From c5dfdbeb8f00512ad3810975547c56e7c6dcb480 Mon Sep 17 00:00:00 2001 From: jomo Date: Mon, 24 Jun 2013 16:49:58 +0200 Subject: [PATCH] security, user index --- app/assets/stylesheets/screen.css.scss | 36 ++++++++++ app/controllers/blogposts_controller.rb | 47 ++++++++----- app/controllers/comments_controller.rb | 89 +++++++++---------------- app/controllers/users_controller.rb | 9 ++- app/helpers/users_helper.rb | 2 +- app/models/comment.rb | 4 +- app/views/blogposts/show.html.erb | 2 +- app/views/comments/_form.html.erb | 17 ----- app/views/comments/edit.html.erb | 10 +-- app/views/comments/index.html.erb | 21 ------ app/views/comments/new.html.erb | 5 -- app/views/comments/show.html.erb | 5 -- app/views/users/index.html.erb | 18 +++-- 13 files changed, 125 insertions(+), 140 deletions(-) delete mode 100644 app/views/comments/_form.html.erb delete mode 100644 app/views/comments/index.html.erb delete mode 100644 app/views/comments/new.html.erb delete mode 100644 app/views/comments/show.html.erb diff --git a/app/assets/stylesheets/screen.css.scss b/app/assets/stylesheets/screen.css.scss index 76ac76b..5b7f04c 100644 --- a/app/assets/stylesheets/screen.css.scss +++ b/app/assets/stylesheets/screen.css.scss @@ -265,5 +265,41 @@ and (min-width: 1000px) } } + #userlist { + .list-user { + margin: 5px 0; + display: block; + a { + color: $midgrey; + display: inline-block; + &:hover { + color: $darkred; + } + } + img { + float: left; + } + .user-info { + margin: 10px; + float: left; + span { + display: block; + } + .user-name { + font-weight: bold; + } + .user-ign { + color: #888; + font-style: italic; + } + } + } + } + + + + + + } \ No newline at end of file diff --git a/app/controllers/blogposts_controller.rb b/app/controllers/blogposts_controller.rb index 1992538..edd31ce 100644 --- a/app/controllers/blogposts_controller.rb +++ b/app/controllers/blogposts_controller.rb 
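Review bot: The new `#userlist` block is followed by five empty `+` lines before the file's closing `}`, and the file still ends without a trailing newline (`\ No newline at end of file`). Dropping the blank run and terminating the last line keeps the stylesheet consistent and stops every later diff from repeating the no-newline marker. Purely stylistic; the nested selectors themselves read fine.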
@@ -10,20 +10,26 @@ class BlogpostsController < ApplicationController end def new - @post = Blogpost.new + if current_user && current_user.rank >= rank_to_int("mod") + @post = Blogpost.new + else + flash[:alert] = "You are not allowed to create a new post!" + redirect_to blogposts_path + end end - # GET /blogposts/1/edit def edit - @post = Blogpost.find(params[:id]) + @post = Blogpost.find(params[:id]) + if current_user && ((current_user.rank >= rank_to_int("mod") && current_user.rank.to_i >= @post.user.rank.to_i) || (current_user == @edit.user)) + else + flash[:alert] = "You are not allowed to update this post!" + end end - # POST /blogposts - # POST /blogposts.json def create if current_user && current_user.rank >= rank_to_int("mod") @post = Blogpost.new(params[:blogpost]) - @post.user_id = current_user.id unless current_user.nil? + @post.user = current_user if @post.save redirect_to @post, notice: 'Post has been created.' else 
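Review bot: In `edit`, the owner check reads `current_user == @edit.user`, but `@edit` is never assigned, so a non-mod author reaches `nil.user` and gets a `NoMethodError` instead of the form; it should be `current_user == @post.user`. The unauthorized branch also only sets `flash[:alert]` and neither redirects nor halts, so the edit form is still served to anyone (the `update` action in the next hunk does enforce the check, but the form should not render); add `redirect_to @post` after the flash and invert the condition to `unless` so the empty `if` body goes away. The same owner-or-higher-ranked-mod predicate is repeated verbatim in `update` and `destroy` below and in `CommentsController#edit`, `#update` and `#destroy`; one helper such as `can_modify?(record)` in `ApplicationController` would give a single place to review it. Worth confirming whether `rank` is an integer column: the first comparison uses `current_user.rank` directly while the second calls `.to_i` on both sides.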
@@ -35,24 +41,29 @@ class BlogpostsController < ApplicationController end end - # PUT /blogposts/1 - # PUT /blogposts/1.json def update @post = Blogpost.find(params[:id]) - - if @post.update_attributes(params[:blogpost]) - redirect_to @post, notice: 'Post has been updated.' - else - render action: "edit" + if current_user && ((current_user.rank >= rank_to_int("mod") && current_user.rank.to_i >= @post.user.rank.to_i) || (current_user == @post.user)) + if @post.update_attributes(params[:blogpost]) + redirect_to @post, notice: 'Post has been updated.' + else + flash[:alert] = "There was a problem while updating the post" + render action: "edit" + end end end - # DELETE /blogposts/1 - # DELETE /blogposts/1.json def destroy @post = Blogpost.find(params[:id]) - @post.destroy - - redirect_to blog_url + if current_user && ((current_user.rank >= rank_to_int("mod") && current_user.rank.to_i >= @post.user.rank.to_i) || (current_user == @post.user)) + if @post.destroy + flash[:notice] = "Post deleted!" + else + flash[:alert] = "There was a problem while deleting this Post" + end + else + flash[:alert] = "You are not allowed to delete this Post" end + redirect_to blogpots_path + end end diff --git a/app/controllers/comments_controller.rb b/app/controllers/comments_controller.rb index 82f64cb..3d7990d 100644 --- a/app/controllers/comments_controller.rb +++ b/app/controllers/comments_controller.rb 
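Review bot: `destroy` ends with `redirect_to blogpots_path`, a misspelling of `blogposts_path`, so every delete, authorized or not, raises an undefined-method error after `@post.destroy` has already run; the one-line fix is `redirect_to blogposts_path`. In `update`, the authorization `if` has no `else`, so an unauthorized PUT neither redirects nor renders and Rails will fail looking for an `update` template rather than denying cleanly; add `else flash[:alert] = "You are not allowed to update this post!"; redirect_to @post` to mirror `destroy`. Because the record is gone before the failing redirect, the 500 on the delete path is easy to misread in logs as a deletion that did not happen.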
@@ -1,50 +1,23 @@ class CommentsController < ApplicationController - # GET /comments - # GET /comments.json - def index - @comments = Comment.all - respond_to do |format| - format.html # index.html.erb - format.json { render json: @comments } - end - end - - # GET /comments/1 - # GET /comments/1.json - def show - @comment = Comment.find(params[:id]) - - respond_to do |format| - format.html # show.html.erb - format.json { render json: @comment } - end - end - - # GET /comments/new - # GET /comments/new.json - def new - @comment = Comment.new - - respond_to do |format| - format.html # new.html.erb - format.json { render json: @comment } - end - end - - # GET /comments/1/edit def edit @comment = Comment.find(params[:id]) + if current_user && ((current_user.rank >= rank_to_int("mod") && current_user.rank.to_i >= @comment.user.rank.to_i) || (current_user == @comment.user)) + @comment = Comment.find(params[:id]) + session[:return_to] = blogpost_path(@comment.blogpost) + else + flash[:alert] = "You are not allowed to edit this comment" + redirect_to @comment.blogpost + end end - # POST /comments - # POST /comments.json def create - @comment = Comment.new(params[:comment]) - @comment.user_id = current_user.id - @comment.blogpost = Blogpost.find(params[:blogpost_id]) + if current_user + @comment = Comment.new(params[:comment]) + @comment.user_id = current_user.id + @comment.blogpost = Blogpost.find(params[:blogpost_id]) if @comment.save - redirect_to @comment.blogpost, notice: 'Comment was successfully created.' + redirect_to @comment.blogpost, notice: 'Comment created!' else flash[:alert] = "There was a problem while saving your comment" redirect_to blogpost_path(params[:blogpost_id]) 
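Review bot: In `create`, the visible lines show `if current_user` guarding the whole body with no `else` before the closing `end`s that open the next hunk, so an anonymous POST apparently falls off the end of the action with no redirect or render (Rails would then fail looking for a `create` template) instead of being sent back with a message; the closing lines sit outside this hunk, so please confirm and, if so, add `else flash[:alert] = "You must be logged in to comment"; redirect_to blogpost_path(params[:blogpost_id])`. In `edit`, `@comment = Comment.find(params[:id])` runs again inside the authorized branch although the context line above already loaded it; the second `find` is redundant. Minor consistency point: `create` still assigns `@comment.user_id = current_user.id` while `BlogpostsController#create` in this same commit switched to `@post.user = current_user`, and `Comment` now validates `:user` rather than `:user_id`.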
@@ -52,30 +25,34 @@ class CommentsController < ApplicationController end end - # PUT /comments/1 - # PUT /comments/1.json def update @comment = Comment.find(params[:id]) - - respond_to do |format| - if @comment.update_attributes(params[:comment]) - format.html { redirect_to @comment, notice: 'Comment was successfully updated.' } - format.json { head :no_content } + if current_user && ((current_user.rank >= rank_to_int("mod") && current_user.rank.to_i >= @comment.user.rank.to_i) || (current_user == @comment.user)) + if @comment.update_attributes(params[:comment]) + flash[:notice] = "Comment updated!" + redirect_to @comment.blogpost + else + flash[:alert] = "There was a problem while updating your comment" + redirect_to session[:return_to] + session.delete(:redirect_to) + end else - format.html { render action: "edit" } - format.json { render json: @comment.errors, status: :unprocessable_entity } + flash[:alert] = "You are not allowed to edit this comment" + redirect_to blogpost_path(params[:blogpost_id]) end end - # DELETE /comments/1 - # DELETE /comments/1.json def destroy @comment = Comment.find(params[:id]) - @comment.destroy - - respond_to do |format| - format.html { redirect_to comments_url } - format.json { head :no_content } + if current_user && ((current_user.rank >= rank_to_int("mod") && current_user.rank.to_i >= @comment.user.rank.to_i) || (current_user == @comment.user)) + if @comment.destroy + flash[:notice] = "Comment deleted!" + else + flash[:alert] = "There was a problem while deleting this comment" + end + else + flash[:alert] = "You are not allowed to delete this comment" end + redirect_to @comment.blogpost end -end +end \ No newline at end of file diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb index 45f2da1..54d24f1 100644 --- a/app/controllers/users_controller.rb +++ b/app/controllers/users_controller.rb 
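Review bot: In `update`, the failure branch redirects to `session[:return_to]` and then calls `session.delete(:redirect_to)`, a different key, so the value stored by `edit` is never cleared and the `delete` is a no-op; it should be `session.delete(:return_to)`. That branch also depends on a prior GET to `edit` having populated the key — a direct PUT hands `redirect_to` a `nil` and raises — so `redirect_to @comment.blogpost`, as the success branch already does, would be both simpler and independent of session state. The unauthorized branch of `update` redirects to `blogpost_path(params[:blogpost_id])` while `edit` and `destroy` use the already-loaded `@comment.blogpost`; using the ivar in all three avoids trusting the route parameter for the target.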
@@ -1,12 +1,9 @@ class UsersController < ApplicationController - # GET /users - # GET /users.json + def index @users = User.all end - # GET /users/1 - # GET /users/1.json def show @user = User.find(params[:id]) end @@ -27,7 +24,7 @@ class UsersController < ApplicationController if current_user && (current_user.id = params[:id] || current_user.rank >= rank_to_int("mod")) @user = User.find(params[:id]) else - flash[:alert] = "You are not allwoed to edit this user" + flash[:alert] = "You are not allowed to edit this user" redirect_to user_path(params[:id]) end end @@ -36,9 +33,11 @@ class UsersController < ApplicationController # POST /users.json def create @user = User.new(params[:user]) + @user.last_ip = request.remote_ip if @user.save redirect_to @user, notice: 'User was successfully created.' else + flash[:alert] = "Something went wrong" render action: "new" end end diff --git a/app/helpers/users_helper.rb b/app/helpers/users_helper.rb index d267102..006e64f 100644 --- a/app/helpers/users_helper.rb +++ b/app/helpers/users_helper.rb @@ -2,7 +2,7 @@ module UsersHelper def avatar_url(user_id, size) u = User.find_by_id(user_id) u.nil? ? ign = :char : ign = u.ign - return "https://minotar.net/avatar/#{ign}/#{size}" + return "https://minotar.net/helm/#{ign}/#{size}" end def mc_running? diff --git a/app/models/comment.rb b/app/models/comment.rb index 2e367b3..60f9f07 100644 --- a/app/models/comment.rb +++ b/app/models/comment.rb @@ -1,6 +1,6 @@ class Comment < ActiveRecord::Base - attr_accessible :text, :user_id, :blogpost, :post - validates_presence_of :text, :user_id, :blogpost_id + attr_accessible :text, :user, :blogpost, :post + validates_presence_of :text, :user, :blogpost belongs_to :blogpost belongs_to :user end \ No newline at end of file diff --git a/app/views/blogposts/show.html.erb b/app/views/blogposts/show.html.erb index ef78e69..235cae6 100644 --- a/app/views/blogposts/show.html.erb +++ b/app/views/blogposts/show.html.erb @@ -12,7 +12,7 @@
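Review bot: The context line `if current_user && (current_user.id = params[:id] || current_user.rank >= rank_to_int("mod"))` uses assignment where a comparison is intended, so it overwrites `current_user.id` in memory with `params[:id]` (or the mod boolean) and evaluates truthy whenever `params[:id]` is present — any logged-in user passes the check for any user's edit page; the commit only fixes the message typo beside it. It should read `if current_user && (current_user.id == params[:id].to_i || current_user.rank >= rank_to_int("mod"))`, with `.to_i` because `params[:id]` arrives as a String. The `update` action is outside this hunk and needs the same corrected check, since guarding only the form is not authorization.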
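Review bot: `@user.last_ip = request.remote_ip` stores whatever `remote_ip` resolves to; that value honours forwarding headers unless the application's trusted-proxy configuration is set, so if `last_ip` is ever used for bans or auditing, confirm the deployment configures it — otherwise it is a client-influenced string. The new `flash[:alert] = "Something went wrong"` precedes `render action: "new"`, and because `render` does not start a new request the message will linger into the following page; `flash.now[:alert]` is the form for a re-rendered template. Since this is the self-registration path built from `User.new(params[:user])`, it is also worth checking that `rank` is not in `User`'s `attr_accessible` list (the model is not in this diff).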
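Review bot: `avatar_url` interpolates `ign` straight into the third-party URL without encoding; because `ign` is user-supplied profile data, `ERB::Util.url_encode(ign)` (or a format validation on the model) keeps a stray `/`, `?` or `#` from changing the path requested from minotar.net. The nil guard `u.nil? ? ign = :char : ign = u.ign` assigns in both ternary arms; `ign = u.nil? ? :char : u.ign` says the same thing, and the explicit `return` is unnecessary on the last expression. The helper also re-queries `User.find_by_id` for callers that already hold the record (see `users/index.html.erb` in this commit), so accepting a `User` as well as an id would remove a query per row.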
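Review bot: `attr_accessible :text, :user, :blogpost, :post` makes the `user` and `blogpost` associations mass-assignable even though both controllers set them explicitly after `Comment.new(params[:comment])`, and `:post` matches no association declared in the model (only `belongs_to :blogpost` and `belongs_to :user` are visible). Narrowing this to `attr_accessible :text` keeps a comment's owner and parent post under the controller's control rather than the submitted form's. Switching `validates_presence_of` from `:user_id`/`:blogpost_id` to the associations is fine, but it may now load both records on save where the ids were set directly.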
"> <%= link_to c.user.name, c.user %> on <%= c.created_at.strftime("%e. %b %Y") %> <% if current_user && current_user.rank >= rank_to_int("mod") %> - - <%= link_to "edit", edit_blogpost_comment_path(c.id) %> + - <%= link_to "edit", edit_blogpost_comment_path(c.blogpost, c) %> <% end %>
<%= c.text %>
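Review bot: The edit link is rendered only for mods (`current_user.rank >= rank_to_int("mod")`), while `CommentsController#edit` in this commit also admits the comment's own author, so authors can reach the form by URL but get no link; if that is unintended, the view condition should mirror the controller predicate (ideally through the same shared helper). The corrected `edit_blogpost_comment_path(c.blogpost, c)` matches the nested route; the rest of the comment loop lies outside the hunk.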
diff --git a/app/views/comments/_form.html.erb b/app/views/comments/_form.html.erb deleted file mode 100644 index a568b0b..0000000 --- a/app/views/comments/_form.html.erb +++ /dev/null @@ -1,17 +0,0 @@ -<%= form_for(@comment) do |f| %> - <% if @comment.errors.any? %> -
-

<%= pluralize(@comment.errors.count, "error") %> prohibited this comment from being saved:

- -
    - <% @comment.errors.full_messages.each do |msg| %> -
  • <%= msg %>
  • - <% end %> -
-
- <% end %> - -
- <%= f.submit %> -
-<% end %> diff --git a/app/views/comments/edit.html.erb b/app/views/comments/edit.html.erb index 12ea7f9..4a91606 100644 --- a/app/views/comments/edit.html.erb +++ b/app/views/comments/edit.html.erb @@ -1,6 +1,6 @@ -

Editing comment

+

Edit comment

-<%= render 'form' %> - -<%= link_to 'Show', @comment %> | -<%= link_to 'Back', comments_path %> +<%= simple_form_for [@comment.blogpost, @comment] do |f| %> + <%= f.input :text, :label => false, :as => "text", :placeholder => "Comment" %> + <%= f.submit %> +<% end %> \ No newline at end of file diff --git a/app/views/comments/index.html.erb b/app/views/comments/index.html.erb deleted file mode 100644 index bfa38fe..0000000 --- a/app/views/comments/index.html.erb +++ /dev/null @@ -1,21 +0,0 @@ -

Listing comments

- - - - - - - - -<% @comments.each do |comment| %> - - - - - -<% end %> -
<%= link_to 'Show', comment %><%= link_to 'Edit', edit_comment_path(comment) %><%= link_to 'Destroy', comment, method: :delete, data: { confirm: 'Are you sure?' } %>
- -
- -<%= link_to 'New Comment', new_comment_path %> diff --git a/app/views/comments/new.html.erb b/app/views/comments/new.html.erb deleted file mode 100644 index 07a754a..0000000 --- a/app/views/comments/new.html.erb +++ /dev/null @@ -1,5 +0,0 @@ -

New comment

- -<%= render 'form' %> - -<%= link_to 'Back', comments_path %> diff --git a/app/views/comments/show.html.erb b/app/views/comments/show.html.erb deleted file mode 100644 index d5e89c7..0000000 --- a/app/views/comments/show.html.erb +++ /dev/null @@ -1,5 +0,0 @@ -

<%= notice %>

- - -<%= link_to 'Edit', edit_comment_path(@comment) %> | -<%= link_to 'Back', comments_path %> diff --git a/app/views/users/index.html.erb b/app/views/users/index.html.erb index 48a5818..8f84ebc 100644 --- a/app/views/users/index.html.erb +++ b/app/views/users/index.html.erb @@ -1,4 +1,14 @@ -

Listing users

-<% @users.each do |u| %> - <%= link_to u.name, u %> (<%= u.ign %>) -<% end %> \ No newline at end of file +

All users

+
+ <% @users.each do |u| %> +
+ <%= link_to u do %> + <%= image_tag(avatar_url(u.id, 64), :class => "avatar", :alt => "avatar") %> + + <% end %> +
+ <% end %> +
\ No newline at end of file
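Review bot: `avatar_url(u.id, 64)` inside `@users.each` triggers `User.find_by_id` for a record the loop already holds, so listing users costs one extra query per row; letting the helper accept the `User` itself and calling `avatar_url(u, 64)` removes the N+1. `@users = User.all` is unpaginated, so this page grows with the user table; a `limit` or pagination would bound it. The surrounding `#userlist` container markup appears to have been stripped by extraction, so the wrapping tags are not reviewable here.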