diff --git a/app/controllers/plans_controller.rb b/app/controllers/plans_controller.rb index 46c5157..af340c7 100644 --- a/app/controllers/plans_controller.rb +++ b/app/controllers/plans_controller.rb @@ -161,7 +161,6 @@ # Save the guidance group selections guidance_group_ids = params[:guidance_group_ids].blank? ? [] : params[:guidance_group_ids].map(&:to_i).uniq @plan.guidance_groups = GuidanceGroup.where(id: guidance_group_ids) -puts @plan.guidance_groups.collect(&:name).join(', ') @plan.save if @plan.update_attributes(attrs) diff --git a/app/controllers/registrations_controller.rb b/app/controllers/registrations_controller.rb index 7984224..5a39f49 100644 --- a/app/controllers/registrations_controller.rb +++ b/app/controllers/registrations_controller.rb @@ -155,10 +155,10 @@ else successfully_updated = current_user.update_with_password(password_update) end - else # user did not change their email so no pwd required + else # This case is never reached since this method when called with require_password = true is because the email changed. The case for password changed goes to do_update_password instead successfully_updated = current_user.update_without_password(update_params) end - else # password not required + else # password not required successfully_updated = current_user.update_without_password(update_params) end else @@ -203,7 +203,7 @@ session[:locale] = current_user.get_locale unless current_user.get_locale.nil? set_gettext_locale #Method defined at controllers/application_controller.rb set_flash_message :notice, success_message(_('password'), _('saved')) - sign_in current_user, bypass: true # Sign in the user bypassing validation in case his password changed + sign_in current_user, bypass: true # TODO this method is deprecated redirect_to "#{edit_user_registration_path}\#password-details", notice: success_message(_('password'), _('saved')) else diff --git a/app/models/user.rb b/app/models/user.rb index 296565c..2090de0 100644 --- a/app/models/user.rb +++ b/app/models/user.rb @@ -65,6 +65,8 @@ end } + after_update :when_org_changes + # EVALUATE CLASS AND INSTANCE METHODS BELOW # # What do they do? do they do it efficiently, and do we need them? @@ -114,28 +116,6 @@ user_identifiers.where(identifier_scheme: scheme).first end -# TODO: Check the logic here. Its deleting the permissions if the user does not have permission -# to change orgs and either the incoming or existing org is nil. -# We should also NOT be auto-saving here!!! - ## - # sets a new organisation id for the user - # if the user has any perms such as org_admin or admin, those are removed - # if the user had an api_token, that is removed - # - # @param new_organisation_id [Integer] the id for an organisation - # @return [String] the empty string as a causality of setting api_token - def org_id=(new_org_id) - unless self.can_change_org? || new_org_id.nil? || self.org.nil? || (new_org_id.to_s == self.org.id.to_s) - # rip all permissions from the user - self.perms.delete_all - end - # set the user's new organisation - super(new_org_id) - # self.save! - # rip api permissions from the user - self.remove_token! - end - ## # sets a new organisation for the user # @@ -235,8 +215,7 @@ # modifies the user model def remove_token! unless api_token.blank? - self.api_token = "" - self.save! + update_column(:api_token, "") unless new_record? end end @@ -249,7 +228,7 @@ random_token = SecureRandom.urlsafe_base64(nil, false) break random_token unless User.exists?(api_token: random_token) end - self.save! + update_column(:api_token, api_token) unless new_record? deliver_if(recipients: self, key: 'users.admin_privileges') do |r| UserMailer.api_token_granted_notification(r).deliver_now end @@ -309,4 +288,14 @@ def self.where_case_insensitive(field, val) User.where("lower(#{field}) = ?", val.respond_to?(:downcase) ? val.downcase : val.to_s) end + + private + def when_org_changes + if org_id != org_id_was + unless can_change_org? + perms.delete_all + remove_token! + end + end + end end diff --git a/test/unit/user_test.rb b/test/unit/user_test.rb index 9817def..73d966f 100644 --- a/test/unit/user_test.rb +++ b/test/unit/user_test.rb @@ -326,5 +326,22 @@ language = Language.new(name: 'esperonto', abbreviation: 'zz') verify_belongs_to_relationship(@user, language) end - + test "after_save removes API token and its perms associated" do + previous_api_token = @user.api_token + @user.perms = [Perm.add_orgs, Perm.grant_permissions] + previous_perms = @user.perms.to_a + @user.org = Org.where.not(id: @user.org_id).first + @user.save + assert_not_equal(previous_api_token, @user.api_token) + assert_not_equal(previous_perms, @user.perms.to_a) + end + test "after_save does not remove API token and its perms associated if user can_change_org" do + previous_api_token = @user.api_token + @user.perms = [Perm.add_orgs, Perm.grant_permissions, Perm.change_affiliation] + previous_perms = @user.perms + @user.org = Org.where.not(id: @user.org_id).first + @user.save + assert_equal(previous_api_token, @user.api_token) + assert_equal(previous_perms, @user.perms) + end end