoMethodError
-#   undefined method `column_spec_with_oracle_enhanced' for #<ActiveRecord::ConnectionAdapters::SQLite3Adapter:0x007fa325143e88>
+#   undefined method `column_spec_with_oracle_enhanced' for #<ActiveRecord::ConnectionAdapters::SQLite3Adapter:0x007fb7fc316580>
 
 # Could not dump table "roles" because of following NoMethodError
-#   undefined method `column_spec_with_oracle_enhanced' for #<ActiveRecord::ConnectionAdapters::SQLite3Adapter:0x007fa325143e88>
+#   undefined method `column_spec_with_oracle_enhanced' for #<ActiveRecord::ConnectionAdapters::SQLite3Adapter:0x007fb7fc316580>
+
+# Could not dump table "sessions" because of following NoMethodError
+#   undefined method `column_spec_with_oracle_enhanced' for #<ActiveRecord::ConnectionAdapters::SQLite3Adapter:0x007fb7fc316580>
 
 # Could not dump table "settings" because of following NoMethodError
-#   undefined method `column_spec_with_oracle_enhanced' for #<ActiveRecord::ConnectionAdapters::SQLite3Adapter:0x007fa325143e88>
+#   undefined method `column_spec_with_oracle_enhanced' for #<ActiveRecord::ConnectionAdapters::SQLite3Adapter:0x007fb7fc316580>
 
 # Could not dump table "users" because of following NoMethodError
-#   undefined method `column_spec_with_oracle_enhanced' for #<ActiveRecord::ConnectionAdapters::SQLite3Adapter:0x007fa325143e88>
+#   undefined method `column_spec_with_oracle_enhanced' for #<ActiveRecord::ConnectionAdapters::SQLite3Adapter:0x007fb7fc316580>
 
 end