From 233a6b122bc4aed44a0babee0797d2dba6da5b06 Mon Sep 17 00:00:00 2001
From: "Ira W. Snyder"
Date: Sat, 24 Nov 2007 01:39:10 -0800
Subject: [PATCH] Add required authorization to all pages
Signed-off-by: Ira W. Snyder
---
 app/controllers/application.rb | 8 ++++++++
 app/controllers/coitem_controller.rb | 5 +++++
 app/controllers/customer_controller.rb | 4 ++++
 app/controllers/game_controller.rb | 4 ++++
 app/controllers/game_policy_controller.rb | 7 +++++++
 app/controllers/gamegenre_controller.rb | 4 ++++
 app/controllers/gameplatform_controller.rb | 4 ++++
 app/controllers/login_controller.rb | 6 +++++-
 app/controllers/media_controller.rb | 4 ++++
 app/controllers/merchandise_controller.rb | 4 ++++
 app/controllers/purchase_controller.rb | 3 +++
 app/controllers/rentable_controller.rb | 4 ++++
 app/controllers/rentable_policy_controller.rb | 7 +++++++
 app/controllers/video_controller.rb | 4 ++++
 app/controllers/video_policy_controller.rb | 7 +++++++
 app/controllers/videogenre_controller.rb | 4 ++++
 app/models/user.rb | 6 ++++--
 config/routes.rb | 2 +-
 db/development.sqlite3 | Bin 24576 -> 24576 bytes
 public/{index.html => index.html.orig} | 0
 20 files changed, 83 insertions(+), 4 deletions(-)
 rename public/{index.html => index.html.orig} (100%)
diff --git a/app/controllers/application.rb b/app/controllers/application.rb
index e9da3d0..aaf37b3 100644
--- a/app/controllers/application.rb
+++ b/app/controllers/application.rb
@@ -13,4 +13,12 @@ class ApplicationController < ActionController::Base
 redirect_to :controller => "login", :action => "login"
 end
 end
+
+ def manager
+ user = User.find_by_id(session[:user_id])
+ unless user and user.manager
+ flash[:notice] = "You must be a manager to access this page"
+ redirect_to :controller => "login", :action => "index"
+ end
+ end
 end
diff --git a/app/controllers/coitem_controller.rb b/app/controllers/coitem_controller.rb
index a524f05..d93a4b0 100644
--- a/app/controllers/coitem_controller.rb
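Review bot: `manager` redirects a request with no `session[:user_id]` to `login/index`, but the login_controller hunk in this same patch puts `index` behind `authorize`, so an anonymous visitor is bounced a second time to `login/login` and the "You must be a manager" flash is most likely consumed by the intermediate request. Since the tail of `authorize` visible in the context lines already redirects to `login/login`, delegate the no-session case to it and keep the manager notice for authenticated non-managers, e.g. `return authorize if user.nil?` before the role test (this presumes `authorize` halts the chain by redirecting, which the context lines suggest but do not prove). Prefer `&&` over `and` in `unless user and user.manager`: `and` binds looser than `=` and is conventionally kept for statement sequencing. `authorize` begins above the hunk, so only its final redirect is visible here.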
+++ b/app/controllers/coitem_controller.rb
@@ -1,4 +1,9 @@
 class CoitemController < ApplicationController
+
+ # Make sure that the user has logged in before they can take any
+ # action on checked out items
+ before_filter :authorize
+
 def index
 list
 render :action => 'list'
diff --git a/app/controllers/customer_controller.rb b/app/controllers/customer_controller.rb
index 9aba977..1e560c0 100644
--- a/app/controllers/customer_controller.rb
+++ b/app/controllers/customer_controller.rb
@@ -1,4 +1,8 @@
 class CustomerController < ApplicationController
+
+ # Make sure that the user has logged in before they can take any action
+ before_filter :authorize
+
 def index
 list
 render :action => 'list'
diff --git a/app/controllers/game_controller.rb b/app/controllers/game_controller.rb
index 42a037e..31fe67e 100644
--- a/app/controllers/game_controller.rb
+++ b/app/controllers/game_controller.rb
@@ -1,4 +1,8 @@
 class GameController < ApplicationController
+
+ # Make sure that the user has logged in before they can take any action
+ before_filter :authorize
+
 def index
 list
 render :action => 'list'
diff --git a/app/controllers/game_policy_controller.rb b/app/controllers/game_policy_controller.rb
index 9ef608f..1d5dc09 100644
--- a/app/controllers/game_policy_controller.rb
+++ b/app/controllers/game_policy_controller.rb
@@ -1,4 +1,11 @@
 class GamePolicyController < ApplicationController
+
+ # Make sure that the user has logged in before they can take any action
+ before_filter :authorize, :only => [:index, :list, :show]
+
+ # Make sure the user is a manager if they want to modify data
+ before_filter :manager, :only => [:new, :create, :edit, :update, :destroy]
+
 def index
 list
 render :action => 'list'
diff --git a/app/controllers/gamegenre_controller.rb b/app/controllers/gamegenre_controller.rb
index 1293676..e3005b1 100644
--- a/app/controllers/gamegenre_controller.rb
+++ b/app/controllers/gamegenre_controller.rb
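Review bot: The two `:only` lists in GamePolicyController leave every action not named in either list — anything the controller defines beyond the scaffold set, or any action added later — with no filter at all, so authentication here is an allow-list rather than default-deny. `manager` already copes with a missing session, so the session check can run unconditionally with the role check layered on top: `before_filter :authorize` followed by `before_filter :manager, :only => [:new, :create, :edit, :update, :destroy]`. The same pattern recurs in the rentable_policy and video_policy hunks of this patch. The rest of the controller lies outside the hunk, so which other actions exist cannot be confirmed here.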
@@ -1,4 +1,8 @@
 class GamegenreController < ApplicationController
+
+ # Make sure that a user logs in before doing any action here
+ before_filter :authorize
+
 def index
 list
 render :action => 'list'
diff --git a/app/controllers/gameplatform_controller.rb b/app/controllers/gameplatform_controller.rb
index 30aadf9..4e009c8 100644
--- a/app/controllers/gameplatform_controller.rb
+++ b/app/controllers/gameplatform_controller.rb
@@ -1,4 +1,8 @@
 class GameplatformController < ApplicationController
+
+ # Make sure that a user logs in before doing any action here
+ before_filter :authorize
+
 def index
 list
 render :action => 'list'
diff --git a/app/controllers/login_controller.rb b/app/controllers/login_controller.rb
index 9352437..f557c3e 100644
--- a/app/controllers/login_controller.rb
+++ b/app/controllers/login_controller.rb
@@ -2,7 +2,10 @@ class LoginController < ApplicationController
 layout "admin"
 # Make sure that a user logs in before doing any action here
- before_filter :authorize, :except => :login
+ before_filter :authorize, :only => :index
+
+ # Only managers can do the following actions
+ before_filter :manager, :only => [:add_user, :delete_user, :list_users]
 def add_user
 @user = User.new(params[:user])
@@ -51,4 +54,5 @@ class LoginController < ApplicationController
 def list_users
 @all_users = User.find(:all)
 end
+
 end
diff --git a/app/controllers/media_controller.rb b/app/controllers/media_controller.rb
index 312a204..be0c368 100644
--- a/app/controllers/media_controller.rb
+++ b/app/controllers/media_controller.rb
@@ -1,4 +1,8 @@
 class MediaController < ApplicationController
+
+ # Make sure that a user logs in before doing any action here
+ before_filter :authorize
+
 def index
 list
 render :action => 'list'
diff --git a/app/controllers/merchandise_controller.rb b/app/controllers/merchandise_controller.rb
index 062a3ef..fb7beff 100644
--- a/app/controllers/merchandise_controller.rb
+++ b/app/controllers/merchandise_controller.rb
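Review bot: Replacing `:except => :login` with `:only => :index` turns the login controller from default-deny into an allow-list: any action other than `index`, `add_user`, `delete_user` and `list_users` is now reachable without a session, whereas before this patch everything except `login` required one (the remaining actions lie outside the hunk, so which ones exist cannot be confirmed here). Keep the original default-deny line and layer the role check on top: `before_filter :authorize, :except => :login` followed by `before_filter :manager, :only => [:add_user, :delete_user, :list_users]`; `manager` tolerates a missing session on its own, so the ordering is safe. Separately, the context line `@user = User.new(params[:user])` mass-assigns whatever the form posts, and `manager` is now a user attribute; that is acceptable only while `add_user` stays manager-only, so a comment saying so — or `attr_protected :manager` on the model — would keep a later self-service signup path from granting the flag.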
@@ -1,4 +1,8 @@
 class MerchandiseController < ApplicationController
+
+ # Make sure that a user logs in before doing any action here
+ before_filter :authorize
+
 def index
 list
 render :action => 'list'
diff --git a/app/controllers/purchase_controller.rb b/app/controllers/purchase_controller.rb
index ebb08cd..2ac4dae 100644
--- a/app/controllers/purchase_controller.rb
+++ b/app/controllers/purchase_controller.rb
@@ -1,5 +1,8 @@
 class PurchaseController < ApplicationController
+ # Make sure that a user logs in before doing any action here
+ before_filter :authorize
+
 def index
 redirect_to :action => :begin
 end
diff --git a/app/controllers/rentable_controller.rb b/app/controllers/rentable_controller.rb
index f8c6f51..ca9dad6 100644
--- a/app/controllers/rentable_controller.rb
+++ b/app/controllers/rentable_controller.rb
@@ -1,4 +1,8 @@
 class RentableController < ApplicationController
+
+ # Make sure that a user logs in before doing any action here
+ before_filter :authorize
+
 def index
 list
 render :action => 'list'
diff --git a/app/controllers/rentable_policy_controller.rb b/app/controllers/rentable_policy_controller.rb
index f99fbed..84c4e7c 100644
--- a/app/controllers/rentable_policy_controller.rb
+++ b/app/controllers/rentable_policy_controller.rb
@@ -1,4 +1,11 @@
 class RentablePolicyController < ApplicationController
+
+ # Make sure that a user logs in before doing any action here
+ before_filter :authorize, :only => [:index, :list, :show]
+
+ # Make sure the user is a manager before doing any action specified
+ before_filter :manager, :only => [:new, :create, :edit, :update, :destroy]
+
 def index
 list
 render :action => 'list'
diff --git a/app/controllers/video_controller.rb b/app/controllers/video_controller.rb
index 31575d8..ee34e5c 100644
--- a/app/controllers/video_controller.rb
+++ b/app/controllers/video_controller.rb
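Review bot: `before_filter :authorize, :only => [:index, :list, :show]` leaves any RentablePolicyController action outside both `:only` lists with no filter, so the controller is allow-listed rather than default-deny and a new action silently ships unauthenticated. Because `manager` already redirects when there is no session, the `:only` on the first filter buys nothing; make it `before_filter :authorize` and keep the manager filter as written for the mutating actions. The controller body continues past the hunk, so the full action set is not visible here.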
@@ -1,4 +1,8 @@
 class VideoController < ApplicationController
+
+ # Make sure that a user logs in before doing any action here
+ before_filter :authorize, :except => :login
+
 def index
 list
 render :action => 'list'
diff --git a/app/controllers/video_policy_controller.rb b/app/controllers/video_policy_controller.rb
index 4be73da..918c2e4 100644
--- a/app/controllers/video_policy_controller.rb
+++ b/app/controllers/video_policy_controller.rb
@@ -1,4 +1,11 @@
 class VideoPolicyController < ApplicationController
+
+ # Make sure that a user logs in before doing any action here
+ before_filter :authorize, :only => [:index, :list, :show]
+
+ # Only managers can do the following actions
+ before_filter :manager, :only => [:new, :create, :edit, :update, :destroy]
+
 def index
 list
 render :action => 'list'
diff --git a/app/controllers/videogenre_controller.rb b/app/controllers/videogenre_controller.rb
index 2462099..c0cef4f 100644
--- a/app/controllers/videogenre_controller.rb
+++ b/app/controllers/videogenre_controller.rb
@@ -1,4 +1,8 @@
 class VideogenreController < ApplicationController
+
+ # Make sure that a user logs in before doing any action here
+ before_filter :authorize
+
 def index
 list
 render :action => 'list'
diff --git a/app/models/user.rb b/app/models/user.rb
index 1edfc41..9e50c73 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -36,8 +36,10 @@ class User < ActiveRecord::Base
 end
 def after_destroy
- if User.count.zero?
- raise "Can't delete last user"
+ # We can't delete all of the managers, nor all of the users
+ managers = User.find_all_by_manager(true)
+ if managers.length.zero? or User.count.zero?
+ raise "Can't delete last manager"
 end
 end
diff --git a/config/routes.rb b/config/routes.rb
index 9bbc463..ddbc98a 100644
--- a/config/routes.rb
+++ b/config/routes.rb
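Review bot: `before_filter :authorize, :except => :login` in VideoController exempts an action named `login` that nothing in this hunk defines, and reads as a copy-paste of the login controller's old filter line. If no such action exists the exemption is dead code, but if one is ever added to this controller it bypasses authentication without anyone noticing; drop the option so the line is `before_filter :authorize`, matching every other list controller in this patch. The remainder of the class lies outside the hunk.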
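Review bot: As in the other policy controllers, the `:only` lists in VideoPolicyController mean any action not explicitly named runs with no filter, which inverts the default-deny intent stated in the commit subject. Make the session check unconditional — `before_filter :authorize` — and leave `before_filter :manager, :only => [:new, :create, :edit, :update, :destroy]` as the role check; `manager` handles the missing-session case itself, so nothing is lost. The rest of the controller is outside the hunk.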
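Review bot: In `after_destroy` the second disjunct `User.count.zero?` is dead: if any manager row remains, `User.count` cannot be zero, and if none remains the first test already fires — so the "nor all of the users" case in the new comment is not a separate check and `"Can't delete last manager"` is the only message that can be raised. Loading every manager row just to test emptiness is also wasteful; `if User.count(:conditions => { :manager => true }).zero?` does the same check in the database and lets the comment read `# Never let the last manager be deleted`. The guard runs after the row is gone and relies on the surrounding transaction rolling back on the raise, and two deletions racing each other can both pass it; that is tolerable for an admin-only path but deserves a comment saying so. The enclosing class continues outside the hunk.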
@@ -11,7 +11,7 @@ ActionController::Routing::Routes.draw do |map|
 # You can have the root of your site routed by hooking up ''
 # -- just remember to delete public/index.html.
- # map.connect '', :controller => "welcome"
+ map.connect '', :controller => "login"
 # Allow downloading Web Service WSDL as a file with an extension
 # instead of a file named 'wsdl'
diff --git a/db/development.sqlite3 b/db/development.sqlite3
index e6ad50fae99ef9f0cd08c9df19e9aba0b3e1fd61..b910a3725e78c7698b8199b8218517f4b40a0960 100644
GIT binary patch
delta 372
zcmYMwu}%Xq41nS5UFn88GL(gh0TrENJGN&=kWS19iCmIHsA`8&=9V|$RVu{B(3jyo zh|0j`>GN;z4x`;+^f4PK-Xs#!@~hE;gZ>u3W<3@Rvn8a(%8u{1dE zs71xZ;tinZLbie?T1Zl6^QuL3;N7OH|02U(TE485y*U>lT58c5raquX@g6iMG)|nA cA;x1Qm2-}wlm{S{%`60)s;aurud7@71((rYV*mgE
delta 114
zcmV~$u?@m75CFipEYVP80Mb(+Q1brR|1~8F3m}U8JDwxiAgfr2KFhENcgyaU-EAk= z*7kQk0)X=seD%4mFaI2y_q~}kCz>sGM7`;Rie`kE*(_QiDJn9Qtl^qSB=wBk-6Vu4 Rh{$2!M6rzS0H5#WL4PHo9)bV>
diff --git a/public/index.html b/public/index.html.orig
similarity index 100%
rename from public/index.html
rename to public/index.html.orig
--
2.25.1
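Review bot: The context comment directly above the change says to delete `public/index.html` once the root is routed, yet the diffstat shows the file was renamed to `public/index.html.orig` instead, so the stock Rails welcome page still ships under `public/` and is very likely served statically at `/index.html.orig` to anyone, advertising the framework in use. Delete the file rather than renaming it, and drop `.orig` copies from the tree generally. The new root route `map.connect '', :controller => "login"` is fine so long as `login`'s `index` stays behind `authorize`, as the login_controller hunk arranges.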