Require authentication for most endpoints (#29)

Reviewed-on: #29
This commit is contained in:
Andrew Tomaka 2024-09-08 21:07:51 -04:00
parent 0f95034e8e
commit c64550785e
15 changed files with 84 additions and 11 deletions

View file

@ -1,3 +1,4 @@
class ApplicationController < ActionController::Base class ApplicationController < ActionController::Base
include Authenticatable include Authenticatable
include Authorizable
end end

View file

@ -0,0 +1,37 @@
module Authorizable
extend ActiveSupport::Concern
included do
before_action :require_registered_user
end
class_methods do
def allow_unregistered_user(**args)
skip_before_action :require_registered_user, **args
end
def require_unregistered_user(**args)
skip_before_action :require_registered_user, **args
before_action :require_unregistered_user, **args
end
end
private
def require_registered_user
Current.user.registered? || redirect_to_sign_in
end
def require_unregistered_user
Current.user.unregistered? || redirect_to_dashboard
end
def redirect_to_sign_in
session[:return_url] = request.url
redirect_to new_session_url, alert: "You must be logged in to continue."
end
def redirect_to_dashboard
redirect_to root_url, alert: "You are already logged in."
end
end

View file

@ -1,4 +1,5 @@
class SessionsController < ApplicationController class SessionsController < ApplicationController
require_unregistered_user only: %i[new create]
# GET /sessions/new # GET /sessions/new
def new def new
@session = Session.new @session = Session.new
@ -11,9 +12,8 @@ class SessionsController < ApplicationController
respond_to do |format| respond_to do |format|
if @session.save if @session.save
session[:current_user_id] = @session.user_id session[:current_user_id] = @session.user_id
Rails.logger.info("ID: #{@session.user_id}")
format.html { redirect_to root_url, notice: "Session was successfully created." } format.html { redirect_to redirect_url, notice: "Session was successfully created." }
format.json { render :show, status: :created, location: @session } format.json { render :show, status: :created, location: @session }
else else
format.html { render :new, status: :unprocessable_entity, alert: @session.errors } format.html { render :new, status: :unprocessable_entity, alert: @session.errors }
@ -27,12 +27,16 @@ class SessionsController < ApplicationController
session[:current_user_id] = nil session[:current_user_id] = nil
respond_to do |format| respond_to do |format|
format.html { redirect_to root_url, notice: "Session was successfully destroyed." } format.html { redirect_to new_session_url, notice: "Session was successfully destroyed." }
format.json { head :no_content } format.json { head :no_content }
end end
end end
private private
def redirect_url
session.delete(:return_url) || root_url
end
# Only allow a list of trusted parameters through. # Only allow a list of trusted parameters through.
def session_params def session_params
params.require(:session).permit(:email, :password) params.require(:session).permit(:email, :password)

View file

@ -1,4 +1,6 @@
class UsersController < ApplicationController class UsersController < ApplicationController
require_unregistered_user only: %i[new create]
before_action :set_user, only: %i[ show edit update destroy ] before_action :set_user, only: %i[ show edit update destroy ]
# GET /users or /users.json # GET /users or /users.json
@ -25,6 +27,9 @@ class UsersController < ApplicationController
respond_to do |format| respond_to do |format|
if @user.save if @user.save
@session = Session.new(session_params).save
session[:current_user_id] = @session.user_id
format.html { redirect_to user_url(@user), notice: "User was successfully created." } format.html { redirect_to user_url(@user), notice: "User was successfully created." }
format.json { render :show, status: :created, location: @user } format.json { render :show, status: :created, location: @user }
else else
@ -67,4 +72,8 @@ class UsersController < ApplicationController
def user_params def user_params
params.require(:user).permit(:email, :password, :password_confirmation) params.require(:user).permit(:email, :password, :password_confirmation)
end end
def session_params
user_params.slice(:email, :password)
end
end end

View file

@ -1,3 +1,5 @@
class GuestUser class GuestUser
def registered? = false def registered? = false
def unregistered? = true
end end

View file

@ -2,4 +2,6 @@ class User < ApplicationRecord
has_secure_password has_secure_password
def registered? = true def registered? = true
def unregistered? = false
end end

View file

@ -14,14 +14,15 @@
<body> <body>
<nav class="w-100 p-6 bg-gray-900 flex items-center justify-between flex-wrap"> <nav class="w-100 p-6 bg-gray-900 flex items-center justify-between flex-wrap">
<ul class="flex"> <ul class="flex">
<li class="mr-6"><%= link_to "Dashboard", root_path, class: "text-white" %></li>
<li class="mr-6"><%= link_to "Expenses", expenses_path, class: "text-white" %></li>
<li class="mr-6"><%= link_to "Credit Card Bills", credit_card_bills_path, class: "text-white" %></li>
<li class="mr-6"><%= link_to "Incomes", incomes_path, class: "text-white" %></li>
<li class="mr-6"><%= link_to "Members", members_path, class: "text-white" %></li>
<% if Current.user.registered? %> <% if Current.user.registered? %>
<li class="mr-6"><%= link_to "Dashboard", root_path, class: "text-white" %></li>
<li class="mr-6"><%= link_to "Expenses", expenses_path, class: "text-white" %></li>
<li class="mr-6"><%= link_to "Credit Card Bills", credit_card_bills_path, class: "text-white" %></li>
<li class="mr-6"><%= link_to "Incomes", incomes_path, class: "text-white" %></li>
<li class="mr-6"><%= link_to "Members", members_path, class: "text-white" %></li>
<li class="mr-6"><%= link_to "Log out", session_path, data: {turbo_method: :delete}, class: "text-white" %></li> <li class="mr-6"><%= link_to "Log out", session_path, data: {turbo_method: :delete}, class: "text-white" %></li>
<% else %> <% else %>
<li class="mr-6"><%= link_to "Sign up", new_user_path, class: "text-white" %></li>
<li class="mr-6"><%= link_to "Log in", new_session_path, class: "text-white" %></li> <li class="mr-6"><%= link_to "Log in", new_session_path, class: "text-white" %></li>
<% end %> <% end %>
</ul> </ul>

View file

@ -20,8 +20,9 @@ class SessionsControllerTest < ActionDispatch::IntegrationTest
end end
test "should destroy session" do test "should destroy session" do
login(users(:one).email)
delete session_url(@session) delete session_url(@session)
assert_redirected_to root_url assert_redirected_to new_session_url
end end
end end

View file

@ -6,6 +6,7 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
end end
test "should get index" do test "should get index" do
login(@user.email)
get users_url get users_url
assert_response :success assert_response :success
end end
@ -31,21 +32,25 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
end end
test "should show user" do test "should show user" do
login(@user.email)
get user_url(@user) get user_url(@user)
assert_response :success assert_response :success
end end
test "should get edit" do test "should get edit" do
login(@user.email)
get edit_user_url(@user) get edit_user_url(@user)
assert_response :success assert_response :success
end end
test "should update user" do test "should update user" do
login(@user.email)
patch user_url(@user), params: { user: { email: @user.email, password: "secret", password_confirmation: "secret" } } patch user_url(@user), params: { user: { email: @user.email, password: "secret", password_confirmation: "secret" } }
assert_redirected_to user_url(@user) assert_redirected_to user_url(@user)
end end
test "should destroy user" do test "should destroy user" do
login(@user.email)
assert_difference("User.count", -1) do assert_difference("User.count", -1) do
delete user_url(@user) delete user_url(@user)
end end

View file

@ -3,6 +3,7 @@ require "application_system_test_case"
class CreditCardBillsTest < ApplicationSystemTestCase class CreditCardBillsTest < ApplicationSystemTestCase
setup do setup do
@credit_card_bill = credit_card_bills(:one) @credit_card_bill = credit_card_bills(:one)
login(users(:one).email)
end end
test "visiting the index" do test "visiting the index" do

View file

@ -3,6 +3,7 @@ require "application_system_test_case"
class ExpensesTest < ApplicationSystemTestCase class ExpensesTest < ApplicationSystemTestCase
setup do setup do
@expense = expenses(:monthly_expense) @expense = expenses(:monthly_expense)
login(users(:one).email)
end end
test "visiting the index" do test "visiting the index" do

View file

@ -3,6 +3,7 @@ require "application_system_test_case"
class IncomesTest < ApplicationSystemTestCase class IncomesTest < ApplicationSystemTestCase
setup do setup do
@income = incomes(:included_1) @income = incomes(:included_1)
login(users(:one).email)
end end
test "visiting the index" do test "visiting the index" do

View file

@ -3,6 +3,7 @@ require "application_system_test_case"
class MembersTest < ApplicationSystemTestCase class MembersTest < ApplicationSystemTestCase
setup do setup do
@member = members(:one) @member = members(:one)
login(users(:one).email)
end end
test "visiting the index" do test "visiting the index" do

View file

@ -6,13 +6,14 @@ class UsersTest < ApplicationSystemTestCase
end end
test "visiting the index" do test "visiting the index" do
login(@user.email)
visit users_url visit users_url
assert_selector "h1", text: "Users" assert_selector "h1", text: "Users"
end end
test "should create user" do test "should create user" do
visit users_url visit users_url
click_on "New user" click_on "Sign up"
fill_in "Email", with: "userthree@example.local" fill_in "Email", with: "userthree@example.local"
fill_in "Password", with: "secret" fill_in "Password", with: "secret"
@ -24,6 +25,7 @@ class UsersTest < ApplicationSystemTestCase
end end
test "should update User" do test "should update User" do
login(@user.email)
visit user_url(@user) visit user_url(@user)
click_on "Edit this user", match: :first click_on "Edit this user", match: :first
@ -37,7 +39,8 @@ class UsersTest < ApplicationSystemTestCase
end end
test "should destroy User" do test "should destroy User" do
visit user_url(@user) login(@user.email)
visit user_url(users(:two))
click_on "Destroy this user", match: :first click_on "Destroy this user", match: :first
assert_text "User was successfully destroyed" assert_text "User was successfully destroyed"

View file

@ -10,4 +10,8 @@ class ActiveSupport::TestCase
fixtures :all fixtures :all
# Add more helper methods to be used by all tests here... # Add more helper methods to be used by all tests here...
def login(email, password = "secret")
post sessions_url, params: { session: { email: email, password: password } }
assert session[:current_user_id].present?
end
end end