From a57848b3a6206e538d6afe7ef2cab977fee10ea6 Mon Sep 17 00:00:00 2001
From: Robbe Van Herck
Date: Mon, 8 Apr 2019 16:41:19 +0200
Subject: [PATCH 1/2] Added User API and userkey

---
 app/controllers/application_controller.rb | 5 ++++-
 app/controllers/users_controller.rb | 26 +++++++++++++++++++++-
 app/models/user.rb | 15 +++++++++++++
 config/routes.rb | 1 +
 db/migrate/20190408122720_add_api_token.rb | 10 +++++++++
 db/schema.rb | 5 +++--
 6 files changed, 58 insertions(+), 4 deletions(-)
 create mode 100644 db/migrate/20190408122720_add_api_token.rb

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 3593ddf..b9d8db7 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -2,7 +2,10 @@ class ApplicationController < ActionController::Base
 protect_from_forgery with: :exception
 rescue_from CanCan::AccessDenied do |exception|
- redirect_to root_path, flash: { error: message_for(exception) }
+ respond_to do |format|
+ format.json { render json: [ "Diefstal is een misdrijf." ], status: :forbidden }
+ format.html { redirect_to root_path, flash: { error: message_for(exception) } }
+ end
 end
 def after_sign_in_path_for(resource)
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 45963ed..c81854a 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -23,8 +23,21 @@ class UsersController < ApplicationController
 load_and_authorize_resource
 before_action :init, only: :show
+ skip_load_and_authorize_resource :only => :show
 def show
+ # TODO fix this with `authorize!`
+ if params[:id] && (@user.name != params[:id] && !@user.admin?)
+ respond_to do |format|
+ format.json { render json: ["Mind your own business"] }
+ format.html { redirect_to root_url }
+ end
+ else
+ respond_to do |format|
+ format.json { render json: @user }
+ format.html {}
+ end
+ end
 end
 def update
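Review bot: The new handler only covers clients that negotiate JSON or HTML; a request in any other format (an `Accept: text/plain` API client, for instance) makes `respond_to` raise `ActionController::UnknownFormat` from inside the `rescue_from` block, so an authorization failure surfaces as a 406 or 500 rather than the intended 403. A catch-all branch after the two existing ones, `format.any { head :forbidden }`, keeps the denial status uniform for every client. The enclosing class continues outside the hunk.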
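Review bot: `format.json { render json: @user }` serializes every attribute of the record, and after this series that includes the new `userkey` column — the bearer credential the `user_token` lookup accepts — so whoever is permitted to read a user's JSON also receives that user's API token; the same line survives as context in the second commit's `show` hunk, so the exposure persists there. Exclude the credential from the default representation, e.g. `format.json { render json: @user.as_json(except: :userkey) }`, and show the key to its owner only in a dedicated view.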
@@ -81,6 +94,17 @@ class UsersController < ApplicationController
 end
 def init
- @user ||= current_user
+ @user ||= current_user || user_token || User.new
+ end
+
+ def user_token
+ @user_token ||= authenticate_with_http_token do |token, options|
+ User.find_by userkey: token
+ end
+ end
+
+ def reset_key
+ @user.generate_key!
+ redirect_to @user
 end
 end
diff --git a/app/models/user.rb b/app/models/user.rb
index 0b10c17..7967d3d 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -37,6 +37,7 @@ class User < ActiveRecord::Base
 where(name: auth.uid).first_or_create do |user|
 user.name = auth.uid
 user.avatar = Identicon.data_url_for auth.uid
+ user.generate_key!
 end
 end
@@ -89,4 +90,18 @@ class User < ActiveRecord::Base
 user.koelkast = true
 end
 end
+
+ def generate_key
+ set_key unless self.userkey
+ end
+
+ def generate_key!
+ set_key
+ self.save
+ end
+
+ private
+ def set_key
+ self.userkey = SecureRandom.base64(16)
+ end
 end
diff --git a/config/routes.rb b/config/routes.rb
index e223888..16a5da5 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -22,6 +22,7 @@ Rails.application.routes.draw do
 member do
 get 'quickpay' => 'users#quickpay'
 get 'dagschotel/edit' => 'users#edit_dagschotel', as: 'edit_dagschotel'
+ post :reset_key
 end
 end
diff --git a/db/migrate/20190408122720_add_api_token.rb b/db/migrate/20190408122720_add_api_token.rb
new file mode 100644
index 0000000..b73f94c
--- /dev/null
+++ b/db/migrate/20190408122720_add_api_token.rb
@@ -0,0 +1,10 @@
+class AddApiToken < ActiveRecord::Migration
+ def change
+ add_column :users, :userkey, :string
+
+ User.all.each do |user|
+ user.generate_key
+ user.save
+ end
+ end
+end
diff --git a/db/schema.rb b/db/schema.rb
index 7e13464..027c761 100644
--- a/db/schema.rb
+++ b/db/schema.rb
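Review bot: `init` falls back to `User.new` when neither a signed-in session nor a valid token is present, so an unauthenticated request continues with a blank, unsaved user instead of being refused; in this commit that means an anonymous `show` renders an empty record as JSON. Replace the fallback with an explicit refusal, `@user ||= current_user || user_token` followed by `head :unauthorized unless @user`. In `user_token` the `options` block parameter is unused (`|token, _options|`), and `reset_key` relies on `load_and_authorize_resource` having loaded `@user` for the member route and on the `can :manage, User, id: user.id` rule to restrict rotation to the owner — worth a one-line comment above it, `# @user is loaded and authorized by load_and_authorize_resource (:manage, own record only)`, so that dependency is visible. `reset_key` also redirects regardless of whether `generate_key!` actually saved; see the `user.rb` hunk.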
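Review bot: `user.generate_key!` is called inside the `first_or_create` build block, where the record is not yet persisted; `generate_key!` saves it itself and `first_or_create` then saves again, and the result of the inner `save` is discarded. The non-persisting `generate_key` from the following hunk is sufficient here, `user.generate_key`, and leaves a single save under the caller's control. The enclosing method begins outside the hunk.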
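Review bot: `generate_key!` returns the boolean from `self.save` and never signals a failed save, so callers such as the new `reset_key` action (previous hunk) redirect as if the key had been rotated when it was not; use `save!` here, or document it with `# @return [Boolean] whether the new key was persisted` and make callers check it. `set_key` persists the raw `SecureRandom.base64(16)` token in `userkey`, i.e. the bearer credential is stored in cleartext and is recoverable from the table, backups, or anywhere the record is inspected or serialized; the standard mitigation is to store only a digest and compare the digest of the presented token in the `user_token` lookup, which can follow as a separate migration — at minimum record it as `# TODO: store a digest of the key rather than the key itself`. Style: `self.userkey` and `self.save` can be plain `userkey` and `save`; explicit `self` is only needed on the assignment in `set_key`.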
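Review bot: `User.all.each` runs in the same migration as `add_column`, and `User`'s column information may have been loaded before the column existed, in which case `user.generate_key` fails with an unknown-attribute error on `userkey`; call `User.reset_column_information` after `add_column`. The loop also loads every user into memory at once, sits directly in `change` so it is replayed on rollback as well, and ignores the result of `user.save`, leaving some users without a key if validation fails. Wrapping the backfill in `reversible { |dir| dir.up { … } }`, iterating with `find_each`, and using `save!` addresses all three.
```ruby
class AddApiToken < ActiveRecord::Migration
  def change
    add_column :users, :userkey, :string

    reversible do |dir|
      dir.up do
        # the model's column cache may predate add_column in this same migration
        User.reset_column_information
        User.find_each do |user|
          user.generate_key
          user.save!   # fail the migration rather than leave users without a key
        end
      end
    end
  end
end
```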
@@ -11,7 +11,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
-ActiveRecord::Schema.define(version: 20160304192839) do
+ActiveRecord::Schema.define(version: 20190408122720) do
 create_table "barcodes", force: :cascade do |t|
 t.integer "product_id"
@@ -86,7 +86,8 @@ ActiveRecord::Schema.define(version: 20160304192839) do
 t.string "name"
 t.boolean "private", default: false
 t.integer "frecency", default: 0, null: false
- t.boolean "quickpay_hidden"
+ t.boolean "quickpay_hidden", default: false
+ t.string "userkey"
 end
 add_index "users", ["koelkast"], name: "index_users_on_koelkast"

From c588d0f6d4924558e39584069468184275dea6b2 Mon Sep 17 00:00:00 2001
From: redfast00
Date: Thu, 18 Apr 2019 22:50:33 +0200
Subject: [PATCH 2/2] Better authentication

---
 app/controllers/users_controller.rb | 9 ---------
 app/models/ability.rb | 3 +++
 db/schema.rb | 3 ++-
 3 files changed, 5 insertions(+), 10 deletions(-)

diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index c81854a..76909e4 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -23,21 +23,12 @@ class UsersController < ApplicationController
 load_and_authorize_resource
 before_action :init, only: :show
- skip_load_and_authorize_resource :only => :show
 def show
- # TODO fix this with `authorize!`
- if params[:id] && (@user.name != params[:id] && !@user.admin?)
- respond_to do |format|
- format.json { render json: ["Mind your own business"] }
- format.html { redirect_to root_url }
- end
- else
 respond_to do |format|
 format.json { render json: @user }
 format.html {}
 end
- end
 end
 def update
diff --git a/app/models/ability.rb b/app/models/ability.rb
index 9c2b8a0..a856eb0 100644
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
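Review bot: Removing `skip_load_and_authorize_resource` makes `show` authorized by `load_and_authorize_resource`, which runs before `before_action :init` and evaluates the ability for `current_user`; the token resolved by `user_token` is consulted only later, in `init`, so a client authenticating with the `Authorization: Token` header alone is authorized as an anonymous user, and `@user ||=` in `init` no longer alters the record CanCan already loaded. Unless `current_ability` is overridden elsewhere in the file, add `def current_ability; @current_ability ||= Ability.new(current_user || user_token); end` so token-authenticated requests are evaluated with the key owner's permissions. With that in place, `init`'s `User.new` fallback is dead code for `show` and can be removed. The `render json: @user` context line still serializes `userkey`; that point is raised on the first commit's `show` hunk.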
@@ -24,6 +24,9 @@ class Ability
 def initialize_user(user)
 can :read, :all
+ cannot :read, User do |otheruser|
+ otheruser != user && !user.admin? && !user.koelkast
+ end
 can :manage, User, id: user.id
 can :create, Order do |order|
 order.user == user && user.try(:balance).try(:>, -500)
diff --git a/db/schema.rb b/db/schema.rb
index 027c761..cfcfc89 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -11,7 +11,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
-ActiveRecord::Schema.define(version: 20190408122720) do
+ActiveRecord::Schema.define(version: 20190415182036) do
 create_table "barcodes", force: :cascade do |t|
 t.integer "product_id"
@@ -87,6 +87,7 @@ ActiveRecord::Schema.define(version: 20190408122720) do
 t.boolean "private", default: false
 t.integer "frecency", default: 0, null: false
 t.boolean "quickpay_hidden", default: false
+ t.string "key"
 t.string "userkey"
 end
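Review bot: The new `cannot :read, User do |otheruser| … end` rule is block-based, so an `accessible_by` query for `User` — which `load_and_authorize_resource` issues for an `index` action, if `UsersController` has one (not visible here) — raises `CanCan::Error`. Hash-condition rules express the same policy and remain queryable: replace the block with `cannot :read, User`, `can :read, User, id: user.id` and `can :read, User if user.admin? || user.koelkast`, relying on CanCan's later-rule-wins ordering. The `otheruser != user` clause is already redundant with the existing `can :manage, User, id: user.id` below it for the same reason. Separately, this commit's `db/schema.rb` hunk adds `t.string "key"` and bumps the version to 20190415182036 without any migration in the series adding that column — confirm whether a migration is missing from the patch.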