Add required authorization to all pages

Signed-off-by: Ira W. Snyder <devel@irasnyder.com>

diff --git a/app/controllers/application.rb b/app/controllers/application.rb
index e9da3d0..aaf37b3 100644 (file)
--- a/app/controllers/application.rb
+++ b/app/controllers/application.rb
@@ -13,4 +13,12 @@ class ApplicationController < ActionController::Base
       redirect_to :controller => "login", :action => "login"
     end
   end
+
+  def manager
+    user = User.find_by_id(session[:user_id])
+    unless user and user.manager
+      flash[:notice] = "You must be a manager to access this page"
+      redirect_to :controller => "login", :action => "index"
+    end
+  end
 end

diff --git a/app/controllers/coitem_controller.rb b/app/controllers/coitem_controller.rb
index a524f05..d93a4b0 100644 (file)
--- a/app/controllers/coitem_controller.rb
+++ b/app/controllers/coitem_controller.rb
@@ -1,4 +1,9 @@
 class CoitemController < ApplicationController
+
+  # Make sure that the user has logged in before they can take any
+  # action on checked out items
+  before_filter :authorize
+
   def index
     list
     render :action => 'list'

diff --git a/app/controllers/customer_controller.rb b/app/controllers/customer_controller.rb
index 9aba977..1e560c0 100644 (file)
--- a/app/controllers/customer_controller.rb
+++ b/app/controllers/customer_controller.rb
@@ -1,4 +1,8 @@
 class CustomerController < ApplicationController
+
+  # Make sure that the user has logged in before they can take any action
+  before_filter :authorize
+
   def index
     list
     render :action => 'list'

diff --git a/app/controllers/game_controller.rb b/app/controllers/game_controller.rb
index 42a037e..31fe67e 100644 (file)
--- a/app/controllers/game_controller.rb
+++ b/app/controllers/game_controller.rb
@@ -1,4 +1,8 @@
 class GameController < ApplicationController
+
+  # Make sure that the user has logged in before they can take any action
+  before_filter :authorize
+
   def index
     list
     render :action => 'list'

diff --git a/app/controllers/game_policy_controller.rb b/app/controllers/game_policy_controller.rb
index 9ef608f..1d5dc09 100644 (file)
--- a/app/controllers/game_policy_controller.rb
+++ b/app/controllers/game_policy_controller.rb
@@ -1,4 +1,11 @@
 class GamePolicyController < ApplicationController
+
+  # Make sure that the user has logged in before they can take any action
+  before_filter :authorize, :only => [:index, :list, :show]
+
+  # Make sure the user is a manager if they want to modify data
+  before_filter :manager, :only => [:new, :create, :edit, :update, :destroy]
+
   def index
     list
     render :action => 'list'

diff --git a/app/controllers/gamegenre_controller.rb b/app/controllers/gamegenre_controller.rb
index 1293676..e3005b1 100644 (file)
--- a/app/controllers/gamegenre_controller.rb
+++ b/app/controllers/gamegenre_controller.rb
@@ -1,4 +1,8 @@
 class GamegenreController < ApplicationController
+
+  # Make sure that a user logs in before doing any action here
+  before_filter :authorize
+
   def index
     list
     render :action => 'list'

diff --git a/app/controllers/gameplatform_controller.rb b/app/controllers/gameplatform_controller.rb
index 30aadf9..4e009c8 100644 (file)
--- a/app/controllers/gameplatform_controller.rb
+++ b/app/controllers/gameplatform_controller.rb
@@ -1,4 +1,8 @@
 class GameplatformController < ApplicationController
+
+  # Make sure that a user logs in before doing any action here
+  before_filter :authorize
+
   def index
     list
     render :action => 'list'

diff --git a/app/controllers/login_controller.rb b/app/controllers/login_controller.rb
index 9352437..f557c3e 100644 (file)
--- a/app/controllers/login_controller.rb
+++ b/app/controllers/login_controller.rb
@@ -2,7 +2,10 @@ class LoginController < ApplicationController
   layout "admin"
 
   # Make sure that a user logs in before doing any action here
-  before_filter :authorize, :except => :login
+  before_filter :authorize, :only => :index
+
+  # Only managers can do the following actions
+  before_filter :manager, :only => [:add_user, :delete_user, :list_users]
 
   def add_user
     @user = User.new(params[:user])
@@ -51,4 +54,5 @@ class LoginController < ApplicationController
   def list_users
     @all_users = User.find(:all)
   end
+
 end

diff --git a/app/controllers/media_controller.rb b/app/controllers/media_controller.rb
index 312a204..be0c368 100644 (file)
--- a/app/controllers/media_controller.rb
+++ b/app/controllers/media_controller.rb
@@ -1,4 +1,8 @@
 class MediaController < ApplicationController
+
+  # Make sure that a user logs in before doing any action here
+  before_filter :authorize
+
   def index
     list
     render :action => 'list'

diff --git a/app/controllers/merchandise_controller.rb b/app/controllers/merchandise_controller.rb
index 062a3ef..fb7beff 100644 (file)
--- a/app/controllers/merchandise_controller.rb
+++ b/app/controllers/merchandise_controller.rb
@@ -1,4 +1,8 @@
 class MerchandiseController < ApplicationController
+
+  # Make sure that a user logs in before doing any action here
+  before_filter :authorize
+
   def index
     list
     render :action => 'list'

diff --git a/app/controllers/purchase_controller.rb b/app/controllers/purchase_controller.rb
index ebb08cd..2ac4dae 100644 (file)
--- a/app/controllers/purchase_controller.rb
+++ b/app/controllers/purchase_controller.rb
@@ -1,5 +1,8 @@
 class PurchaseController < ApplicationController
 
+  # Make sure that a user logs in before doing any action here
+  before_filter :authorize
+
   def index
     redirect_to :action => :begin
   end

diff --git a/app/controllers/rentable_controller.rb b/app/controllers/rentable_controller.rb
index f8c6f51..ca9dad6 100644 (file)
--- a/app/controllers/rentable_controller.rb
+++ b/app/controllers/rentable_controller.rb
@@ -1,4 +1,8 @@
 class RentableController < ApplicationController
+
+  # Make sure that a user logs in before doing any action here
+  before_filter :authorize
+
   def index
     list
     render :action => 'list'

diff --git a/app/controllers/rentable_policy_controller.rb b/app/controllers/rentable_policy_controller.rb
index f99fbed..84c4e7c 100644 (file)
--- a/app/controllers/rentable_policy_controller.rb
+++ b/app/controllers/rentable_policy_controller.rb
@@ -1,4 +1,11 @@
 class RentablePolicyController < ApplicationController
+
+  # Make sure that a user logs in before doing any action here
+  before_filter :authorize, :only => [:index, :list, :show]
+
+  # Make sure the user is a manager before doing any action specified
+  before_filter :manager, :only => [:new, :create, :edit, :update, :destroy]
+
   def index
     list
     render :action => 'list'

diff --git a/app/controllers/video_controller.rb b/app/controllers/video_controller.rb
index 31575d8..ee34e5c 100644 (file)
--- a/app/controllers/video_controller.rb
+++ b/app/controllers/video_controller.rb
@@ -1,4 +1,8 @@
 class VideoController < ApplicationController
+
+  # Make sure that a user logs in before doing any action here
+  before_filter :authorize, :except => :login
+
   def index
     list
     render :action => 'list'

diff --git a/app/controllers/video_policy_controller.rb b/app/controllers/video_policy_controller.rb
index 4be73da..918c2e4 100644 (file)
--- a/app/controllers/video_policy_controller.rb
+++ b/app/controllers/video_policy_controller.rb
@@ -1,4 +1,11 @@
 class VideoPolicyController < ApplicationController
+
+  # Make sure that a user logs in before doing any action here
+  before_filter :authorize, :only => [:index, :list, :show]
+
+  # Only managers can do the following actions
+  before_filter :manager, :only => [:new, :create, :edit, :update, :destroy]
+
   def index
     list
     render :action => 'list'

diff --git a/app/controllers/videogenre_controller.rb b/app/controllers/videogenre_controller.rb
index 2462099..c0cef4f 100644 (file)
--- a/app/controllers/videogenre_controller.rb
+++ b/app/controllers/videogenre_controller.rb
@@ -1,4 +1,8 @@
 class VideogenreController < ApplicationController
+
+  # Make sure that a user logs in before doing any action here
+  before_filter :authorize
+
   def index
     list
     render :action => 'list'

diff --git a/app/models/user.rb b/app/models/user.rb
index 1edfc41..9e50c73 100644 (file)
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -36,8 +36,10 @@ class User < ActiveRecord::Base
   end
 
   def after_destroy
-    if User.count.zero?
-      raise "Can't delete last user"
+    # We can't delete all of the managers, nor all of the users
+    managers = User.find_all_by_manager(true)
+    if managers.length.zero? or User.count.zero?
+      raise "Can't delete last manager"
     end
   end
 

diff --git a/config/routes.rb b/config/routes.rb
index 9bbc463..ddbc98a 100644 (file)
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -11,7 +11,7 @@ ActionController::Routing::Routes.draw do |map|
 
   # You can have the root of your site routed by hooking up '' 
   # -- just remember to delete public/index.html.
-  # map.connect '', :controller => "welcome"
+  map.connect '', :controller => "login"
 
   # Allow downloading Web Service WSDL as a file with an extension
   # instead of a file named 'wsdl'

diff --git a/db/development.sqlite3 b/db/development.sqlite3
index e6ad50f..b910a37 100644 (file)
Binary files a/db/development.sqlite3 and b/db/development.sqlite3 differ

diff --git a/public/index.html b/public/index.html.orig
similarity index 100%
rename from public/index.html
rename to public/index.html.orig