Modified: trunk/app/controllers/users_controller.rb (2591 => 2592)
--- trunk/app/controllers/users_controller.rb 2011-04-20 13:36:51 UTC (rev 2591)
+++ trunk/app/controllers/users_controller.rb 2011-05-25 22:05:41 UTC (rev 2592)
@@ -11,8 +11,8 @@
before_filter :login_required, :except => [:index, :new, :create, :search, :all, :confirm_email, :forgot_password, :reset_password] + show_actions
before_filter :find_users, : [:all]
- before_filter :find_user, : show_actions
- before_filter :find_user_auth, : [:edit, :update, :destroy]
+ before_filter :find_user, : [:destroy] + show_actions
+ before_filter :find_user_auth, : [:edit, :update]
# declare sweepers and which actions should invoke them
cache_sweeper :user_sweeper, : [ :create, :update, :destroy ]
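Review bot: The `destroy` action is moved from the `find_user_auth` filter to the plain `find_user` filter, so whatever check `find_user_auth` applies (presumably ownership, judging by the name; its definition is outside the hunk) no longer covers deletion, and the only guard left is the `Authorization.check` call inside the action body. Nothing at the filter level records that this is deliberate, so a later edit could drop the in-action check and leave `destroy` protected by `login_required` alone. A one-line comment on the `find_user` filter would pin the intent: `# :destroy uses find_user only — the action authorizes itself via Authorization.check (administrators)`.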
@@ -245,20 +245,25 @@
# DELETE /users/1
def destroy
- flash[:notice] = 'Please contact the administrator to have your account removed.'
- redirect_to :action ="" :index
+
+ unless Authorization.check(:action ="" 'destroy', :object => @user, :user => current_user)
+ flash[:notice] = 'You do not have permission to delete this user.'
+ redirect_to :action ="" :index
+ return
+ end
- address@hidden
+ @user.destroy
- # the user MUST be logged in to destroy their account
+ # If the destroyed account belongs to the current user, then
# it is important to log them out afterwards or they'll
# receive a nasty error message..
- #session[:user_id] = nil
+
+ session[:user_id] = nil if @user == current_user
- #respond_to do |format|
- # flash[:notice] = 'User was successfully destroyed'
- # format.html { redirect_to users_url }
- #end
+ respond_to do |format|
+ flash[:notice] = 'User account was successfully deleted'
+ format.html { redirect_to(params[:return_to] ? "#{Conf.base_uri}#{params[:return_to]}" : users_url) }
+ end
end
# GET /users/confirm_email/:hash
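Review bot: `params[:return_to]` is appended to `Conf.base_uri` without any check in the html branch of the final `respond_to`, so the post-delete redirect target is partly under control of whoever built the request; constrain it to a same-site relative path before using it, e.g. `return_to = params[:return_to].to_s`, `target = return_to.start_with?('/') && !return_to.start_with?('//') ? "#{Conf.base_uri}#{return_to}" : users_url`, `format.html { redirect_to(target) }`. The only caller this commit adds (_listing.rhtml) passes `request.request_uri`, which always satisfies that constraint. The page rendering shows `:action ="" 'destroy'` and `address@hidden` where the source presumably reads `=>` and `@user.destroy`; I am treating those as extraction artifacts rather than code.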
Modified: trunk/app/views/users/_listing.rhtml (2591 => 2592)
--- trunk/app/views/users/_listing.rhtml 2011-04-20 13:36:51 UTC (rev 2591)
+++ trunk/app/views/users/_listing.rhtml 2011-05-25 22:05:41 UTC (rev 2592)
@@ -81,6 +81,13 @@
<% master_id, friendship_obj = current_user.friendship_from_self_id_and_friends_id(user.id) %>
<%= icon "friend_delete", user_friendship_path(master_id, friendship_obj) + "?return_to=" + currentusers_things_url('friends'), nil, {:confirm => "Are you sure you want to remove this user from your friend list?", :method => :delete}, "Cancel Friendship" %>
<% end %>
- </td>
-<% end %>
+ <% end %>
+ <% if Authorization.check(:action ="" 'destroy', :object => user, :user => current_user) %>
+ <%= icon "destroy", user_path(user) + "?return_to=" + CGI::escape(request.request_uri), nil, {
+ :confirm => "Are you sure you want to remove this user?", :method => :delete},
+ "Delete User" %>
+ <% end %>
+
+</td>
+
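Review bot: The `Authorization.check` guard plus `icon "destroy"` block added here is repeated almost verbatim in the show.rhtml section that follows, down to the confirm prompt, differing only in the `return_to` query string; extracting one helper such as `user_delete_icon(user, return_to = nil)` that wraps the permission check and the `icon` call would keep the check and the wording in a single place. The two trailing empty `+` lines after `</td>` only add blank output to the partial and can be dropped. The table cell's opening tag and the enclosing loop sit outside the hunk.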
Modified: trunk/app/views/users/show.rhtml (2591 => 2592)
--- trunk/app/views/users/show.rhtml 2011-04-20 13:36:51 UTC (rev 2591)
+++ trunk/app/views/users/show.rhtml 2011-05-25 22:05:41 UTC (rev 2592)
@@ -58,6 +58,12 @@
<% end %>
<li><%= icon('history', userhistory_path(@user), nil, nil, 'View My History')%></li>
<% end %>
+
+ <% if Authorization.check(:action ="" 'destroy', :object => @user, :user => current_user) %>
+ <li><%= icon "destroy", user_path(@user), nil, {
+ :confirm => "Are you sure you want to remove this user?", :method => :delete},
+ "Delete User" %></li>
+ <% end %>
</ul>
<% end %>
Modified: trunk/lib/authorization.rb (2591 => 2592)
--- trunk/lib/authorization.rb 2011-04-20 13:36:51 UTC (rev 2591)
+++ trunk/lib/authorization.rb 2011-05-25 22:05:41 UTC (rev 2592)
@@ -485,6 +485,23 @@
is_authorized = false
end
+ when "User"
+
+ case action
+
+ when "view"
+ # everyone can view users
+ is_authorized = true
+
+ when "edit"
+ # the owner of a user record can edit
+ is_authorized = !user.nil? && user_id == thing_id
+
+ when "destroy"
+ # only adminstrators can delete accounts at present
+ is_authorized = user_is_administrator?(user)
+ end
+
else
# don't recognise the kind of "thing" that is being authorized, so
# we don't specifically know that it needs to be blocked;