[#45] proper password syncing, maybe minor touchups, i forget

wrekatlanta · Apr 21, 2014 · d7f4b40 · d7f4b40
1 parent 441e85e
commit d7f4b40
Show file tree

Hide file tree

Showing 6 changed files with 62 additions and 21 deletions.
diff --git a/app/controllers/admin/users_controller.rb b/app/controllers/admin/users_controller.rb
@@ -19,7 +19,9 @@ def edit
   end
 
   def update
-    if @user.update_attributes(user_params) and @user.sync_to_legacy_profile! and @user.sync_to_ldap
+    password = user_params[:password]
+
+    if @user.update_attributes(user_params) and @user.sync_to_legacy_profile!(password) and @user.sync_to_ldap(password)
       redirect_to admin_users_path, success: "#{@user.username} updated successfully."
     else
       render :edit

diff --git a/app/controllers/registrations_controller.rb b/app/controllers/registrations_controller.rb
@@ -1,7 +1,9 @@
 class RegistrationsController < Devise::RegistrationsController
   def update
     @user = User.find(current_user.id)
-    if @user.update_with_password(account_update_params) and @user.sync_to_legacy_profile! and @user.sync_to_ldap
+    password = account_update_params[:password]
+
+    if @user.update_with_password(account_update_params) and @user.sync_to_legacy_profile!(password) and @user.sync_to_ldap(password)
       set_flash_message :notice, :updated
       # Sign in the user bypassing validation in case his password changed
       sign_in @user, bypass: true
@@ -14,7 +16,7 @@ def update
   private
     def account_update_params
       permitted = [
-        :email, :subscribed_to_announce, :subscribed_to_staff,
+        :email, :subscribed_to_announce, :subscribed_to_staff, :mark_as_inactive,
         :first_name, :middle_name, :last_name, :display_name,
         :current_password, :password, :password_confirmation, :phone,
         :birthday_string, :avatar, :delete_avatar, :user_id,

diff --git a/app/models/legacy/staff.rb b/app/models/legacy/staff.rb
@@ -41,10 +41,37 @@ class Legacy::Staff < Legacy::Base
   has_many :phone_numbers, foreign_key: :pid, class_name: "PhoneInfo"
   has_one :user, foreign_key: :legacy_id
 
+  def password=(value)
+    write_attribute(:password, self.class.legacy_password_hash(value))
+  end
+
   def serializable_hash(options={})
     options = { 
       except: [:exec]
     }.update(options)
     super(options)
   end
+
+  # MySQL old_password polyfill
+  # https://github.com/joerghaubrichs/Ruby-MySQL-old_password-function/blob/master/mysql_password.rb
+  def self.legacy_password_hash(string)
+    nr = 1345345333
+    nr2 = 0x12345671
+    add = 7
+
+    string.each_char do |char|
+      if (char == ' ' or char == '\t')
+        next
+      end
+      tmp = char.ord
+      nr ^= (((nr & 63) + add) * tmp) + (nr << 8)
+      nr2 += (nr2 << 8) ^ nr
+      add += tmp
+    end
+
+    res1 = nr & 0x7fffffff
+    res2 = nr2 & 0x7fffffff
+
+    return '%08x%08x' % [res1, res2]
+  end
 end
diff --git a/app/models/user.rb b/app/models/user.rb
@@ -222,7 +222,7 @@ def add_to_ldap
     end
   end
 
-  def sync_to_ldap
+  def sync_to_ldap(new_password = nil)
     if Rails.env.production? and not LdapHelper::find_user(self.username)
       ldap_handle = LdapHelper::ldap_connect
 
@@ -237,8 +237,10 @@ def sync_to_ldap
         sn: self.last_name
       }
 
-      unless self.password.blank?
-        user_attr[:userpassword] = "{SHA}#{Digest::SHA1.base64digest self.password}"
+      pwd = new_password || self.password
+
+      unless pwd.blank?
+        user_attr[:userpassword] = "{SHA}#{Digest::SHA1.base64digest pwd}"
       end
 
       unless ldap_handle.add(dn: dn, attributes: user_attr)
@@ -267,7 +269,8 @@ def delete_from_ldap
 
   # syncs to legacy_profile (Legacy::Staff)
   # DON'T PUT THIS IN A CALLBACK because of the sync script
-  def sync_to_legacy_profile!
+  # password needs to be passed in separately because the user will have already been updated
+  def sync_to_legacy_profile!(new_password = nil)
     p = self.legacy_profile
 
     if not self.email.blank?
@@ -286,15 +289,18 @@ def sync_to_legacy_profile!
       email.save!
     end
 
-    new_attributes = {}
+    pwd = new_password || self.password
+
+    p.password = pwd unless pwd.blank?
+    p.initials = username
+    p.admin = admin ? "y" : "n"
+    p.fname = first_name
+    p.mname = middle_name
+    p.lname = last_name
 
-    new_attributes[:initials] = username
-    new_attributes[:admin] = admin ? "y" : "n"
-    new_attributes[:fname] = first_name
-    new_attributes[:mname] = middle_name
-    new_attributes[:lname] = last_name
+    p.save!
 
-    p.update_attributes(new_attributes)
+    # exec is a reserved word, has to be done separately
     p.update_column :exec, exec_staff ? "y" : "n"
   end
 

diff --git a/app/views/staff/users/index.html.slim b/app/views/staff/users/index.html.slim
@@ -57,16 +57,20 @@ div ng-controller="userFilterCtrl" ng-init="init('staff', 30)"
     .col-md-6.ng-cloak ng-repeat="user in filtered = (users | filter:status:true | filter:search | filter:filterByRole) | startFrom:(currentPage-1)*itemsPerPage | limitTo:itemsPerPage"
       .well
         .row
-          .col-xs-3
-            img.img-rounded ng-src="{{ user.avatar }}"
-          .col-xs-9 style="height: 100px; overflow-y: scroll;"
+          .col-xs-3.col-sm-4.text-center
+            a ng-href="/staff/users/{{ user.id }}"
+              img.img-rounded ng-src="{{ user.avatar }}"
+            br
+            span.label< ng-class="{ active: 'label-success', inactive: 'label-warning', expired: 'label-danger', revoked: 'label-danger', potential: 'label-info' }[user.status]" {{ user.status }}
+          .col-xs-9.col-sm-8 style="height: 100px; overflow-y: scroll;"
             h4
-              a ng-href="/staff/users/{{ user.id }}"
-                | {{ user.name }}
+              a ng-href="/staff/users/{{ user.id }}" {{ user.name }}
               small<
                 | {{ user.username }}
-                span.label< ng-class="{ active: 'label-success', inactive: 'label-warning', expired: 'label-danger', revoked: 'label-danger', potential: 'label-info' }[user.status]" {{ user.status }}
             ul.list-unstyled
+              span.glyphicon.glyphicon-time>
+              span
+                | {{ user.created_at | date:'longDate' }}
               li ng-if="user.exec_staff"
                 span.glyphicon.glyphicon-star>
                 span Exec Staff

diff --git a/app/views/staff/users/index.json.jbuilder b/app/views/staff/users/index.json.jbuilder
@@ -1,5 +1,5 @@
 json.(@users) do |user|
-  json.(user, :id, :username, :name, :status, :phone, :exec_staff, :roles)
+  json.(user, :created_at, :id, :username, :name, :status, :phone, :exec_staff, :roles)
 
   json.avatar user.avatar.url(:small)
 end