Finish user edit, update, index, and destroy actions

Author: mhartl

Gemfile

@@ -3,21 +3,24 @@ git_source(:github) { |repo| "https://github.com/#{repo}.git" }
 
 ruby "3.1.1"
 
-gem "rails",           "7.0.2.3"
-gem "bcrypt",          "3.1.16"
-gem "bootstrap-sass",  "3.4.1"
-gem "sassc-rails",     "2.1.2"
-gem "sprockets-rails", "3.4.2"
-gem "importmap-rails", "1.0.3"
-gem "turbo-rails",     "1.0.1"
-gem "stimulus-rails",  "1.0.4"
-gem "jbuilder",        "2.11.5"
-gem "puma",            "5.6.4"
-gem "bootsnap",        "1.11.1", require: false
+gem "rails",                   "7.0.2.3"
+gem "bcrypt",                  "3.1.16"
+gem "faker",                   "2.20.0"
+gem "will_paginate",           "3.3.1"
+gem "bootstrap-will_paginate", "1.0.0"
+gem "bootstrap-sass",          "3.4.1"
+gem "sassc-rails",             "2.1.2"
+gem "sprockets-rails",         "3.4.2"
+gem "importmap-rails",         "1.0.3"
+gem "turbo-rails",             "1.0.1"
+gem "stimulus-rails",          "1.0.4"
+gem "jbuilder",                "2.11.5"
+gem "puma",                    "5.6.4"
+gem "bootsnap",                "1.11.1", require: false
 
 group :development, :test do
-  gem "sqlite3", "1.4.2"
   gem "debug",   "1.4.0", platforms: %i[ mri mingw x64_mingw ]
+  gem "sqlite3", "1.4.2"
 end
 
 group :development do
@@ -39,7 +42,7 @@ group :production do
   gem "pg", "1.3.3"
 end
 
-# Windows does not include zoneinfo files, so bundle the tzinfo-data gem
+# Windows does not include zoneinfo files, so bundle the tzinfo-data gem.
 # Uncomment the following line if you're running Rails
 # on a native Windows system:
-# gem "tzinfo-data", platforms: [:mingw, :mswin, :x64_mingw, :jruby]
+# gem "tzinfo-data", platforms: %i[ mingw mswin x64_mingw jruby ]

Gemfile.lock

@@ -78,6 +78,8 @@ GEM
     bootstrap-sass (3.4.1)
       autoprefixer-rails (>= 5.2.1)
       sassc (>= 2.0.0)
+    bootstrap-will_paginate (1.0.0)
+      will_paginate
     builder (3.2.4)
     capybara (3.36.0)
       addressable
@@ -98,6 +100,8 @@ GEM
     digest (3.1.0)
     erubi (1.10.0)
     execjs (2.8.1)
+    faker (2.20.0)
+      i18n (>= 1.8.11, < 2)
     ffi (1.15.5)
     formatador (1.1.0)
     globalid (1.0.0)
@@ -262,6 +266,7 @@ GEM
     websocket-driver (0.7.5)
       websocket-extensions (>= 0.1.0)
     websocket-extensions (0.1.5)
+    will_paginate (3.3.1)
     xpath (3.2.0)
       nokogiri (~> 1.8)
     zeitwerk (2.5.4)
@@ -273,8 +278,10 @@ DEPENDENCIES
   bcrypt (= 3.1.16)
   bootsnap (= 1.11.1)
   bootstrap-sass (= 3.4.1)
+  bootstrap-will_paginate (= 1.0.0)
   capybara (= 3.36.0)
   debug (= 1.4.0)
+  faker (= 2.20.0)
   guard (= 2.18.0)
   guard-minitest (= 2.4.6)
   importmap-rails (= 1.0.3)
@@ -293,6 +300,7 @@ DEPENDENCIES
   turbo-rails (= 1.0.1)
   web-console (= 4.2.0)
   webdrivers (= 5.0.0)
+  will_paginate (= 3.3.1)
 
 RUBY VERSION
    ruby 3.1.1p18

app/assets/stylesheets/custom.scss

@@ -212,4 +212,16 @@ input {
 
 .dropdown-menu.active {
   display: block;
+}
+
+/* Users index */
+
+.users {
+  list-style: none;
+  margin: 0;
+  li {
+    overflow: auto;
+    padding: 10px 0;
+    border-bottom: 1px solid $gray-lighter;
+  }
 }

app/controllers/sessions_controller.rb

@@ -6,10 +6,11 @@ def new
   def create
     user = User.find_by(email: params[:session][:email].downcase)
     if user && user.authenticate(params[:session][:password])
+      forwarding_url = session[:forwarding_url]
       reset_session
       params[:session][:remember_me] == '1' ? remember(user) : forget(user)
       log_in user
-      redirect_to user
+      redirect_to forwarding_url || user
     else
       flash.now[:danger] = 'Invalid email/password combination'
       render 'new', status: :unprocessable_entity

app/controllers/users_controller.rb

@@ -1,4 +1,11 @@
 class UsersController < ApplicationController
+  before_action :logged_in_user, only: [:index, :edit, :update, :destroy]
+  before_action :correct_user,   only: [:edit, :update]
+  before_action :admin_user,     only: :destroy
+
+  def index
+    @users = User.paginate(page: params[:page])
+  end
 
   def show
     @user = User.find(params[:id])
@@ -20,10 +27,52 @@ def create
     end
   end
 
+  def edit
+    @user = User.find(params[:id])
+  end
+
+  def update
+    @user = User.find(params[:id])
+    if @user.update(user_params)
+      flash[:success] = "Profile updated"
+      redirect_to @user
+    else
+      render 'edit', status: :unprocessable_entity
+    end
+  end
+
+  def destroy
+    User.find(params[:id]).destroy
+    flash[:success] = "User deleted"
+    redirect_to users_url, status: :see_other
+  end
+
   private
 
     def user_params
       params.require(:user).permit(:name, :email, :password,
                                    :password_confirmation)
     end
-end
+
+    # Before filters
+
+    # Confirms a logged-in user.
+    def logged_in_user
+      unless logged_in?
+        store_location
+        flash[:danger] = "Please log in."
+        redirect_to login_url
+      end
+    end
+
+    # Confirms the correct user.
+    def correct_user
+      @user = User.find(params[:id])
+      redirect_to(root_url) unless @user == current_user
+    end
+
+    # Confirms an admin user.
+    def admin_user
+      redirect_to(root_url) unless current_user.admin?
+    end
+end

app/helpers/sessions_helper.rb

@@ -3,6 +3,9 @@ module SessionsHelper
   # Logs in the given user.
   def log_in(user)
     session[:user_id] = user.id
+    # Guard against session replay attacks.
+    # See https://bit.ly/33UvK0w for more.
+    session[:session_token] = user.session_token
   end
 
   # Remembers a user in a persistent session.
@@ -15,7 +18,10 @@ def remember(user)
   # Returns the user corresponding to the remember token cookie.
   def current_user
     if (user_id = session[:user_id])
-      @current_user ||= User.find_by(id: user_id)
+      user = User.find_by(id: user_id)
+      if user && session[:session_token] == user.session_token
+        @current_user = user
+      end
     elsif (user_id = cookies.encrypted[:user_id])
       user = User.find_by(id: user_id)
       if user && user.authenticated?(cookies[:remember_token])
@@ -25,6 +31,11 @@ def current_user
     end
   end
 
+  # Returns true if the given user is the current user.
+  def current_user?(user)
+    user && user == current_user
+  end
+
   # Returns true if the user is logged in, false otherwise.
   def logged_in?
     !current_user.nil?
@@ -43,4 +54,9 @@ def log_out
     reset_session
     @current_user = nil
   end
+
+  # Stores the URL trying to be accessed.
+  def store_location
+    session[:forwarding_url] = request.original_url if request.get?
+  end
 end

app/helpers/users_helper.rb

@@ -1,9 +1,10 @@
 module UsersHelper
 
   # Returns the Gravatar for the given user.
-  def gravatar_for(user)
+  def gravatar_for(user, options = { size: 80 })
+    size         = options[:size]
     gravatar_id  = Digest::MD5::hexdigest(user.email.downcase)
-    gravatar_url = "https://secure.gravatar.com/avatar/#{gravatar_id}"
+    gravatar_url = "https://secure.gravatar.com/avatar/#{gravatar_id}?s=#{size}"
     image_tag(gravatar_url, alt: user.name, class: "gravatar")
   end
 end

app/models/user.rb

@@ -7,7 +7,7 @@ class User < ApplicationRecord
                     format: { with: VALID_EMAIL_REGEX },
                     uniqueness: true
   has_secure_password
-  validates :password, presence: true, length: { minimum: 6 }
+  validates :password, presence: true, length: { minimum: 6 }, allow_nil: true
 
   # Returns the hash digest of the given string.
   def User.digest(string)
@@ -25,6 +25,13 @@ def User.new_token
   def remember
     self.remember_token = User.new_token
     update_attribute(:remember_digest, User.digest(remember_token))
+    remember_digest
+  end
+
+  # Returns a session token to prevent session hijacking.
+  # We reuse the remember digest for convenience.
+  def session_token
+    remember_digest || remember
   end
 
   # Returns true if the given token matches the digest.

app/views/layouts/_header.html.erb

@@ -15,14 +15,14 @@
         <li><%= link_to "Home", root_path %></li>
         <li><%= link_to "Help", help_path %></li>
         <% if logged_in? %>
-          <li><%= link_to "Users", '#' %></li>
+          <li><%= link_to "Users", users_path %></li>
           <li class="dropdown">
             <a href="#" id="account" class="dropdown-toggle">
               Account <b class="caret"></b>
             </a>
             <ul id="dropdown-menu" class="dropdown-menu">
               <li><%= link_to "Profile", current_user %></li>
-              <li><%= link_to "Settings", '#' %></li>
+              <li><%= link_to "Settings", edit_user_path(current_user) %></li>
               <li class="divider"></li>
               <li>
                 <%= link_to "Log out", logout_path,

app/views/users/_user.html.erb

@@ -0,0 +1,8 @@
+<li>
+  <%= gravatar_for user, size: 50 %>
+  <%= link_to user.name, user %>
+  <% if current_user.admin? && !current_user?(user) %>
+    | <%= link_to "delete", user, data: { "turbo-method": :delete,
+                                          turbo_confirm: "You sure?" } %>
+  <% end %>
+</li>