Redstoner/redstoner.com
Archived
0
Fork 0
Code Issues Pull Requests 2 Wiki Activity

security, user index

Browse Source
This commit is contained in:
jomo
2013-06-24 16:49:58 +02:00
parent b4f2dc5fab
commit c5dfdbeb8f
13 changed files with 125 additions and 140 deletions
Download Patch File Download Diff File Expand all files Collapse all files

36
app/assets/stylesheets/screen.css.scss
View File

@@ -265,5 +265,41 @@ and (min-width: 1000px)
}
}
#userlist {
.list-user {
margin: 5px 0;
display: block;
a {
color: $midgrey;
display: inline-block;
&:hover {
color: $darkred;
}
}
img {
float: left;
}
.user-info {
margin: 10px;
float: left;
span {
display: block;
}
.user-name {
font-weight: bold;
}
.user-ign {
color: #888;
font-style: italic;
}
}
}
}
}

35
app/controllers/blogposts_controller.rb
View File

@@ -10,20 +10,26 @@ class BlogpostsController < ApplicationController
end
def new
if current_user && current_user.rank >= rank_to_int("mod")
@post = Blogpost.new
else
flash[:alert] = "You are not allowed to create a new post!"
redirect_to blogposts_path
end
end
# GET /blogposts/1/edit
def edit
@post = Blogpost.find(params[:id])
if current_user && ((current_user.rank >= rank_to_int("mod") && current_user.rank.to_i >= @post.user.rank.to_i) || (current_user == @edit.user))
else
flash[:alert] = "You are not allowed to update this post!"
end
end
# POST /blogposts
# POST /blogposts.json
def create
if current_user && current_user.rank >= rank_to_int("mod")
@post = Blogpost.new(params[:blogpost])
@post.user_id = current_user.id unless current_user.nil?
@post.user = current_user
if @post.save
redirect_to @post, notice: 'Post has been created.'
else
@@ -35,24 +41,29 @@ class BlogpostsController < ApplicationController
end
end
# PUT /blogposts/1
# PUT /blogposts/1.json
def update
@post = Blogpost.find(params[:id])
if current_user && ((current_user.rank >= rank_to_int("mod") && current_user.rank.to_i >= @post.user.rank.to_i) || (current_user == @post.user))
if @post.update_attributes(params[:blogpost])
redirect_to @post, notice: 'Post has been updated.'
else
flash[:alert] = "There was a problem while updating the post"
render action: "edit"
end
end
end
# DELETE /blogposts/1
# DELETE /blogposts/1.json
def destroy
@post = Blogpost.find(params[:id])
@post.destroy
redirect_to blog_url
if current_user && ((current_user.rank >= rank_to_int("mod") && current_user.rank.to_i >= @post.user.rank.to_i) || (current_user == @post.user))
if @post.destroy
flash[:notice] = "Post deleted!"
else
flash[:alert] = "There was a problem while deleting this Post"
end
else
flash[:alert] = "You are not allowed to delete this Post"
end
redirect_to blogpots_path
end
end

79
app/controllers/comments_controller.rb
View File

@@ -1,50 +1,23 @@
class CommentsController < ApplicationController
# GET /comments
# GET /comments.json
def index
@comments = Comment.all
respond_to do |format|
format.html # index.html.erb
format.json { render json: @comments }
end
end
# GET /comments/1
# GET /comments/1.json
def show
@comment = Comment.find(params[:id])
respond_to do |format|
format.html # show.html.erb
format.json { render json: @comment }
end
end
# GET /comments/new
# GET /comments/new.json
def new
@comment = Comment.new
respond_to do |format|
format.html # new.html.erb
format.json { render json: @comment }
end
end
# GET /comments/1/edit
def edit
@comment = Comment.find(params[:id])
if current_user && ((current_user.rank >= rank_to_int("mod") && current_user.rank.to_i >= @comment.user.rank.to_i) || (current_user == @comment.user))
@comment = Comment.find(params[:id])
session[:return_to] = blogpost_path(@comment.blogpost)
else
flash[:alert] = "You are not allowed to edit this comment"
redirect_to @comment.blogpost
end
end
# POST /comments
# POST /comments.json
def create
if current_user
@comment = Comment.new(params[:comment])
@comment.user_id = current_user.id
@comment.blogpost = Blogpost.find(params[:blogpost_id])
if @comment.save
redirect_to @comment.blogpost, notice: 'Comment was successfully created.'
redirect_to @comment.blogpost, notice: 'Comment created!'
else
flash[:alert] = "There was a problem while saving your comment"
redirect_to blogpost_path(params[:blogpost_id])
@@ -52,30 +25,34 @@ class CommentsController < ApplicationController
end
end
# PUT /comments/1
# PUT /comments/1.json
def update
@comment = Comment.find(params[:id])
respond_to do |format|
if current_user && ((current_user.rank >= rank_to_int("mod") && current_user.rank.to_i >= @comment.user.rank.to_i) || (current_user == @comment.user))
if @comment.update_attributes(params[:comment])
format.html { redirect_to @comment, notice: 'Comment was successfully updated.' }
format.json { head :no_content }
flash[:notice] = "Comment updated!"
redirect_to @comment.blogpost
else
format.html { render action: "edit" }
format.json { render json: @comment.errors, status: :unprocessable_entity }
flash[:alert] = "There was a problem while updating your comment"
redirect_to session[:return_to]
session.delete(:redirect_to)
end
else
flash[:alert] = "You are not allowed to edit this comment"
redirect_to blogpost_path(params[:blogpost_id])
end
end
# DELETE /comments/1
# DELETE /comments/1.json
def destroy
@comment = Comment.find(params[:id])
@comment.destroy
respond_to do |format|
format.html { redirect_to comments_url }
format.json { head :no_content }
if current_user && ((current_user.rank >= rank_to_int("mod") && current_user.rank.to_i >= @comment.user.rank.to_i) || (current_user == @comment.user))
if @comment.destroy
flash[:notice] = "Comment deleted!"
else
flash[:alert] = "There was a problem while deleting this comment"
end
else
flash[:alert] = "You are not allowed to delete this comment"
end
redirect_to @comment.blogpost
end
end

9
app/controllers/users_controller.rb
View File

@@ -1,12 +1,9 @@
class UsersController < ApplicationController
# GET /users
# GET /users.json
def index
@users = User.all
end
# GET /users/1
# GET /users/1.json
def show
@user = User.find(params[:id])
end
@@ -27,7 +24,7 @@ class UsersController < ApplicationController
if current_user && (current_user.id = params[:id] || current_user.rank >= rank_to_int("mod"))
@user = User.find(params[:id])
else
flash[:alert] = "You are not allwoed to edit this user"
flash[:alert] = "You are not allowed to edit this user"
redirect_to user_path(params[:id])
end
end
@@ -36,9 +33,11 @@ class UsersController < ApplicationController
# POST /users.json
def create
@user = User.new(params[:user])
@user.last_ip = request.remote_ip
if @user.save
redirect_to @user, notice: 'User was successfully created.'
else
flash[:alert] = "Something went wrong"
render action: "new"
end
end

2
app/helpers/users_helper.rb
View File

@@ -2,7 +2,7 @@ module UsersHelper
def avatar_url(user_id, size)
u = User.find_by_id(user_id)
u.nil? ? ign = :char : ign = u.ign
return "https://minotar.net/avatar/#{ign}/#{size}"
return "https://minotar.net/helm/#{ign}/#{size}"
end
def mc_running?

4
app/models/comment.rb
View File

@@ -1,6 +1,6 @@
class Comment < ActiveRecord::Base
attr_accessible :text, :user_id, :blogpost, :post
validates_presence_of :text, :user_id, :blogpost_id
attr_accessible :text, :user, :blogpost, :post
validates_presence_of :text, :user, :blogpost
belongs_to :blogpost
belongs_to :user
end

2
app/views/blogposts/show.html.erb
View File

@@ -12,7 +12,7 @@
<div class="comment <%= "author" if c.user == @post.user %>">
<span class="comment-info"><%= link_to c.user.name, c.user %> on <%= c.created_at.strftime("%e. %b %Y") %>
<% if current_user && current_user.rank >= rank_to_int("mod") %>
- <%= link_to "edit", edit_blogpost_comment_path(c.id) %>
- <%= link_to "edit", edit_blogpost_comment_path(c.blogpost, c) %>
<% end %>
</span>
<div class="comment-content"><%= c.text %></div>

17
app/views/comments/_form.html.erb
View File

@@ -1,17 +0,0 @@
<%= form_for(@comment) do |f| %>
<% if @comment.errors.any? %>
<div id="error_explanation">
<h2><%= pluralize(@comment.errors.count, "error") %> prohibited this comment from being saved:</h2>
<ul>
<% @comment.errors.full_messages.each do |msg| %>
<li><%= msg %></li>
<% end %>
</ul>
</div>
<% end %>
<div class="actions">
<%= f.submit %>
</div>
<% end %>

10
app/views/comments/edit.html.erb
View File

@@ -1,6 +1,6 @@
<h1>Editing comment</h1>
<h1>Edit comment</h1>
<%= render 'form' %>
<%= link_to 'Show', @comment %> |
<%= link_to 'Back', comments_path %>
<%= simple_form_for [@comment.blogpost, @comment] do |f| %>
<%= f.input :text, :label => false, :as => "text", :placeholder => "Comment" %>
<%= f.submit %>
<% end %>

21
app/views/comments/index.html.erb
View File

@@ -1,21 +0,0 @@
<h1>Listing comments</h1>
<table>
<tr>
<th></th>
<th></th>
<th></th>
</tr>
<% @comments.each do |comment| %>
<tr>
<td><%= link_to 'Show', comment %></td>
<td><%= link_to 'Edit', edit_comment_path(comment) %></td>
<td><%= link_to 'Destroy', comment, method: :delete, data: { confirm: 'Are you sure?' } %></td>
</tr>
<% end %>
</table>
<br />
<%= link_to 'New Comment', new_comment_path %>

5
app/views/comments/new.html.erb
View File

@@ -1,5 +0,0 @@
<h1>New comment</h1>
<%= render 'form' %>
<%= link_to 'Back', comments_path %>

5
app/views/comments/show.html.erb
View File

@@ -1,5 +0,0 @@
<p id="notice"><%= notice %></p>
<%= link_to 'Edit', edit_comment_path(@comment) %> |
<%= link_to 'Back', comments_path %>

18
app/views/users/index.html.erb
View File

@@ -1,4 +1,14 @@
<h1>Listing users</h1>
<% @users.each do |u| %>
<%= link_to u.name, u %> (<%= u.ign %>)
<% end %>
<h1>All users</h1>
<div id="userlist">
<% @users.each do |u| %>
<div class="list-user">
<%= link_to u do %>
<%= image_tag(avatar_url(u.id, 64), :class => "avatar", :alt => "avatar") %>
<div class="user-info">
<span class="user-name"><%= u.name %></span>
<span class="user-ign"><%= u.ign %></span>
</div>
<% end %>
</div>
<% end %>
</div>