Merge pull request #497 from shingara/features/#456

Improve user management

Merge pull request #497 from shingara/features/#456
Improve user management
Cyril Mougel
2 parents ea727cfc f2409444
Showing 21 changed files with 317 additions and 181 deletions Show diff stats
CHANGELOG.md
Gemfile
Gemfile.lock
app/controllers/application_controller.rb
app/controllers/users_controller.rb
app/interactors/user_destroy.rb
app/models/user.rb
app/views/users/_fields.html.haml
app/views/users/edit.html.haml
app/views/users/index.html.haml
app/views/users/new.html.haml
app/views/users/show.html.haml
config/locales/en.yml
spec/controllers/users_controller_spec.rb
spec/fabricators/app_fabricator.rb
spec/interactors/user_destroy_spec.rb
spec/models/user_spec.rb
spec/views/users/edit.html.haml_spec.rb
spec/views/users/index.html.haml_spec.rb
spec/views/users/new.html.haml_spec.rb
@@ -5,6 +5,8 @@
 - Update some gems ([@shingara][])
 - [#492][] Improve some Pjax call ([@nfedyashev][])
 - [#428][] Add the support of Unfuddle Tracker ([@parallel588][])
+- Avoid to delete his own user ([@shingara][])
+- [#456] Avoid to delete admin access of current user logged ([@shingara][])
  
 ### Bug Fixes
  
@@ -48,6 +50,7 @@
 [#428]: https://github.com/errbit/errbit/issues/428
 [#453]: https://github.com/errbit/errbit/issues/453
 [#455]: https://github.com/errbit/errbit/issues/455
+[#456]: https://github.com/errbit/errbit/issues/456
 [#457]: https://github.com/errbit/errbit/issues/457
 [#460]: https://github.com/errbit/errbit/issues/460
 [#466]: https://github.com/errbit/errbit/issues/466
@@ -2,7 +2,9 @@ source &#39;http://rubygems.org&#39;
  
 gem 'rails', '3.2.13'
 gem 'mongoid', '~> 2.7.1'
-gem 'mongoid_rails_migrations'
+
+# Mongoid rails migration > 0.0.14 is not compatible to Mongoid 2.x
+gem 'mongoid_rails_migrations', '~> 0.0.14'
 gem 'devise', '~> 1.5.4'
 gem 'haml'
 gem 'htmlentities'
@@ -10,6 +12,8 @@ gem &#39;rack-ssl&#39;, :require =&gt; &#39;rack/ssl&#39;   # force SSL
  
 gem 'useragent'
 gem 'inherited_resources'
+gem 'decent_exposure'
+gem 'strong_parameters'
 gem 'SystemTimer', :platform => :ruby_18
 gem 'actionmailer_inline_css', "~> 1.3.0"
 gem 'kaminari', '>= 0.14.1'
 GIT
   remote: https://github.com/NARKOZ/gitlab.git
-  revision: f2ba111dba70eca5346a880c541dafaf35d3332a
+  revision: 53d7a8a86dfed63e56eeb16ea496bb7a82de337e
   specs:
     gitlab (2.2.0)
       httparty
@@ -91,9 +91,8 @@ GEM
       simplecov (>= 0.7)
       thor
     crack (0.3.2)
-    css_parser (1.2.6)
+    css_parser (1.3.4)
       addressable
-      rdoc
     daemons (1.1.9)
     database_cleaner (0.9.1)
     debug_inspector (0.0.2)
@@ -103,6 +102,7 @@ GEM
       debugger-ruby_core_source (~> 1.2.1)
     debugger-linecache (1.2.0)
     debugger-ruby_core_source (1.2.2)
+    decent_exposure (2.2.0)
     devise (1.5.4)
       bcrypt-ruby (~> 3.0)
       orm_adapter (~> 0.0.3)
@@ -135,6 +135,7 @@ GEM
     hike (1.2.2)
     hipchat (0.9.0)
       httparty
+      httparty
     hoi (0.0.6)
       httparty (> 0.6.0)
       json (> 1.4.0)
@@ -151,9 +152,9 @@ GEM
       has_scope (~> 0.5.0)
       responders (~> 0.9)
     journey (1.0.4)
-    jquery-rails (2.1.3)
-      railties (>= 3.1.0, < 5.0)
-      thor (~> 0.14)
+    jquery-rails (3.0.0)
+      railties (>= 3.0, < 5.0)
+      thor (>= 0.14, < 2.0)
     json (1.8.0)
     jwt (0.1.8)
       multi_json (>= 1.5)
@@ -229,12 +230,14 @@ GEM
       activeresource (>= 2.3.0)
     pivotal-tracker (0.5.10)
       builder
+      builder
       crack
       happymapper (>= 0.3.2)
       nokogiri (>= 1.4.3)
       nokogiri (>= 1.5.5)
       nokogiri-happymapper (>= 0.5.4)
       rest-client (~> 1.6.0)
+      rest-client (~> 1.6.0)
     pjax_rails (0.3.4)
       jquery-rails
     polyglot (0.3.3)
@@ -279,7 +282,7 @@ GEM
     rbx-require-relative (0.0.9)
     rdoc (3.12.2)
       json (~> 1.4)
-    ref (1.0.4)
+    ref (1.0.5)
     responders (0.9.3)
       railties (~> 3.1)
     rest-client (1.6.7)
@@ -323,6 +326,10 @@ GEM
       multi_json (~> 1.0)
       rack (~> 1.0)
       tilt (~> 1.1, != 1.3.0)
+    strong_parameters (0.2.1)
+      actionpack (~> 3.0)
+      activemodel (~> 3.0)
+      railties (~> 3.0)
     taskmapper (0.8.0)
       activeresource (~> 3.0)
       activesupport (~> 3.0)
@@ -385,6 +392,7 @@ DEPENDENCIES
   coveralls
   database_cleaner (~> 0.9.0)
   debugger
+  decent_exposure
   devise (~> 1.5.4)
   email_spec
   execjs
@@ -405,7 +413,7 @@ DEPENDENCIES
   meta_request
   mongo
   mongoid (~> 2.7.1)
-  mongoid_rails_migrations
+  mongoid_rails_migrations (~> 0.0.14)
   octokit
   omniauth-github
   oruen_redmine_client
@@ -421,6 +429,7 @@ DEPENDENCIES
   ruby-debug
   ruby-fogbugz
   rushover
+  strong_parameters
   taskmapper (~> 0.8.0)
   taskmapper-unfuddle (~> 0.7.0)
   therubyracer
@@ -17,6 +17,9 @@ class ApplicationController &lt; ActionController::Base
 protected
  
  
+  ##
+  # Check if the current_user is admin or not and redirect to root url if not
+  #
   def require_admin!
     unless user_signed_in? && current_user.admin?
       flash[:error] = "Sorry, you don't have permission to do that"
@@ -2,71 +2,78 @@ class UsersController &lt; ApplicationController
   respond_to :html
  
   before_filter :require_admin!, :except => [:edit, :update]
-  before_filter :find_user, :only => [:show, :edit, :update, :destroy, :unlink_github]
   before_filter :require_user_edit_priviledges, :only => [:edit, :update]
  
-  def index
-    @users = User.all.page(params[:page]).per(current_user.per_page)
-  end
+  expose(:user) {
+    params[:id] ? User.find(params[:id]) : User.new(user_params)
+  }
+  expose(:users) {
+    User.all.page(params[:page]).per(current_user.per_page)
+  }
  
-  def new
-    @user = User.new
-  end
+  def index; end
+  def new; end
+  def show; end
  
   def create
-    @user = User.new(params[:user])
-
-    # Set protected attributes
-    @user.admin = params[:user].try(:[], :admin) if current_user.admin?
-
-    if @user.save
-      flash[:success] = "#{@user.name} is now part of the team. Be sure to add them as a project watcher."
-      redirect_to user_path(@user)
+    if user.save
+      flash[:success] = "#{user.name} is now part of the team. Be sure to add them as a project watcher."
+      redirect_to user_path(user)
     else
       render :new
     end
   end
  
   def update
-    # Devise Hack
-    if params[:user][:password].blank? && params[:user][:password_confirmation].blank?
-      params[:user].delete(:password)
-      params[:user].delete(:password_confirmation)
-    end
-
-    # Set protected attributes
-    @user.admin = params[:user][:admin] if current_user.admin?
-
-    if @user.update_attributes(params[:user])
-      flash[:success] = "#{@user.name}'s information was successfully updated"
-      redirect_to user_path(@user)
+    if user.update_attributes(user_params)
+      flash[:success] = I18n.t('controllers.users.flash.update.success', :name => user.name)
+      redirect_to user_path(user)
     else
       render :edit
     end
   end
  
+  ##
+  # Destroy the user pass in args
+  #
+  # @param [ String ] id the id of user we want delete
+  #
   def destroy
-    @user.destroy
-
-    flash[:success] = "That's sad. #{@user.name} is no longer part of your team."
+    if user == current_user
+      flash[:error] = I18n.t('controllers.users.flash.destroy.error')
+    else
+      UserDestroy.new(user).destroy
+      flash[:success] = I18n.t('controllers.users.flash.destroy.success', :name => user.name)
+    end
     redirect_to users_path
   end
  
   def unlink_github
-    @user.update_attributes :github_login => nil, :github_oauth_token => nil
-    redirect_to user_path(@user)
+    user.update_attributes :github_login => nil, :github_oauth_token => nil
+    redirect_to user_path(user)
   end
  
   protected
  
-    def find_user
-      @user = User.find(params[:id])
-    end
-
     def require_user_edit_priviledges
-      can_edit = current_user == @user || current_user.admin?
+      can_edit = current_user == user || current_user.admin?
       redirect_to(root_path) and return(false) unless can_edit
     end
  
+  def user_params
+    @user_params ||= params[:user] ? params.require(:user).permit(*user_permit_params) : {}
+  end
+
+  def user_permit_params
+    @user_permit_params ||= [:name,:username, :email, :github_login, :per_page, :time_zone]
+    @user_permit_params << :admin if current_user.admin? && current_user.id != params[:id]
+    @user_permit_params |= [:password, :password_confirmation] if user_password_params.values.all?{|pa| !pa.blank? }
+    @user_permit_params
+  end
+
+  def user_password_params
+    @user_password_params ||= params[:user] ? params.require(:user).permit(:password, :password_confirmation) : {}
+  end
+
 end
  
@@ -0,0 +1,11 @@
+class UserDestroy
+  def initialize(user)
+    @user = user
+  end
+
+  def destroy
+    @user.destroy
+    @user.watchers.each(&:destroy)
+  end
+
+end
@@ -13,14 +13,11 @@ class User
   field :per_page, :type => Fixnum, :default => PER_PAGE
   field :time_zone, :default => "UTC"
  
-  after_destroy :destroy_watchers
   before_save :ensure_authentication_token
  
   validates_presence_of :name
   validates_uniqueness_of :github_login, :allow_nil => true
  
-  attr_protected :admin
-
   has_many :apps, :foreign_key => 'watchers.user_id'
  
   if Errbit::Config.user_has_username
@@ -59,10 +56,5 @@ class User
     self[:github_login] = login
   end
  
-  protected
-
-    def destroy_watchers
-      watchers.each(&:destroy)
-    end
 end
  
-= errors_for @user
+= errors_for user
  
 .required
   = f.label :name
-- content_for :title, "Edit #{@user.name}"
+- content_for :title, "Edit #{user.name}"
 - content_for :action_bar do
-  = render 'shared/link_github_account', :user => @user
-  = link_to('cancel', user_path(@user), :class => 'button')
+  = render 'shared/link_github_account', :user => user
+  = link_to('cancel', user_path(user), :class => 'button')
  
-= form_for @user, :html => {:autocomplete => "off"} do |f|
-  = @user.errors.full_messages.to_sentence
+= form_for user, :html => {:autocomplete => "off"} do |f|
+  = user.errors.full_messages.to_sentence
   = render 'fields', :f => f
  
   %div.buttons= f.submit 'Update User'
@@ -13,8 +13,8 @@
       %th.main Email
       %th Admin?
   %tbody
-    - @users.each do |user|
-      %tr
+    - users.each do |user|
+      %tr.user_list
         - if Errbit::Config.use_gravatar
           %td= gravatar_tag user.email, :s => 24
         %td.nowrap= link_to user.name, user_path(user)
@@ -22,5 +22,5 @@
           %td= user.username
         %td= user.email
         %td= user.admin? ? 'Y' : 'N'
-= paginate @users
+= paginate users
  
 - content_for :title, 'New User'
 - content_for :action_bar, link_to('cancel', users_path, :class => 'button')
  
-= form_for @user do |f|
-  
+= form_for user do |f|
+
   = render 'fields', :f => f
-    
-  %div.buttons= f.submit 'Add User'
 \ No newline at end of file
+
+  %div.buttons= f.submit 'Add User'
-- content_for :title, @user.name
-- if Errbit::Config.use_gravatar && gravatar = gravatar_url(@user.email, :s => 86)
+- content_for :title, user.name
+
+- if Errbit::Config.use_gravatar && gravatar = gravatar_url(user.email, :s => 86)
   - content_for :title_style do
     background: url('#{gravatar}') no-repeat;
     padding-left: 106px;
  
 - content_for :action_bar do
-  = render 'shared/link_github_account', :user => @user
+  = render 'shared/link_github_account'
   %span= link_to('Add a New User', new_user_path, :class => 'add')
-  = link_to 'edit', edit_user_path(@user), :class => 'button'
-  = link_to 'destroy', user_path(@user), :method => :delete, :data => { :confirm => 'Seriously?' }, :class => 'button'
+  = link_to 'edit', edit_user_path(user), :class => 'button'
+  = link_to 'destroy', user_path(user), :method => :delete, :data => { :confirm => 'Seriously?' }, :class => 'button'
  
 %table.single_user
   %tr
     %th Email
-    %td.main= @user.email
+    %td.main= user.email
   - if Errbit::Config.user_has_username
     %tr
       %th Username
-      %td.main= @user.username
-  - if Errbit::Config.github_authentication && @user.github_login.present?
+      %td.main= user.username
+  - if Errbit::Config.github_authentication && user.github_login.present?
     %tr
       %th GitHub Login
-      %td.main= link_to @user.github_login, "https://github.com/#{@user.github_login}"
+      %td.main= link_to user.github_login, "https://github.com/#{user.github_login}"
   %tr
     %th Admin?
-    %td= @user.admin? ? 'Y' : 'N'
+    %td= user.admin? ? 'Y' : 'N'
   %tr
     %th Created
-    %td= @user.created_at.to_s(:micro)
+    %td= user.created_at.to_s(:micro)
  
@@ -14,3 +14,13 @@ en:
   n_errs_have:
     one:   "%{count} err has"
     other: "%{count} errs have"
+
+
+  controllers:
+    users:
+      flash:
+        destroy:
+          success: "That's sad. %{name} is no longer part of your team."
+          error: "You can't delete yourself"
+        update:
+          success: "%{name}'s information was successfully updated."
 require 'spec_helper'
  
 describe UsersController do
-  render_views
  
   it_requires_authentication
   it_requires_admin_privileges :for => {
@@ -12,42 +11,39 @@ describe UsersController do
     :destroy  => :delete
   }
  
+  let(:admin) { Fabricate(:admin) }
+  let(:user) { Fabricate(:user) }
+  let(:other_user) { Fabricate(:user) }
+
   context 'Signed in as a regular user' do
+
     before do
-      sign_in @user = Fabricate(:user)
+      sign_in user
     end
  
     it "should set a time zone" do
-      Time.zone.should.to_s == @user.time_zone
+      Time.zone.should.to_s == user.time_zone
     end
  
     context "GET /users/:other_id/edit" do
       it "redirects to the home page" do
-        get :edit, :id => Fabricate(:user).id
+        get :edit, :id => other_user.id
         response.should redirect_to(root_path)
       end
     end
  
     context "GET /users/:my_id/edit" do
       it 'finds the user' do
-        get :edit, :id => @user.id
-        assigns(:user).should == @user
-      end
-
-      it "should have per_page option" do
-        get :edit, :id => @user.id
-        response.body.should match(/id="user_per_page"/)
+        get :edit, :id => user.id
+        controller.user.should == user
+        expect(response).to render_template 'edit'
       end
  
-      it "should have time_zone option" do
-        get :edit, :id => @user.id
-        response.body.should match(/id="user_time_zone"/)
-      end
     end
  
     context "PUT /users/:other_id" do
       it "redirects to the home page" do
-        put :update, :id => Fabricate(:user).id
+        put :update, :id => other_user.id
         response.should redirect_to(root_path)
       end
     end
@@ -55,44 +51,47 @@ describe UsersController do
     context "PUT /users/:my_id/id" do
       context "when the update is successful" do
         it "sets a message to display" do
-          put :update, :id => @user.to_param, :user => {:name => 'Kermit'}
+          put :update, :id => user.to_param, :user => {:name => 'Kermit'}
           request.flash[:success].should include('updated')
         end
  
         it "redirects to the user's page" do
-          put :update, :id => @user.to_param, :user => {:name => 'Kermit'}
-          response.should redirect_to(user_path(@user))
+          put :update, :id => user.to_param, :user => {:name => 'Kermit'}
+          response.should redirect_to(user_path(user))
         end
  
         it "should not be able to become an admin" do
-          put :update, :id => @user.to_param, :user => {:admin => true}
-          @user.reload.admin.should be_false
+          expect {
+            put :update, :id => user.to_param, :user => {:admin => true}
+          }.to_not change {
+            user.reload.admin
+          }.from(false)
         end
  
         it "should be able to set per_page option" do
-          put :update, :id => @user.to_param, :user => {:per_page => 555}
-          @user.reload.per_page.should == 555
+          put :update, :id => user.to_param, :user => {:per_page => 555}
+          user.reload.per_page.should == 555
         end
  
         it "should be able to set time_zone option" do
-          put :update, :id => @user.to_param, :user => {:time_zone => "Warsaw"}
-          @user.reload.time_zone.should == "Warsaw"
+          put :update, :id => user.to_param, :user => {:time_zone => "Warsaw"}
+          user.reload.time_zone.should == "Warsaw"
         end
  
         it "should be able to not set github_login option" do
-          put :update, :id => @user.to_param, :user => {:github_login => " "}
-          @user.reload.github_login.should == nil
+          put :update, :id => user.to_param, :user => {:github_login => " "}
+          user.reload.github_login.should == nil
         end
  
         it "should be able to set github_login option" do
-          put :update, :id => @user.to_param, :user => {:github_login => "awesome_name"}
-          @user.reload.github_login.should == "awesome_name"
+          put :update, :id => user.to_param, :user => {:github_login => "awesome_name"}
+          user.reload.github_login.should == "awesome_name"
         end
       end
  
       context "when the update is unsuccessful" do
         it "renders the edit page" do
-          put :update, :id => @user.to_param, :user => {:name => nil}
+          put :update, :id => user.to_param, :user => {:name => nil}
           response.should render_template(:edit)
         end
       end
@@ -101,81 +100,82 @@ describe UsersController do
  
   context 'Signed in as an admin' do
     before do
-      @user = Fabricate(:admin)
-      sign_in @user
+      sign_in admin
     end
  
     context "GET /users" do
+
       it 'paginates all users' do
-        @user.update_attribute :per_page, 2
-        users = 3.times { Fabricate(:user) }
+        admin.update_attribute :per_page, 2
+        users = 3.times {
+          Fabricate(:user)
+        }
         get :index
-        assigns(:users).to_a.size.should == 2
+        controller.users.to_a.size.should == 2
       end
+
     end
  
     context "GET /users/:id" do
       it 'finds the user' do
-        user = Fabricate(:user)
         get :show, :id => user.id
-        assigns(:user).should == user
+        controller.user.should == user
       end
     end
  
     context "GET /users/new" do
       it 'assigns a new user' do
         get :new
-        assigns(:user).should be_a(User)
-        assigns(:user).should be_new_record
+        controller.user.should be_a(User)
+        controller.user.should be_new_record
       end
     end
  
     context "GET /users/:id/edit" do
       it 'finds the user' do
-        user = Fabricate(:user)
         get :edit, :id => user.id
-        assigns(:user).should == user
+        controller.user.should == user
       end
     end
  
     context "POST /users" do
       context "when the create is successful" do
-        before do
-          @attrs = {:user => Fabricate.attributes_for(:user)}
-        end
+        let(:attrs) { {:user => Fabricate.attributes_for(:user)} }
  
         it "sets a message to display" do
-          post :create, @attrs
+          post :create, attrs
           request.flash[:success].should include('part of the team')
         end
  
         it "redirects to the user's page" do
-          post :create, @attrs
-          response.should redirect_to(user_path(assigns(:user)))
+          post :create, attrs
+          response.should redirect_to(user_path(controller.user))
         end
  
         it "should be able to create admin" do
-          @attrs[:user][:admin] = true
-          post :create, @attrs
+          attrs[:user][:admin] = true
+          post :create, attrs
           response.should be_redirect
-          User.find(assigns(:user).to_param).admin.should be_true
+          User.find(controller.user.to_param).admin.should be_true
         end
  
         it "should has auth token" do
-          post :create, @attrs
+          post :create, attrs
           User.last.authentication_token.should_not be_blank
         end
       end
  
       context "when the create is unsuccessful" do
+        let(:user) {
+          Struct.new(:admin, :attributes).new(true, {})
+        }
         before do
-          @user = Fabricate(:user)
-          User.should_receive(:new).and_return(@user)
-          @user.should_receive(:save).and_return(false)
+          User.should_receive(:new).and_return(user)
+          user.should_receive(:save).and_return(false)
         end
  
         it "renders the new page" do
-          post :create
+          post :create, :user => { :username => 'foo' }
           response.should render_template(:new)
         end
       end
@@ -183,59 +183,85 @@ describe UsersController do
  
     context "PUT /users/:id" do
       context "when the update is successful" do
-        before do
-          @user = Fabricate(:user)
-        end
-
-        it "sets a message to display" do
-          put :update, :id => @user.to_param, :user => {:name => 'Kermit'}
-          request.flash[:success].should include('updated')
-        end
-
-        it "redirects to the user's page" do
-          put :update, :id => @user.to_param, :user => {:name => 'Kermit'}
-          response.should redirect_to(user_path(@user))
-        end
-
-        it "should be able to make user an admin" do
-          put :update, :id => @user.to_param, :user => {:admin => true}
-          response.should be_redirect
-          User.find(assigns(:user).to_param).admin.should be_true
+        before {
+          put :update, :id => user.to_param, :user => user_params
+        }
+
+        context "with normal params" do
+          let(:user_params) { {:name => 'Kermit'} }
+          it "sets a message to display" do
+            expect(request.flash[:success]).to eq I18n.t('controllers.users.flash.update.success', :name => user.name)
+            expect(response).to redirect_to(user_path(user))
+          end
         end
       end
-
       context "when the update is unsuccessful" do
-        before do
-          @user = Fabricate(:user)
-        end
  
         it "renders the edit page" do
-          put :update, :id => @user.to_param, :user => {:name => nil}
+          put :update, :id => user.to_param, :user => {:name => nil}
           response.should render_template(:edit)
         end
       end
     end
  
     context "DELETE /users/:id" do
-      before do
-        @user = Fabricate(:user)
+
+      context "with a destroy success" do
+        let(:user_destroy) { mock(:destroy => true) }
+
+        before {
+          UserDestroy.should_receive(:new).with(user).and_return(user_destroy)
+          delete :destroy, :id => user.id
+        }
+
+        it 'should destroy user' do
+          expect(request.flash[:success]).to eq I18n.t('controllers.users.flash.destroy.success', :name => user.name)
+          response.should redirect_to(users_path)
+        end
       end
  
-      it "destroys the user" do
-        delete :destroy, :id => @user.id
-        User.where(:id => @user.id).first.should be_nil
+      context "with trying destroy himself" do
+        before {
+          UserDestroy.should_not_receive(:new)
+          delete :destroy, :id => admin.id
+        }
+
+        it 'should not destroy user' do
+          response.should redirect_to(users_path)
+          expect(request.flash[:error]).to eq I18n.t('controllers.users.flash.destroy.error')
+        end
       end
+    end
  
-      it "redirects to the users index page" do
-        delete :destroy, :id => @user.id
-        response.should redirect_to(users_path)
+    describe "#user_params" do
+      context "with current user not admin" do
+        before {
+          controller.stub(:current_user).and_return(user)
+          controller.stub(:params).and_return(ActionController::Parameters.new(user_param))
+        }
+        let(:user_param) { {'user' => { :name => 'foo', :admin => true }} }
+        it 'not have admin field' do
+          expect(controller.send(:user_params)).to eq ({'name' => 'foo'})
+        end
+        context "with password and password_confirmation empty?" do
+          let(:user_param) { {'user' => { :name => 'foo', 'password' => '', 'password_confirmation' => '' }} }
+          it 'not have password and password_confirmation field' do
+            expect(controller.send(:user_params)).to eq ({'name' => 'foo'})
+          end
+        end
       end
  
-      it "sets a message to display" do
-        delete :destroy, :id => @user.id
-        request.flash[:success].should include('no longer part of your team')
+      context "with current user admin" do
+        it 'have admin field'
+        context "with password and password_confirmation empty?" do
+          it 'not have password and password_confirmation field'
+        end
+        context "on his own user" do
+          it 'not have admin field'
+        end
       end
     end
+
   end
  
 end
@@ -4,7 +4,9 @@ Fabricator(:app) do
 end
  
 Fabricator(:app_with_watcher, :from => :app) do
-  watchers(:count => 1) { |parent, i| Fabricate.build(:watcher, :app => parent) }
+  watchers(:count => 1) { |parent, i|
+    Fabricate.build(:watcher, :app => parent)
+  }
 end
  
 Fabricator(:watcher) do
@@ -0,0 +1,27 @@
+require 'spec_helper'
+
+describe UserDestroy do
+  let(:app) { Fabricate(
+    :app,
+    :watchers => [
+      Fabricate.build(:user_watcher, :user => user)
+    ])
+  }
+
+  describe "#destroy" do
+    let!(:user) { Fabricate(:user) }
+    it 'should delete user' do
+      expect {
+        UserDestroy.new(user).destroy
+      }.to change(User, :count)
+    end
+
+    it 'should delete watcher' do
+      expect {
+        UserDestroy.new(user).destroy
+      }.to change{
+        app.reload.watchers.where(:user_id => user.id).count
+      }.from(1).to(0)
+    end
+  end
+end
@@ -49,15 +49,6 @@ describe User do
       user.watchers.should include(watcher)
     end
  
-    it "destroys any related watchers when it is destroyed" do
-      user = Fabricate(:user)
-      app  = Fabricate(:app)
-      watcher = Fabricate(:user_watcher, :app => app, :user => user)
-      user.watchers.should_not be_empty
-      user.destroy
-      app.reload.watchers.should_not include(watcher)
-    end
-
     it "has many apps through watchers" do
       user = Fabricate(:user)
       watched_app  = Fabricate(:app)
@@ -0,0 +1,18 @@
+require 'spec_helper'
+
+describe 'users/edit.html.haml' do
+  let(:user) { stub_model(User, :name => 'shingara') }
+  before {
+    view.stub(:current_user).and_return(user)
+    view.stub(:user).and_return(user)
+  }
+  it 'should have per_page option' do
+    render
+    expect(rendered).to match(/id="user_per_page"/)
+  end
+
+  it 'should have time_zone option' do
+    render
+    expect(rendered).to match(/id="user_time_zone"/)
+  end
+end
@@ -0,0 +1,16 @@
+require 'spec_helper'
+
+describe 'users/index.html.haml' do
+  let(:user) { stub_model(User) }
+  before {
+    view.stub(:current_user).and_return(user)
+    view.stub(:users).and_return(
+      Kaminari.paginate_array([user], :total_count => 1).page(1)
+    )
+  }
+  it 'should see users option' do
+    render
+    expect(rendered).to match(/class='user_list'/)
+  end
+
+end
@@ -0,0 +1,18 @@
+require 'spec_helper'
+
+describe 'users/new.html.haml' do
+  let(:user) { stub_model(User) }
+  before {
+    view.stub(:current_user).and_return(user)
+    view.stub(:user).and_return(user)
+  }
+  it 'should have per_page option' do
+    render
+    expect(rendered).to match(/id="user_per_page"/)
+  end
+
+  it 'should have time_zone option' do
+    render
+    expect(rendered).to match(/id="user_time_zone"/)
+  end
+end
 require 'spec_helper'
  
 describe 'users/show.html.haml' do
+
   let(:user) do
     stub_model(User, :created_at => Time.now, :email => "test@example.com")
   end
@@ -8,12 +9,12 @@ describe &#39;users/show.html.haml&#39; do
   before do
     Errbit::Config.stub(:github_authentication) { true }
     controller.stub(:current_user) { stub_model(User) }
+    view.stub(:user) { user }
   end
  
   context 'with GitHub authentication' do
     it 'shows github login' do
       user.github_login = 'test_user'
-      assign :user, user
       render
       rendered.should match(/GitHub/)
       rendered.should match(/test_user/)
@@ -21,7 +22,6 @@ describe &#39;users/show.html.haml&#39; do
  
     it 'does not show github if blank' do
       user.github_login = ' '
-      assign :user, user
       render
       rendered.should_not match(/GitHub/)
     end
@@ -30,7 +30,6 @@ describe &#39;users/show.html.haml&#39; do
   context "Linking GitHub account" do
     context 'viewing another user page' do
       it "doesn't show and github linking buttons if user is not current user" do
-        assign :user, user
         render
         view.content_for(:action_bar).should_not include('Link GitHub account')
         view.content_for(:action_bar).should_not include('Unlink GitHub account')
@@ -40,7 +39,6 @@ describe &#39;users/show.html.haml&#39; do
     context 'viewing own user page' do
       before do
         controller.stub(:current_user) { user }
-        assign :user, user
       end
  
       it 'shows link github button when no login or token' do
...	...	@@ -5,6 +5,8 @@
5	5	- Update some gems ([@shingara][])
6	6	- [#492][] Improve some Pjax call ([@nfedyashev][])
7	7	- [#428][] Add the support of Unfuddle Tracker ([@parallel588][])
	8	+- Avoid to delete his own user ([@shingara][])
	9	+- [#456] Avoid to delete admin access of current user logged ([@shingara][])
8	10
9	11	### Bug Fixes
10	12
...	...	@@ -48,6 +50,7 @@
48	50	[#428]: https://github.com/errbit/errbit/issues/428
49	51	[#453]: https://github.com/errbit/errbit/issues/453
50	52	[#455]: https://github.com/errbit/errbit/issues/455
	53	+[#456]: https://github.com/errbit/errbit/issues/456
51	54	[#457]: https://github.com/errbit/errbit/issues/457
52	55	[#460]: https://github.com/errbit/errbit/issues/460
53	56	[#466]: https://github.com/errbit/errbit/issues/466
...	...
...	...	@@ -2,7 +2,9 @@ source 'http://rubygems.org'
2	2
3	3	gem 'rails', '3.2.13'
4	4	gem 'mongoid', '~> 2.7.1'
5		-gem 'mongoid_rails_migrations'
	5	+
	6	+# Mongoid rails migration > 0.0.14 is not compatible to Mongoid 2.x
	7	+gem 'mongoid_rails_migrations', '~> 0.0.14'
6	8	gem 'devise', '~> 1.5.4'
7	9	gem 'haml'
8	10	gem 'htmlentities'
...	...	@@ -10,6 +12,8 @@ gem 'rack-ssl', :require => 'rack/ssl' # force SSL
10	12
11	13	gem 'useragent'
12	14	gem 'inherited_resources'
	15	+gem 'decent_exposure'
	16	+gem 'strong_parameters'
13	17	gem 'SystemTimer', :platform => :ruby_18
14	18	gem 'actionmailer_inline_css', "~> 1.3.0"
15	19	gem 'kaminari', '>= 0.14.1'
...	...
1	1	GIT
2	2	remote: https://github.com/NARKOZ/gitlab.git
3		- revision: f2ba111dba70eca5346a880c541dafaf35d3332a
	3	+ revision: 53d7a8a86dfed63e56eeb16ea496bb7a82de337e
4	4	specs:
5	5	gitlab (2.2.0)
6	6	httparty
...	...	@@ -91,9 +91,8 @@ GEM
91	91	simplecov (>= 0.7)
92	92	thor
93	93	crack (0.3.2)
94		- css_parser (1.2.6)
	94	+ css_parser (1.3.4)
95	95	addressable
96		- rdoc
97	96	daemons (1.1.9)
98	97	database_cleaner (0.9.1)
99	98	debug_inspector (0.0.2)
...	...	@@ -103,6 +102,7 @@ GEM
103	102	debugger-ruby_core_source (~> 1.2.1)
104	103	debugger-linecache (1.2.0)
105	104	debugger-ruby_core_source (1.2.2)
	105	+ decent_exposure (2.2.0)
106	106	devise (1.5.4)
107	107	bcrypt-ruby (~> 3.0)
108	108	orm_adapter (~> 0.0.3)
...	...	@@ -135,6 +135,7 @@ GEM
135	135	hike (1.2.2)
136	136	hipchat (0.9.0)
137	137	httparty
	138	+ httparty
138	139	hoi (0.0.6)
139	140	httparty (> 0.6.0)
140	141	json (> 1.4.0)
...	...	@@ -151,9 +152,9 @@ GEM
151	152	has_scope (~> 0.5.0)
152	153	responders (~> 0.9)
153	154	journey (1.0.4)
154		- jquery-rails (2.1.3)
155		- railties (>= 3.1.0, < 5.0)
156		- thor (~> 0.14)
	155	+ jquery-rails (3.0.0)
	156	+ railties (>= 3.0, < 5.0)
	157	+ thor (>= 0.14, < 2.0)
157	158	json (1.8.0)
158	159	jwt (0.1.8)
159	160	multi_json (>= 1.5)
...	...	@@ -229,12 +230,14 @@ GEM
229	230	activeresource (>= 2.3.0)
230	231	pivotal-tracker (0.5.10)
231	232	builder
	233	+ builder
232	234	crack
233	235	happymapper (>= 0.3.2)
234	236	nokogiri (>= 1.4.3)
235	237	nokogiri (>= 1.5.5)
236	238	nokogiri-happymapper (>= 0.5.4)
237	239	rest-client (~> 1.6.0)
	240	+ rest-client (~> 1.6.0)
238	241	pjax_rails (0.3.4)
239	242	jquery-rails
240	243	polyglot (0.3.3)
...	...	@@ -279,7 +282,7 @@ GEM
279	282	rbx-require-relative (0.0.9)
280	283	rdoc (3.12.2)
281	284	json (~> 1.4)
282		- ref (1.0.4)
	285	+ ref (1.0.5)
283	286	responders (0.9.3)
284	287	railties (~> 3.1)
285	288	rest-client (1.6.7)
...	...	@@ -323,6 +326,10 @@ GEM
323	326	multi_json (~> 1.0)
324	327	rack (~> 1.0)
325	328	tilt (~> 1.1, != 1.3.0)
	329	+ strong_parameters (0.2.1)
	330	+ actionpack (~> 3.0)
	331	+ activemodel (~> 3.0)
	332	+ railties (~> 3.0)
326	333	taskmapper (0.8.0)
327	334	activeresource (~> 3.0)
328	335	activesupport (~> 3.0)
...	...	@@ -385,6 +392,7 @@ DEPENDENCIES
385	392	coveralls
386	393	database_cleaner (~> 0.9.0)
387	394	debugger
	395	+ decent_exposure
388	396	devise (~> 1.5.4)
389	397	email_spec
390	398	execjs
...	...	@@ -405,7 +413,7 @@ DEPENDENCIES
405	413	meta_request
406	414	mongo
407	415	mongoid (~> 2.7.1)
408		- mongoid_rails_migrations
	416	+ mongoid_rails_migrations (~> 0.0.14)
409	417	octokit
410	418	omniauth-github
411	419	oruen_redmine_client
...	...	@@ -421,6 +429,7 @@ DEPENDENCIES
421	429	ruby-debug
422	430	ruby-fogbugz
423	431	rushover
	432	+ strong_parameters
424	433	taskmapper (~> 0.8.0)
425	434	taskmapper-unfuddle (~> 0.7.0)
426	435	therubyracer
...	...
...	...	@@ -17,6 +17,9 @@ class ApplicationController < ActionController::Base
17	17	protected
18	18
19	19
	20	+ ##
	21	+ # Check if the current_user is admin or not and redirect to root url if not
	22	+ #
20	23	def require_admin!
21	24	unless user_signed_in? && current_user.admin?
22	25	flash[:error] = "Sorry, you don't have permission to do that"
...	...
...	...	@@ -2,71 +2,78 @@ class UsersController < ApplicationController
2	2	respond_to :html
3	3
4	4	before_filter :require_admin!, :except => [:edit, :update]
5		- before_filter :find_user, :only => [:show, :edit, :update, :destroy, :unlink_github]
6	5	before_filter :require_user_edit_priviledges, :only => [:edit, :update]
7	6
8		- def index
9		- @users = User.all.page(params[:page]).per(current_user.per_page)
10		- end
	7	+ expose(:user) {
	8	+ params[:id] ? User.find(params[:id]) : User.new(user_params)
	9	+ }
	10	+ expose(:users) {
	11	+ User.all.page(params[:page]).per(current_user.per_page)
	12	+ }
11	13
12		- def new
13		- @user = User.new
14		- end
	14	+ def index; end
	15	+ def new; end
	16	+ def show; end
15	17
16	18	def create
17		- @user = User.new(params[:user])
18		-
19		- # Set protected attributes
20		- @user.admin = params[:user].try(:[], :admin) if current_user.admin?
21		-
22		- if @user.save
23		- flash[:success] = "#{@user.name} is now part of the team. Be sure to add them as a project watcher."
24		- redirect_to user_path(@user)
	19	+ if user.save
	20	+ flash[:success] = "#{user.name} is now part of the team. Be sure to add them as a project watcher."
	21	+ redirect_to user_path(user)
25	22	else
26	23	render :new
27	24	end
28	25	end
29	26
30	27	def update
31		- # Devise Hack
32		- if params[:user][:password].blank? && params[:user][:password_confirmation].blank?
33		- params[:user].delete(:password)
34		- params[:user].delete(:password_confirmation)
35		- end
36		-
37		- # Set protected attributes
38		- @user.admin = params[:user][:admin] if current_user.admin?
39		-
40		- if @user.update_attributes(params[:user])
41		- flash[:success] = "#{@user.name}'s information was successfully updated"
42		- redirect_to user_path(@user)
	28	+ if user.update_attributes(user_params)
	29	+ flash[:success] = I18n.t('controllers.users.flash.update.success', :name => user.name)
	30	+ redirect_to user_path(user)
43	31	else
44	32	render :edit
45	33	end
46	34	end
47	35
	36	+ ##
	37	+ # Destroy the user pass in args
	38	+ #
	39	+ # @param [ String ] id the id of user we want delete
	40	+ #
48	41	def destroy
49		- @user.destroy
50		-
51		- flash[:success] = "That's sad. #{@user.name} is no longer part of your team."
	42	+ if user == current_user
	43	+ flash[:error] = I18n.t('controllers.users.flash.destroy.error')
	44	+ else
	45	+ UserDestroy.new(user).destroy
	46	+ flash[:success] = I18n.t('controllers.users.flash.destroy.success', :name => user.name)
	47	+ end
52	48	redirect_to users_path
53	49	end
54	50
55	51	def unlink_github
56		- @user.update_attributes :github_login => nil, :github_oauth_token => nil
57		- redirect_to user_path(@user)
	52	+ user.update_attributes :github_login => nil, :github_oauth_token => nil
	53	+ redirect_to user_path(user)
58	54	end
59	55
60	56	protected
61	57
62		- def find_user
63		- @user = User.find(params[:id])
64		- end
65		-
66	58	def require_user_edit_priviledges
67		- can_edit = current_user == @user \|\| current_user.admin?
	59	+ can_edit = current_user == user \|\| current_user.admin?
68	60	redirect_to(root_path) and return(false) unless can_edit
69	61	end
70	62
	63	+ def user_params
	64	+ @user_params \|\|= params[:user] ? params.require(:user).permit(*user_permit_params) : {}
	65	+ end
	66	+
	67	+ def user_permit_params
	68	+ @user_permit_params \|\|= [:name,:username, :email, :github_login, :per_page, :time_zone]
	69	+ @user_permit_params << :admin if current_user.admin? && current_user.id != params[:id]
	70	+ @user_permit_params \|= [:password, :password_confirmation] if user_password_params.values.all?{\|pa\| !pa.blank? }
	71	+ @user_permit_params
	72	+ end
	73	+
	74	+ def user_password_params
	75	+ @user_password_params \|\|= params[:user] ? params.require(:user).permit(:password, :password_confirmation) : {}
	76	+ end
	77	+
71	78	end
72	79
...	...
...	...	@@ -0,0 +1,11 @@
	1	+class UserDestroy
	2	+ def initialize(user)
	3	+ @user = user
	4	+ end
	5	+
	6	+ def destroy
	7	+ @user.destroy
	8	+ @user.watchers.each(&:destroy)
	9	+ end
	10	+
	11	+end
...	...
...	...	@@ -13,14 +13,11 @@ class User
13	13	field :per_page, :type => Fixnum, :default => PER_PAGE
14	14	field :time_zone, :default => "UTC"
15	15
16		- after_destroy :destroy_watchers
17	16	before_save :ensure_authentication_token
18	17
19	18	validates_presence_of :name
20	19	validates_uniqueness_of :github_login, :allow_nil => true
21	20
22		- attr_protected :admin
23		-
24	21	has_many :apps, :foreign_key => 'watchers.user_id'
25	22
26	23	if Errbit::Config.user_has_username
...	...	@@ -59,10 +56,5 @@ class User
59	56	self[:github_login] = login
60	57	end
61	58
62		- protected
63		-
64		- def destroy_watchers
65		- watchers.each(&:destroy)
66		- end
67	59	end
68	60
...	...
1		-= errors_for @user
	1	+= errors_for user
2	2
3	3	.required
4	4	= f.label :name
...	...
1		-- content_for :title, "Edit #{@user.name}"
	1	+- content_for :title, "Edit #{user.name}"
2	2	- content_for :action_bar do
3		- = render 'shared/link_github_account', :user => @user
4		- = link_to('cancel', user_path(@user), :class => 'button')
	3	+ = render 'shared/link_github_account', :user => user
	4	+ = link_to('cancel', user_path(user), :class => 'button')
5	5
6		-= form_for @user, :html => {:autocomplete => "off"} do \|f\|
7		- = @user.errors.full_messages.to_sentence
	6	+= form_for user, :html => {:autocomplete => "off"} do \|f\|
	7	+ = user.errors.full_messages.to_sentence
8	8	= render 'fields', :f => f
9	9
10	10	%div.buttons= f.submit 'Update User'
...	...
...	...	@@ -13,8 +13,8 @@
13	13	%th.main Email
14	14	%th Admin?
15	15	%tbody
16		- - @users.each do \|user\|
17		- %tr
	16	+ - users.each do \|user\|
	17	+ %tr.user_list
18	18	- if Errbit::Config.use_gravatar
19	19	%td= gravatar_tag user.email, :s => 24
20	20	%td.nowrap= link_to user.name, user_path(user)
...	...	@@ -22,5 +22,5 @@
22	22	%td= user.username
23	23	%td= user.email
24	24	%td= user.admin? ? 'Y' : 'N'
25		-= paginate @users
	25	+= paginate users
26	26
...	...