diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 3593ddf..b9d8db7 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -2,7 +2,10 @@ class ApplicationController < ActionController::Base
 protect_from_forgery with: :exception
 rescue_from CanCan::AccessDenied do |exception|
- redirect_to root_path, flash: { error: message_for(exception) }
+ respond_to do |format|
+ format.json { render json: [ "Diefstal is een misdrijf." ], status: :forbidden }
+ format.html { redirect_to root_path, flash: { error: message_for(exception) } }
+ end
 end
 def after_sign_in_path_for(resource)
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 45963ed..76909e4 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -25,6 +25,10 @@ class UsersController < ApplicationController
 before_action :init, only: :show
 def show
+ respond_to do |format|
+ format.json { render json: @user }
+ format.html {}
+ end
 end
 def update
@@ -81,6 +85,17 @@ class UsersController < ApplicationController
 end
 def init
- @user ||= current_user
+ @user ||= current_user || user_token || User.new
+ end
+
+ def user_token
+ @user_token ||= authenticate_with_http_token do |token, options|
+ User.find_by userkey: token
+ end
+ end
+
+ def reset_key
+ @user.generate_key!
+ redirect_to @user
 end
 end
diff --git a/app/models/ability.rb b/app/models/ability.rb
index 9c2b8a0..a856eb0 100644
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -24,6 +24,9 @@ class Ability
 def initialize_user(user)
 can :read, :all
+ cannot :read, User do |otheruser|
+ otheruser != user && !user.admin? && !user.koelkast
+ end
 can :manage, User, id: user.id
 can :create, Order do |order|
 order.user == user && user.try(:balance).try(:>, -500)
diff --git a/app/models/user.rb b/app/models/user.rb
index 0b10c17..7967d3d 100644
--- a/app/models/user.rb
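Review bot: The new `format.json` branch drops `message_for(exception)` and answers with a bare string array, so API clients get a different and unstructured error from HTML clients for the same CanCan::AccessDenied. Rendering `format.json { render json: { error: message_for(exception) }, status: :forbidden }` keeps both formats consistent and gives clients a key to read. Separately, the `user_token` path added in users_controller.rb authenticates from the Authorization header while `protect_from_forgery with: :exception` above still covers those requests, so non-GET API calls such as the new `post :reset_key` will presumably fail the CSRF check unless the controller skips it for token-authenticated requests only — worth confirming before an API client relies on it.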
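Review bot: `render json: @user` in `show` serializes every column of the record, which after this change includes `userkey`, the bearer token that `user_token` accepts for API authentication; anyone permitted to read another user (admins and koelkast accounts per the ability.rb hunk) receives that user's live credential in the JSON response. Use an explicit attribute list, e.g. `render json: @user, except: [:userkey]`, or a serializer, and if the owner must be able to fetch their own key over JSON, include it only when `@user == current_user`. Any other sensitive columns on `users` (not visible here) would be exposed the same way. The empty `format.html {}` block can be written as `format.html`; the default render is the same.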
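Review bot: `user_token` looks up the raw bearer token with `User.find_by userkey: token`, so the credential is stored in cleartext in the users table and any read of that row (backups, logs, the JSON render in `show`) discloses a usable token; storing `Digest::SHA256.hexdigest(token)` in the column and querying by the digest keeps a leaked table from yielding working credentials. `reset_key` rotates a key, but `before_action :init, only: :show` does not run for it and no authorization is visible in this hunk, so it must rely on something outside the diff (presumably `load_and_authorize_resource`) both to set `@user` and to restrict it to `can :manage, User` — please confirm, since an unchecked POST would rotate another user's key. The unused block parameter should be `|token, _options|`. UsersController's body begins before this hunk.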
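Review bot: The `cannot :read, User do |otheruser| … end` rule is block-based, so it only takes effect on instance checks (`can? :read, some_user`); a class-level `can? :read, User` still answers true, and `User.accessible_by(ability)`, if used anywhere, would raise because a block rule has no SQL form. Since the later `can :manage, User, id: user.id` already re-grants the current user on their own record, the same policy fits a condition-free rule: `cannot :read, User unless user.admin? || user.koelkast`. That also evaluates `admin?`/`koelkast` once at ability construction instead of inside every permission check. `initialize_user` continues past the end of the hunk.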
+++ b/app/models/user.rb
@@ -37,6 +37,7 @@ class User < ActiveRecord::Base
 where(name: auth.uid).first_or_create do |user|
 user.name = auth.uid
 user.avatar = Identicon.data_url_for auth.uid
+ user.generate_key!
 end
 end
@@ -89,4 +90,18 @@ class User < ActiveRecord::Base
 user.koelkast = true
 end
 end
+
+ def generate_key
+ set_key unless self.userkey
+ end
+
+ def generate_key!
+ set_key
+ self.save
+ end
+
+ private
+ def set_key
+ self.userkey = SecureRandom.base64(16)
+ end
 end
diff --git a/config/routes.rb b/config/routes.rb
index e223888..16a5da5 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -22,6 +22,7 @@ Rails.application.routes.draw do
 member do
 get 'quickpay' => 'users#quickpay'
 get 'dagschotel/edit' => 'users#edit_dagschotel', as: 'edit_dagschotel'
+ post :reset_key
 end
 end
diff --git a/db/migrate/20190408122720_add_api_token.rb b/db/migrate/20190408122720_add_api_token.rb
new file mode 100644
index 0000000..b73f94c
--- /dev/null
+++ b/db/migrate/20190408122720_add_api_token.rb
@@ -0,0 +1,10 @@
+class AddApiToken < ActiveRecord::Migration
+ def change
+ add_column :users, :userkey, :string
+
+ User.all.each do |user|
+ user.generate_key
+ user.save
+ end
+ end
+end
diff --git a/db/schema.rb b/db/schema.rb
index 7e13464..cfcfc89 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -11,7 +11,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
-ActiveRecord::Schema.define(version: 20160304192839) do
+ActiveRecord::Schema.define(version: 20190415182036) do
 create_table "barcodes", force: :cascade do |t|
 t.integer "product_id"
@@ -86,7 +86,9 @@ ActiveRecord::Schema.define(version: 20160304192839) do
 t.string "name"
 t.boolean "private", default: false
 t.integer "frecency", default: 0, null: false
- t.boolean "quickpay_hidden"
+ t.boolean "quickpay_hidden", default: false
+ t.string "key"
+ t.string "userkey"
 end
 add_index "users", ["koelkast"], name: "index_users_on_koelkast"
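Review bot: `user.generate_key!` inside the `first_or_create` block calls `self.save` on a record that `first_or_create` is about to save anyway, so a new user is written twice (validations and callbacks run twice) on first sign-in. A build block wants the non-persisting variant: `user.generate_key`. The enclosing method starts before this hunk.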
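Review bot: `generate_key!` discards the result of `self.save`, so a validation failure leaves its caller (the new `reset_key` action, which then redirects as if the key had changed) unaware that the old key is still in effect; return the result or raise on failure, i.e. `set_key` then `save!`. `generate_key` tests `self.userkey` for truthiness, so an empty string would count as a key that a later `find_by userkey:` lookup could match; `set_key unless userkey.present?` is the safer check. Style: the `self.` receiver is not needed for attribute reads, and `private` should be followed by a blank line before `def set_key`.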
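Review bot: The data backfill in `change` is not reversible and drives the application model from a migration: `User.all.each` loads every row into memory, `user.save` ignores validation failures (leaving some users silently without a key), and on rollback the loop would presumably still execute before `add_column` is reverted. Wrapping the loop in `reversible`/`dir.up`, iterating with `find_each`, calling `User.reset_column_information` after the column is added so the model sees `userkey`, and using `save!` makes the backfill fail loudly instead of partially. Note also that db/schema.rb in this diff gains a `key` column and version 20190415182036 that no migration here creates — presumably from a later migration not included in this commit; worth confirming it is not a stray column.
```ruby
    add_column :users, :userkey, :string

    reversible do |dir|
      dir.up do
        # The model may have been loaded before the column existed; refresh its attribute list.
        User.reset_column_information
        User.find_each do |user|
          user.generate_key
          user.save!
        end
      end
    end
```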