1 Replies - 2139 Views - Last Post: 23 February 2012 - 08:09 PM

#1 NotarySojac

Is the password needed whenever updating an attribute of User?

Posted 23 February 2012 - 06:01 PM

So, I have a user model that has multiple 'persons' as an attribute @user.persons = []
I want a user to be able to add person entities to their account, as can somewhat be seen below.

A visual for what the user's page looks like (very unfinished, it's been at the bottom of my list a while due to other concerns):
Posted Image

But when I try my current scheme, it exclaims that I haven't entered a password (because I'd like to not need the password, since they're already authenticated).


So I'm getting the feeling that I just need to pass the user's password into the form as a hidden input. Is that the standard method or am I missing something? I don't even know how to pull that data out of memory =/


=====

Ok, there's SO MUCH code to share here it's ridiculous.


User Model (error msg origin... it's based on a template from ruby.railstutorial.com/book):
require 'digest'
class User < ActiveRecord::Base
  attr_accessor :password
  attr_accessible :email, :password, :password_confirmation
  
  has_many :persons
  has_many :addresses
  
  has_many :todos, :dependent => :destroy
  
  has_one :employee
  
  
  
  has_many :relationships, :foreign_key => "follower_id", # override the foreign key default ("user_id") so the join uses "follower_id"
                           :dependent => :destroy
  has_many :following, :through => :relationships, :source => :followed  # override to use "followed_id"
  
  
  has_many :reverse_relationships, :foreign_key => "followed_id",
                                   :class_name => "Relationship",
                                   :dependent => :destroy
  has_many :followers, :through => :reverse_relationships, :source => :follower
  
  
  
  
  email_regex = /\A[\w+\-.]+@[a-z\d\-.]+\.[a-z]+\z/i
  
  #validates :name, :presence => true, :length   => { :maximum => 50 }
  
  validates :email, :presence => true, :format => { :with => email_regex },
                    :uniqueness => { :case_sensitive => false }
  
  validates :password, :presence     => true,
                     :confirmation => true,
                     :length       => { :within => 6..40 }

  before_save :encrypt_password
  
  def has_password?(submitted_password)
    encrypted_password == encrypt(submitted_password)
  end
  
  def self.authenticate(email, submitted_password)
    user = find_by_email(email)
    return nil  if user.nil?
    return user if user.has_password?(submitted_password)
  end

  def self.authenticate_with_salt(id, cookie_salt)
    user = find_by_id(id)
    (user && user.salt == cookie_salt) ? user : nil
  end
  
  
  def following?(followed)
    relationships.find_by_followed_id(followed)
  end

  def follow!(followed)
    relationships.create!(:followed_id => followed.id)
  end
  
  def unfollow!(followed)
    relationships.find_by_followed_id(followed).destroy
  end
  
  def feed
    ## This is preliminary. See Chapter 12 for the full implementation.
    # Micropost.where("user_id = ?", id)
    Micropost.from_users_followed_by(self)
  end
  
  private
    
    def encrypt_password
      self.salt = make_salt if new_record?
      self.encrypted_password = encrypt(password)
    end

    def encrypt(string)
      secure_hash("#{salt}--#{string}")
    end

    def make_salt
      secure_hash("#{Time.now.utc}--#{password}")
    end

    def secure_hash(string)
      Digest::SHA2.hexdigest(string)
    end

end





Controller for persons.. for creating persons (tied to form's action):
  def create
    #@person = Person.new(params[:person])
    @user = User.where(:id => params[:person][:user_id] ).first
    
    #make sure the user being edited is the current user
    if current_user != @user
      flash[:error] = "You don't have access to this user's persons"
      render '/'
      return
    end
    
    # current_user.persons.new(params[:person])
    
    if current_user.update_attributes(:person => params[:person]) #current_user.save
      # sign_in @user
      flash[:success] = "Person successfully created!"
      
      redirect_to @user
    else
      flash[:error] = current_user.errors
      redirect_to @user
    end
  end




Controller for the view (users controller):
  .
  .
  .
  def show
    @user   = User.find(params[:id])  #  Think  www.example.com/users/:id
    #@microposts = @user.microposts.paginate(:page => params[:page])
    @persons = @user.persons
    @new_person = @user.persons.new
    @title  = @user.email
    @employee = @user.employee
  end
  .
  .
  .




The view pictured:
<h1>Person X</h1>

<div class="user_info">
	<% unless @persons.empty? %>
		<% @persons.each do %>
			hi<br>
		<% end %>
	<% else %>
		There are no person details registered for this account.<br><br>
	<% end %>
	
	<a href='javascript:showFormForAddingPerson();'>Add a new 'Person' to your account?</a>
	
	
	<%= form_for(@new_person, :url => { :action => "create", :controller => "persons" } ) do |f| %>
		<% if @new_person.errors.any? %>
		    <div id="error_explanation">
		      <h2><%= pluralize(@new_person.errors.count, "error") %> prohibited this user from being saved:</h2>
		
		      <ul>
		      <% @new_person.errors.full_messages.each do |msg| %>
		        <li><%= msg %></li>
		      <% end %>
		      </ul>
		    </div>
		<% end %>
		
		
		<div class="field">
			<div class='entry'>
			    <%= f.label :user_id, 'User ID:' %>
			    <%= f.text_field :user_id %><br />
		    </div>
		    
		    <div class='entry'>
			    <%= f.label :first_name, 'First Name:' %>
			    <%= f.text_field :first_name %><br>
		    </div>
		    
		    <div class='entry'>
			    <%= f.label :last_name, 'Last Name:' %>
			    <%= f.text_field :last_name %><br>
		    </div>
		    
		    <div class='entry'>
			    <%= f.label :email, 'Email:' %>
			    <%= f.text_field :email %><br>
		    </div>
		    
		    <%= f.submit %>
		</div>
	<% end %>
	
</div>




Replies To: Is the password needed whenever updating an attribute of User?

#2 NotarySojac

Re: Is the password needed whenever updating an attribute of User?

Posted 23 February 2012 - 08:09 PM

I made some changes to that persons controller to make things work for me and added an input box on the view, requesting that the user enter their password in order to make changes to their account.


  .
  .
  .
  def create
    #@person = Person.new(params[:person])
    @user = User.where(:id => params[:person][:user_id] ).first
    
    #make sure the user being edited is the current user
    if current_user != @user
      flash[:error] = "You don't have access to this user's persons"
      render '/'
      return
    end
    
    # get their god damn password where it goes...
    # (this placeholder is never used: has_password? below compares against
    #  salt and encrypted_password, and the value is overwritten or we return)
    current_user.password = '111111'
    
    if current_user.has_password?(params[:password])  # if they had the password correct...
      current_user.password = params[:password]  # then set the password in current_user... i guess...
    else
      flash[:error] = "You had the wrong password."  # or die
      redirect_to @user
      return
    end
    
    current_user.persons.create(params[:person])
    
    if current_user.save # current_user.update_attributes(:person => params[:person])
      # sign_in @user
      flash[:success] = "Person successfully created!"
      
      redirect_to @user
    else
      flash[:error] = current_user.errors
      redirect_to @user
    end
  end
  .
  .
  .



I'll have to review my resources and figure out how it's meant to be because I just don't remember even running into this problem before (let alone the way the code looks now, yucky).
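An added example, not the poster's code or the tutorial's: a plain-Ruby stand-in for the User model (no ActiveRecord) whose password validation only runs when a password is actually being set, which is the effect of putting `:if => :password_required?` on the `validates :password` line, so an already-authenticated user can add a person without re-entering the password or echoing it through a hidden field, while the stored salted hash is still checked with has_password?. It reuses the salt/SHA2 scheme from the model in the first post; `password_required?` and the `persons` array are assumptions made up for the example.

```ruby
require 'digest'

# Added example, not the poster's code: a plain-Ruby stand-in for the
# tutorial's User model. The password is validated only when it is being
# set (new record, or a password was supplied), not on every save.
class User
  attr_accessor :password, :password_confirmation, :salt, :encrypted_password
  attr_reader :persons, :errors

  def initialize
    @persons, @errors, @new_record = [], [], true
  end

  def new_record?; @new_record; end

  # New users must set a password; existing users only when they supply one.
  def password_required?
    new_record? || !password.nil?
  end

  def valid?
    @errors = []
    if password_required?
      @errors << "Password can't be blank" if password.to_s.empty?
      @errors << "Password is too short" unless (6..40).cover?(password.to_s.length)
      @errors << "Password doesn't match confirmation" unless password == password_confirmation
    end
    @errors.empty?
  end

  # Mirrors before_save :encrypt_password; the plaintext is dropped after hashing.
  def save
    return false unless valid?
    if password_required?
      self.salt = secure_hash("#{Time.now.utc}--#{password}") if new_record?
      self.encrypted_password = encrypt(password)
    end
    @new_record = false
    self.password = self.password_confirmation = nil
    true
  end

  def has_password?(submitted)
    encrypted_password == encrypt(submitted)
  end

  private
  def encrypt(string); secure_hash("#{salt}--#{string}"); end
  def secure_hash(string); Digest::SHA2.hexdigest(string); end
end
```

In the Rails model this is one extra option on the existing call: `validates :password, :presence => true, :confirmation => true, :length => { :within => 6..40 }, :if => :password_required?`, with `password_required?` defined as `new_record? || !password.nil?`.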