Merge branch 'master' into feature/authentication_generic_error

Conflicts:
	app/views/layouts/_messages.html.haml
	app/views/layouts/application.html.haml
	users/app/assets/javascripts/users.js.coffee

9 files changed, 128 insertions, 68 deletions

diff --git a/users/app/controllers/account_settings_controller.rb b/users/app/controllers/account_settings_controller.rb
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/users/app/controllers/account_settings_controller.rb
diff --git a/users/app/controllers/controller_extension/authentication.rb b/users/app/controllers/controller_extension/authentication.rb
index 0dca29c..6daffdb 100644
--- a/users/app/controllers/controller_extension/authentication.rb
+++ b/users/app/controllers/controller_extension/authentication.rb
@@ -39,9 +39,18 @@ module ControllerExtension::Authentication
   end
 
   def access_denied
-    # TODO: should we redirect to the root_url in either case, and have the root_url include the login screen (and also ability to create unauthenticated tickets) when no user is logged in?
-    redirect_to login_url, :alert => "Not authorized" if !logged_in?
-    redirect_to root_url, :alert => "Not authorized" if logged_in?
+    respond_to do |format|
+      format.html do
+        if logged_in?
+          redirect_to root_url, :alert => t(:not_authorized)
+        else
+          redirect_to login_url, :alert => t(:not_authorized_login)
+        end
+      end
+      format.json do
+        render :json => {'error' => t(:not_authorized)}, status: :unprocessable_entity
+      end
+    end
   end
 
   def admin?
diff --git a/users/app/controllers/email_aliases_controller.rb b/users/app/controllers/email_aliases_controller.rb
index 3b0d5ac..4628a7f 100644
--- a/users/app/controllers/email_aliases_controller.rb
+++ b/users/app/controllers/email_aliases_controller.rb
@@ -1,20 +1,12 @@
-class EmailAliasesController < ApplicationController
-
+class EmailAliasesController < UsersBaseController
   before_filter :fetch_user
 
-  respond_to :html
-
   def destroy
     @alias = @user.email_aliases.delete(params[:id])
-    @user.save
-    flash[:notice] = t(:email_alias_destroyed_successfully, :alias => @alias)
-    redirect_to edit_user_path(@user, :anchor => :email)
+    if @user.save
+      flash[:notice] = t(:email_alias_destroyed_successfully, :alias => bold(@alias))
+    end
+    redirect_to edit_user_email_settings_path(@user)
   end
 
-  protected
-
-  def fetch_user
-    @user = User.find_by_param(params[:user_id])
-    access_denied unless admin? or (@user == current_user)
-  end
 end
diff --git a/users/app/controllers/email_settings_controller.rb b/users/app/controllers/email_settings_controller.rb
new file mode 100644
index 0000000..f7d85be
--- /dev/null
+++ b/users/app/controllers/email_settings_controller.rb
@@ -0,0 +1,41 @@
+class EmailSettingsController < UsersBaseController
+
+  before_filter :authorize
+  before_filter :fetch_user
+
+  def edit
+    @email_alias = LocalEmail.new
+  end
+
+  def update
+    @user.attributes = cleanup_params(params[:user])
+    if @user.changed?
+      if @user.save
+        flash[:notice] = t(:changes_saved)
+        redirect
+      else
+        if @user.email_aliases.last && !@user.email_aliases.last.valid?
+          # display bad alias in text field:
+          @email_alias = @user.email_aliases.pop
+        end
+        render 'email_settings/edit'
+      end
+    else
+      redirect
+    end
+  end
+
+  private
+
+  def redirect
+    redirect_to edit_user_email_settings_url(@user)
+  end
+
+  def cleanup_params(user)
+    if !user['email_forward'].nil? && user['email_forward'].empty?
+      user.delete('email_forward') # don't allow "" as an email forward
+    end
+    user
+  end
+
+end
diff --git a/users/app/controllers/overviews_controller.rb b/users/app/controllers/overviews_controller.rb
new file mode 100644
index 0000000..52ce267
--- /dev/null
+++ b/users/app/controllers/overviews_controller.rb
@@ -0,0 +1,9 @@
+class OverviewsController < UsersBaseController
+
+  before_filter :authorize
+  before_filter :fetch_user
+
+  def show
+  end
+
+end
diff --git a/users/app/controllers/sessions_controller.rb b/users/app/controllers/sessions_controller.rb
index 01ecff6..d6c455b 100644
--- a/users/app/controllers/sessions_controller.rb
+++ b/users/app/controllers/sessions_controller.rb
@@ -22,4 +22,15 @@ class SessionsController < ApplicationController
     logout
     redirect_to root_path
   end
+
+  #
+  # this is a bad hack, but user_overview_url(user) is not available
+  # also, this doesn't work because the redirect happens as a PUT. no idea why.
+  #
+  #Warden::Manager.after_authentication do |user, auth, opts|
+  #  response = Rack::Response.new
+  #  response.redirect "/users/#{user.id}/overview"
+  # throw :warden, response.finish
+  #end
+
 end
diff --git a/users/app/controllers/users_base_controller.rb b/users/app/controllers/users_base_controller.rb
new file mode 100644
index 0000000..dc2fa16
--- /dev/null
+++ b/users/app/controllers/users_base_controller.rb
@@ -0,0 +1,18 @@
+#
+# common base class for all user related controllers
+#
+
+class UsersBaseController < ApplicationController
+
+  protected
+
+  def fetch_user
+    @user = User.find_by_param(params[:user_id] || params[:id])
+    if !@user && admin?
+      redirect_to users_url, :alert => t(:no_such_thing, :thing => 'user')
+    elsif !admin? && @user != current_user
+      access_denied
+    end
+  end
+
+end
diff --git a/users/app/controllers/users_controller.rb b/users/app/controllers/users_controller.rb
index dff1ed5..4ce970b 100644
--- a/users/app/controllers/users_controller.rb
+++ b/users/app/controllers/users_controller.rb
@@ -1,74 +1,42 @@
-class UsersController < ApplicationController
+#
+# This is an HTML-only controller. For the JSON-only controller, see v1/users_controller.rb
+#
 
-  before_filter :authorize, :only => [:show, :edit, :destroy, :update]
+class UsersController < UsersBaseController
+
+  before_filter :authorize, :only => [:show, :edit, :update, :destroy]
   before_filter :fetch_user, :only => [:show, :edit, :update, :destroy]
-  before_filter :authorize_self, :only => [:update]
-  before_filter :set_anchor, :only => [:edit, :update]
   before_filter :authorize_admin, :only => [:index]
 
-  respond_to :json, :html
+  respond_to :html
 
   def index
     if params[:query]
-      @users = User.by_login.startkey(params[:query]).endkey(params[:query].succ)
+      if @user = User.find_by_login(params[:query])
+        redirect_to user_overview_url(@user)
+        return
+      else
+        @users = User.by_login.startkey(params[:query]).endkey(params[:query].succ)
+      end
     else
       @users = User.by_created_at.descending
     end
-    @users = @users.limit(10)
-    respond_with @users.map(&:login).sort
+    @users = @users.limit(100)
   end
 
   def new
     @user = User.new
   end
 
-  def create
-    @user = User.create(params[:user])
-    respond_with @user
+  def show
   end
 
   def edit
-    @email_alias = LocalEmail.new
-  end
-
-  def update
-    @user.attributes = params[:user]
-    if @user.changed? and @user.save
-      flash[:notice] = t(:user_updated_successfully)
-    elsif @user.email_aliases.last and !@user.email_aliases.last.valid?
-      @email_alias = @user.email_aliases.pop
-    end
-    respond_with @user, :location => edit_user_path(@user, :anchor => @anchor)
   end
 
   def destroy
     @user.destroy
-    redirect_to admin? ? users_path : login_path
+    redirect_to admin? ? users_url : root_url
   end
 
-  protected
-
-  def fetch_user
-    # authorize filter has been checked first, so won't get here unless authenticated
-    @user = User.find_by_param(params[:id])
-    if !@user and admin?
-      redirect_to users_path, :alert => t(:no_such_thing, :thing => 'user')
-      return
-    end
-    access_denied unless admin? or (@user == current_user)
-  end
-
-  def authorize_self
-    # have already checked that authorized
-    access_denied unless (@user == current_user)
-  end
-
-  def set_anchor
-    @anchor = email_settings? ? :email : :account
-  end
-
-  def email_settings?
-    params[:user] &&
-    params[:user].keys.detect{|key| key.index('email')}
-  end
 end
diff --git a/users/app/controllers/v1/users_controller.rb b/users/app/controllers/v1/users_controller.rb
index 617bd4b..fda56f2 100644
--- a/users/app/controllers/v1/users_controller.rb
+++ b/users/app/controllers/v1/users_controller.rb
@@ -1,20 +1,32 @@
 module V1
-  class UsersController < ApplicationController
+  class UsersController < UsersBaseController
 
     skip_before_filter :verify_authenticity_token
+    before_filter :fetch_user, :only => [:update]
     before_filter :authorize, :only => [:update]
+    before_filter :authorize_admin, :only => [:index]
 
     respond_to :json
 
+    def index
+      if params[:query]
+        @users = User.by_login.startkey(params[:query]).endkey(params[:query].succ)
+        respond_with @users.map(&:login).sort
+      else
+        render :json => {'error' => 'query required', 'status' => :unprocessable_entity}
+      end
+    end
+
     def create
       @user = User.create(params[:user])
       respond_with @user # return ID instead?
     end
 
     def update
-      # For now, only allow public key to be updated via the API. Eventually we might want to store in a config what attributes can be updated via the API.
-      @user = User.find_by_param(params[:id])
-      @user.update_attributes params[:user].slice(:public_key) if params[:user].respond_to?(:slice)
+      @user.update_attributes params[:user]
+      if @user.valid?
+        flash[:notice] = t(:user_updated_successfully)
+      end
       respond_with @user
     end