3 files changed, 83 insertions, 24 deletions

diff --git a/users/app/controllers/controller_extension/authentication.rb b/users/app/controllers/controller_extension/authentication.rb
new file mode 100644
index 0000000..6ac7a5b
--- /dev/null
+++ b/users/app/controllers/controller_extension/authentication.rb
@@ -0,0 +1,38 @@
+module ControllerExtension::Authentication
+  extend ActiveSupport::Concern
+
+  private
+
+  included do
+    helper_method :current_user, :logged_in?, :admin?
+  end
+
+  def authentication_errors
+    return unless errors = warden.winning_strategy.try(:message)
+    errors.inject({}) do |translated,err|
+      translated[err.first] = I18n.t(err.last)
+      translated
+    end
+  end
+
+  def logged_in?
+    !!current_user
+  end
+
+  def authorize
+    access_denied unless logged_in?
+  end
+
+  def access_denied
+    redirect_to login_url, :alert => "Not authorized"
+  end
+
+  def admin?
+    current_user && current_user.is_admin?
+  end
+
+  def authorize_admin
+    access_denied unless admin?
+  end
+
+end
diff --git a/users/app/controllers/sessions_controller.rb b/users/app/controllers/sessions_controller.rb
index 284c0e2..bc910b5 100644
--- a/users/app/controllers/sessions_controller.rb
+++ b/users/app/controllers/sessions_controller.rb
@@ -3,33 +3,24 @@ class SessionsController < ApplicationController
   skip_before_filter :verify_authenticity_token
 
   def new
+    @session = Session.new
+    if authentication_errors
+      @errors = authentication_errors
+      render :status => 422
+    end
   end
 
   def create
-    @user = User.find_by_param(params[:login])
-    session[:handshake] = @user.initialize_auth(params['A'].hex)
-    User.current = @user #?
-    render :json => session[:handshake]
-  rescue RECORD_NOT_FOUND
-    render :json => {:errors => {:login => ["unknown user"]}}
+    authenticate!
   end
 
   def update
-    # TODO: validate the id belongs to the session
-    @user = User.find_by_param(params[:id])
-    @srp_session = session.delete(:handshake)
-    @srp_session.authenticate!(params[:client_auth].hex)
-    session[:user_id] = @user.id
-    User.current = @user #?
-    render :json => @srp_session
-  rescue WRONG_PASSWORD
-    session[:handshake] = nil
-    render :json => {:errors => {"password" => ["wrong password"]}}
+    authenticate!
+    render :json => session.delete(:handshake)
   end
 
   def destroy
-    session[:user_id] = nil
-    User.current = nil #?
+    logout
     redirect_to root_path
   end
 end
diff --git a/users/app/controllers/users_controller.rb b/users/app/controllers/users_controller.rb
index 82d2eac..cffc8c6 100644
--- a/users/app/controllers/users_controller.rb
+++ b/users/app/controllers/users_controller.rb
@@ -1,18 +1,48 @@
 class UsersController < ApplicationController
 
-  skip_before_filter :verify_authenticity_token
+  skip_before_filter :verify_authenticity_token, :only => [:create]
+
+  before_filter :fetch_user, :only => [:edit, :update, :destroy]
+  before_filter :authorize_admin, :only => [:index]
 
   respond_to :json, :html
 
+  def index
+    if params[:query]
+      @users = User.by_login.startkey(params[:query]).endkey(params[:query].succ)
+    else
+      @users = User.by_created_at.descending
+    end
+    @users = @users.limit(10)
+    respond_with @users.map(&:login).sort
+  end
+
   def new
     @user = User.new
   end
 
   def create
-    @user = User.create!(params[:user])
-    respond_with(@user, :location => root_url, :notice => "Signed up!")
-  rescue VALIDATION_FAILED => e
-    @user = e.document
-    respond_with(@user, :location => new_user_path)
+    @user = User.create(params[:user])
+    respond_with @user
+  end
+
+  def edit
+  end
+
+  def update
+    @user.update_attributes(params[:user])
+    respond_with @user
+  end
+
+  def destroy
+    @user.destroy
+    redirect_to admin? ? users_path : login_path
+  end
+
+  protected
+
+  def fetch_user
+    @user = User.find_by_param(params[:id])
+    access_denied unless admin? or (@user == current_user)
   end
 end