lib/typus/authentication/session.rb in typus-3.1.0.rc6 vs lib/typus/authentication/session.rb in typus-3.1.0.rc7
@@ -5,22 +5,15 @@
protected
include Base
def authenticate
- if session[:typus_user_id]
- admin_user
- else
- # back_to = request.env['PATH_INFO'] unless [root_path].include?(request.env['PATH_INFO'])
- # redirect_to new_session_path(:back_to => back_to)
- redirect_to new_admin_session_path
- end
+ session[:typus_user_id] ? admin_user : redirect_to(new_admin_session_path)
end
def deauthenticate
session[:typus_user_id] = nil
- ::I18n.locale = ::I18n.default_locale
redirect_to new_admin_session_path
end
#--
# Return the current user. If role does not longer exist on the system
@@ -39,31 +32,35 @@
#--
# This method checks if the user can perform the requested action.
# It works on models, so its available on the `resources_controller`.
#++
def check_if_user_can_perform_action_on_resources
- if @item.is_a?(Typus.user_class)
+ if @item && @item.is_a?(Typus.user_class)
check_if_user_can_perform_action_on_user
- elsif admin_user.cannot?(params[:action], @resource.model_name)
- not_allowed
+ else
+ not_allowed if admin_user.cannot?(params[:action], @resource.model_name)
end
end
#--
# Action is available on: edit, update, toggle and destroy
#++
def check_if_user_can_perform_action_on_user
+ is_current_user = (admin_user == @item)
+ current_user_is_root = admin_user.is_root? && is_current_user
+
case params[:action]
when 'edit'
- not_allowed if admin_user.is_not_root? && (admin_user != @item)
- when 'update'
- user_profile = (admin_user.is_root? || admin_user.is_not_root?) && (admin_user == @item) && !(@item.role == params[@object_name][:role])
- other_user = admin_user.is_not_root? && !(admin_user == @item)
- not_allowed if (user_profile || other_user)
+ # Edit other items is not allowed unless current user is root
+ # and is not the current user.
+ not_allowed if admin_user.is_not_root? && !is_current_user
when 'toggle', 'destroy'
- root = admin_user.is_root? && (admin_user == @item)
- user = admin_user.is_not_root?
- not_allowed if (root || user)
+ not_allowed if admin_user.is_not_root? || current_user_is_root
+ when 'update'
+ # Admin can update himself except setting the status to false!. Other
+ # users can update their profile as the attributes (role & status)
+ # are protected.
+ not_allowed if (admin_user.is_not_root? && !is_current_user) || current_user_is_root
end
end
#--
# This method checks if the user can perform the requested action.
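Review bot: The `update` branch ends with `|| current_user_is_root`, so a root user is denied every update of their own record, which contradicts the comment directly above it ("Admin can update himself except setting the status to false!"); one of the two is wrong, and if the comment states the intent, the condition has to inspect the submitted status attribute instead of rejecting the whole update. The old `update` branch explicitly refused a self-update that changed `role`; the new one relies on `role` and `status` being protected attributes, which this hunk does not show, so that should be confirmed against the user model, since an unprotected `role` here would let a non-root user change their own role. Minor: in `check_if_user_can_perform_action_on_resources` the added `@item &&` guard is redundant, because `nil.is_a?(Typus.user_class)` is already false, so `if @item.is_a?(Typus.user_class)` reads the same.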