dkam/clinch
1
0
Fork 0
Code Issues 2 Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
7796c38c086aa18b6e59135edc86bbce26ec956d
clinch/app/controllers/admin/users_controller.rb
Dan Milne 7796c38c08
Some checks failed
CI / scan_ruby (push) Has been cancelled
Details
CI / scan_js (push) Has been cancelled
Details
CI / lint (push) Has been cancelled
Details
CI / test (push) Has been cancelled
Details
CI / system-test (push) Has been cancelled
Details
Add pairwise SID with a UUIDv4, a significatant upgrade over User.id.to_s. Complete allowing admin to enforce TOTP per user
2025-11-23 11:16:06 +11:00

85 lines
2.3 KiB
Ruby
Raw Blame History

module Admin
class UsersController < BaseController
before_action :set_user, only: [:show, :edit, :update, :destroy, :resend_invitation]
def index
@users = User.order(created_at: :desc)
end
def show
end
def new
@user = User.new
end
def create
@user = User.new(user_params)
@user.password = SecureRandom.alphanumeric(16) if user_params[:password].blank?
@user.status = :pending_invitation
if @user.save
InvitationsMailer.invite_user(@user).deliver_later
redirect_to admin_users_path, notice: "User created successfully. Invitation email sent to #{@user.email_address}."
else
render :new, status: :unprocessable_entity
end
end
def edit
end
def update
update_params = user_params
# Only update password if provided
update_params.delete(:password) if update_params[:password].blank?
if @user.update(update_params)
redirect_to admin_users_path, notice: "User updated successfully."
else
render :edit, status: :unprocessable_entity
end
end
def resend_invitation
unless @user.pending_invitation?
redirect_to admin_users_path, alert: "Cannot send invitation. User is not pending invitation."
return
end
InvitationsMailer.invite_user(@user).deliver_later
redirect_to admin_users_path, notice: "Invitation email resent to #{@user.email_address}."
end
def destroy
# Prevent admin from deleting themselves
if @user == Current.session.user
redirect_to admin_users_path, alert: "You cannot delete your own account."
return
end
@user.destroy
redirect_to admin_users_path, notice: "User deleted successfully."
end
private
def set_user
@user = User.find(params[:id])
end
def user_params
# Base attributes that all admins can modify
base_params = params.require(:user).permit(:email_address, :name, :password, :status, :totp_required, custom_claims: {})
# Only allow modifying admin status when editing other users (prevent self-demotion)
if params[:id] != Current.session.user.id.to_s
base_params[:admin] = params[:user][:admin] if params[:user][:admin].present?
end
base_params
end
end
end
Reference in New Issue View Git Blame Copy Permalink