From 8428ca36d26da70cf00059c219a006988f28b37a Mon Sep 17 00:00:00 2001
From: Mike Slemmer
Date: Thu, 13 Dec 2012 19:32:51 -0800
Subject: [PATCH] set_password and some refactoring
---
app/controllers/api_controller.rb | 6 ++--
app/controllers/api_users_controller.rb | 41 ++++++++++---------------
config/routes.rb | 1 +
3 files changed, 22 insertions(+), 26 deletions(-)
diff --git a/app/controllers/api_controller.rb b/app/controllers/api_controller.rb
index 1d3473919..b3ae388e4 100644
--- a/app/controllers/api_controller.rb
+++ b/app/controllers/api_controller.rb
@@ -29,9 +29,11 @@ class ApiController < ApplicationController
end
protected
- def auth_user(id)
- unless current_user.id == id
+ def auth_user
+ unless current_user.id == params[:id]
raise PermissionError, ValidationMessages::PERMISSION_VALIDATION_ERROR
end
+
+ @user = User.find(params[:id])
end
end
\ No newline at end of file
diff --git a/app/controllers/api_users_controller.rb b/app/controllers/api_users_controller.rb
index 385183e99..990adb349 100644
--- a/app/controllers/api_users_controller.rb
+++ b/app/controllers/api_users_controller.rb
@@ -1,6 +1,10 @@
class ApiUsersController < ApiController
before_filter :api_signed_in_user, :except => [:create, :signup_confirm, :auth_session_create]
+ before_filter :auth_user, :only => [:session_settings_show, :update, :delete, :following_create, :following_destroy, :recording_destroy, :favorite_create, :favorite_destroy, :friend_request_index, :friend_request_show, :friend_request_create, :friend_destroy, :band_invitation_index, :band_invitation_show, :band_invitation_update, :set_password]
respond_to :json
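Review bot: `unless current_user.id == params[:id]` compares the model's id with a request parameter that Rails delivers as a String, so if `id` is an integer column the check can never succeed and every action behind the new filter raises PermissionError; the old `auth_user(id)` call sites passed the same raw param, so the id type should be confirmed before this lands. Normalising both sides, `unless current_user.id.to_s == params[:id].to_s`, keeps the fail-closed behaviour whichever type it is. Once the check passes, `params[:id]` is by construction the caller's own id, so `@user = current_user` would do the same job as `User.find(params[:id])` without a second query. A short comment on the method would help, e.g. `# Fail closed: the :id in the URL must be the signed-in user; on success @user is loaded for the action`.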
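Review bot: Moving `auth_user` into a filter keyed on `:id` proves only that the caller owns the user named in the URL, not the second resource several of the listed actions operate on: `recording_destroy` does `Recording.find(params[:recording_id]).delete` and `band_invitation_show`/`band_invitation_update` look up `params[:invitation_id]` unscoped, so any signed-in user can send their own id plus someone else's recording or invitation id. Those lookups should go through the user the filter loaded, e.g. `@user.received_band_invitations.find(params[:invitation_id])` (that association is visible in `band_invitation_index`; a `recordings` association for the recording case is assumed — confirm). The `:only` allow-list is also opt-in: an action added later and forgotten here runs with no ownership check at all, so `before_filter :auth_user, :except => [...]` listing the genuinely public actions would fail closed by default. It further names `:delete`, while the routes hunk in this commit maps `DELETE /users/:id` to `api_users#destroy`; unless a `destroy` action exists elsewhere in the file, one of the two names is wrong.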
@@ -54,20 +58,17 @@ class ApiUsersController < ApiController
end
def session_settings_show
- auth_user(params[:id])
- @user = User.find(params[:id])
respond_with @user.my_session_settings, responder: ApiResponder
end
def update
- auth_user(params[:id])
@user = User.save(params[:id],
current_user.id,
params[:first_name],
params[:last_name],
params[:email],
- params[:password],
- params[:password_confirmation],
+ nil, # Don't allow changing password here, since we want to prompt again for the old password
+ nil,
params[:musician],
params[:gender],
params[:birth_date],
@@ -81,9 +82,17 @@ class ApiUsersController < ApiController
respond_with @user, responder: ApiResponder, :status => 200
end
+ def set_password
+ begin
+ @user.set_password(params[:old_password], params[:new_password], params[:new_password_confirm])
+ rescue JamRuby::JamArgumentError
+ render :json => { :message => ValidationMessages::OLD_PASSWORD_DOESNT_MATCH }, :status => 403
+ end
+ respond_with responder: ApiResponder, :status => 204
+ end
+
def delete
- @user = User.find(params[:id])
- auth_user @user.destroy # required to make 'tire' integration work
+ @user.destroy # required to make 'tire' integration work
respond_with responder: ApiResponder, :status => 204
end
@@ -104,8 +113,6 @@ class ApiUsersController < ApiController
def following_create
id = params[:id]
- auth_user(id)
- @user = User.find(id)
if !params[:user_id].nil?
User.create_user_following(params[:user_id], id)
@@ -118,8 +125,6 @@ class ApiUsersController < ApiController
end
def following_destroy
- auth_user(params[:id])
-
if !params[:user_id].nil?
User.delete_following(params[:user_id], nil, params[:id])
@@ -197,7 +202,6 @@ class ApiUsersController < ApiController
end
def recording_destroy
- auth_user(params[:id])
@recording = Recording.find(params[:recording_id])
@recording.delete
respond_with responder: ApiResponder, :status => 204
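Review bot: The two `nil` placeholders in `update` rely on `User.save` treating a nil password as "leave unchanged"; if it validates presence or writes the attribute through, every profile update will now fail or blank the password — that is not visible here and should be confirmed in the model before merging. A positional `nil` with a trailing comment is also easy to misread at the call site; a named constant such as `KEEP_PASSWORD = nil` or a keyword argument would carry the intent. The reasoning used to pull password out of this action applies equally to `params[:email]`: changing the account e-mail without re-entering the password is the usual takeover path once a session is hijacked, so it arguably belongs on the same re-authenticated route. `update` continues past the end of this hunk.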
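Review bot: `set_password` renders twice when the old password is rejected: the `rescue` branch calls `render ... :status => 403` and control then falls through to `respond_with ... :status => 204`, which Rails rejects with a DoubleRenderError after the 403 has already been prepared. Make the error branch terminal with `return render :json => { :message => ValidationMessages::OLD_PASSWORD_DOESNT_MATCH }, :status => 403`, or move the success `respond_with` into an `else` of the `begin` block. Whether `JamRuby::JamArgumentError` is also raised for a `new_password`/`new_password_confirm` mismatch is not visible here; if it is, the fixed "old password doesn't match" message is misleading and a 422 would be the better status for that case. Since the endpoint is an old-password oracle for whoever holds a session, it also merits the same throttling as login — confirm. A header comment, `# PUT /users/:id/set_password — requires the current password; 403 on mismatch, 204 on success`, would document the contract.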
@@ -211,7 +215,6 @@ class ApiUsersController < ApiController
end
def favorite_create
- auth_user(params[:id])
@favorite = UserFavorite.new()
User.create_favorite(params[:id], params[:recording_id])
@@ -220,27 +223,23 @@ class ApiUsersController < ApiController
end
def favorite_destroy
- auth_user(params[:id])
User.delete_favorite(params[:id], params[:recording_id])
respond_with responder: ApiResponder, :status => 204
end
###################### FRIENDS (TODO: refactor resource paths) ##########################
def friend_request_index
- auth_user(params[:id])
# get all outgoing and incoming friend requests
@friend_requests = FriendRequest.where("(friend_id='#{params[:id]}' OR user_id='#{params[:id]}') AND accepted is null")
end
def friend_request_show
- auth_user(params[:id])
@friend_request = FriendRequest.find(params[:id])
end
def friend_request_create
- auth_user(params[:user_id])
@friend_request = FriendRequest.new()
- @friend_request.user_id = params[:user_id]
+ @friend_request.user_id = params[:id]
@friend_request.friend_id = params[:friend_id]
@friend_request.save
respond_with @friend_request, responder: ApiResponder, :location => api_friend_request_detail_url(@friend_request)
@@ -275,7 +274,6 @@ class ApiUsersController < ApiController
end
def friend_destroy
- auth_user(params[:id])
# clean up both records representing this "friendship"
JamRuby::Friendship.delete_all "(user_id = '#{params[:id]}' AND friend_id = '#{params[:friend_id]}') OR (user_id = '#{params[:friend_id]}' AND friend_id = '#{params[:id]}')"
respond_with responder: ApiResponder, :status => 204
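Review bot: `friend_request_show` does `FriendRequest.find(params[:id])` with the very value the filter has just verified to be the caller's user id, so it can only ever return the request whose primary key happens to equal that user id, and performs no ownership check on the request it returns; the request id presumably arrives in a separate parameter and should be scoped to the user, e.g. `FriendRequest.where("user_id = ? OR friend_id = ?", @user.id, @user.id).find(params[:request_id])` (parameter name assumed — the route is not shown). `friend_request_index` splices `params[:id]` into SQL with string interpolation; that is only safe because the filter already proved it equals the current user's id, and `friend_destroy` further down uses the same pattern with the unchecked `params[:friend_id]`, which is a plain SQL injection — rewrite both with bind parameters, `FriendRequest.where("(friend_id = ? OR user_id = ?) AND accepted IS NULL", @user.id, @user.id)`. `friend_request_create` also accepts any `params[:friend_id]`, including the caller's own id, without validation.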
@@ -283,15 +281,12 @@ class ApiUsersController < ApiController
##################### BAND INVITATIONS ##################
def band_invitation_index
- auth_user(params[:id])
@user = current_user
@invitations = @user.received_band_invitations#.merge(@user.sent_band_invitations)
respond_with @invitations, responder: ApiResponder, :status => 200
end
def band_invitation_show
- auth_user(params[:id])
-
begin
@invitation = BandInvitation.find(params[:invitation_id])
respond_with @invitation, responder: ApiResponder, :status => 200
@@ -302,8 +297,6 @@ class ApiUsersController < ApiController
end
def band_invitation_update
- auth_user(params[:id])
-
begin
@invitation = BandInvitation.save(params[:invitation_id],
nil,
diff --git a/config/routes.rb b/config/routes.rb
index 6af59ffe8..d754bf538 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -50,6 +50,7 @@ SampleApp::Application.routes.draw do
match '/users' => 'api_users#index', :via => :get
match '/users/:id' => 'api_users#show', :via => :get, :as => 'api_user_detail'
#match '/users' => 'api_users#create', :via => :post
+ match '/users/:id/set_password' => 'api_users#set_password', :via => :put
match '/users/:id' => 'api_users#update', :via => :post
match '/users/:id' => 'api_users#destroy', :via => :delete
match '/users/confirm/:signup_token' => 'api_users#signup_confirm', :via => :post, :as => 'api_signup_confirmation'
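Review bot: The new `set_password` route uses `:via => :put` while the neighbouring mutation on the same resource, `api_users#update`, is `:via => :post`; one verb convention for writes under `/users/:id` keeps clients and any verb-sensitive middleware consistent. The path also names the action rather than the resource and, unlike its siblings, has no `:as` helper; `match '/users/:id/password' => 'api_users#set_password', :via => :put, :as => 'api_user_password'` would match the naming used on the other routes in this hunk.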