diff --git a/app/components/users/javascripts/init_component.js b/app/components/users/javascripts/init_component.js
index f2c7e47..edb5592 100644
--- a/app/components/users/javascripts/init_component.js
+++ b/app/components/users/javascripts/init_component.js
@@ -33,7 +33,7 @@
 Ext.Msg.alert("Success", "New Password: "+data.password);
 },
 error: function(data,textStatus) {
- Ext.Msg.alert( "Error", JSON.parse(data.responseText)["error"]);
+ Ext.Msg.alert( "Error", JSON.parse(data.responseText)["errors"][0]);
 }
 });
 }
diff --git a/app/controllers/api/v1/users_controller.rb b/app/controllers/api/v1/users_controller.rb
index 3dc34c0..a9eacd7 100644
--- a/app/controllers/api/v1/users_controller.rb
+++ b/app/controllers/api/v1/users_controller.rb
@@ -1,18 +1,22 @@
 require 'securerandom'
 class Api::V1::UsersController < Api::V1::BaseController
+ CANNOT_MANAGE = "You do not have the permission to manager users"
+ NOT_FOUND = "User not found"
+ NOT_ALLOWED = "Not allowed to reset your own password in this fashion"
+ PASS_LENGTH = 8
 def password_reset
 if can? :manage, User
 user = User.find_by_id(params[:user_id])
- render :json => { "error" => "User not found"}, :status => 404 and return if user.nil?
- render :json => { "error" => "Not allowed to reset your own password in this fashion."}, :status => 403 and return if user.id == current_user.id
+ render :json => { "errors" => [NOT_FOUND]}, :status => 404 and return if user.nil?
+ render :json => { "errors" => [NOT_ALLOWED]}, :status => 403 and return if user.id == current_user.id
- new_pass = SecureRandom.hex[0,8]
+ new_pass = SecureRandom.hex[0,PASS_LENGTH]
 user.password = new_pass
 user.save
 render :json => { "password" => new_pass}, :status => 200 and return
 else
- render :json => { "error" => "You do not have the permission"}, :status => 403 and return
+ render :json => { "errors" => [CANNOT_MANAGE]}, :status => 403 and return
 end
 end
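Review bot: The new error handler on the `+` line parses `data.responseText` unconditionally, so a non-JSON failure (an HTML error page, a timeout with an empty body) throws inside the callback and the user sees no alert at all, and a response without an `errors` key raises a TypeError on `[0]`. Guarding the parse keeps the new `errors` shape while degrading to a generic message: `var errors; try { errors = JSON.parse(data.responseText)["errors"]; } catch (e) {} Ext.Msg.alert("Error", (errors && errors[0]) || "Password reset failed");`. The enclosing request call starts before the hunk; `textStatus` is still unused there.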
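Review bot: `user.save` on the new side still discards its return value, so a failing validation on `User` would answer 200 with a password that was never persisted; the result should drive the response, e.g. `render :json => { "errors" => user.errors.full_messages }, :status => 422 and return unless user.save` ahead of the success render. The generated credential is also short: `SecureRandom.hex[0,PASS_LENGTH]` keeps 8 hex characters, i.e. 32 bits of entropy, for a password that stays valid until the user changes it; raising `PASS_LENGTH` costs nothing, since the spec compares the returned length against the same constant. `CANNOT_MANAGE` reads "to manager users" — it is now a public constant that the spec pins, so the typo should become "manage" before callers depend on it. `password_reset` is complete within the hunk; the class `end` lies outside it.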
diff --git a/spec/controllers/api/users_controller_spec.rb b/spec/controllers/api/users_controller_spec.rb
new file mode 100644
index 0000000..5748990
--- /dev/null
+++ b/spec/controllers/api/users_controller_spec.rb
@@ -0,0 +1,72 @@
+require 'spec_helper'
+
+describe Api::V1::UsersController do
+
+ describe "#password_reset" do
+
+ context "as a user" do
+ before(:each) do
+ @user = FactoryGirl.create(:user)
+ sign_in @user
+ end
+
+ it "returns 403" do
+ post :password_reset
+ expect(@response.code.to_i).to eql 403
+ end
+
+ it "returns an error message" do
+ post :password_reset
+ json = JSON.parse(@response.body)
+ expect(json["errors"].first).to eql Api::V1::UsersController::CANNOT_MANAGE
+ end
+
+ end
+
+ context "as an admin" do
+ before(:each) do
+ @user = FactoryGirl.create(:admin)
+ sign_in @user
+ end
+
+ it "forbids a user to reset their own password" do
+ post :password_reset, user_id: @user.id
+ expect(@response.code.to_i).to eql 403
+ json = JSON.parse(@response.body)
+ expect(json["errors"].first).to eql Api::V1::UsersController::NOT_ALLOWED
+ end
+
+ context "with no user in json data" do
+ it "returns 404" do
+ post :password_reset
+ expect(@response.code.to_i).to eql 404
+ end
+
+ it "returns an error message" do
+ post :password_reset
+ json = JSON.parse(@response.body)
+ expect(json["errors"].first).to eql Api::V1::UsersController::NOT_FOUND
+ end
+ end
+
+ context "another user exists" do
+ before(:each) do
+ @user2 = FactoryGirl.create(:user)
+ end
+
+ it "returns 200" do
+ post :password_reset, user_id: @user2.id
+ expect(@response.code.to_i).to eql 200
+ end
+
+ it "returns that users new password" do
+ post :password_reset, user_id: @user2.id
+ json = JSON.parse(@response.body)
+ expect(json["password"].length).to eql Api::V1::UsersController::PASS_LENGTH
+ end
+
+ end
+
+ end
+ end
+end
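Review bot: The "another user exists" examples near the end of the file assert only a 200 and that `json["password"].length` equals `PASS_LENGTH`; nothing checks that `@user2`'s stored credential actually changed, so a controller that fails to save the new password would still pass. A third example that reloads `@user2` and verifies the returned password authenticates, and that the previous one no longer does, would close that gap. As a point of style, `@response.code.to_i` can be written as `response.status`, e.g. `expect(response.status).to eq 403`, keeping the examples on the public controller-test API rather than an instance variable.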